-
-
Notifications
You must be signed in to change notification settings - Fork 10.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix rsaz 512 overflow bug #10574
Fix rsaz 512 overflow bug #10574
Conversation
There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. CVE-2019-1551
We have always a carry in %rcx or %rbx in range 0..2 from the previous stage, that is added to the result of the 64-bit square, but the low nibble of any square can only be 0, 1, 4, 9. Therefore one "adcq $0, %rdx" can be removed. Likewise in the ADX code we can remove one "adcx %rbp, $out" since %rbp is always 0, and carry is also zero, therefore that is a no-op.
The first two test vectors were found by the OSS-Fuzz project.
|
The string from the first test vector was too long to C90.
|
Hopefully the CI will work now. |
15d92c9
to
6f67704
Compare
Travis is still unhappy... |
6f67704
to
08a107e
Compare
[extended tests]
08a107e
to
3e516cd
Compare
Ah sorry, I forgot to push the CHANGES |
There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. CVE-2019-1551 Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from #10574)
We have always a carry in %rcx or %rbx in range 0..2 from the previous stage, that is added to the result of the 64-bit square, but the low nibble of any square can only be 0, 1, 4, 9. Therefore one "adcq $0, %rdx" can be removed. Likewise in the ADX code we can remove one "adcx %rbp, $out" since %rbp is always 0, and carry is also zero, therefore that is a no-op. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from #10574)
[extended tests] Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from #10574)
Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from #10574)
Merged to master, thanks! |
If one of more CVE id(s) are found in a commit message, those are added in the finding output. Example: "8c6f86c7c5350fadf22d32d6cd4712e2ad4447ba": { "message": "Fix an overflow bug in rsaz_512_sqr\n\nThere is an overflow bug in the x64_64 Montgomery squaring procedure used in\nexponentiation with 512-bit moduli. No EC algorithms are affected. Analysis\nsuggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a\nresult of this defect would be very difficult to perform and are not believed\nlikely. Attacks against DH512 are considered just feasible. However, for an\nattack the target would have to re-use the DH512 private key, which is not\nrecommended anyway. Also applications directly using the low level API\nBN_mod_exp may be affected if they use BN_FLG_CONSTTIME.\n\nCVE-2019-1551\n\nReviewed-by: Paul Dale <paul.dale@oracle.com>\nReviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>\n(Merged from openssl/openssl#10574", "commit-id": "8c6f86c7c5350fadf22d32d6cd4712e2ad4447ba", "summary": "Fix an overflow bug in rsaz_512_sqr", "stats": { "insertions": 197, "deletions": 184, "lines": 381, "files": 1 }, "author": "Andy Polyakov", "author-email": "appro@openssl.org", "authored_date": 1575460101, "committed_date": 1575635491, "branches": [ "master" ], "pattern-selected": "(?i)(denial of service |\bXXE\b|remote code execution|\bopen redirect|OSVDB|\bvuln|\bCVE\b |\bXSS\b|\bReDoS\b|\bNVD\b|malicious|x−frame−options|attack|cross site |exploit|malicious|directory traversal |\bRCE\b|\bdos\b|\bXSRF \b|\bXSS\b|clickjack|session.fixation|hijack|\badvisory|\binsecure |security |\bcross−origin\b|unauthori[z|s]ed |infinite loop)", "pattern-matches": [ "attack" ], "cve": [ "CVE-2019-1551" ], "state": "cve-assigned" } The state is also updated to cve-assigned if one or more CVE are present in the commit message.
Fix for CVE-2019-1551, master branch
Checklist