From be60d0cf0b244ebdb15f1b61031c677d37279477 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Wed, 13 Jun 2018 15:08:08 +0000
Subject: MFC: Avoid a timing side-channel leak when generating DSA and ECDSA signatures.

This is caused by an attempt to do fast modular arithmetic, which introduces branches that leak information regarding secret values.
Issue identified and reported by Keegan Ryan of NCC Group.
ok beck@ tb@
---
 src/lib/libcrypto/dsa/dsa_ossl.c | 7 ++-----
 src/lib/libcrypto/ecdsa/ecs_ossl.c | 4 ++--
 2 files changed, 4 insertions(+), 7 deletions(-)
(limited to 'src')
diff --git a/src/lib/libcrypto/dsa/dsa_ossl.c b/src/lib/libcrypto/dsa/dsa_ossl.c
index f1013fe547..4e75512df8 100644
--- a/src/lib/libcrypto/dsa/dsa_ossl.c
+++ b/src/lib/libcrypto/dsa/dsa_ossl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa_ossl.c,v 1.30 2017/01/29 17:49:22 beck Exp $ */
+/* $OpenBSD: dsa_ossl.c,v 1.30.2.1 2018/06/13 15:08:08 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -142,11 +142,8 @@ redo:
 /* Compute s = inv(k) (m + xr) mod q */
 if (!BN_mod_mul(&xr, dsa->priv_key, r, dsa->q, ctx)) /* s = xr */
 goto err;
- if (!BN_add(s, &xr, &m)) /* s = m + xr */
+ if (!BN_mod_add(s, &xr, &m, dsa->q, ctx)) /* s = m + xr */
 goto err;
- if (BN_cmp(s, dsa->q) > 0)
- if (!BN_sub(s, s, dsa->q)) goto err;
 if (!BN_mod_mul(s, s, kinv, dsa->q, ctx))
 goto err;
diff --git a/src/lib/libcrypto/ecdsa/ecs_ossl.c b/src/lib/libcrypto/ecdsa/ecs_ossl.c
index c7f4bcbe03..09f3bf8416 100644
--- a/src/lib/libcrypto/ecdsa/ecs_ossl.c
+++ b/src/lib/libcrypto/ecdsa/ecs_ossl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecs_ossl.c,v 1.9 2017/01/29 17:49:23 beck Exp $ */
+/* $OpenBSD: ecs_ossl.c,v 1.9.2.1 2018/06/13 15:08:08 jsing Exp $ */
 /*
 * Written by Nils Larsch for the OpenSSL project
 */
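Review bot: The `BN_mod_add` on the `+` line of the `@@ -142,11 +142,8 @@` hunk removes the secret-dependent branch, but it is not constant-time: as I read bn_div.c, the BN_nnmod inside it (and the BN_div inside the `BN_mod_mul` that follows) only takes its branch-free path when an operand carries BN_FLG_CONSTTIME, and neither `s` nor `&xr` does here, so the magnitude of m + xr — which depends on priv_key — still shapes the timing. A cheap first step is `BN_set_flags(s, BN_FLG_CONSTTIME);` before the add, with a comment saying the flag is what selects the branch-free BN_div; since the BN_mul temporaries inside BN_mod_mul do not inherit the flag, the robust fix is to blind the whole computation with a random b in [1, q) so that nothing priv_key-dependent reaches the variable-time multiply/divide, as sketched below (b, bm and binv are new BIGNUMs that have to be set up and cleared alongside m and xr outside the hunk). dsa_do_sign's body starts and ends outside this hunk.
```c
	/* Compute s = inv(k) (m + xr) mod q, blinded by a random b so the
	 * variable-time bn routines never see priv_key-dependent values:
	 * s = inv(k) inv(b) ((b*x*r) + (b*m)) mod q */
	do {
		if (!BN_rand_range(b, dsa->q))
			goto err;
	} while (BN_is_zero(b));
	if (!BN_mod_mul(&xr, b, dsa->priv_key, dsa->q, ctx))	/* xr = b*x */
		goto err;
	if (!BN_mod_mul(&xr, &xr, r, dsa->q, ctx))		/* xr = b*x*r */
		goto err;
	if (!BN_mod_mul(bm, b, &m, dsa->q, ctx))		/* bm = b*m */
		goto err;
	if (!BN_mod_add(s, &xr, bm, dsa->q, ctx))		/* s = b*(m + xr) */
		goto err;
	if (!BN_mod_mul(s, s, kinv, dsa->q, ctx))		/* s = b*(m + xr)/k */
		goto err;
	if (BN_mod_inverse(binv, b, dsa->q, ctx) == NULL)
		goto err;
	if (!BN_mod_mul(s, s, binv, dsa->q, ctx))		/* unblind */
		goto err;
	/* … unchanged: DSA_SIG_new and the rest of dsa_do_sign … */
```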
@@ -273,7 +273,7 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
 ECDSAerror(ERR_R_BN_LIB);
 goto err;
 }
- if (!BN_mod_add_quick(s, tmp, m, order)) {
+ if (!BN_mod_add(s, tmp, m, order, ctx)) {
 ECDSAerror(ERR_R_BN_LIB);
 goto err;
 }
-- 
cgit v1.2.3-55-g6feb
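Review bot: `BN_mod_add` on the `+` line only removes the branch; the reduction it performs goes through BN_nnmod/BN_div, which (if I read bn_div.c correctly) uses the variable-time path unless an operand has BN_FLG_CONSTTIME, and neither `s` nor `tmp` carries it here, so the size of tmp + m — where tmp presumably holds the priv_key * r product computed just above the hunk — still influences timing, as does the BN_mod_mul that follows. I would at least add `BN_set_flags(s, BN_FLG_CONSTTIME);` and `BN_set_flags(tmp, BN_FLG_CONSTTIME);` before the add, with a comment stating that the flag is what selects the branch-free BN_div. The robust fix is to blind the sum with a random b in [1, order): compute (b*tmp + b*m) * kinv mod order and multiply by inv(b) at the end, so that nothing private-key-dependent reaches the variable-time multiply/divide. ecdsa_do_sign starts and ends outside this hunk.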