-
-
Notifications
You must be signed in to change notification settings - Fork 10k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Avoid BN reallocations #7486
Avoid BN reallocations #7486
Conversation
Since it's security related, I assume this should go to 1.1.1. too, right? |
agreed. |
@@ -242,10 +242,11 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, | |||
* conditional copy. | |||
*/ | |||
if (!BN_add(l, k, dsa->q) | |||
|| !BN_add(m, l, dsa->q) | |||
|| !BN_copy(k, BN_num_bits(l) > q_bits ? l : m)) | |||
|| !BN_add(k, l, dsa->q)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These gymnastics are questionably useful (and perhaps even counterproductive) for the same reason as mentioned in #5001 (comment)
For instance, observe that #7487 is correct, but this logic of adjusting the size of k
actually worsens the inversion timing leak because BN_mod_exp_mont
calls a (variable-time) division function on unreduced inputs:
Lines 353 to 357 in f81b043
if (a->neg || BN_ucmp(a, m) >= 0) { | |
if (!BN_nnmod(val[0], a, m, ctx)) | |
goto err; | |
aa = val[0]; | |
} else |
This is analogous to how the ECDSA version of this previously tripped this logic:
openssl/crypto/ec/ecp_nistp256.c
Lines 2122 to 2129 in f81b043
/* | |
* this is an unusual input, and we don't guarantee | |
* constant-timeness | |
*/ | |
if (!BN_nnmod(tmp_scalar, p_scalar, group->order, ctx)) { | |
ECerr(EC_F_EC_GFP_NISTP256_POINTS_MUL, ERR_R_BN_LIB); | |
goto err; | |
} |
The real fix for all of this length-leaking BIGNUM
mess is things along the line of @dot-asm's recent work allowing non-minimal BIGNUM
s in limited situations, or #6640 for the complete fix. With the complete fix, setting up a DSA signing operation becomes much more straightforward:
https://boringssl.googlesource.com/boringssl/+/53d9fdd548fc6cefd76fc685f0c6d185dff4b069/crypto/dsa/dsa.c#886
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree that there is (a lot) of work to be done to the big number implementations and that it is something that we need to do. However, the question for me, at the moment, is if the changes here are better than what was there before. I can't see how they might be worse.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fair enough, but you may wish to leave a comment about the efficacy of this mechanism at the least. The perturbation itself also still isn't constant-time due to BN_add
and the overall bn_correct_top
problem.
(Whether there is any point in this perturbation is... questionable. You may wish to just remove it at this point? The perturbation itself introduces a minor timing leak in itself, introduces another in the inversion, but potentially avoids one in the exponentiation, though one that is already made less likely after 39eeb64. After that commit, the only cases where this helps at all are the cases where everything unavoidably leaks due to bn_correct_top
. That means we're now talk about magnitude of leaks and likelihood of exploitability, rather than the much more robust "constant-time" computing discipline that is usually expected for a crypto library.)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've added a comment referring to here.
e76169a
to
5ce7ae9
Compare
Avoid a timing attack that leaks information via a side channel that triggers when a BN is resized. Increasing the size of the BNs prior to doing anything with them suppresses the attack. Thanks due to Samuel Weiser for finding and locating this.
Preallocate an extra limb for some of the big numbers to avoid a reallocation that can potentially provide a side channel.
5ce7ae9
to
5dcfd18
Compare
Avoid a timing attack that leaks information via a side channel that triggers when a BN is resized. Increasing the size of the BNs prior to doing anything with them suppresses the attack. Thanks due to Samuel Weiser for finding and locating this. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from #7486)
Preallocate an extra limb for some of the big numbers to avoid a reallocation that can potentially provide a side channel. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from #7486)
Avoid a timing attack that leaks information via a side channel that triggers when a BN is resized. Increasing the size of the BNs prior to doing anything with them suppresses the attack. Thanks due to Samuel Weiser for finding and locating this. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from #7486) (cherry picked from commit a9cfb8c)
Avoid a timing attack that leaks information via a side channel that triggers when a BN is resized. Increasing the size of the BNs prior to doing anything with them suppresses the attack. Thanks due to Samuel Weiser for finding and locating this. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from #7486) (cherry picked from commit a9cfb8c)
Merged to master, 1.1.1 and 1.1.0. |
Low severity timing vulnerability in ECDSA signature generation Publicly disclosed but unreleased, pending OpenSSL 1.1.0j Also includes trivial syntax fix from openssl/openssl#7516 Ref: https://www.openssl.org/news/secadv/20181029.txt Ref: openssl/openssl#7486 PR-URL: https://github.com/nodejs/node/pull/??? Upstream: openssl/openssl@99540ec Original commit message: Timing vulnerability in ECDSA signature generation (CVE-2018-0735) Preallocate an extra limb for some of the big numbers to avoid a reallocation that can potentially provide a side channel. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from openssl/openssl#7486)
