Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openssl-3 for openSUSE:Factory checked in at 2025-01-25 19:09:48 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/openssl-3 (Old) and /work/SRC/openSUSE:Factory/.openssl-3.new.2316 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssl-3" Sat Jan 25 19:09:48 2025 rev:36 rq:1240110 version:3.2.3 Changes: -------- --- /work/SRC/openSUSE:Factory/openssl-3/openssl-3.changes 2025-01-05 15:27:01.895336080 +0100 +++ /work/SRC/openSUSE:Factory/.openssl-3.new.2316/openssl-3.changes 2025-01-25 19:09:52.626254915 +0100 @@ -1,0 +2,6 @@ +Wed Jan 22 13:15:51 UTC 2025 - Lucas Mulling <lucas.mull...@suse.com> + +- bsc#1236136 CVE-2024-13176: Fix timing side-channel in ECDSA signature computation + * Add patch openssl-CVE-2024-13176.patch + +------------------------------------------------------------------- New: ---- openssl-CVE-2024-13176.patch BETA DEBUG BEGIN: New:- bsc#1236136 CVE-2024-13176: Fix timing side-channel in ECDSA signature computation * Add patch openssl-CVE-2024-13176.patch BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openssl-3.spec ++++++ --- /var/tmp/diff_new_pack.AZB3iH/_old 2025-01-25 19:09:53.958309398 +0100 +++ /var/tmp/diff_new_pack.AZB3iH/_new 2025-01-25 19:09:53.962309562 +0100 @@ -144,6 +144,8 @@ # PATCH-FIX-UPSTREAM: Fix failing tests on ppc64 jsc#PED-10280 Patch65: openssl-3-fix-sha3-squeeze-ppc64.patch Patch66: openssl-3-fix-quic_multistream_test.patch +# PATCH-FIX-UPSTREAM: bsc#1236136 CVE-2024-13176: Fix timing side-channel in ECDSA signature computation +Patch67: openssl-CVE-2024-13176.patch BuildRequires: pkgconfig ++++++ openssl-CVE-2024-13176.patch ++++++ >From 4b1cb94a734a7d4ec363ac0a215a25c181e11f65 Mon Sep 17 00:00:00 2001 From: Tomas Mraz <to...@openssl.org> Date: Wed, 15 Jan 2025 18:27:02 +0100 Subject: [PATCH] Fix timing side-channel in ECDSA signature computation There is a timing signal of around 300 nanoseconds when the top word of the inverted ECDSA nonce value is zero. This can happen with significant probability only for some of the supported elliptic curves. In particular the NIST P-521 curve is affected. To be able to measure this leak, the attacker process must either be located in the same physical computer or must have a very fast network connection with low latency. Attacks on ECDSA nonce are also known as Minerva attack. Fixes CVE-2024-13176 Reviewed-by: Tim Hudson <t...@openssl.org> Reviewed-by: Neil Horman <nhor...@openssl.org> Reviewed-by: Paul Dale <ppz...@gmail.com> (Merged from https://github.com/openssl/openssl/pull/26429) (cherry picked from commit 63c40a66c5dc287485705d06122d3a6e74a6a203) (cherry picked from commit 392dcb336405a0c94486aa6655057f59fd3a0902) --- crypto/bn/bn_exp.c | 21 +++++++++++++++------ crypto/ec/ec_lib.c | 7 ++++--- include/crypto/bn.h | 3 +++ 3 files changed, 22 insertions(+), 9 deletions(-) diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c index b876edbfac36e..af52e2ced6914 100644 --- a/crypto/bn/bn_exp.c +++ b/crypto/bn/bn_exp.c @@ -606,7 +606,7 @@ static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top, * out by Colin Percival, * http://www.daemonology.net/hyperthreading-considered-harmful/) */ -int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, +int bn_mod_exp_mont_fixed_top(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont) { @@ -623,10 +623,6 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, unsigned int t4 = 0; #endif - bn_check_top(a); - bn_check_top(p); - bn_check_top(m); - if (!BN_is_odd(m)) { ERR_raise(ERR_LIB_BN, BN_R_CALLED_WITH_EVEN_MODULUS); return 0; @@ -1146,7 +1142,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, goto err; } else #endif - if (!BN_from_montgomery(rr, &tmp, mont, ctx)) + if (!bn_from_mont_fixed_top(rr, &tmp, mont, ctx)) goto err; ret = 1; err: @@ -1160,6 +1156,19 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, return ret; } +int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, + const BIGNUM *m, BN_CTX *ctx, + BN_MONT_CTX *in_mont) +{ + bn_check_top(a); + bn_check_top(p); + bn_check_top(m); + if (!bn_mod_exp_mont_fixed_top(rr, a, p, m, ctx, in_mont)) + return 0; + bn_correct_top(rr); + return 1; +} + int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont) { diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c index c92b4dcb0ac45..a79fbb98cf6fa 100644 --- a/crypto/ec/ec_lib.c +++ b/crypto/ec/ec_lib.c @@ -21,6 +21,7 @@ #include <openssl/opensslv.h> #include <openssl/param_build.h> #include "crypto/ec.h" +#include "crypto/bn.h" #include "internal/nelem.h" #include "ec_local.h" @@ -1261,10 +1262,10 @@ static int ec_field_inverse_mod_ord(const EC_GROUP *group, BIGNUM *r, if (!BN_sub(e, group->order, e)) goto err; /*- - * Exponent e is public. - * No need for scatter-gather or BN_FLG_CONSTTIME. + * Although the exponent is public we want the result to be + * fixed top. */ - if (!BN_mod_exp_mont(r, x, e, group->order, ctx, group->mont_data)) + if (!bn_mod_exp_mont_fixed_top(r, x, e, group->order, ctx, group->mont_data)) goto err; ret = 1; diff --git a/include/crypto/bn.h b/include/crypto/bn.h index 302f031c2ff1d..499e1d10efab0 100644 --- a/include/crypto/bn.h +++ b/include/crypto/bn.h @@ -73,6 +73,9 @@ int bn_set_words(BIGNUM *a, const BN_ULONG *words, int num_words); */ int bn_mul_mont_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_MONT_CTX *mont, BN_CTX *ctx); +int bn_mod_exp_mont_fixed_top(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, + const BIGNUM *m, BN_CTX *ctx, + BN_MONT_CTX *in_mont); int bn_to_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont, BN_CTX *ctx); int bn_from_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
