From a private email by Ján Jančár:
It appears nearly all versions of Crypto++ are affected. Based on some research of antique Crypto++, I believe that means Crypto++ 3.2 and forward. Crypto++ 3.2 was released March 20, 2000.
Also posted to the mailing list at ECDSA timing leaks.
Yikes. The finding about sect curves is significant enough, but I'm additionally concerned about this:
To my knowledge, the prime field curves are where ECDSA is more frequently used: for example, the nistp curves are standardized for use in SSH. I am curious about the significance of this "much smaller" leak and what type of addressing it might require.
This is the initial cut-in of complete addition algorithms according to https://eprint.iacr.org/2015/1060.pdf. There are two outstanding problems. First, HMQV and FHMQV are failing self tests. We need to investigate further. Second, we cannot use the new algorithms on paths where a Montgomery representation is used. We need to investigate further. This cut-in will allow us to proceed on evaluating the timing leaks.
This check-in provides the fix for leaks in ECP's Add() and Double(). The fixes were taken from Joost Renes, Craig Costello, and Lejla Batina's [Complete addition formulas for prime order elliptic curves](https://eprint.iacr.org/2015/1060.pdf). The Pull Request includes two additional changes that were related to testing the primary fix. First, an `AuthenticatedKeyAgreementWithRolesValidate` interface was added. It allows us to test key agreement when roles are involved. Roles are "client", "server", "initiator", "recipient", etc. Second, `SetGlobalSeed` was added to `test.cpp` to help with reproducible results. We had code in two different places that set the seed value for the random number generator. But it was sloppy and doing a poor job since results could not be reproduced under some circumstances.
A partial patch is available. The patch was created against the Crypto++ 8.2 and Crypto++ 5.6.4 releases. The patch fixes (1) leak in ECDSA nonce length; and (2) leak in prime fields (ECP class). Prime fields are the important one because they are ubiquitous.
The fix is incomplete because it is missing the fix for (3) leak in binary fields (EC2N class). The fix for (3) should be ready in a couple of weeks. Binary fields are less important because nearly no one (no one?) uses them. They have been discouraged for years.
The patches below were produced with
Partial patch: cve-2019-14318.patch.zip
Script to create patch: cve-2019-14318.sh.zip
Partial patch: cve-2019-14318-CryptoPP564.patch.zip
Source for patch: https://github.com/noloader/cryptopp/tree/cve-2019-14318
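To make the two fixes discussed in this thread concrete, here is an added worked example in Python (not Crypto++ code and not taken from the patches above). It puts the textbook affine addition, whose special cases (P+O, P+P, P+(-P)) are data-dependent branches, beside the complete projective formula from Renes, Costello and Batina (eprint 2015/1060, Algorithm 1, general `a`), which runs the same operation sequence for every input and so removes the branch-shaped leak in `Add()`/`Double()`. It then runs a Montgomery ladder with a fixed iteration count over a scalar padded to a constant bit length (k + n or k + 2n), which is a standard way to stop the nonce's bit length from showing in the scalar-multiplication time; that padding is used here as an illustration of the nonce-length issue, not as a description of what the Crypto++ patch does. The curve y² = x³ + 2x + 2 over F_17, of prime order 19 with generator (5, 1), is a constructed toy so the results can be checked by hand; Python integers are not constant-time, so the code shows the structure of the mitigation rather than a constant-time implementation.

```python
"""Added example: complete short-Weierstrass addition (Renes-Costello-Batina,
eprint 2015/1060, Algorithm 1) next to the branchy affine formulas, plus a
fixed-iteration scalar ladder on a scalar padded to constant bit length.
Constructed toy curve: y^2 = x^3 + 2x + 2 over F_17, prime order 19, so the
complete formulas apply (no points of order 2). Not Crypto++ code."""

P_MOD = 17           # field prime (constructed toy value)
A, B = 2, 2          # curve coefficients
N = 19               # group order, prime
G = (5, 1)           # generator
INF = None           # affine point at infinity


def inv(x):
    return pow(x, -1, P_MOD)


def affine_add(P, Q):
    """Textbook affine addition: every special case is a secret-dependent branch."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:   # P + (-P)
        return INF
    if P == Q:                                 # doubling
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P_MOD
    else:                                      # generic addition
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def to_proj(P):
    return (0, 1, 0) if P is INF else (P[0], P[1], 1)


def to_affine(P):
    X, Y, Z = P
    if Z == 0:
        return INF
    zi = inv(Z)
    return (X * zi % P_MOD, Y * zi % P_MOD)


def complete_add(P, Q):
    """RCB Algorithm 1 (general a, b3 = 3b) on projective (X:Y:Z) points.
    Same multiplications and additions for P+Q, P+P, P+(-P) and P+O."""
    X1, Y1, Z1 = P
    X2, Y2, Z2 = Q
    b3 = 3 * B
    t0, t1, t2 = X1 * X2, Y1 * Y2, Z1 * Z2
    t3 = (X1 + Y1) * (X2 + Y2) - t0 - t1     # X1*Y2 + X2*Y1
    t4 = (X1 + Z1) * (X2 + Z2) - t0 - t2     # X1*Z2 + X2*Z1
    t5 = (Y1 + Z1) * (Y2 + Z2) - t1 - t2     # Y1*Z2 + Y2*Z1
    u = A * t4 + b3 * t2                     # a(X1Z2 + X2Z1) + 3b*Z1Z2
    v = t1 - u                               # Y1Y2 - u
    w = t1 + u                               # Y1Y2 + u
    s = 3 * t0 + A * t2                      # 3*X1X2 + a*Z1Z2
    r = A * (t0 - A * t2) + b3 * t4          # a*X1X2 - a^2*Z1Z2 + 3b(X1Z2 + X2Z1)
    X3 = t3 * v - t5 * r
    Y3 = w * v + s * r
    Z3 = t5 * w + t3 * s
    return (X3 % P_MOD, Y3 % P_MOD, Z3 % P_MOD)


def cswap(swap, P, Q):
    """Arithmetic conditional swap on a 0/1 flag, no branch on the secret bit."""
    mask = -swap                              # 0 or all ones
    d = tuple((p ^ q) & mask for p, q in zip(P, Q))
    return tuple(p ^ di for p, di in zip(P, d)), tuple(q ^ di for q, di in zip(Q, d))


def pad_scalar(k):
    """Return k' = k + N or k + 2N with exactly N.bit_length()+1 bits.
    k'G == kG because NG == O, but bit_length(k') no longer depends on k."""
    kp = k + N
    if kp.bit_length() == N.bit_length():
        kp += N
    return kp


def scalar_mult_ladder(k, P):
    """Montgomery ladder: fixed iteration count over the padded scalar,
    one complete_add and one complete doubling per bit, cswap on the bit."""
    kp = pad_scalar(k)
    nbits = N.bit_length() + 1
    r0, r1 = to_proj(INF), to_proj(P)
    for i in range(nbits - 1, -1, -1):
        bit = (kp >> i) & 1
        r0, r1 = cswap(bit, r0, r1)
        r1 = complete_add(r0, r1)            # r0 + r1
        r0 = complete_add(r0, r0)            # 2*r0, same code path as addition
        r0, r1 = cswap(bit, r0, r1)
    return to_affine(r0)


def multiples(count):
    """kG for k = 0..count-1 via the branchy affine path and the complete path."""
    aff, comp = [INF], [INF]
    proj = to_proj(INF)
    for _ in range(1, count):
        aff.append(affine_add(aff[-1], G))
        proj = complete_add(proj, to_proj(G))
        comp.append(to_affine(proj))
    return aff, comp
```

Running `multiples(20)` walks through G, 2G = (6, 3), ..., 18G = (5, 16) = -G and back to O on both paths without `complete_add` ever inspecting which case it is in; `scalar_mult_ladder` reproduces the same multiples while doing 6 iterations for every k in 0..18, whereas a plain double-and-add over the raw nonce would do between 1 and 5.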