Low severity timing vulnerability in the DSA signature algorithm Publicly disclosed but unreleased, pending OpenSSL 1.1.0j Ref: openssl/openssl#7486 Ref: https://www.openssl.org/news/secadv/20181030.txt PR-URL: https://github.com/nodejs/node/pull/??? Upstream: openssl/openssl@a9cfb8c2 Original commit message: Avoid a timing attack that leaks information via a side channel that triggers when a BN is resized. Increasing the size of the BNs prior to doing anything with them suppresses the attack. Thanks due to Samuel Weiser for finding and locating this. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from openssl/openssl#7486)
Low severity timing vulnerability in the DSA signature algorithm Publicly disclosed but unreleased, pending OpenSSL 1.1.0j Ref: openssl/openssl#7486 Ref: https://www.openssl.org/news/secadv/20181030.txt PR-URL: https://github.com/nodejs/node/pull/??? Upstream: openssl/openssl@a9cfb8c2 Original commit message: Avoid a timing attack that leaks information via a side channel that triggers when a BN is resized. Increasing the size of the BNs prior to doing anything with them suppresses the attack. Thanks due to Samuel Weiser for finding and locating this. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from openssl/openssl#7486) PR-URL: nodejs#23965 Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
Low severity timing vulnerability in ECDSA signature generation Publicly disclosed but unreleased, pending OpenSSL 1.1.0j Also includes trivial syntax fix from openssl/openssl#7516 Ref: https://www.openssl.org/news/secadv/20181029.txt Ref: openssl/openssl#7486 PR-URL: https://github.com/nodejs/node/pull/??? Upstream: openssl/openssl@99540ec Original commit message: Timing vulnerability in ECDSA signature generation (CVE-2018-0735) Preallocate an extra limb for some of the big numbers to avoid a reallocation that can potentially provide a side channel. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from openssl/openssl#7486) PR-URL: nodejs#23950 Refs: https://www.openssl.org/news/secadv/20181029.txt Refs: openssl/openssl#7486 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: James M Snell <jasnell@gmail.com>
Preallocate an extra limb for some of the big numbers to avoid a reallocation that can potentially provide a side channel. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from openssl#7486)
Low severity timing vulnerability in the DSA signature algorithm Publicly disclosed but unreleased, pending OpenSSL 1.0.2q Ref: openssl/openssl#7486 Ref: openssl/openssl#7513 Ref: https://www.openssl.org/news/secadv/20181030.txt Ref: nodejs#23965 Upstream: openssl/openssl@a9cfb8c2 Upstream: openssl/openssl@43e6a58d Original commit message: Avoid a timing attack that leaks information via a side channel that triggers when a BN is resized. Increasing the size of the BNs prior to doing anything with them suppresses the attack. Thanks due to Samuel Weiser for finding and locating this. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from openssl/openssl#7486) Original backport commit message: Merge DSA reallocation timing fix CVE-2018-0734. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from openssl/openssl#7513)
Low severity timing vulnerability in the DSA signature algorithm Publicly disclosed but unreleased, pending OpenSSL 1.1.0j Ref: openssl/openssl#7486 Ref: https://www.openssl.org/news/secadv/20181030.txt PR-URL: https://github.com/nodejs/node/pull/??? Upstream: openssl/openssl@a9cfb8c2 Original commit message: Avoid a timing attack that leaks information via a side channel that triggers when a BN is resized. Increasing the size of the BNs prior to doing anything with them suppresses the attack. Thanks due to Samuel Weiser for finding and locating this. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from openssl/openssl#7486) PR-URL: #23965 Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
Low severity timing vulnerability in ECDSA signature generation Publicly disclosed but unreleased, pending OpenSSL 1.1.0j Also includes trivial syntax fix from openssl/openssl#7516 Ref: https://www.openssl.org/news/secadv/20181029.txt Ref: openssl/openssl#7486 PR-URL: https://github.com/nodejs/node/pull/??? Upstream: openssl/openssl@99540ec Original commit message: Timing vulnerability in ECDSA signature generation (CVE-2018-0735) Preallocate an extra limb for some of the big numbers to avoid a reallocation that can potentially provide a side channel. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from openssl/openssl#7486) PR-URL: #23950 Refs: https://www.openssl.org/news/secadv/20181029.txt Refs: openssl/openssl#7486 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: James M Snell <jasnell@gmail.com>
The earlier fix -- #4576 -- to avoid side channels in the DSA code was off by one in terms of the size the big numbers were pre-allocated to. In some cases the allocations needed to be increased by one word and this resulted in a timing attack that could potentially leak information. Increasing the size of the BNs prior to doing anything with them should prevent the leak.
A second variable time fix is included which avoids a variable length big number copy in favour of a constant time swap.
Thanks to Samuel Weiser for finding and reporting this.