# OpenSSL Advisory: January 21st, 2025 (BoringSSL Not Affected)
OpenSSL has published a [security advisory](https://openssl-library.org/news/secadv/20250120.txt). Here's how it affects BoringSSL:
CVE | Summary | [Severity] in OpenSSL | Impact to BoringSSL
----|---------|-----------------------|---------------------
CVE-2024-13176 | Timing side-channel in ECDSA signature computation | Low | Not affected; already fixed in [November 2017](https://boringssl-review.googlesource.com/c/boringssl/+/23075)
[Severity]: https://openssl-library.org/policies/general/security-policy/index.html#issue-severity
## CVE-2024-13176
CVE-2024-13176 is a [timing leak](https://www.bearssl.org/constanttime.html) of the ECDSA nonce during signing. The ECDSA nonce is very sensitive: even a leak of a few bits per signature, collected over many signatures, [can lead to recovering the private key](https://eprint.iacr.org/2020/615.pdf). The leak comes from OpenSSL's use of its general-purpose big integer type, which canonicalizes away leading zeros in its in-memory representation. Operations on such a value take time proportional to its canonical length, so the running time of the signing computation reveals the number of leading zeros of several intermediate values derived from the nonce.
In [November 2017](https://boringssl-review.googlesource.com/c/boringssl/+/23075), we changed our ECDSA implementation to stop using the general `BIGNUM` library for this computation, which both reduced allocation overhead and avoided this leak. In 2018, we reworked our copy of the `BIGNUM` library to avoid this canonicalization, fixing analogous leaks elsewhere, e.g. in RSA, and [filed an issue](https://github.com/openssl/openssl/issues/6640) for OpenSSL describing that work.
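The mechanism behind the leak, and the shape of the fixed-width fix, as an added illustration written for this page. It is a toy model, not OpenSSL or BoringSSL code: a canonicalising big integer with a `top` limb count (mirroring the representation described above) is multiplied with schoolbook multiplication, and the number of limb multiplications performed, which is what an attacker measures as time, is counted and compared with a fixed-width multiply that always does the same work. The limb width, the sample scalar `SAMPLE_R`, and the two sample nonces are constructed values chosen for the demonstration; they are not real ECDSA values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the leak, not OpenSSL or BoringSSL code: 256-bit values as
 * eight 32-bit limbs, least-significant limb first. */
#define LIMBS 8

/* Canonicalised big integer: |top| counts limbs up to and including the most
 * significant non-zero one, so leading zero limbs make the value "shorter". */
typedef struct {
    uint32_t d[LIMBS];
    size_t top;
} var_bn;

static void var_bn_set(var_bn *r, const uint32_t limbs[LIMBS]) {
    memcpy(r->d, limbs, sizeof(r->d));
    r->top = LIMBS;
    while (r->top > 0 && r->d[r->top - 1] == 0) {
        r->top--;  /* strip leading zero limbs, as a canonicalising library does */
    }
}

/* Schoolbook multiply over the canonical lengths. Returns the number of limb
 * multiplications performed; that count, i.e. the running time, depends on
 * how many leading zero limbs each operand has. */
static size_t var_bn_mul(uint32_t out[2 * LIMBS], const var_bn *a, const var_bn *b) {
    size_t ops = 0;
    memset(out, 0, 2 * LIMBS * sizeof(uint32_t));
    for (size_t i = 0; i < a->top; i++) {
        uint64_t carry = 0;
        for (size_t j = 0; j < b->top; j++) {
            uint64_t t = (uint64_t)a->d[i] * b->d[j] + out[i + j] + carry;
            out[i + j] = (uint32_t)t;
            carry = t >> 32;
            ops++;
        }
        out[i + b->top] = (uint32_t)carry;
    }
    return ops;
}

/* Fixed-width multiply: always LIMBS * LIMBS limb multiplications, so the work
 * is independent of the operands' values, leading zeros included. */
static size_t fixed_mul(uint32_t out[2 * LIMBS], const uint32_t a[LIMBS], const uint32_t b[LIMBS]) {
    size_t ops = 0;
    memset(out, 0, 2 * LIMBS * sizeof(uint32_t));
    for (size_t i = 0; i < LIMBS; i++) {
        uint64_t carry = 0;
        for (size_t j = 0; j < LIMBS; j++) {
            uint64_t t = (uint64_t)a[i] * b[j] + out[i + j] + carry;
            out[i + j] = (uint32_t)t;
            carry = t >> 32;
            ops++;
        }
        out[i + LIMBS] = (uint32_t)carry;
    }
    return ops;
}

/* Constructed sample inputs (not real ECDSA values): a scalar with every limb
 * non-zero, a nonce using all eight limbs, and a nonce whose top seven limbs
 * are zero. */
const uint32_t SAMPLE_R[LIMBS] = {0xdeadbeef, 0x01234567, 0x89abcdef, 0xfedcba98,
                                  0x76543210, 0x0f1e2d3c, 0x4b5a6978, 0x8796a5b4};
const uint32_t NONCE_FULL[LIMBS] = {0x11111111, 0x22222222, 0x33333333, 0x44444444,
                                    0x55555555, 0x66666666, 0x77777777, 0x88888888};
const uint32_t NONCE_SHORT[LIMBS] = {0x2a, 0, 0, 0, 0, 0, 0, 0};

/* Limb multiplications the canonicalising multiply spends on nonce * SAMPLE_R. */
size_t leaked_ops(const uint32_t nonce[LIMBS]) {
    var_bn k, r;
    uint32_t out[2 * LIMBS];
    var_bn_set(&k, nonce);
    var_bn_set(&r, SAMPLE_R);
    return var_bn_mul(out, &k, &r);
}

/* Limb multiplications the fixed-width multiply spends on nonce * SAMPLE_R. */
size_t fixed_ops(const uint32_t nonce[LIMBS]) {
    uint32_t out[2 * LIMBS];
    return fixed_mul(out, nonce, SAMPLE_R);
}

/* Both multiplies compute the same product; only their timing differs. */
int products_agree(const uint32_t nonce[LIMBS]) {
    var_bn k, r;
    uint32_t a[2 * LIMBS], b[2 * LIMBS];
    var_bn_set(&k, nonce);
    var_bn_set(&r, SAMPLE_R);
    var_bn_mul(a, &k, &r);
    fixed_mul(b, nonce, SAMPLE_R);
    return memcmp(a, b, sizeof(a)) == 0;
}

int main(void) {
    printf("full nonce:  canonical=%zu ops, fixed=%zu ops\n",
           leaked_ops(NONCE_FULL), fixed_ops(NONCE_FULL));
    printf("short nonce: canonical=%zu ops, fixed=%zu ops\n",
           leaked_ops(NONCE_SHORT), fixed_ops(NONCE_SHORT));
    return 0;
}
```

The canonicalising version does 64 limb multiplications for the full-width nonce but only 8 for the nonce with seven leading zero limbs, while the fixed-width version does 64 in both cases and produces the same product. A real implementation leaks through more than the multiply (modular inversion, reductions, comparisons all branch on the canonical length), and the fix is the same throughout: size every intermediate value by the curve order's width, never by its current value.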