git.ipfire.org Git - thirdparty/openssl.git/commit

author	Tomas Mraz <tomas@openssl.org>
	Wed, 15 Jan 2025 17:27:02 +0000 (18:27 +0100)
committer	Tomas Mraz <tomas@openssl.org>
	Mon, 20 Jan 2025 08:41:59 +0000 (09:41 +0100)
commit	07272b05b04836a762b4baa874958af51d513844
tree	e986eceb225ffad7f2c34fdd0a67ffbcd09622c4	tree
parent	643de602771f6b38ad7823e26d5a63c669eb185b	commit \| diff

Fix timing side-channel in ECDSA signature computation

There is a timing signal of around 300 nanoseconds when the top word of
the inverted ECDSA nonce value is zero. This can happen with significant
probability only for some of the supported elliptic curves. In particular
the NIST P-521 curve is affected. To be able to measure this leak, the
attacker process must either be located in the same physical computer or
must have a very fast network connection with low latency.

Attacks on ECDSA nonce are also known as Minerva attack.

Fixes CVE-2024-13176

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/26429)

(cherry picked from commit 63c40a66c5dc287485705d06122d3a6e74a6a203)

crypto/bn/bn_exp.c		diff \| blob \| blame \| history
crypto/ec/ec_lib.c		diff \| blob \| blame \| history
include/crypto/bn.h		diff \| blob \| blame \| history