Hi, Given this issue in openssl [0], I think the issue of software errors helping retrieve an RSA key seems less and less foreign. Given its repercussions if such an issue exists (RSA private keys can be retrieved) would it make sense to have a bug fix release with that?
regards, Nikos
[0]. https://blog.fuzzing-project.org/31-Fuzzing-Math-miscalculations-in-OpenSSLs...
Nikos Mavrogiannopoulos n.mavrogiannopoulos@gmail.com writes:
> Given this issue in openssl [0], I think the issue of software errors helping retrieve an RSA key seems less and less foreign. Given its repercussions if such an issue exists (RSA private keys can be retrieved) would it make sense to have a bug fix release with that?
You're absolutely right that release is overdue, we've been talking about it since September at least.
I haven't checked carefully, but I think the main missing piece is documentation for the new functions (I have a patch from you including some docs, but I haven't gotten to that yet, and a bunch of new functions have been added since then).
Anything else?
Regards, /Niels
On Tue, 2015-12-08 at 07:22 +0100, Niels Möller wrote:
Nikos Mavrogiannopoulos n.mavrogiannopoulos@gmail.com writes:
> > Given this issue in openssl [0], I think the issue of software errors helping retrieve an RSA key seems less and less foreign. Given its repercussions if such an issue exists (RSA private keys can be retrieved) would it make sense to have a bug fix release with that?
>
> You're absolutely right that release is overdue, we've been talking about it since September at least.
>
> I haven't checked carefully, but I think the main missing piece is documentation for the new functions (I have a patch from you including some docs, but I haven't gotten to that yet, and a bunch of new functions have been added since then).
>
> Anything else?
The SHA3 fix, but I think that's already in.
regards, Nikos
Nikos Mavrogiannopoulos nmav@gnutls.org writes:
> The SHA3 fix, but I think that's already in.
It is, including some documentation updates.
I also received a report of an ecc secp256r1 miscomputation the other day, which I have been able to reproduce and want to fix.
(And RSA PSS will have to wait until after the release).
Regards, /Niels
nisse@lysator.liu.se (Niels Möller) writes:
> I also received a report of an ecc secp256r1 miscomputation the other day, which I have been able to reproduce and want to fix.
I have fixed two bugs in the 64-bit C implementation of ecc_256_modp and ecc_256_modq, in ecc-256.c. It was carry propagation in unlikely cases not done right. These functions are a bit too hairy for their own good, maybe they ought to be rewritten using a simpler reduction scheme (they're not very performance critical, but they should be kept side-channel silent).
It's not obviously exploitable, in the sense that it makes it easy to get ecdsa_verify to accept forged signatures, but not obvious doesn't imply not possible, of course.
I have let additional mod tests run overnight, and I haven't uncovered any problems in any of the other ecc curves, so the known bugs affect only nettle_secp_256r1.
Regards, /Niels
nettle-bugs@lists.lysator.liu.se
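The carry-propagation bug discussed in the thread is the kind of thing that random testing rarely reaches, because the top carry of a P-256 reduction only hits its extreme values for specially shaped inputs. The following is an added example, not nettle's ecc-256.c and not code from anyone in the thread: it implements the NIST P-256 reduction from FIPS 186-4 D.2.3 with explicit per-word accumulators and a signed carry chain (the shape a C implementation takes), then runs a differential test against Python's big-integer modulo on constructed edge cases and random products. The names (P256, FOLD, solinas_accumulate, p256_reduce, edge_inputs, differential_test, carry_range) and the sample inputs are this example's own.

```python
"""Differential test of a NIST P-256 (secp256r1) modular reduction.

Added example, not nettle code: reduces a 512-bit product with the
FIPS 186-4 D.2.3 term sums, using per-word accumulators and a signed
carry chain as a C implementation would, and checks every result
against Python's big-integer modulo. edge_inputs() holds constructed
values chosen to force the carry/borrow paths.
"""
import random

P256 = 2**256 - 2**224 + 2**192 + 2**96 - 1
MASK32 = 0xFFFFFFFF
# 2^256 mod P256, used to fold the top (signed) carry word back in.
FOLD = 2**224 - 2**192 - 2**96 + 1


def to_words(x, n):
    """Split x into n little-endian 32-bit words."""
    return [(x >> (32 * i)) & MASK32 for i in range(n)]


def from_words(ws):
    """Inverse of to_words."""
    return sum(w << (32 * i) for i, w in enumerate(ws))


def solinas_accumulate(x):
    """Return (low_words, carry) with x == from_words(low_words) + carry*2^256
    (mod P256); carry is a small signed integer in [-4, 6]."""
    assert 0 <= x < 2**512
    c = to_words(x, 16)
    # FIPS 186-4 D.2.3 terms, most-significant word first as in the
    # standard; the first element is the term's coefficient.
    terms = [
        (+1, (c[7], c[6], c[5], c[4], c[3], c[2], c[1], c[0])),        # s1
        (+2, (c[15], c[14], c[13], c[12], c[11], 0, 0, 0)),            # 2*s2
        (+2, (0, c[15], c[14], c[13], c[12], 0, 0, 0)),                # 2*s3
        (+1, (c[15], c[14], 0, 0, 0, c[10], c[9], c[8])),              # s4
        (+1, (c[8], c[13], c[15], c[14], c[13], c[11], c[10], c[9])),  # s5
        (-1, (c[10], c[8], 0, 0, 0, c[13], c[12], c[11])),             # -s6
        (-1, (c[11], c[9], 0, 0, c[15], c[14], c[13], c[12])),         # -s7
        (-1, (c[12], 0, c[10], c[9], c[8], c[15], c[14], c[13])),      # -s8
        (-1, (c[13], 0, c[11], c[10], c[9], 0, c[15], c[14])),         # -s9
    ]
    acc = [0] * 8
    for coef, words in terms:
        for i, w in enumerate(reversed(words)):   # reversed: LS word first
            acc[i] += coef * w
    # Signed carry chain: an arithmetic shift turns a negative accumulator
    # into a borrow, which is the step that is easy to get wrong in C.
    carry = 0
    for i in range(8):
        acc[i] += carry
        carry = acc[i] >> 32
        acc[i] &= MASK32
    return acc, carry


def p256_reduce(x):
    """Reduce 0 <= x < 2^512 modulo P256."""
    low, carry = solinas_accumulate(x)
    r = from_words(low) + carry * FOLD
    # With carry in [-4, 6] and low < 2^256, -P256 < r < 2*P256, so at most
    # one conditional add and one conditional subtract finish the job. A
    # side-channel silent implementation would perform both steps
    # unconditionally with a masked select instead of these branches.
    if r < 0:
        r += P256
    if r >= P256:
        r -= P256
    return r


def edge_inputs():
    """Constructed inputs chosen to drive the top carry to its extremes."""
    ones = MASK32
    yield from (0, 1, P256 - 1, P256, P256 + 1, 2**256 - 1, 2**512 - 1)
    yield (P256 - 1) ** 2                     # largest product of reduced values
    yield from_words([ones] * 8 + [0] * 8)
    yield from_words([0] * 8 + [ones] * 8)    # only the folded words are set
    yield from_words([ones, 0] * 8)
    yield from_words([0, ones] * 8)
    for k in range(2, 8):
        yield from (k * P256 - 1, k * P256, k * P256 + 1)


def mismatches(inputs):
    """Inputs on which p256_reduce disagrees with big-integer modulo."""
    return [x for x in inputs if p256_reduce(x) != x % P256]


def differential_test(n_random=2000, seed=1):
    """Edge cases plus random 512-bit values and random products of two
    field elements; returns the failing inputs (empty on success)."""
    rng = random.Random(seed)
    xs = list(edge_inputs())
    xs += [rng.getrandbits(512) for _ in range(n_random)]
    xs += [rng.randrange(P256) * rng.randrange(P256) for _ in range(n_random)]
    return mismatches(xs)


def carry_range(inputs):
    """(min, max) top carry observed, to see which inputs reach the corners."""
    carries = [solinas_accumulate(x)[1] for x in inputs]
    return min(carries), max(carries)
```

Run `differential_test()` and compare `carry_range(edge_inputs())` with the carry range of random products: the constructed inputs are what exercise the borrow and multi-carry paths, which is why a reduction routine should ship with a fixed corpus of such values rather than relying on random products alone.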