Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP1:Update
openssl
0001-Merge-to-1.0.2-DSA-mod-inverse-fix.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0001-Merge-to-1.0.2-DSA-mod-inverse-fix.patch of Package openssl
From ebf65dbe1a67682d7e1f58db9c53ef737fb37f32 Mon Sep 17 00:00:00 2001 From: Pauli <paul.dale@oracle.com> Date: Mon, 29 Oct 2018 07:18:09 +1000 Subject: [PATCH] Merge to 1.0.2: DSA mod inverse fix. There is a side channel attack against the division used to calculate one of the modulo inverses in the DSA algorithm. This change takes advantage of the primality of the modulo and Fermat's little theorem to calculate the inverse without leaking information. Thanks to Samuel Weiser for finding and reporting this. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7512) --- crypto/dsa/dsa_ossl.c | 34 ++++++++++++++++++++++++++++++++-- 1 file changed, 32 insertions(+), 2 deletions(-) Index: openssl-1.0.1i/crypto/dsa/dsa_ossl.c =================================================================== --- openssl-1.0.1i.orig/crypto/dsa/dsa_ossl.c 2018-11-15 10:53:14.081384477 +0100 +++ openssl-1.0.1i/crypto/dsa/dsa_ossl.c 2018-11-15 10:55:39.378312616 +0100 @@ -75,6 +75,8 @@ static int dsa_do_verify(const unsigned DSA *dsa); static int dsa_init(DSA *dsa); static int dsa_finish(DSA *dsa); +static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q, + BN_CTX *ctx); static DSA_METHOD openssl_dsa_meth = { "OpenSSL DSA method", @@ -349,7 +351,7 @@ static int dsa_sign_setup(DSA *dsa, BN_C if (!BN_mod(r,r,dsa->q,ctx)) goto err; /* Compute part of 's = inv(k) (m + xr) mod q' */ - if ((kinv=BN_mod_inverse(NULL,&k,dsa->q,ctx)) == NULL) goto err; + if ((kinv=dsa_mod_inverse_fermat(&k,dsa->q,ctx)) == NULL) goto err; if (*kinvp != NULL) BN_clear_free(*kinvp); *kinvp=kinv; @@ -496,3 +498,31 @@ static int dsa_finish(DSA *dsa) return(1); } + +/* + * Compute the inverse of k modulo q. + * Since q is prime, Fermat's Little Theorem applies, which reduces this to + * mod-exp operation. Both the exponent and modulus are public information + * so a mod-exp that doesn't leak the base is sufficient. A newly allocated + * BIGNUM is returned which the caller must free. + */ +static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q, + BN_CTX *ctx) +{ + BIGNUM *res = NULL; + BIGNUM *r, e; + + if ((r = BN_new()) == NULL) + return NULL; + + BN_init(&e); + + if (BN_set_word(r, 2) + && BN_sub(&e, q, r) + && BN_mod_exp_mont(r, k, &e, q, ctx, NULL)) + res = r; + else + BN_free(r); + BN_free(&e); + return res; +}
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor