oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: BoringSSL private key loading is not constant time

From: Alex Gaynor <alex.gaynor () gmail com>
Date: Tue, 14 Oct 2025 19:18:05 -0400
Hey Hanno,

My understanding is that historically OpenSSL may have had this bug,
though I'm sure it's not alone. (We almost introduced this bug into
pyca/cryptography, but caught it before releasing.)

I think for pyca/cryptography we'd also be quite interested in
emitting a warning for this case:
https://github.com/pyca/cryptography/issues/13672

Alex

On Tue, Oct 14, 2025 at 7:11 PM Hanno Böck <hanno () hboeck de> wrote:


Hi David,

Thanks for the explanation. At least for me, this is different from how
I initially interpreted this issue.

It would appear that the ideal solution would be to phaseout such
malencoded EC keys. Do you have any idea how prevalent they are, and
which implementations created them?

I wonder if there are steps that can be done to get to a deprecation.

Applications could emit warnings when loading such keys, and APIs could
provide an optional flag that rejects them if application programmers
want that. That could lead to a detection of existing such keys and
ideally remaining implementations creating them would be recognized
and fixed. Possibly, this could allow deprecation in a few years.

Any thoughts on that? Any implementors of EC key using software that
might want to go in that direction?


--
Hanno Böck
https://hboeck.de/




-- 
All that is necessary for evil to succeed is for good people to do nothing.
Previous By Date Next
Previous By Thread Next

Current thread: