[openssl] master update
Matt Caswell
matt at openssl.org
Wed Jan 20 16:26:34 UTC 2021
The branch master has been updated
via 5b57aa24c35f78cc11aa91586bc8e8826c2ece5a (commit)
from 53d650d1f3b34188a86409def4d086974b301cef (commit)
- Log -----------------------------------------------------------------
commit 5b57aa24c35f78cc11aa91586bc8e8826c2ece5a
Author: Matt Caswell <matt at openssl.org>
Date: Wed Jan 6 17:03:44 2021 +0000
Ensure SRP BN_mod_exp follows the constant time path
SRP_Calc_client_key calls BN_mod_exp with private data. However, it was
not setting BN_FLG_CONSTTIME and therefore not using the constant time
implementation. This could be exploited in a side channel attack to
recover the password.
Since the attack is local host only, this is outside of the current OpenSSL
threat model and therefore no CVE is assigned.
Thanks to Mohammed Sabt and Daniel De Almeida Braga for reporting this
issue.
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13888)
-----------------------------------------------------------------------
Summary of changes:
CHANGES.md | 15 ++++++++++++++-
crypto/srp/srp_lib.c | 11 ++++++++---
2 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/CHANGES.md b/CHANGES.md
index 8ae1c7470a..a298a0590c 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1395,7 +1395,20 @@ OpenSSL 3.0
OpenSSL 1.1.1
-------------
-### Changes between 1.1.1h and 1.1.1i [xx XXX xxxx]
+### Changes between 1.1.1i and 1.1.1j [xx XXX xxxx]
+
+ * Fixed SRP_Calc_client_key so that it uses constant time. The previous
+ implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This
+ could be exploited in a side channel attack to recover the password. Since
+ the attack is local host only this is outside of the current OpenSSL
+ threat model and therefore no CVE is assigned.
+
+ Thanks to Mohammed Sabt and Daniel De Almeida Braga for reporting this
+ issue.
+
+ *Matt Caswell*
+
+### Changes between 1.1.1h and 1.1.1i [8 Dec 2020]
* Fixed NULL pointer deref in the GENERAL_NAME_cmp function
This function could crash if both GENERAL_NAMEs contain an EDIPARTYNAME.
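Review bot: the new entry is placed under the "OpenSSL 1.1.1" section (the hunk header shows the context line "OpenSSL 3.0" immediately preceding it), yet this commit lands on master; confirm whether the 3.0 section should carry a matching entry or whether the 1.1.1 heading is intended to be the single record of this fix. The entry text itself is fine: it names the function, the missing BN_FLG_CONSTTIME, the non-CVE decision and the reporter credit in the same words as the commit message.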
diff --git a/crypto/srp/srp_lib.c b/crypto/srp/srp_lib.c
index 092cc159aa..39113d53ec 100644
--- a/crypto/srp/srp_lib.c
+++ b/crypto/srp/srp_lib.c
@@ -211,6 +211,7 @@ BIGNUM *SRP_Calc_client_key_ex(const BIGNUM *N, const BIGNUM *B, const BIGNUM *g
OSSL_LIB_CTX *libctx, const char *propq)
{
BIGNUM *tmp = NULL, *tmp2 = NULL, *tmp3 = NULL, *k = NULL, *K = NULL;
+ BIGNUM *xtmp = NULL;
BN_CTX *bn_ctx;
if (u == NULL || B == NULL || N == NULL || g == NULL || x == NULL
@@ -219,10 +220,13 @@ BIGNUM *SRP_Calc_client_key_ex(const BIGNUM *N, const BIGNUM *B, const BIGNUM *g
if ((tmp = BN_new()) == NULL ||
(tmp2 = BN_new()) == NULL ||
- (tmp3 = BN_new()) == NULL)
+ (tmp3 = BN_new()) == NULL ||
+ (xtmp = BN_new()) == NULL)
goto err;
- if (!BN_mod_exp(tmp, g, x, N, bn_ctx))
+ BN_with_flags(xtmp, x, BN_FLG_CONSTTIME);
+ BN_set_flags(tmp, BN_FLG_CONSTTIME);
+ if (!BN_mod_exp(tmp, g, xtmp, N, bn_ctx))
goto err;
if ((k = srp_Calc_k(N, g, libctx, propq)) == NULL)
goto err;
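Review bot: the BN_with_flags(xtmp, x, BN_FLG_CONSTTIME) call deserves a short comment on lifetime. BN_with_flags makes xtmp a temporary view over x's digits rather than a copy, so xtmp is valid only while x is and must be released with BN_free, never BN_clear_free (the cleanup hunk does this correctly). The flag that steers BN_mod_exp onto the constant-time path is the one carried by the exponent xtmp; a one-line comment stating what the separate BN_set_flags(tmp, BN_FLG_CONSTTIME) on the result is for would help, since its purpose is not obvious from the call site and a later tidy-up could otherwise remove the wrong line.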
@@ -230,7 +234,7 @@ BIGNUM *SRP_Calc_client_key_ex(const BIGNUM *N, const BIGNUM *B, const BIGNUM *g
goto err;
if (!BN_mod_sub(tmp, B, tmp2, N, bn_ctx))
goto err;
- if (!BN_mul(tmp3, u, x, bn_ctx))
+ if (!BN_mul(tmp3, u, xtmp, bn_ctx))
goto err;
if (!BN_add(tmp2, a, tmp3))
goto err;
@@ -242,6 +246,7 @@ BIGNUM *SRP_Calc_client_key_ex(const BIGNUM *N, const BIGNUM *B, const BIGNUM *g
err:
BN_CTX_free(bn_ctx);
+ BN_free(xtmp);
BN_clear_free(tmp);
BN_clear_free(tmp2);
BN_clear_free(tmp3);
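Review bot: add a comment on the BN_free(xtmp) line explaining why it is not BN_clear_free like the three lines that follow it: xtmp does not own the digits it points at (they belong to the caller's x), so clearing through the view would zero the caller's data. BN_free also tolerates a NULL xtmp on the early error exits taken before it is allocated, so no extra guard is needed.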
More information about the openssl-commits mailing list