OpenBSD Journal

Errata SECURITY FIX: January 5, 2017

Contributed by grey on from the LibreSSL fixed many of the bugs, let's patch some more! dept.

Avoid possible side-channel leak of ECDSA private keys when signing.

A source code patch exists which remedies this problem:

for 6.0.

for 5.9

This is related to CVE-2016-7056 "ECDSA P-256 timing attack key recovery (OpenSSL, LibreSSL, BoringSSL)" Additional details can be read here: http://seclists.org/oss-sec/2017/q1/52

Thanks to M:Tier https://stable.mtier.org for raising awareness on this patch.

(Comments are closed)


  1. By Chas (142.79.57.1) on

    If I never use P-256, and always set either curve = secp384r1 or curve = secp521r1, then I can safely ignore this problem?

    DJB only approves of the 521 curve in any case (and I always use it unless I'm dealing with Google Chrome):

    To be fair I should mention that there's one standard NIST curve using a nice prime, namely 2^521 - 1; but the sheer size of this prime makes it much slower than NIST P-256.

    1. By Chas (142.79.57.1) on

      If you append the following output after the cert in your .pem file, you will force most (capable) OpenSSL implementations to use the 521 curve:

       

      $ openssl ecparam -list_curves
      
        secp384r1 : NIST/SECG curve over a 384 bit prime field
        secp521r1 : NIST/SECG curve over a 521 bit prime field
        prime256v1: X9.62/SECG curve over a 256 bit prime field
      
      $ openssl ecparam -name secp521r1
      
      -----BEGIN EC PARAMETERS-----
      BgUrgQQAIw==
      -----END EC PARAMETERS-----

      The curves above come from Oracle(RedHat) Linux 7.3 - supposedly this functionality was added to OpenSSL by Sun, who was very careful to avoid a number of patents in this implementation. I'm assuming that LibreSSL inherits that code.

      You can check the curve that a remote TLS server is using with s_client:

       

      $ openssl s_client -connect your.server.com:443
      
      ...
      Server Temp Key: ECDH, secp521r1, 521 bits
      ...

      Unlike Firefox, Google Chrome does not support the 521 curve, and will fall back to rsa+aes without forward secrecy. The ssllabs scanner will show what curves a browser supports.

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]