OpenSSL have published a security advisory. Here's how it affects BoringSSL:

| CVE | Summary | Severity in OpenSSL | Impact to BoringSSL |
|---|---|---|---|
| CVE-2024-13176 | Timing side-channel in ECDSA signature computation | Low | Not affected; already fixed in November 2017 |

CVE-2024-13176 is a timing leak of the ECDSA nonce during signing. The ECDSA nonce is very sensitive and even a small leak can lead to leaking the private key. The leak comes from OpenSSL's use of a big integer type that canonicalizes away leading zeros in its in-memory representation. Because the work done then depends on the stored length, this leaks the number of leading zeros of several intermediate values in the computation.
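To make the mechanism concrete, here is an added toy model in C of the two representations described above. It is not BoringSSL or OpenSSL code, and the `u256`, `bitlen_result`, `num_bits_vartime` and `num_bits_consttime` names are invented for the illustration. It computes the bit length of a 256-bit scalar (the width of a P-256 nonce) in two ways: once in the style of a canonicalizing big-integer library, which first shrinks the effective length past zero limbs and then walks the remaining bits, and once in fixed width with masks instead of data-dependent branches. Each call reports how many inner-loop steps it took, which stands in for elapsed time; the sample scalars are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustration only, not BoringSSL or OpenSSL code. A 256-bit scalar held as
 * four little-endian 64-bit limbs: d[0] is the least significant limb. */
#define LIMBS 4
typedef struct { uint64_t d[LIMBS]; } u256;

/* Each call reports the bit length and how many inner-loop steps it took;
 * the step count stands in for elapsed time in this model. */
typedef struct { unsigned bits; size_t steps; } bitlen_result;

/* Sample scalars (constructed): same width, different numbers of leading zeros. */
static const u256 FULL_WIDTH = {{0, 0, 0, (uint64_t)1 << 63}};  /* 256 bits */
static const u256 SMALL      = {{1, 0, 0, 0}};                   /* 1 bit    */
static const u256 ZERO       = {{0, 0, 0, 0}};

/* Variable-time bit length in the style of a canonicalizing big-integer
 * library: first shrink the effective length ("top") past the zero limbs,
 * then walk the bits of the top limb. The number of steps, and therefore the
 * time, reveals how many leading zeros the value has. */
static bitlen_result num_bits_vartime(const u256 *a) {
  bitlen_result r = {0, 0};
  size_t top = LIMBS;
  while (top > 0 && a->d[top - 1] == 0) {  /* canonicalize away leading zero limbs */
    top--;
    r.steps++;
  }
  if (top == 0) return r;
  uint64_t w = a->d[top - 1];
  while (w != 0) {  /* bit walk of the top limb: also value-dependent */
    w >>= 1;
    r.bits++;
    r.steps++;
  }
  r.bits += (unsigned)((top - 1) * 64);
  return r;
}

/* All-ones if x != 0, else zero, computed without a branch. */
static uint64_t ct_mask_nonzero(uint64_t x) {
  return (uint64_t)0 - ((x | ((uint64_t)0 - x)) >> 63);
}

/* Constant-time bit length: visit every limb and every bit position in a fixed
 * order and select the answer with masks, so the step count and the memory
 * access pattern are identical for every input. */
static bitlen_result num_bits_consttime(const u256 *a) {
  bitlen_result r = {0, 0};
  uint64_t found = 0;  /* all-ones once the highest set bit has been passed */
  uint64_t bits = 0;
  for (size_t i = LIMBS; i-- > 0;) {
    for (unsigned b = 64; b-- > 0;) {
      uint64_t set = ct_mask_nonzero((a->d[i] >> b) & 1);
      uint64_t pos = (uint64_t)(i * 64 + b + 1);  /* bit length if this is the top bit */
      bits |= pos & set & ~found;                 /* keep only the first hit */
      found |= set;
      r.steps++;
    }
  }
  r.bits = (unsigned)bits;
  return r;
}

int main(void) {
  const u256 *inputs[] = {&FULL_WIDTH, &SMALL, &ZERO};
  for (size_t i = 0; i < 3; i++) {
    bitlen_result v = num_bits_vartime(inputs[i]);
    bitlen_result c = num_bits_consttime(inputs[i]);
    printf("bits=%3u  vartime steps=%3zu  consttime steps=%3zu\n",
           v.bits, v.steps, c.steps);
  }
  return 0;
}
```

Both functions agree on the bit length, but the variable-time version takes 64 steps for the full-width scalar and only 4 for the small one, so a caller's timing distinguishes them; the fixed-width version takes 256 steps regardless. Real libraries leak through more than a loop count (cache footprint of the shorter array, branch predictor state), which is why the fix is to keep a fixed width and branch-free arithmetic throughout rather than to tune any one function.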
In November 2017, we changed our ECDSA implementation to no longer use the general BIGNUM library here, which both reduced allocation overhead and avoided this leak. In 2018, we reworked our copy of the BIGNUM library to avoid this canonicalization and fix analogous leaks elsewhere, e.g. in RSA. In 2018, we also filed an issue for OpenSSL, describing our work.