Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAO5O-E+iB2dy2BfQrLmCsNjXnuXjxAToPSETBfrJpe38TF7Dag@mail.gmail.com>
Date: Tue, 20 Mar 2018 22:34:25 +0100
From: Guido Vranken <guidovranken@...il.com>
To: oss-security@...ts.openwall.com
Subject: OpenSSL: bug in modular exponentiation

My bignum fuzzer (https://github.com/guidovranken/bignum-fuzzer)
running on Google's oss-fuzz recently found a bug in affecting
constant-time modular exponentiation.
OpenSSL does not treat this as a security vulnerability. This is a
heads-up to developers who rely on the affected code so they can
review the impact on their applications on a case-by-case basis.

The bug is located in a function written in assembly language and the
bug can only manifest on specific processors, most likely the same as
CVE-2017-3738 (see https://www.openssl.org/news/vulnerabilities.html):

"This only affects processors that support the AVX2 but not ADX
extensions like Intel Haswell (4th generation)"

As far as I know BoringSSL and LibreSSL are not affected.

You can use the PoC below the line to see if your system is affected.

A system that is affected:

$ cat /proc/cpuinfo | grep "avx2\|adx" -o | sort -u
avx2
$ ./a.out
result is 0
result is 179769313486231590772930519078902473361797697894230657273430081157732675805500963132708477322407536021120113879871393357658789768814416622492847430639474124377767893424865485276302219601246094119453082952085005768838150682342462881473913110540827237163350510684586298239947245938479716304835356083471597445343

A system that is not affected:

$ cat /proc/cpuinfo | grep "avx2\|adx" -o | sort -u
adx
avx2
$ ./a.out
result is 0
result is 0

-------------------

#include <openssl/bn.h>

static void do_mod_exp(int consttime)
{
    BIGNUM *res, *A = NULL, *B = NULL, *C = NULL;
    BN_CTX *ctx = BN_CTX_new();
    char* bn_str = NULL;

    res = BN_new();
    BN_dec2bn(&A,
"000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000179769313486231590772930519078902473361797697894230657273430081157732675805500963132708477322407536021120113879871393357658789768814416622492847430639474124377767893424865485276302219601246094119453082952085005768838150682342462881473913110540827237163350510684586298239947245938479716304835356083471597445343");
    BN_dec2bn(&B,
"000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000022222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222");
    BN_dec2bn(&C,
"000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000179769313486231590772930519078902473361797697894230657273430081157732675805500963132708477322407536021120113879871393357658789768814416622492847430639474124377767893424865485276302219601246094119453082952085005768838150682342462881473913110540827237163350510684586298239947245938479716304835356083471597445343");

    if ( consttime ) {
        BN_set_flags(A, BN_FLG_CONSTTIME);
    }
    BN_mod_exp(res, A, B, C, ctx);
    bn_str = BN_bn2dec(res);
    printf("result is %s\n", bn_str);
    OPENSSL_free(bn_str);
    BN_CTX_free(ctx);
    BN_free(A);
    BN_free(B);
    BN_free(C);
}

int main(void)
{
    do_mod_exp(0);
    do_mod_exp(1);
    return 0;
}

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.