openbsd/src/lib/libcrypto/ec, branch libressl-v2.9.0 A mirror of https://github.com/libressl/openbsd.git https://git.lua4.win/openbsd/atom?h=libressl-v2.9.0 2018-11-15T05:53:31+00:00 Port OpenSSL commit 99540ec79491f59ed8b46b4edf130e17dc907f52 -- mitigation 2018-11-15T05:53:31+00:00 tb 2018-11-15T05:53:31+00:00 urn:sha1:c68f49c1f250c7a1b71ff7df5f893ece438e0c28 for a timing vullnerability in ECDSA signature generation (CVE-2018-0735). Note that the blinding that we introduced back in June for ECDSA and DSA should mitigate this and related issues. This simply adds an additional layer of protection. discussed with jsing Avoid dereferencing eckey before checking it for NULL. 2018-11-09T23:39:45+00:00 tb 2018-11-09T23:39:45+00:00 urn:sha1:2feae24d2aed9e9b3713ff77dffe7a373ed0039d CID 184282 ok beck jsing mestre unrevert the use of bn_rand_interval(). 2018-11-06T07:02:33+00:00 tb 2018-11-06T07:02:33+00:00 urn:sha1:b1f2fa8da88f8be2fe7d6d9d2b8308537fcfb408 ok beck jsing Unset Z_is_zero after applying coordinate blinding and 2018-11-06T06:59:25+00:00 tb 2018-11-06T06:59:25+00:00 urn:sha1:5733d08d40f3af89bccdede48bc95c6b840c337a re-enable coordinate blinding. ok jsing disable EC_POINT coordinate blinding due to failures in ECDHE and TLS 2018-11-06T02:16:13+00:00 tb 2018-11-06T02:16:13+00:00 urn:sha1:d45a794dee47be1c2775b0914d6db527a52fc805 revert use of bn_rand_interval due to failures with ECDHE and TLS 2018-11-06T02:14:39+00:00 tb 2018-11-06T02:14:39+00:00 urn:sha1:2040275bab908960f255a8c01f793ac41a51b26b Make use of bn_rand_interval() where appropriate. 2018-11-05T23:54:27+00:00 tb 2018-11-05T23:54:27+00:00 urn:sha1:eaddac22ab3166ef515cb4c286c0c3ed322fbe40 ok beck jsing Eliminate a few "} else" branches, a few unneeded NULL checks before 2018-11-05T23:50:05+00:00 tb 2018-11-05T23:50:05+00:00 urn:sha1:8e9f1d9b90e9437962a4af66f58e24dd9fa2c0c7 freeing and indent nearby labels. ok beck jsing Implement coordinate blinding for EC_POINT. 2018-11-05T20:18:21+00:00 tb 2018-11-05T20:18:21+00:00 urn:sha1:ea31526c33ba6c4d95aeecabfffcba9455d6b4de Based on OpenSSL commit 875ba8b21ecc65ad9a6bdc66971e50 by Billy Brumley, Sohaib ul Hassan and Nicola Tuveri. ok beck jsing commit 875ba8b21ecc65ad9a6bdc66971e50461660fcbb Author: Sohaib ul Hassan <soh.19.hassan@gmail.com> Date: Sat Jun 16 17:07:40 2018 +0300 Implement coordinate blinding for EC_POINT This commit implements coordinate blinding, i.e., it randomizes the representative of an elliptic curve point in its equivalence class, for prime curves implemented through EC_GFp_simple_method, EC_GFp_mont_method, and EC_GFp_nist_method. This commit is derived from the patch https://marc.info/?l=openssl-dev&m=131194808413635 by Billy Brumley. Coordinate blinding is a generally useful side-channel countermeasure and is (mostly) free. The function itself takes a few field multiplicationss, but is usually only necessary at the beginning of a scalar multiplication (as implemented in the patch). When used this way, it makes the values that variables take (i.e., field elements in an algorithm state) unpredictable. For instance, this mitigates chosen EC point side-channel attacks for settings such as ECDH and EC private key decryption, for the aforementioned curves. For EC_METHODs using different coordinate representations this commit does nothing, but the corresponding coordinate blinding function can be easily added in the future to extend these changes to such curves. Co-authored-by: Nicola Tuveri <nic.tuv@gmail.com> Co-authored-by: Billy Brumley <bbrumley@gmail.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6526) Tweak comment. 2018-09-01T16:23:15+00:00 tb 2018-09-01T16:23:15+00:00 urn:sha1:b3296b4388f9f4111ae0266a475304f5c5b2c6e5