Commit
RSA key generation: ensure BN_mod_inverse and BN_mod_exp_mont both get called with BN_FLG_CONSTTIME flag set.

CVE-2018-0737

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 6939eab)
bbbrumley authored and mattcaswell committed Apr 16, 2018
1 parent d1a6414 commit 349a41d
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions crypto/rsa/rsa_gen.c
@@ -156,6 +156,8 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
if (BN_copy(rsa->e, e_value) == NULL)
goto err;

BN_set_flags(rsa->p, BN_FLG_CONSTTIME);
BN_set_flags(rsa->q, BN_FLG_CONSTTIME);
BN_set_flags(r2, BN_FLG_CONSTTIME);
/* generate p and q */
for (;;) {
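Review bot: the three BN_set_flags calls are placed after the BN_copy of e_value and before the `for (;;)` generation loop, so BN_FLG_CONSTTIME is set once on rsa->p, rsa->q and r2 and must survive the whole loop; the BN_mod_inverse and BN_mod_exp_mont call sites named in the commit message are outside the visible context, so please confirm that every operand they receive is one of these three BIGNUMs (or is derived from them in a way that keeps the flag), and that nothing inside the loop re-creates or reassigns rsa->p, rsa->q or r2, which would silently drop the flag. A one-line comment above the new lines stating why the flag is needed (CVE-2018-0737, the non-constant-time path in BN_mod_inverse / BN_mod_exp_mont during key generation) would help future readers, since the existing `/* generate p and q */` comment does not explain it.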
8 comments on commit 349a41d

@QinLongFei

I want to know whether this vulnerability affects 1.0.2a. I notice "Affected 1.0.2b-1.0.2o" on the OpenSSL vulnerabilities.html page.

@mattcaswell (Member)

Thanks for drawing our attention to that. That is a typo (now fixed). 1.0.2 and 1.0.2a are affected.

@Deepti24

When is OpenSSL version 1.0.2p going to be released?

@richsalz (Contributor)

We have no release-date scheduled. If a CVE comes up, that could force a release. Otherwise ... shrug.

@skcalm commented on 349a41d May 16, 2018

When will OpenSSL 1.0.2p be released? We need this version to fix the vulnerability CVE-2018-0737.

@mattcaswell (Member)

As per the comment above from @richsalz we have no release date scheduled. CVE-2018-0737 is considered low severity and therefore most people can wait until the next release (whenever that is) to get the fix. If you must have the fix earlier than that then there is always the option of applying the patch from this commit manually.

@ctietjen

Does the issue this fixes (CVE-2018-0737) exist in the FIPS crypto module as well? If so, will it get fixed?

@richsalz (Contributor)

Sorry, but we are not touching the existing FIPS code.