author | jsing <> | 2018-06-13 15:07:19 +0000 |
committer | jsing <> | 2018-06-13 15:07:19 +0000 |
commit | b6faac1f1a48896c4bea8877382f91ff23c964f7 (patch) | |
tree | ece62a633ca8cf87cfaec3ac556b1af956a6c209 | |
parent | ba88944626ec9297c3c8cfa668f42b664c45a9cc (diff) | |
MFC: Avoid a timing side-channel leak when generating DSA and ECDSA
signatures.
This is caused by an attempt to do fast modular arithmetic, which
introduces branches that leak information regarding secret values.
Issue identified and reported by Keegan Ryan of NCC Group.
ok beck@ tb@
-rw-r--r-- | src/lib/libcrypto/dsa/dsa_ossl.c | 7 | ||||
-rw-r--r-- | src/lib/libcrypto/ecdsa/ecs_ossl.c | 4 |
2 files changed, 4 insertions, 7 deletions
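diff --git a/src/lib/libcrypto/dsa/dsa_ossl.c b/src/lib/libcrypto/dsa/dsa_ossl.c
index f1013fe547..78b10a5b88 100644
--- a/src/lib/libcrypto/dsa/dsa_ossl.c
+++ b/src/lib/libcrypto/dsa/dsa_ossl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa_ossl.c,v 1.30 2017/01/29 17:49:22 beck Exp $ */
+/* $OpenBSD: dsa_ossl.c,v 1.30.6.1 2018/06/13 15:07:19 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -142,11 +142,8 @@ redo:
 /* Compute s = inv(k) (m + xr) mod q */
 if (!BN_mod_mul(&xr, dsa->priv_key, r, dsa->q, ctx)) /* s = xr */
 goto err;
-if (!BN_add(s, &xr, &m)) /* s = m + xr */
+if (!BN_mod_add(s, &xr, &m, dsa->q, ctx)) /* s = m + xr */
 goto err;
-if (BN_cmp(s, dsa->q) > 0)
-if (!BN_sub(s, s, dsa->q))
-goto err;
 if (!BN_mod_mul(s, s, kinv, dsa->q, ctx))
 goto err;
 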
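Review bot: The trailing comment on the changed line, `/* s = m + xr */`, now understates what the call does: BN_mod_add() also reduces the sum, so `/* s = (m + xr) mod q */` would match the code. Nothing in the hunk records why the unreduced add followed by a conditional BN_sub() was replaced, which invites a later "optimisation" back to the fast path; a one-line why-comment above the call, such as `/* BN_mod_add(): the add/compare/subtract sequence branched on the secret-dependent sum */`, would pin the intent. The same comment is warranted above the BN_mod_add() call in the ecs_ossl.c hunk, which swaps BN_mod_add_quick() for the same reason. The enclosing function (the `redo:` label in the hunk header is inside it) begins and ends outside the hunk.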
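diff --git a/src/lib/libcrypto/ecdsa/ecs_ossl.c b/src/lib/libcrypto/ecdsa/ecs_ossl.c
index c7f4bcbe03..e6745b115d 100644
--- a/src/lib/libcrypto/ecdsa/ecs_ossl.c
+++ b/src/lib/libcrypto/ecdsa/ecs_ossl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecs_ossl.c,v 1.9 2017/01/29 17:49:23 beck Exp $ */
+/* $OpenBSD: ecs_ossl.c,v 1.9.6.1 2018/06/13 15:07:19 jsing Exp $ */
 /*
  * Written by Nils Larsch for the OpenSSL project
  */
@@ -273,7 +273,7 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
 ECDSAerror(ERR_R_BN_LIB);
 goto err;
 }
-if (!BN_mod_add_quick(s, tmp, m, order)) {
+if (!BN_mod_add(s, tmp, m, order, ctx)) {
 ECDSAerror(ERR_R_BN_LIB);
 goto err;
 }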