
RSA key generation: ensure BN_mod_inverse and BN_mod_exp_mont both get called with BN_FLG_CONSTTIME flag set.

CVE-2018-0737

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 6939eab)
bbbrumley authored and mattcaswell committed Apr 11, 2018
1 parent d1a6414 commit 349a41da1ad88ad87825414752a8ff5fdd6a6c3f
Showing with 2 additions and 0 deletions.
  1. +2 −0 crypto/rsa/rsa_gen.c
@@ -156,6 +156,8 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
if (BN_copy(rsa->e, e_value) == NULL)
goto err;
BN_set_flags(rsa->p, BN_FLG_CONSTTIME);
BN_set_flags(rsa->q, BN_FLG_CONSTTIME);
BN_set_flags(r2, BN_FLG_CONSTTIME);
/* generate p and q */
for (;;) {
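Review bot: the three BN_set_flags calls carry no comment saying why p and q must be marked BN_FLG_CONSTTIME here, before the generation loop; a one-line comment such as `/* p and q feed BN_mod_inverse and BN_mod_exp_mont; flag them so the constant-time paths are taken */` would tie the code to the rationale in the commit message. Note also that the header reports `+2 −0` while the extracted hunk shows three BN_set_flags lines without their `+` markers, so a reader cannot tell from this view which two lines are the new ones; the markers should be preserved when quoting the hunk.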

8 comments on commit 349a41d

@QinLongFei


QinLongFei replied Apr 24, 2018

I want to know whether this vulnerability affects 1.0.2a. I notice "Affected 1.0.2b-1.0.2o" on the OpenSSL vulnerabilities.html page.

@mattcaswell


Member

mattcaswell replied Apr 24, 2018

Thanks for drawing our attention to that. That is a typo (now fixed). 1.0.2 and 1.0.2a are affected.

@Deepti24


Deepti24 replied Apr 26, 2018

When is OpenSSL version 1.0.2p going to be released?

@richsalz


Contributor

richsalz replied Apr 26, 2018

We have no release-date scheduled. If a CVE comes up, that could force a release. Otherwise ... shrug.

@skcalm


skcalm replied May 16, 2018

When will OpenSSL 1.0.2p be released? We need this version to fix the vulnerability CVE-2018-0737.

@mattcaswell


Member

mattcaswell replied May 16, 2018

As per the comment above from @richsalz we have no release date scheduled. CVE-2018-0737 is considered low severity and therefore most people can wait until the next release (whenever that is) to get the fix. If you must have the fix earlier than that then there is always the option of applying the patch from this commit manually.

@ctietjen


ctietjen replied Jun 19, 2018

Does the issue this fixes (CVE-2018-0737) exist in the FIPS crypto module as well? If so, will it get fixed?

@richsalz


Contributor

richsalz replied Jun 19, 2018

Sorry, but we are not touching the existing FIPS code.
