Cesar Pereida Garcia reports:
The signing function in crypto/ecdsa/ecdsa_ossl.c in certain OpenSSL
versions and forks is vulnerable to timing attacks when signing with the
standardized elliptic curve P-256 despite featuring constant-time curve
operations and modular inversion. A software defect omits setting the
BN_FLG_CONSTTIME flag for nonces, failing to take a secure code path in
the BN_mod_inverse method and therefore resulting in a cache-timing attack
vulnerability.
A malicious user with local access can recover ECDSA P-256 private keys.