Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP2:GA
compat-openssl098.29129
0001-DSA-Address-a-timing-side-channel-whereby-...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0001-DSA-Address-a-timing-side-channel-whereby-it-is-possible.patch of Package compat-openssl098.29129
From b96bebacfe814deb99fb64a3ed2296d95c573600 Mon Sep 17 00:00:00 2001 From: Pauli <paul.dale@oracle.com> Date: Wed, 1 Nov 2017 06:58:13 +1000 Subject: [PATCH] Address a timing side channel whereby it is possible to determine some information about the length of a value used in DSA operations from a large number of signatures. This doesn't rate as a CVE because: * For the non-constant time code, there are easier ways to extract more information. * For the constant time code, it requires a significant number of signatures to leak a small amount of information. Thanks to Neals Fournaise, Eliane Jaulmes and Jean-Rene Reinhard for reporting this issue. Original commit by Paul Dale. Backported to 1.0.2 by Matt Caswell Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4642) --- crypto/dsa/dsa_ossl.c | 42 +++++++++++++++++++++++++++--------------- 1 file changed, 27 insertions(+), 15 deletions(-) Index: openssl-0.9.8j/crypto/dsa/dsa_ossl.c =================================================================== --- openssl-0.9.8j.orig/crypto/dsa/dsa_ossl.c 2018-11-15 15:08:55.397351493 +0100 +++ openssl-0.9.8j/crypto/dsa/dsa_ossl.c 2018-11-15 15:09:14.689474463 +0100 @@ -239,7 +239,9 @@ static int dsa_sign_setup(DSA *dsa, BN_C { BN_CTX *ctx; BIGNUM k,kq,*K,*kinv=NULL,*r=NULL; + BIGNUM l, m; int ret=0; + int q_bits; if (!dsa->p || !dsa->q || !dsa->g) { @@ -249,6 +251,8 @@ static int dsa_sign_setup(DSA *dsa, BN_C BN_init(&k); BN_init(&kq); + BN_init(&l); + BN_init(&m); if (ctx_in == NULL) { @@ -259,6 +263,13 @@ static int dsa_sign_setup(DSA *dsa, BN_C if ((r=BN_new()) == NULL) goto err; + /* Preallocate space */ + q_bits = BN_num_bits(dsa->q); + if (!BN_set_bit(&k, q_bits) + || !BN_set_bit(&l, q_bits) + || !BN_set_bit(&m, q_bits)) + goto err; + /* Get random k */ do if (!BN_rand_range(&k, dsa->q)) goto err; @@ -280,20 +291,22 @@ static int dsa_sign_setup(DSA *dsa, BN_C if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) { - if (!BN_copy(&kq, &k)) goto err; + /* We do not want timing information to leak the length of k, so we + * compute G^k using an equivalent scalar of fixed bit-length. + * + * We unconditionally perform both of these additions to prevent a + * small timing information leakage. We then choose the sum that is + * one bit longer than the modulus. + * + * TODO: revisit the BN_copy aiming for a memory access agnostic + * conditional copy. + */ + + if (!BN_add(&l, &k, dsa->q) + || !BN_add(&m, &l, dsa->q) + || !BN_copy(&kq, BN_num_bits(&l) > q_bits ? &l : &m)) goto err; - BN_set_flags(&kq, BN_FLG_CONSTTIME); - /* We do not want timing information to leak the length of k, - * so we compute g^k using an equivalent exponent of fixed length. - * - * (This is a kludge that we need because the BN_mod_exp_mont() - * does not let us specify the desired timing behaviour.) */ - - if (!BN_add(&kq, &kq, dsa->q)) goto err; - if (BN_num_bits(&kq) <= BN_num_bits(dsa->q)) - { - if (!BN_add(&kq, &kq, dsa->q)) goto err; - } + BN_set_flags(&kq, BN_FLG_CONSTTIME); K = &kq; } @@ -325,7 +338,9 @@ err: if (kinv != NULL) BN_clear_free(kinv); BN_clear_free(&k); BN_clear_free(&kq); - return(ret); + BN_clear_free(&l); + BN_clear_free(&m); + return ret; } static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor