Avoid BN reallocations #7486
Closed
Avoid BN reallocations #7486
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
bernd-edlinger
approved these changes
Oct 25, 2018
|
Since it's security related, I assume this should go to 1.1.1. too, right? |
|
agreed. |
kroeckx
reviewed
Oct 25, 2018
mspncp
added
branch: master
davidben
reviewed
Oct 25, 2018
| @@ -242,10 +242,11 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, | |||
| * conditional copy. | |||
| */ | |||
| if (!BN_add(l, k, dsa->q) | |||
| || !BN_add(m, l, dsa->q) | |||
| || !BN_copy(k, BN_num_bits(l) > q_bits ? l : m)) | |||
| || !BN_add(k, l, dsa->q)) | |||
There was a problem hiding this comment.
These gymnastics are questionably useful (and perhaps even counterproductive) for the same reason as mentioned in #5001 (comment)
For instance, observe that #7487 is correct, but this logic of adjusting the size of k actually worsens the inversion timing leak because BN_mod_exp_mont calls a (variable-time) division function on unreduced inputs:
Lines 353 to 357 in f81b043
This is analogous to how the ECDSA version of this previously tripped this logic:
openssl/crypto/ec/ecp_nistp256.c
Lines 2122 to 2129 in f81b043
The real fix for all of this length-leaking BIGNUM mess is things along the line of @dot-asm's recent work allowing non-minimal BIGNUMs in limited situations, or #6640 for the complete fix. With the complete fix, setting up a DSA signing operation becomes much more straightforward:
https://boringssl.googlesource.com/boringssl/+/53d9fdd548fc6cefd76fc685f0c6d185dff4b069/crypto/dsa/dsa.c#886
There was a problem hiding this comment.
I agree that there is (a lot) of work to be done to the big number implementations and that it is something that we need to do. However, the question for me, at the moment, is if the changes here are better than what was there before. I can't see how they might be worse.
There was a problem hiding this comment.
Fair enough, but you may wish to leave a comment about the efficacy of this mechanism at the least. The perturbation itself also still isn't constant-time due to BN_add and the overall bn_correct_top problem.
(Whether there is any point in this perturbation is... questionable. You may wish to just remove it at this point? The perturbation itself introduces a minor timing leak in itself, introduces another in the inversion, but potentially avoids one in the exponentiation, though one that is already made less likely after 39eeb64. After that commit, the only cases where this helps at all are the cases where everything unavoidably leaks due to bn_correct_top. That means we're now talk about magnitude of leaks and likelihood of exploitability, rather than the much more robust "constant-time" computing discipline that is usually expected for a crypto library.)
There was a problem hiding this comment.
I've added a comment referring to here.
paulidale
force-pushed
the
dsa-realloc
branch
2 times, most recently
from
e76169a
to
5ce7ae9
Compare
Avoid a timing attack that leaks information via a side channel that triggers when a BN is resized. Increasing the size of the BNs prior to doing anything with them suppresses the attack. Thanks due to Samuel Weiser for finding and locating this.
Preallocate an extra limb for some of the big numbers to avoid a reallocation that can potentially provide a side channel.
paulidale
force-pushed
the
dsa-realloc
branch
from
5ce7ae9
to
5dcfd18
Compare
levitte
pushed a commit
that referenced
this pull request
Oct 28, 2018
Avoid a timing attack that leaks information via a side channel that triggers when a BN is resized. Increasing the size of the BNs prior to doing anything with them suppresses the attack. Thanks due to Samuel Weiser for finding and locating this. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from #7486)
levitte
pushed a commit
that referenced
this pull request
Oct 28, 2018
Preallocate an extra limb for some of the big numbers to avoid a reallocation that can potentially provide a side channel. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from #7486)
levitte
pushed a commit
that referenced
this pull request
Oct 28, 2018
Avoid a timing attack that leaks information via a side channel that triggers when a BN is resized. Increasing the size of the BNs prior to doing anything with them suppresses the attack. Thanks due to Samuel Weiser for finding and locating this. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from #7486) (cherry picked from commit a9cfb8c)
levitte
pushed a commit
that referenced
this pull request
Oct 28, 2018
Avoid a timing attack that leaks information via a side channel that triggers when a BN is resized. Increasing the size of the BNs prior to doing anything with them suppresses the attack. Thanks due to Samuel Weiser for finding and locating this. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from #7486) (cherry picked from commit a9cfb8c)
|
Merged to master, 1.1.1 and 1.1.0. |
rvagg
added a commit
to rvagg/io.js
that referenced
this pull request
Oct 29, 2018
Low severity timing vulnerability in ECDSA signature generation Publicly disclosed but unreleased, pending OpenSSL 1.1.0j Also includes trivial syntax fix from openssl/openssl#7516 Ref: https://www.openssl.org/news/secadv/20181029.txt Ref: openssl/openssl#7486 PR-URL: https://github.com/nodejs/node/pull/??? Upstream: openssl/openssl@99540ec Original commit message: Timing vulnerability in ECDSA signature generation (CVE-2018-0735) Preallocate an extra limb for some of the big numbers to avoid a reallocation that can potentially provide a side channel. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from openssl/openssl#7486)
rvagg
added a commit
to rvagg/io.js
that referenced
this pull request
Oct 30, 2018
