diff options
| author | beck <> | 2016-06-06 10:00:04 +0000 |
|---|---|---|
| committer | beck <> | 2016-06-06 10:00:04 +0000 |
| commit | b57d9bfda0a4cfebac3b70e39ad9581d29db6c4f (patch) | |
| tree | 23303af74e383f015a626a18ca4c5e07811c9a9d | |
| parent | cec8eada4b7c80bf9a2bbf5ae93b31c991639338 (diff) | |
| download | openbsd-b57d9bfda0a4cfebac3b70e39ad9581d29db6c4f.tar.gz openbsd-b57d9bfda0a4cfebac3b70e39ad9581d29db6c4f.tar.bz2 openbsd-b57d9bfda0a4cfebac3b70e39ad9581d29db6c4f.zip | |
Correct a problem that prevents the DSA signing algorithm from running
in constant time even if the flag BN_FLG_CONSTTIME is set. This issue
was reported by Cesar Pereida (Aalto University), Billy Brumley
(Tampere University of Technology), and Yuval Yarom (The University of
Adelaide and NICTA). The fix was developed by Cesar Pereida.
| -rw-r--r-- | src/lib/libcrypto/dsa/dsa_ossl.c | 10 | ||||
| -rw-r--r-- | src/lib/libssl/src/crypto/dsa/dsa_ossl.c | 10 |
2 files changed, 12 insertions, 8 deletions
diff --git a/src/lib/libcrypto/dsa/dsa_ossl.c b/src/lib/libcrypto/dsa/dsa_ossl.c index 7c0a7802b0..13101cea1d 100644 --- a/src/lib/libcrypto/dsa/dsa_ossl.c +++ b/src/lib/libcrypto/dsa/dsa_ossl.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: dsa_ossl.c,v 1.23 2015/09/10 07:58:28 bcook Exp $ */ | 1 | /* $OpenBSD: dsa_ossl.c,v 1.24 2016/06/06 10:00:04 beck Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -247,9 +247,6 @@ dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) | |||
| 247 | if (!BN_rand_range(&k, dsa->q)) | 247 | if (!BN_rand_range(&k, dsa->q)) |
| 248 | goto err; | 248 | goto err; |
| 249 | } while (BN_is_zero(&k)); | 249 | } while (BN_is_zero(&k)); |
| 250 | if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) { | ||
| 251 | BN_set_flags(&k, BN_FLG_CONSTTIME); | ||
| 252 | } | ||
| 253 | 250 | ||
| 254 | if (dsa->flags & DSA_FLAG_CACHE_MONT_P) { | 251 | if (dsa->flags & DSA_FLAG_CACHE_MONT_P) { |
| 255 | if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p, | 252 | if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p, |
| @@ -283,6 +280,11 @@ dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) | |||
| 283 | } else { | 280 | } else { |
| 284 | K = &k; | 281 | K = &k; |
| 285 | } | 282 | } |
| 283 | |||
| 284 | if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) { | ||
| 285 | BN_set_flags(&k, BN_FLG_CONSTTIME); | ||
| 286 | } | ||
| 287 | |||
| 286 | DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx, | 288 | DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx, |
| 287 | dsa->method_mont_p); | 289 | dsa->method_mont_p); |
| 288 | if (!BN_mod(r,r,dsa->q,ctx)) | 290 | if (!BN_mod(r,r,dsa->q,ctx)) |
diff --git a/src/lib/libssl/src/crypto/dsa/dsa_ossl.c b/src/lib/libssl/src/crypto/dsa/dsa_ossl.c index 7c0a7802b0..13101cea1d 100644 --- a/src/lib/libssl/src/crypto/dsa/dsa_ossl.c +++ b/src/lib/libssl/src/crypto/dsa/dsa_ossl.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: dsa_ossl.c,v 1.23 2015/09/10 07:58:28 bcook Exp $ */ | 1 | /* $OpenBSD: dsa_ossl.c,v 1.24 2016/06/06 10:00:04 beck Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -247,9 +247,6 @@ dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) | |||
| 247 | if (!BN_rand_range(&k, dsa->q)) | 247 | if (!BN_rand_range(&k, dsa->q)) |
| 248 | goto err; | 248 | goto err; |
| 249 | } while (BN_is_zero(&k)); | 249 | } while (BN_is_zero(&k)); |
| 250 | if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) { | ||
| 251 | BN_set_flags(&k, BN_FLG_CONSTTIME); | ||
| 252 | } | ||
| 253 | 250 | ||
| 254 | if (dsa->flags & DSA_FLAG_CACHE_MONT_P) { | 251 | if (dsa->flags & DSA_FLAG_CACHE_MONT_P) { |
| 255 | if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p, | 252 | if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p, |
| @@ -283,6 +280,11 @@ dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) | |||
| 283 | } else { | 280 | } else { |
| 284 | K = &k; | 281 | K = &k; |
| 285 | } | 282 | } |
| 283 | |||
| 284 | if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) { | ||
| 285 | BN_set_flags(&k, BN_FLG_CONSTTIME); | ||
| 286 | } | ||
| 287 | |||
| 286 | DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx, | 288 | DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx, |
| 287 | dsa->method_mont_p); | 289 | dsa->method_mont_p); |
| 288 | if (!BN_mod(r,r,dsa->q,ctx)) | 290 | if (!BN_mod(r,r,dsa->q,ctx)) |