From 1385f2adfdeee36db41b61c1294f507d64a60fd1 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Wed, 13 Jun 2018 15:05:04 +0000
Subject: Avoid a timing side-channel leak when generating DSA and ECDSA signatures.

This is caused by an attempt to do fast modular arithmetic, which introduces branches that leak information regarding secret values.

Issue identified and reported by Keegan Ryan of NCC Group.

ok beck@ tb@
---
 src/lib/libcrypto/dsa/dsa_ossl.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

(limited to 'src/lib/libcrypto/dsa')

diff --git a/src/lib/libcrypto/dsa/dsa_ossl.c b/src/lib/libcrypto/dsa/dsa_ossl.c
index 301cdd5095..505ef800dc 100644
--- a/src/lib/libcrypto/dsa/dsa_ossl.c
+++ b/src/lib/libcrypto/dsa/dsa_ossl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa_ossl.c,v 1.31 2018/04/28 14:22:21 tb Exp $ */
+/* $OpenBSD: dsa_ossl.c,v 1.32 2018/06/13 15:05:04 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -142,11 +142,8 @@ redo:
 	/* Compute s = inv(k) (m + xr) mod q */
 	if (!BN_mod_mul(&xr, dsa->priv_key, r, dsa->q, ctx)) /* s = xr */
 		goto err;
-	if (!BN_add(s, &xr, &m)) /* s = m + xr */
+	if (!BN_mod_add(s, &xr, &m, dsa->q, ctx)) /* s = m + xr */
 		goto err;
-	if (BN_cmp(s, dsa->q) > 0)
-		if (!BN_sub(s, s, dsa->q))
-			goto err;
 	if (!BN_mod_mul(s, s, kinv, dsa->q, ctx))
 		goto err;
-- 
cgit v1.2.3-55-g6feb
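Review bot: The new `BN_mod_add(s, &xr, &m, dsa->q, ctx)` drops the branchy one-subtraction reduction, but as far as I can tell BN_mod_add in this tree is BN_add followed by BN_nnmod, and BN_nnmod reduces through BN_div, which only takes its branch-free path when BN_FLG_CONSTTIME is set on an operand; nothing in the hunk sets that flag on `s`, `&xr` or `&m`, so the reduction's timing may still depend on how `m + xr` compares to `q`. The same consideration applies to the two `BN_mod_mul` calls kept in the hunk, which reduce through the same division. It would be worth either confirming the flag state and adding `BN_set_flags(s, BN_FLG_CONSTTIME);` ahead of the add, or recording why the division is acceptable with a comment such as `/* BN_mod_add reduces via BN_nnmod/BN_div; operands need BN_FLG_CONSTTIME for the branch-free path */`. The commit message covers ECDSA as well, but this page is filtered to the dsa directory, so the matching ecdsa change cannot be reviewed here. The enclosing signing function begins and ends outside the hunk.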