From: Bernd Edlinger
Date: Mon, 3 Nov 2025 13:00:15 +0000 (+0100)
Subject: Document CVE-2021-4160
X-Git-Tag: 3.6-PRE-CLANG-FORMAT-WEBKIT~35
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5b6e0c9eed545bafd33487e26c665f14b8130ed4;p=thirdparty%2Fopenssl.git

Document CVE-2021-4160

This was fixed in openssl 3.0.1 by #17258 and assigned CVE-2021-4160
but unfortunately was not mentioned in the CHANGES and/or NEWS.

Reviewed-by: Paul Yang
Reviewed-by: Dmitry Belyavskiy
Reviewed-by: Tom Cosgrove
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/29051)

(cherry picked from commit 134f17d526a5d0a9fbd66adf85e53df8a764a2ff)
---
diff --git a/CHANGES.md b/CHANGES.md
index e0b6a2fbdcf..487f3cd1c16 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -2560,6 +2560,24 @@ breaking changes, and mappings for the large list of deprecated functions. ### Changes between 3.0.0 and 3.0.1 [14 Dec 2021] + * Fixed carry bug in BN_mod_exp which may produce incorrect results on MIPS + squaring procedure. Many EC algorithms are affected, including some of the + TLS 1.3 default curves. Impact was not analyzed in detail, because the + pre-requisites for attack are considered unlikely and include reusing + private keys. Analysis suggests that attacks against RSA and DSA as a result + of this defect would be very difficult to perform and are not believed + likely. Attacks against DH are considered just feasible (although very + difficult) because most of the work necessary to deduce information about + a private key may be performed offline. + The amount of resources required for such an attack would be significant. + However, for an attack on TLS to be meaningful, the server would have + to share the DH private key among multiple clients, which is no longer + an option since CVE-2016-0701. + The issue only affects OpenSSL on MIPS platforms. + ([CVE-2021-4160]) + + *Bernd Edlinger* + * Fixed invalid handling of X509_verify_cert() internal errors in libssl Internally libssl in OpenSSL calls X509_verify_cert() on the client side to verify a certificate supplied by a server. That function may return a diff --git a/NEWS.md b/NEWS.md index 7df20518880..4b26739d3d9 100644 --- a/NEWS.md +++ b/NEWS.md @@ -618,6 +618,8 @@ OpenSSL 3.0 ### Major changes between OpenSSL 3.0.0 and OpenSSL 3.0.1 [14 Dec 2021] + * Fixed carry bug in BN_mod_exp which may produce incorrect results on MIPS + ([CVE-2021-4160]) * Fixed invalid handling of X509_verify_cert() internal errors in libssl ([CVE-2021-4044]) * Allow fetching an operation from the provider that owns an unexportable key
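Review bot: the opening sentence of the new CHANGES.md entry, "Fixed carry bug in BN_mod_exp which may produce incorrect results on MIPS squaring procedure", places the defect in the wrong component and is missing an article: the carry bug is in the squaring procedure, and BN_mod_exp is merely where the incorrect result surfaces. Suggest "Fixed a carry bug in the MIPS squaring procedure which may cause BN_mod_exp to produce incorrect results." Separately, `([CVE-2021-4160])` is written as a reference-style link in the same way as `([CVE-2021-4044])` in the entry below it, but this hunk adds no link definition; unless the links section at the end of CHANGES.md already defines `[CVE-2021-4160]`, the identifier will render as literal bracketed text, so add a definition there following the pattern of the neighbouring CVE entries.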
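Review bot: the NEWS.md one-liner, "Fixed carry bug in BN_mod_exp which may produce incorrect results on MIPS", drops "squaring procedure" from the CHANGES.md wording, so the two files now describe the defect slightly differently. Keep them in sync, and give "carry bug" its article, by using the same sentence in both, e.g. "Fixed a carry bug in the MIPS squaring procedure which may cause BN_mod_exp to produce incorrect results". As in CHANGES.md, the `[CVE-2021-4160]` reference-style link added here has no accompanying definition in the hunk, so check that the links section of NEWS.md resolves it.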