From 2a3058269d854754b66ef8bdaefb7820bd8c0908 Mon Sep 17 00:00:00 2001
From: Ken Zalewski <ken.zalewski@gmail.com>
Date: Sun, 9 Feb 2025 11:47:12 -0500
Subject: [PATCH] Patch to openssl-1.1.1zb p2.  This version addresses one
 vulnerability:  CVE-2024-13176

---
 CHANGES                    | 25 +++++++++++++++++++++++++
 NEWS                       |  5 +++++
 README                     |  2 +-
 crypto/bn/bn_exp.c         | 21 +++++++++++++++------
 crypto/ec/ec_lib.c         |  6 +++---
 include/crypto/bn.h        |  3 +++
 include/openssl/opensslv.h |  2 +-
 7 files changed, 53 insertions(+), 11 deletions(-)

diff --git a/CHANGES b/CHANGES
index 7d82f7a..66ae239 100644
--- a/CHANGES
+++ b/CHANGES
@@ -7,6 +7,31 @@
  https://github.com/openssl/openssl/commits/ and pick the appropriate
  release branch.
 
+ Changes between 1.1.1zb_p1 and 1.1.1zb_p2 [20 Jan 2025]
+
+ *) Fix timing side-channel in ECDSA signature computation
+
+    There is a timing signal of around 300 nanoseconds when the top word of
+    the inverted ECDSA nonce value is zero. This can happen with significant
+    probability only for some of the supported elliptic curves. In particular
+    the NIST P-521 curve is affected. To be able to measure this leak, the
+    attacker process must either be located in the same physical computer or
+    must have a very fast network connection with low latency.
+
+    Attacks on ECDSA nonce are also known as Minerva attack.
+
+    [CVE-2024-13176]
+    [Tomas Mraz]
+
+
+ Changes between 1.1.1zb and 1.1.1zb_p1 [24 Oct 2024]
+
+ *) Fix the version number for versions that require two letters.
+
+    [V Petrischew]
+    [Ken Zalewski]
+
+
  Changes between 1.1.1za and 1.1.1zb [16 Oct 2024]
 
  *) Harden BN_GF2m_poly2arr against misuse
diff --git a/NEWS b/NEWS
index 7810ece..ab46ab1 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,11 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 1.1.1zb and OpenSSL 1.1.1zb_p2 [20 Jan 2025]
+
+      o Fix version number for versions that require two letters
+      o Fix timing side-channel in ECDSA signature computation
+
   Major changes between OpenSSL 1.1.1za and OpenSSL 1.1.1zb [16 Oct 2024]
 
       o Harden BN_GF2m_poly2arr against misuse
diff --git a/README b/README
index 6612eb0..a02895e 100644
--- a/README
+++ b/README
@@ -1,5 +1,5 @@
 
- OpenSSL 1.1.1zb 16 Oct 2024
+ OpenSSL 1.1.1zb_p2 20 Jan 2025
 
  Copyright (c) 1998-2023 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c
index 517e3c2..0489658 100644
--- a/crypto/bn/bn_exp.c
+++ b/crypto/bn/bn_exp.c
@@ -601,7 +601,7 @@ static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top,
  * out by Colin Percival,
  * http://www.daemonology.net/hyperthreading-considered-harmful/)
  */
-int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
+int bn_mod_exp_mont_fixed_top(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
                               const BIGNUM *m, BN_CTX *ctx,
                               BN_MONT_CTX *in_mont)
 {
@@ -618,10 +618,6 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
     unsigned int t4 = 0;
 #endif
 
-    bn_check_top(a);
-    bn_check_top(p);
-    bn_check_top(m);
-
     if (!BN_is_odd(m)) {
         BNerr(BN_F_BN_MOD_EXP_MONT_CONSTTIME, BN_R_CALLED_WITH_EVEN_MODULUS);
         return 0;
@@ -1141,7 +1137,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
             goto err;
     } else
 #endif
-    if (!BN_from_montgomery(rr, &tmp, mont, ctx))
+    if (!bn_from_mont_fixed_top(rr, &tmp, mont, ctx))
         goto err;
     ret = 1;
  err:
@@ -1155,6 +1151,19 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
     return ret;
 }
 
+int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
+                              const BIGNUM *m, BN_CTX *ctx,
+                              BN_MONT_CTX *in_mont)
+{
+    bn_check_top(a);
+    bn_check_top(p);
+    bn_check_top(m);
+    if (!bn_mod_exp_mont_fixed_top(rr, a, p, m, ctx, in_mont))
+        return 0;
+    bn_correct_top(rr);
+    return 1;
+}
+
 int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p,
                          const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont)
 {
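Review bot: The new public wrapper BN_mod_exp_mont_consttime carries no comment, and the long header comment that used to introduce it (it ends just above the renamed definition in the first bn_exp.c hunk) now sits on bn_mod_exp_mont_fixed_top instead, so nothing tells a reader why the split exists. I would put above the wrapper: `/* Public entry point: validate inputs, run the fixed-top variant (which presumably leaves leading zero limbs in rr so rr->top does not depend on the value), then normalise rr for callers that expect a canonical BIGNUM. */`. It is also worth stating that internal callers needing the un-normalised result must call bn_mod_exp_mont_fixed_top directly, as the ec_lib.c change in this patch does. BN_mod_exp_mont_word's body continues outside the hunk.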
diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
index 08db89f..fef0c2f 100644
--- a/crypto/ec/ec_lib.c
+++ b/crypto/ec/ec_lib.c
@@ -1155,10 +1155,10 @@ static int ec_field_inverse_mod_ord(const EC_GROUP *group, BIGNUM *r,
     if (!BN_sub(e, group->order, e))
         goto err;
     /*-
-     * Exponent e is public.
-     * No need for scatter-gather or BN_FLG_CONSTTIME.
+     * Although the exponent is public we want the result to be
+     * fixed top.
      */
-    if (!BN_mod_exp_mont(r, x, e, group->order, ctx, group->mont_data))
+    if (!bn_mod_exp_mont_fixed_top(r, x, e, group->order, ctx, group->mont_data))
         goto err;
 
     ret = 1;
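Review bot: The replacement comment states that the result must be fixed top but not why, and that "why" is the entire security content of this patch; ec_field_inverse_mod_ord starts before this hunk, so a reader of the function never sees the CVE rationale. I would extend it to something like `Although the exponent is public we want the result to be fixed top: a normalised result whose top limb happens to be zero presumably changes the cost of the following Montgomery operations and leaks that fact through timing (CVE-2024-13176, Minerva).` Since r is now left un-normalised, any later code that reads r->top or compares r directly has to tolerate leading zero limbs; that looks intended here but deserves a sentence in the same comment.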
diff --git a/include/crypto/bn.h b/include/crypto/bn.h
index 250914c..10cfc84 100644
--- a/include/crypto/bn.h
+++ b/include/crypto/bn.h
@@ -72,6 +72,9 @@ int bn_set_words(BIGNUM *a, const BN_ULONG *words, int num_words);
  */
 int bn_mul_mont_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
                           BN_MONT_CTX *mont, BN_CTX *ctx);
+int bn_mode_exp_mont_fixed_top(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
+                               const BIGNUM *m, BN_CTX *ctx,
+                               BN_MONT_CTX *in_mont);
 int bn_to_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
                          BN_CTX *ctx);
 int bn_from_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
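Review bot: The prototype added at the top of this hunk is misspelled: it declares `bn_mode_exp_mont_fixed_top`, while the definition in crypto/bn/bn_exp.c and the call in crypto/ec/ec_lib.c in this same patch both use `bn_mod_exp_mont_fixed_top`. As written the header declares a function that does not exist and ec_lib.c compiles its call against an implicit declaration, which is a warning under C99/GCC but a hard error in C23 or any build using -Werror=implicit-function-declaration, so the security fix can fail to build on stricter toolchains. The first line should read `int bn_mod_exp_mont_fixed_top(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,` with the two continuation lines unchanged. A one-line comment that the result is left fixed-top and that callers must apply bn_correct_top themselves would match the documented neighbours.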
diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h
index ddf42b6..1568415 100644
--- a/include/openssl/opensslv.h
+++ b/include/openssl/opensslv.h
@@ -40,7 +40,7 @@ extern "C" {
  *  major minor fix final patch/beta)
  */
 # define OPENSSL_VERSION_NUMBER  0x101011bfL
-# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1zb  16 Oct 2024"
+# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1z  20 Jan 2025"
 
 /*-
  * The macros below are to be used for shared library (.so, .dll, ...)
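Review bot: The new OPENSSL_VERSION_TEXT reads `OpenSSL 1.1.1z  20 Jan 2025`, dropping the `b` of the 1.1.1zb series and the _p2 suffix, while README in this same patch becomes `OpenSSL 1.1.1zb_p2 20 Jan 2025`, so `openssl version` and anything parsing the text will misreport the release. Unless dropping the letter is deliberate (the zb_p1 CHANGES entry about two-letter version numbers might be related, but nothing here says so), this should be `# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1zb_p2  20 Jan 2025"`. If it is deliberate, a short comment explaining why the text differs from README would spare the next reader the same question.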