Skip to content
  1. Jul 03, 2018
  2. Jul 02, 2018
  3. Jul 01, 2018
  4. Jun 29, 2018
  5. Jun 28, 2018
  6. Jun 25, 2018
  7. Jun 24, 2018
  8. Jun 23, 2018
  9. Jun 22, 2018
  10. Jun 21, 2018
  11. Jun 18, 2018
  12. Jun 15, 2018
  13. Jun 13, 2018
    • Matt Caswell's avatar
      Add blinding to an ECDSA signature · 0c27d793
      Matt Caswell authored
      
      
      Keegan Ryan (NCC Group) has demonstrated a side channel attack on an
      ECDSA signature operation. During signing the signer calculates:
      
      s:= k^-1 * (m + r * priv_key) mod order
      
      The addition operation above provides a sufficient signal for a
      flush+reload attack to derive the private key given sufficient signature
      operations.
      
      As a mitigation (based on a suggestion from Keegan) we add blinding to
      the operation so that:
      
      s := k^-1 * blind^-1 (blind * m + blind * r * priv_key) mod order
      
      Since this attack is a localhost side channel only no CVE is assigned.
      
      Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      0c27d793
  14. Jun 12, 2018
  15. Jun 11, 2018
  16. Jun 09, 2018
  17. Jun 08, 2018
  18. Jun 07, 2018
    • Marcus Huewe's avatar
      Do not free a session before calling the remove_session_cb · 6849421c
      Marcus Huewe authored
      If the remove_session_cb accesses the session's data (for instance,
      via SSL_SESSION_get_protocol_version), a potential use after free
      can occur. For this, consider the following scenario when adding
      a new session via SSL_CTX_add_session:
      
      - The session cache is full
        (SSL_CTX_sess_number(ctx) > SSL_CTX_sess_get_cache_size(ctx))
      - Only the session cache has a reference to ctx->session_cache_tail
        (that is, ctx->session_cache_tail->references == 1)
      
      Since the cache is full, remove_session_lock is called to remove
      ctx->session_cache_tail from the cache. That is, it
      SSL_SESSION_free()s the session, which free()s the data. Afterwards,
      the free()d session is passed to the remove_session_cb. If the callback
      accesses the session's data, we have a use after free.
      
      The free before calling the callback behavior was introduced in
      commit e4612d02
      
       ("Remove sessions
      from external cache, even if internal cache not used.").
      
      CLA: trivial
      
      Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/6222)
      
      (cherry picked from commit c0a58e03)
      6849421c
  19. Jun 05, 2018
  20. Jun 02, 2018
  21. May 31, 2018
  22. May 30, 2018
  23. May 29, 2018
  24. May 26, 2018