Bugzilla – Bug 86410
VUL-0: openssl: patches against CPU hyperthreading timing-attack
Last modified: 2018-06-22 07:44:51 UTC
Hi Peter, and this is the other one. The patches are not public AFAIK. http://www.daemonology.net/hyperthreading-considered-harmful/
From: Mark J Cox <mark@awe.com>
To: vendor-sec@lst.de
Cc: openssl-team@openssl.org
Subject: [vendor-sec] OpenSSL patch to mitigate shared resource timing attacks
Errors-To: vendor-sec-admin@lst.de
Date: Mon, 16 May 2005 09:21:05 +0100 (BST)

[-- Attachment #1 --]
[-- Type: text/PLAIN, Encoding: 7bit, Size: 1,3K --]

I've attached a draft patch from the OpenSSL team which implements constant time exponentiation. This mitigates the timing attacks published last week.

As many of you will want to release updates for OpenSSL once this patch is committed, we're looking for testing or review feedback of this patch by vendors. This isn't a final patch, please don't release updates including it yet, we just need as much testing as possible on this.

Thanks
Mark
--
Mark J Cox ........................................... www.awe.com/mark
Apache Software Foundation ..... OpenSSL Group ..... Apache Week editor

---------- Forwarded message ----------
Here is my version of the patch, respective to OpenSSL 0.9.7 (I have a similar patch for 0.9.8-dev). Changes include:
- some renaming (such as "CONSTTIME" instead of "CONST_TIME" to reduce the number of components in macro names)
- keep the BIGNUMs within an RSA/DSA/DH object constant (set BIGNUM flag locally)
- cleaner handling of the BIGNUM while copying to/from the interleaved precomputed table (required for OpenSSL 0.9.8, which complains if there are leading zeros within the area designated by 'top'; and the previous patch may have been buggy with respect to leading zeros happening by chance that cause 'top' to be less than for the modulus)

Bodo

[-- Attachment #2: patch0515 --]
[-- Type: text/PLAIN, Encoding: 7bit, Size: 34K --]
Created attachment 38361 [details]
patch0515.diff

Unofficial beta patch.
Subject: Re: [vendor-sec] OpenSSL patch to mitigate shared resource timing attacks
From: Alan Cox <alan@lxorguk.ukuu.org.uk>
To: Mark J Cox <mark@awe.com>
Cc: vendor-sec@lst.de, openssl-team@openssl.org
Errors-To: vendor-sec-admin@lst.de
Date: Mon, 16 May 2005 14:00:57 +0100

On Llu, 2005-05-16 at 09:21, Mark J Cox wrote:
> I've attached a draft patch from the OpenSSL team which implements
> constant time exponentiation. This mitigates the timing attacks published
> last week.

Only if you also only touch the same cachelines in both cases. Is that the case? Otherwise you can use the shared cache properties in some HT configurations to knock certain lines out and do timing on some cache lines only.
CAN-2005-0109
Mandrake released a patched package.

Mandriva Linux Security Update Advisory

Package name: openssl
Advisory ID: MDKSA-2005:096
Date: June 6th, 2005
Affected versions: 10.0, 10.1, 10.2, Corporate 3.0, Corporate Server 2.1

Problem Description:
Colin Percival reported a cache timing attack that could be used to allow a malicious local user to gain portions of cryptographic keys (CAN-2005-0109). The OpenSSL library has been patched to add a new fixed-window mod_exp implementation as default for RSA, DSA, and DH private key operations. The patch was designed to mitigate cache timing and possibly related attacks.
Hm, do they have a final patch that we don't have?
Created attachment 38875 [details]
openssl-0.9.7c-can-2005-0109.patch

That is the patch from Mandrake 10.0 openssl-0.9.7c-3.2.100mdk.src.rpm.
CAN-2004-0975 will be fixed with this one too.
Petr, do you think we can use this patch or do you want to wait for a patch from upstream?
Yes, let's wait for upstream. (Nothing new from there.)
No news.
0.9.7h (as released a few days ago) has the fix. + *) Make a new fixed-window mod_exp implementation the default for + RSA, DSA, and DH private-key operations so that the sequence of + squares and multiplies and the memory access pattern are + independent of the particular secret key. This will mitigate + cache-timing and potential related attacks. + + BN_mod_exp_mont_consttime() is the new exponentiation implementation, + and this is automatically used by BN_mod_exp_mont() if the new flag + BN_FLG_EXP_CONSTTIME is set for the exponent. RSA, DSA, and DH + will use this BN flag for private exponents unless the flag + RSA_FLAG_NO_EXP_CONSTTIME, DSA_FLAG_NO_EXP_CONSTTIME, or + DH_FLAG_NO_EXP_CONSTTIME, respectively, is set. + + [Matthew D Wood (Intel Corp), with some changes by Bodo Moeller] +
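As an added illustration, not OpenSSL code and not part of this bug, here is a small Python model of the property the CHANGES entry above describes and that Alan Cox's cacheline question is about: a naive square-and-multiply leaves an operation trace that depends on the exponent bits, while a fixed-window exponentiation that scans the whole precomputed table for every window performs the same squarings, table touches and multiplies for any exponent of the same length. The modulus, base and exponents are constructed sample values.

```python
# Added model of the 0.9.7h change, not OpenSSL code; values are constructed.

def naive_mod_exp(base, exp, mod, trace):
    """Left-to-right square-and-multiply. The multiply runs only for 1 bits,
    so the recorded operation sequence (and its timing) reveals the exponent."""
    r = 1
    for bit in bin(exp)[2:]:
        r = r * r % mod
        trace.append("S")
        if bit == "1":
            r = r * base % mod
            trace.append("M")
    return r

def fixed_window_mod_exp(base, exp, mod, trace, nbits, w=4):
    """Fixed-window exponentiation: w squarings and exactly one multiply per
    window, with the table entry chosen by touching every entry and masking,
    so neither the operation sequence nor the memory access pattern depends
    on the exponent (the property the CHANGES entry describes)."""
    table = [1]
    for _ in range(1, 1 << w):
        table.append(table[-1] * base % mod)
    nwin = -(-nbits // w)                  # ceil(nbits / w) windows
    r = 1
    for i in range(nwin - 1, -1, -1):
        for _ in range(w):
            r = r * r % mod
            trace.append("S")
        d = (exp >> (i * w)) & ((1 << w) - 1)
        sel = 0
        for j, entry in enumerate(table):  # full scan, same touches every window
            mask = -int(j == d)            # -1 (all ones) selects, 0 discards
            sel |= entry & mask
            trace.append("T")
        r = r * sel % mod                  # multiply even when d == 0 (entry is 1)
        trace.append("M")
    return r

def compare_traces(exp_a, exp_b, base=7, mod=65521, nbits=16):
    """Return (naive_traces_equal, fixed_traces_equal, all_results_correct)."""
    na, nb, fa, fb = [], [], [], []
    results = [naive_mod_exp(base, exp_a, mod, na), naive_mod_exp(base, exp_b, mod, nb),
               fixed_window_mod_exp(base, exp_a, mod, fa, nbits),
               fixed_window_mod_exp(base, exp_b, mod, fb, nbits)]
    expected = [pow(base, exp_a, mod), pow(base, exp_b, mod)] * 2
    return na == nb, fa == fb, results == expected

if __name__ == "__main__":
    # constructed 16-bit exponents: all ones vs. only the top and bottom bit set
    print(compare_traces(0xFFFF, 0x8001))   # (False, True, True)
```

The Python masking only models the idea; whether a real implementation keeps the access pattern constant down to the cacheline is a property of the compiled code and its table layout, which is exactly what the reviewers on the list were asking about.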
Good! :)
I had a look at http://cvs.openssl.org/chngview?cn=13344 and it largely applies to 0.9.7[d-g], but there are changes in dh_key.c which depend on earlier and later changes (at least http://cvs.openssl.org/chngview?cn=13126). The patch which Mandrake shipped (attached to this bug) seems to be an interim version of the fix. I discussed it with Marcus and we consider it too risky at the moment to add these changes, in relation to the risk associated with the vulnerability. As the fix has just been released by upstream in 0.9.7h as well as 0.9.8a, it won't have much test coverage yet. For STABLE it is fixed. -> setting to resolved fixed
CVE-2005-0109: CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)