]> git.ipfire.org Git - thirdparty/openssl.git/commit
projects / thirdparty / openssl.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 3294dcd) | patch
Fix timing side-channel in ECDSA signature computation
authorTomas Mraz <tomas@openssl.org>
Wed, 15 Jan 2025 17:27:02 +0000 (18:27 +0100)
committerTomas Mraz <tomas@openssl.org>
Mon, 20 Jan 2025 08:30:48 +0000 (09:30 +0100)
commit63c40a66c5dc287485705d06122d3a6e74a6a203
tree68954f97099436f5ea159f1b955adfb19671c659tree
parent3294dcdbc2e3fc1e615b5e8c01813eefaf5a9f6fcommit | diff
Fix timing side-channel in ECDSA signature computation

There is a timing signal of around 300 nanoseconds when the top word of
the inverted ECDSA nonce value is zero. This can happen with significant
probability only for some of the supported elliptic curves. In particular
the NIST P-521 curve is affected. To be able to measure this leak, the
attacker process must either be located in the same physical computer or
must have a very fast network connection with low latency.

Attacks on ECDSA nonce are also known as Minerva attack.

Fixes CVE-2024-13176

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/26429)
crypto/bn/bn_exp.c diff | blob | blame | history
crypto/ec/ec_lib.c diff | blob | blame | history
include/crypto/bn.h diff | blob | blame | history
Mirror of https://github.com/openssl/openssl.git