
Conversation

@paulidale paulidale commented Oct 28, 2018

Timing vulnerability in DSA signature generation (CVE-2018-0734)

Preallocate two extra limbs for some of the big numbers to avoid a reallocation
that can potentially provide a side channel.
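As an added illustration (not OpenSSL code and not part of this PR), the toy limb-array number below is modelled on one rule of OpenSSL's big-number addition: the result buffer is grown to one limb more than the larger operand, and growing means allocate, copy and free. Running the pre-fix shape of the nonce step (k + q, then + q again into the same number) with a lazily sized accumulator, the number of buffer growths depends on how many limbs the secret nonce occupies; sizing the accumulator to the modulus width plus two limbs before touching k, as this PR does, makes that count zero for every nonce. The modulus and nonces are constructed values, not real DSA parameters, and `toybn_*` names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy number shaped like a BIGNUM (d, top, dmax); added illustration, not OpenSSL code.
 * `reallocs` counts buffer growth, the event the PR is trying to avoid. */
typedef struct {
    uint64_t *d;   /* limbs, least significant first */
    int top;       /* limbs in use */
    int dmax;      /* limbs allocated */
    int reallocs;  /* times the buffer has grown */
} toybn;

static void toybn_init(toybn *b) { memset(b, 0, sizeof *b); }
static void toybn_free(toybn *b) { free(b->d); memset(b, 0, sizeof *b); }

/* Grow to at least `words` limbs (stand-in for bn_wexpand): allocate, copy, free. */
static int toybn_expand(toybn *b, int words)
{
    uint64_t *nd;
    if (words <= b->dmax)
        return 1;
    nd = calloc((size_t)words, sizeof *nd);
    if (nd == NULL)
        return 0;
    if (b->d != NULL) {
        memcpy(nd, b->d, (size_t)b->top * sizeof *nd);
        free(b->d);
    }
    b->d = nd;
    b->dmax = words;
    b->reallocs++;
    return 1;
}

/* Load a little-endian limb array and normalise `top`. */
static int toybn_set(toybn *b, const uint64_t *limbs, int n)
{
    if (!toybn_expand(b, n))
        return 0;
    memcpy(b->d, limbs, (size_t)n * sizeof *limbs);
    for (b->top = n; b->top > 0 && b->d[b->top - 1] == 0; b->top--)
        ;
    return 1;
}

/* r = a + b. As in BN_uadd, r is first expanded to one limb more than the larger
 * operand, so whether this reallocates depends on the operands' `top`. r may alias a. */
static int toybn_add(toybn *r, const toybn *a, const toybn *b)
{
    int n = a->top > b->top ? a->top : b->top, i;
    uint64_t carry = 0;
    if (!toybn_expand(r, n + 1))
        return 0;
    for (i = 0; i < n; i++) {
        uint64_t x = i < a->top ? a->d[i] : 0;
        uint64_t y = i < b->top ? b->d[i] : 0;
        uint64_t s = x + y, c = s < x;   /* carry out of x + y */
        s += carry;
        c += s < carry;                  /* carry out of adding the incoming carry */
        r->d[i] = s;
        carry = c;
    }
    r->d[n] = carry;
    r->top = carry ? n + 1 : n;
    return 1;
}

/* Pre-fix shape of the nonce step: acc = k + q, then acc = acc + q, into one number.
 * Returns how many times acc's buffer grew while the secret k was being handled.
 * With prealloc set, acc is sized to q_words + 2 limbs from the public q first. */
static int nonce_step_reallocs(const uint64_t *k, int kn,
                               const uint64_t *q, int qn, int prealloc)
{
    toybn bk, bq, acc;
    int n = -1;
    toybn_init(&bk); toybn_init(&bq); toybn_init(&acc);
    if (!toybn_set(&bk, k, kn) || !toybn_set(&bq, q, qn))
        goto done;
    if (prealloc && !toybn_expand(&acc, qn + 2))
        goto done;
    acc.reallocs = 0;   /* sizing from the public modulus is not secret-dependent */
    if (!toybn_add(&acc, &bk, &bq) || !toybn_add(&acc, &acc, &bq))
        goto done;
    n = acc.reallocs;
done:
    toybn_free(&bk); toybn_free(&bq); toybn_free(&acc);
    return n;
}

/* Constructed 192-bit modulus with its top bit set (not a real DSA q) and two nonces below it. */
static const uint64_t Q_DEMO[3]  = { UINT64_MAX, UINT64_MAX, 0x8000000000000000ULL };
static const uint64_t K_SMALL[1] = { 5 };
static const uint64_t K_LARGE[3] = { 1, 0, 0x7FFFFFFFFFFFFFFFULL };

int main(void)
{
    printf("lazy growth:  small k -> %d realloc(s), large k -> %d realloc(s)\n",
           nonce_step_reallocs(K_SMALL, 1, Q_DEMO, 3, 0),
           nonce_step_reallocs(K_LARGE, 3, Q_DEMO, 3, 0));
    printf("preallocated: small k -> %d realloc(s), large k -> %d realloc(s)\n",
           nonce_step_reallocs(K_SMALL, 1, Q_DEMO, 3, 1),
           nonce_step_reallocs(K_LARGE, 3, Q_DEMO, 3, 1));
    return 0;
}
```

The lazy run grows the buffer once for the small nonce and twice for the large one (the first addition carries into a fourth limb, so the second addition needs a fifth), which is exactly the kind of nonce-dependent allocation activity a timing observer can distinguish; the preallocated run never grows it. The count is what matters for the defence, not the arithmetic, which is why the two additions are done unconditionally here as well.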


@levitte levitte left a comment


I'm not entirely happy with this direct reach into BIGNUM, but can't currently see a more elegant way.

@bbbrumley

> but can't currently see a more elegant way

Maybe I'm slow this morning, but isn't

sizeof(dsa->q->d[0])

the same as

sizeof(BN_ULONG)

@mattcaswell mattcaswell added this to the 1.1.1a milestone Oct 29, 2018
@paulidale

Yes, those two sizeofs are the same.

levitte pushed a commit that referenced this pull request Oct 29, 2018
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from #7513)
@paulidale

Merged thanks.

@paulidale paulidale closed this Oct 29, 2018
@paulidale paulidale deleted the 102-realloc branch October 29, 2018 21:25
rvagg added a commit to rvagg/io.js that referenced this pull request Nov 14, 2018
Low severity timing vulnerability in the DSA signature algorithm

Publicly disclosed but unreleased, pending OpenSSL 1.0.2q

Ref: openssl/openssl#7486
Ref: openssl/openssl#7513
Ref: https://www.openssl.org/news/secadv/20181030.txt
Ref: nodejs#23965
Upstream: openssl/openssl@a9cfb8c2
Upstream: openssl/openssl@43e6a58d

Original commit message:

    Avoid a timing attack that leaks information via a side channel that
    triggers when a BN is resized.  Increasing the size of the BNs
    prior to doing anything with them suppresses the attack.

    Thanks due to Samuel Weiser for finding and locating this.

    Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
    (Merged from openssl/openssl#7486)

Original backport commit message:

    Merge DSA reallocation timing fix CVE-2018-0734.

    Reviewed-by: Richard Levitte <levitte@openssl.org>
    (Merged from openssl/openssl#7513)