diff options
author | Bernd Edlinger <bernd.edlinger@hotmail.de> | 2023-02-13 17:46:41 +0100 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2023-04-04 12:13:27 +0200 |
commit | f06ef1657a3d4322153b26231a7afa3d55724e52 (patch) | |
tree | 837e3d04d5a8a1308ba0248016e62a2b54767def /CHANGES.md | |
parent | 4209ce68d8fe8b1506494efa03d378d05baf9ff8 (diff) | |
download | openssl-f06ef1657a3d4322153b26231a7afa3d55724e52.tar.gz |
Alternative fix for CVE-2022-4304
This is about a timing leak in the topmost limb
of the internal result of RSA_private_decrypt,
before the padding check.
There are in fact at least three bugs together that
caused the timing leak:
First and probably most important is the fact that
the blinding did not use the constant time code path
at all when the RSA object was used for a private
decrypt, due to the fact that the Montgomery context
rsa->_method_mod_n was not set up early enough in
rsa_ossl_private_decrypt, when BN_BLINDING_create_param
needed it, and that was persisted as blinding->m_ctx,
although the RSA object creates the Montgomery context
just a bit later.
Then the infamous bn_correct_top was used on the
secret value right after the blinding was removed.
And finally the function BN_bn2binpad did not use
the constant-time code path since the BN_FLG_CONSTTIME
was not set on the secret value.
In order to address the first problem, this patch
makes sure that the rsa->_method_mod_n is initialized
right before the blinding context.
And to fix the second problem, we add a new utility
function bn_correct_top_consttime, a const-time
variant of bn_correct_top.
Together with the fact, that BN_bn2binpad is already
constant time if the flag BN_FLG_CONSTTIME is set,
this should eliminate the timing oracle completely.
In addition the no-asm variant may also have
branches that depend on secret values, because the last
invocation of bn_sub_words in bn_from_montgomery_word
had branches when the function is compiled by certain
gcc compiler versions, due to the clumsy coding style.
So additionally this patch stream-lined the no-asm
C-code in order to avoid branches where possible and
improve the resulting code quality.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20281)
Diffstat (limited to 'CHANGES.md')
-rw-r--r-- | CHANGES.md | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/CHANGES.md b/CHANGES.md index f1d204b2b4..a067043523 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -25,6 +25,17 @@ OpenSSL 3.2 ### Changes between 3.1 and 3.2 [xx XXX xxxx] + * Reworked the Fix for the Timing Oracle in RSA Decryption ([CVE-2022-4304]). + The previous fix for this timing side channel turned out to cause + a severe 2-3x performance regression in the typical use case + compared to 3.0.7. The new fix uses existing constant time + code paths, and restores the previous performance level while + fully eliminating all existing timing side channels. + The fix was developed by Bernd Edlinger with testing support + by Hubert Kario. + + *Bernd Edlinger* + * Added an "advanced" command mode to s_client. Use this with the "-adv" option. The old "basic" command mode recognises certain letters that must always appear at the start of a line and cannot be escaped. The advanced |