Low severity timing vulnerability in the DSA signature algorithm Publicly disclosed but unreleased, pending OpenSSL 1.1.0j Ref: openssl/openssl#7486 Ref: https://www.openssl.org/news/secadv/20181030.txt PR-URL: https://github.com/nodejs/node/pull/??? Upstream: openssl/openssl@a9cfb8c2 Original commit message: Avoid a timing attack that leaks information via a side channel that triggers when a BN is resized. Increasing the size of the BNs prior to doing anything with them suppresses the attack. Thanks due to Samuel Weiser for finding and locating this. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from openssl/openssl#7486)
Trott
pushed a commit
to Trott/io.js
that referenced
this pull request
Nov 4, 2018
Low severity timing vulnerability in the DSA signature algorithm Publicly disclosed but unreleased, pending OpenSSL 1.1.0j Ref: openssl/openssl#7486 Ref: https://www.openssl.org/news/secadv/20181030.txt PR-URL: https://github.com/nodejs/node/pull/??? Upstream: openssl/openssl@a9cfb8c2 Original commit message: Avoid a timing attack that leaks information via a side channel that triggers when a BN is resized. Increasing the size of the BNs prior to doing anything with them suppresses the attack. Thanks due to Samuel Weiser for finding and locating this. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from openssl/openssl#7486) PR-URL: nodejs#23965 Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
Trott
pushed a commit
to Trott/io.js
that referenced
this pull request
Nov 4, 2018
Low severity timing vulnerability in ECDSA signature generation Publicly disclosed but unreleased, pending OpenSSL 1.1.0j Also includes trivial syntax fix from openssl/openssl#7516 Ref: https://www.openssl.org/news/secadv/20181029.txt Ref: openssl/openssl#7486 PR-URL: https://github.com/nodejs/node/pull/??? Upstream: openssl/openssl@99540ec Original commit message: Timing vulnerability in ECDSA signature generation (CVE-2018-0735) Preallocate an extra limb for some of the big numbers to avoid a reallocation that can potentially provide a side channel. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from openssl/openssl#7486) PR-URL: nodejs#23950 Refs: https://www.openssl.org/news/secadv/20181029.txt Refs: openssl/openssl#7486 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: James M Snell <jasnell@gmail.com>
bbbrumley
pushed a commit
to bbbrumley/openssl
that referenced
this pull request
Nov 11, 2018
Preallocate an extra limb for some of the big numbers to avoid a reallocation that can potentially provide a side channel. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from openssl#7486)
rvagg
added a commit
to rvagg/io.js
that referenced
this pull request
Nov 14, 2018
Low severity timing vulnerability in the DSA signature algorithm Publicly disclosed but unreleased, pending OpenSSL 1.0.2q Ref: openssl/openssl#7486 Ref: openssl/openssl#7513 Ref: https://www.openssl.org/news/secadv/20181030.txt Ref: nodejs#23965 Upstream: openssl/openssl@a9cfb8c2 Upstream: openssl/openssl@43e6a58d Original commit message: Avoid a timing attack that leaks information via a side channel that triggers when a BN is resized. Increasing the size of the BNs prior to doing anything with them suppresses the attack. Thanks due to Samuel Weiser for finding and locating this. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from openssl/openssl#7486) Original backport commit message: Merge DSA reallocation timing fix CVE-2018-0734. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from openssl/openssl#7513)
BridgeAR
pushed a commit
to nodejs/node
that referenced
this pull request
Nov 14, 2018
Low severity timing vulnerability in the DSA signature algorithm Publicly disclosed but unreleased, pending OpenSSL 1.1.0j Ref: openssl/openssl#7486 Ref: https://www.openssl.org/news/secadv/20181030.txt PR-URL: https://github.com/nodejs/node/pull/??? Upstream: openssl/openssl@a9cfb8c2 Original commit message: Avoid a timing attack that leaks information via a side channel that triggers when a BN is resized. Increasing the size of the BNs prior to doing anything with them suppresses the attack. Thanks due to Samuel Weiser for finding and locating this. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from openssl/openssl#7486) PR-URL: #23965 Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
BridgeAR
pushed a commit
to nodejs/node
that referenced
this pull request
Nov 14, 2018
Low severity timing vulnerability in ECDSA signature generation Publicly disclosed but unreleased, pending OpenSSL 1.1.0j Also includes trivial syntax fix from openssl/openssl#7516 Ref: https://www.openssl.org/news/secadv/20181029.txt Ref: openssl/openssl#7486 PR-URL: https://github.com/nodejs/node/pull/??? Upstream: openssl/openssl@99540ec Original commit message: Timing vulnerability in ECDSA signature generation (CVE-2018-0735) Preallocate an extra limb for some of the big numbers to avoid a reallocation that can potentially provide a side channel. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from openssl/openssl#7486) PR-URL: #23950 Refs: https://www.openssl.org/news/secadv/20181029.txt Refs: openssl/openssl#7486 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: James M Snell <jasnell@gmail.com>
Closed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The earlier fix -- #4576 -- to avoid side channels in the DSA code was off by one in terms of the size the big numbers were pre-allocated to. In some cases the allocations needed to be increased by one word and this resulted in a timing attack that could potentially leak information. Increasing the size of the BNs prior to doing anything with them should prevent the leak.
A second variable time fix is included which avoids a variable length big number copy in favour of a constant time swap.
Thanks to Samuel Weiser for finding and reporting this.