Bugzilla – Full Text Bug Listing

| Summary: | VUL-0: openssl: patches against CPU hyperthreading timing-attack | | |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Thomas Biege <thomas> |
| Component: | Incidents | Assignee: | Peter Poeml <poeml> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | | |
| Priority: | P5 - None | CC: | meissner, security-team |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | All | | |
| URL: | http://www.daemonology.net/hyperthreading-considered-harmful/ | | |
| Whiteboard: | CVE-2005-0109: CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C) | | |
| Found By: | Other | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Attachments: | patch0515.diff, openssl-0.9.7c-can-2005-0109.patch | | |
Description
Thomas Biege
2005-05-31 08:57:16 UTC
From: Mark J Cox <mark@awe.com>
To: vendor-sec@lst.de
Cc: openssl-team@openssl.org
Subject: [vendor-sec] OpenSSL patch to mitigate shared resource timing attacks
Errors-To: vendor-sec-admin@lst.de
Date: Mon, 16 May 2005 09:21:05 +0100 (BST)

[-- Anhang #1 --]
[-- Typ: text/PLAIN, Kodierung: 7bit, Größe: 1,3K --]

I've attached a draft patch from the OpenSSL team which implements constant time exponentiation. This mitigates the timing attacks published last week.

As many of you will want to release updates for OpenSSL once this patch is committed, we're looking for testing or review feedback of this patch by vendors. This isn't a final patch, please don't release updates including it yet, we just need as much testing as possible on this.

Thanks
Mark
--
Mark J Cox ........................................... www.awe.com/mark
Apache Software Foundation ..... OpenSSL Group ..... Apache Week editor

---------- Forwarded message ----------

Here is my version of the patch, respective to OpenSSL 0.9.7 (I have a similar patch for 0.9.8-dev). Changes include:

- some renaming (such as "CONSTTIME" instead of "CONST_TIME" to reduce the number of components in macro names)
- keep the BIGNUMs within an RSA/DSA/DH object constant (set BIGNUM flag locally)
- cleaner handling of the BIGNUM while copying to/from the interleaved precomputed table (required for OpenSSL 0.9.8, which complains if there are leading zeros within the area designated by 'top'; and the previous patch may have been buggy with respect to leading zeros happening by chance that cause 'top' to be less than for the modulus)

Bodo

[-- Anhang #2: patch0515 --]
[-- Typ: text/PLAIN, Kodierung: 7bit, Größe: 34K --]

Created attachment 38361 [details]
patch0515.diff
unofficial beta patch
Subject: Re: [vendor-sec] OpenSSL patch to mitigate shared resource timing attacks
From: Alan Cox <alan@lxorguk.ukuu.org.uk>
To: Mark J Cox <mark@awe.com>
Cc: vendor-sec@lst.de, openssl-team@openssl.org
Errors-To: vendor-sec-admin@lst.de
Date: Mon, 16 May 2005 14:00:57 +0100
On Llu, 2005-05-16 at 09:21, Mark J Cox wrote:
> I've attached a draft patch from the OpenSSL team which implements
> constant time exponentiation. This mitigates the timing attacks published
> last week.
Only if you also only touch the same cachelines in both cases. Is that
the case ? Otherwise you can use the shared cache properties in some HT
configurations to do knock certain lines out and do timing on some cache
lines only.
_______________________________________________
CAN-2005-0109 Mandrake released a patched package.
_______________________________________________________________________
Mandriva Linux Security Update Advisory
_______________________________________________________________________
Package name: openssl
Advisory ID: MDKSA-2005:096
Date: June 6th, 2005
Affected versions: 10.0, 10.1, 10.2, Corporate 3.0,
Corporate Server 2.1
______________________________________________________________________
Problem Description:
Colin Percival reported a cache timing attack that could be used to
allow a malicious local user to gain portions of cryptographic keys
(CAN-2005-0109). The OpenSSL library has been patched to add a new
fixed-window mod_exp implementation as default for RSA, DSA, and DH
private key operations. The patch was designed to mitigate cache
timing and possibly related attacks.
_______________________________________________________________________
Hm, do they have a final patch that we don't have?

Created attachment 38875 [details]
openssl-0.9.7c-can-2005-0109.patch

That is the patch from mandrake 10.0 openssl-0.9.7c-3.2.100mdk.src.rpm. CAN-2004-0975 will be fixed with this one too.

Petr, do you think we can use this patch or do you want to wait for a patch from upstream?

Yes, let's wait for upstream.

(Nothing new from there.)

No news.

0.9.7h (as released a few days ago) has the fix.

+ *) Make a new fixed-window mod_exp implementation the default for
+ RSA, DSA, and DH private-key operations so that the sequence of
+ squares and multiplies and the memory access pattern are
+ independent of the particular secret key. This will mitigate
+ cache-timing and potential related attacks.
+
+ BN_mod_exp_mont_consttime() is the new exponentiation implementation,
+ and this is automatically used by BN_mod_exp_mont() if the new flag
+ BN_FLG_EXP_CONSTTIME is set for the exponent. RSA, DSA, and DH
+ will use this BN flag for private exponents unless the flag
+ RSA_FLAG_NO_EXP_CONSTTIME, DSA_FLAG_NO_EXP_CONSTTIME, or
+ DH_FLAG_NO_EXP_CONSTTIME, respectively, is set.
+
+ [Matthew D Wood (Intel Corp), with some changes by Bodo Moeller]
+

Good! :)

I had a look at http://cvs.openssl.org/chngview?cn=13344 and it largely applies to 0.9.7[d-g], but there are changes in dh_key.c which depend on earlier and later changes (at least http://cvs.openssl.org/chngview?cn=13126). The patch which Mandrake shipped (attached to this bug) seems to be an interim version of the fix. I discussed it with Marcus and we consider it too risky at the moment to add these changes, in relation to the risk associated with the vulnerability. As the fix has just been released by upstream in 0.9.7h as well as 0.9.8a, it won't have much test coverage yet.

For STABLE it is fixed. -> setting to resolved fixed

CVE-2005-0109: CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
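An added illustration, written for this page and not taken from OpenSSL, of the property the CHANGES entry above describes: plain square-and-multiply leaves a sequence of operations that depends on the private exponent, while a fixed-window exponentiation performs the same squarings, table touches and multiplication per window for every exponent of a given size. The modulus, exponents and window size are constructed sample values; OpenSSL's BN_mod_exp_mont_consttime() additionally works in Montgomery form and uses an interleaved precomputed table to keep cache-line use key-independent, which the full-table scan here only models.

```python
def naive_mod_exp(base, exp, mod, trace):
    """Left-to-right square-and-multiply: a multiply happens only for 1 bits,
    so the recorded S/M sequence leaks the exponent's bit pattern."""
    result = 1
    for bit in bin(exp)[2:]:
        result = result * result % mod
        trace.append("S")
        if bit == "1":
            result = result * base % mod
            trace.append("M")
    return result

def fixed_window_mod_exp(base, exp, mod, nbits, window, trace):
    """Fixed-window exponentiation over an exponent padded to nbits: every
    window costs `window` squarings, one scan of the whole precomputed table
    (standing in for the fix's interleaved, key-independent table layout)
    and one multiplication, whatever the window's value."""
    table = [1]
    for _ in range(1, 1 << window):
        table.append(table[-1] * base % mod)
    nwin = -(-nbits // window)                  # ceil(nbits / window)
    low_mask = (1 << window) - 1
    result = 1
    for w in range(nwin - 1, -1, -1):
        for _ in range(window):
            result = result * result % mod
            trace.append("S")
        idx = (exp >> (w * window)) & low_mask
        selected = 0
        for i, entry in enumerate(table):       # touch every entry every time
            selected |= entry & -int(i == idx)  # mask select, no data-dependent branch
            trace.append("T%d" % i)
        result = result * selected % mod
        trace.append("M")
    return result

def trace_of(func, base, exp, mod, *extra):
    """Run func, check it against pow(), return the recorded operation trace."""
    trace = []
    assert func(base, exp, mod, *extra, trace) == pow(base, exp, mod)
    return trace

if __name__ == "__main__":
    p = (1 << 61) - 1                           # constructed modulus (Mersenne prime)
    d1, d2 = 0xA5A5A5A5, 0xFFFF0001             # constructed 32-bit "private exponents"
    print(trace_of(naive_mod_exp, 3, d1, p) == trace_of(naive_mod_exp, 3, d2, p))  # False: leaks
    print(trace_of(fixed_window_mod_exp, 3, d1, p, 32, 4)
          == trace_of(fixed_window_mod_exp, 3, d2, p, 32, 4))                     # True
```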