OpenBSD Journal
Errata SECURITY FIX: January 5, 2017
Contributed by grey on Wed Jan 11 10:41:07 2017 (GMT)
from the LibreSSL fixed many of the bugs, let's patch some more! dept.

Avoid possible side-channel leak of ECDSA private keys when signing.

A source code patch exists which remedies this problem:

for 6.0.

for 5.9.

This is related to CVE-2016-7056, "ECDSA P-256 timing attack key recovery (OpenSSL, LibreSSL, BoringSSL)". Additional details can be read here:

Thanks to M:Tier for raising awareness on this patch.



avoid P-256? (mod 3/115)
by Chas on Wed Jan 11 18:36:13 2017 (GMT)

If I never use P-256, and always set either curve = secp384r1 or curve = secp521r1, then I can safely ignore this problem?

DJB only approves of the 521 curve in any case (and I always use it unless I'm dealing with Google Chrome):

To be fair I should mention that there's one standard NIST curve using a nice prime, namely 2^521 - 1; but the sheer size of this prime makes it much slower than NIST P-256.


Copyright © 2004-2008 Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors; submission implies license to publish on this web site.