Skip to content

Merge of DSA reallocation fix.#7513

Closed
paulidale wants to merge 1 commit intoopenssl:OpenSSL_1_0_2-stablefrom
paulidale:102-realloc
Closed

Merge of DSA reallocation fix.#7513
paulidale wants to merge 1 commit intoopenssl:OpenSSL_1_0_2-stablefrom
paulidale:102-realloc

Conversation

@paulidale
Copy link
Copy Markdown
Contributor

@paulidale paulidale commented Oct 28, 2018
edited
Loading

Timing vulnerability in DSA signature generation (CVE-2018-0734)

Preallocate two extra limbs for some of the big numbers to avoid a reallocation
that can potentially provide a side channel.

@paulidale paulidale mentioned this pull request Oct 28, 2018
Closed
@rvagg rvagg mentioned this pull request Oct 29, 2018
Closed
levitte
levitte approved these changes Oct 29, 2018
View reviewed changes
Copy link
Copy Markdown
Member

@levitte levitte left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not entirely happy with this direct reach into BIGNUM, but can't currently see a more elegant way.

@bbbrumley
Copy link
Copy Markdown
Contributor

bbbrumley commented Oct 29, 2018

but can't currently see a more elegant way

Maybe I'm slow this morning, but isn't

sizeof(dsa->q->d[0])

the same as

sizeof(BN_ULONG)

@mattcaswell mattcaswell added this to the 1.1.1a milestone Oct 29, 2018
@paulidale
Copy link
Copy Markdown
Contributor Author

paulidale commented Oct 29, 2018

Yes, those two sizeofs are the same.

levitte pushed a commit that referenced this pull request Oct 29, 2018
@paulidale
Merge DSA reallocation timing fix CVE-2018-0734.
43e6a58 
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from #7513)
@paulidale
Copy link
Copy Markdown
Contributor Author

paulidale commented Oct 29, 2018

Merged thanks.

@paulidale paulidale closed this Oct 29, 2018
@paulidale paulidale deleted the 102-realloc branch October 29, 2018 21:25
rvagg added a commit to rvagg/io.js that referenced this pull request Nov 14, 2018
@rvagg
deps: float 43e6a58d from openssl (CVE-2018-0734)
56af407 
Low severity timing vulnerability in the DSA signature algorithm

Publicly disclosed but unreleased, pending OpenSSL 1.0.2q

Ref: openssl/openssl#7486
Ref: openssl/openssl#7513
Ref: https://www.openssl.org/news/secadv/20181030.txt
Ref: nodejs#23965
Upstream: openssl/openssl@a9cfb8c2
Upstream: openssl/openssl@43e6a58d

Original commit message:

    Avoid a timing attack that leaks information via a side channel that
    triggers when a BN is resized.  Increasing the size of the BNs
    prior to doing anything with them suppresses the attack.

    Thanks due to Samuel Weiser for finding and locating this.

    Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
    (Merged from openssl/openssl#7486)

Original backport commit message:

    Merge DSA reallocation timing fix CVE-2018-0734.

    Reviewed-by: Richard Levitte <levitte@openssl.org>
    (Merged from openssl/openssl#7513)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@levitte levitte levitte approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

1.1.1a

Development

Successfully merging this pull request may close these issues.

4 participants

@paulidale @bbbrumley @levitte @mattcaswell