Fix rsaz 512 overflow bug #10574
Closed
Fix rsaz 512 overflow bug #10574
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. CVE-2019-1551
We have always a carry in %rcx or %rbx in range 0..2 from the previous stage, that is added to the result of the 64-bit square, but the low nibble of any square can only be 0, 1, 4, 9. Therefore one "adcq $0, %rdx" can be removed. Likewise in the ADX code we can remove one "adcx %rbp, $out" since %rbp is always 0, and carry is also zero, therefore that is a no-op.
paulidale
previously approved these changes
Dec 4, 2019
paulidale
added
the
approval: done
This was referenced Dec 4, 2019
|
The first two test vectors were found by the OSS-Fuzz project. |
|
The string from the first test vector was too long to C90. |
|
Hopefully the CI will work now. |
bernd-edlinger
force-pushed
the
fix_rsaz_512_overflow_bug
branch
from
15d92c9
to
6f67704
Compare
|
Travis is still unhappy... |
bernd-edlinger
force-pushed
the
fix_rsaz_512_overflow_bug
branch
from
6f67704
to
08a107e
Compare
[extended tests]
bernd-edlinger
force-pushed
the
fix_rsaz_512_overflow_bug
branch
from
08a107e
to
3e516cd
Compare
paulidale
added
approval: omc review pending
and removed
approval: done
|
Ah sorry, I forgot to push the CHANGES |
paulidale
approved these changes
Dec 5, 2019
paulidale
added
approval: done
openssl-machine
pushed a commit
that referenced
this pull request
Dec 6, 2019
There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. CVE-2019-1551 Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from #10574)
openssl-machine
pushed a commit
that referenced
this pull request
Dec 6, 2019
We have always a carry in %rcx or %rbx in range 0..2 from the previous stage, that is added to the result of the 64-bit square, but the low nibble of any square can only be 0, 1, 4, 9. Therefore one "adcq $0, %rdx" can be removed. Likewise in the ADX code we can remove one "adcx %rbp, $out" since %rbp is always 0, and carry is also zero, therefore that is a no-op. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from #10574)
openssl-machine
pushed a commit
that referenced
this pull request
Dec 6, 2019
[extended tests] Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from #10574)
openssl-machine
pushed a commit
that referenced
this pull request
Dec 6, 2019
Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from #10574)
|
Merged to master, thanks! |
adulau
added a commit
to cve-search/git-vuln-finder
that referenced
this pull request
Dec 17, 2019
If one of more CVE id(s) are found in a commit message, those are added
in the finding output.
Example:
"8c6f86c7c5350fadf22d32d6cd4712e2ad4447ba": {
"message": "Fix an overflow bug in rsaz_512_sqr\n\nThere is an overflow bug in the x64_64 Montgomery squaring procedure used in\nexponentiation with 512-bit moduli. No EC algorithms are affected. Analysis\nsuggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a\nresult of this defect would be very difficult to perform and are not believed\nlikely. Attacks against DH512 are considered just feasible. However, for an\nattack the target would have to re-use the DH512 private key, which is not\nrecommended anyway. Also applications directly using the low level API\nBN_mod_exp may be affected if they use BN_FLG_CONSTTIME.\n\nCVE-2019-1551\n\nReviewed-by: Paul Dale <paul.dale@oracle.com>\nReviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>\n(Merged from openssl/openssl#10574",
"commit-id": "8c6f86c7c5350fadf22d32d6cd4712e2ad4447ba",
"summary": "Fix an overflow bug in rsaz_512_sqr",
"stats": {
"insertions": 197,
"deletions": 184,
"lines": 381,
"files": 1
},
"author": "Andy Polyakov",
"author-email": "appro@openssl.org",
"authored_date": 1575460101,
"committed_date": 1575635491,
"branches": [
"master"
],
"pattern-selected": "(?i)(denial of service |\bXXE\b|remote code execution|\bopen redirect|OSVDB|\bvuln|\bCVE\b |\bXSS\b|\bReDoS\b|\bNVD\b|malicious|x−frame−options|attack|cross site |exploit|malicious|directory traversal |\bRCE\b|\bdos\b|\bXSRF \b|\bXSS\b|clickjack|session.fixation|hijack|\badvisory|\binsecure |security |\bcross−origin\b|unauthori[z|s]ed |infinite loop)",
"pattern-matches": [
"attack"
],
"cve": [
"CVE-2019-1551"
],
"state": "cve-assigned"
}
The state is also updated to cve-assigned if one or more CVE are present
in the commit message.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fix for CVE-2019-1551, master branch
Checklist