File 0001-DSA-Address-a-timing-side-channel-whereby-... of Package compat-openssl098.16428

Overview Repositories Revisions Requests Users Attributes Meta

File 0001-DSA-Address-a-timing-side-channel-whereby-it-is-possible.patch of Package compat-openssl098.16428

From b96bebacfe814deb99fb64a3ed2296d95c573600 Mon Sep 17 00:00:00 2001
From: Pauli <paul.dale@oracle.com>
Date: Wed, 1 Nov 2017 06:58:13 +1000
Subject: [PATCH] Address a timing side channel whereby it is possible to
 determine some

information about the length of a value used in DSA operations from
a large number of signatures.

This doesn't rate as a CVE because:

* For the non-constant time code, there are easier ways to extract
  more information.

* For the constant time code, it requires a significant number of signatures
  to leak a small amount of information.

Thanks to Neals Fournaise, Eliane Jaulmes and Jean-Rene Reinhard for
reporting this issue.

Original commit by Paul Dale. Backported to 1.0.2 by Matt Caswell

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4642)
---
 crypto/dsa/dsa_ossl.c | 42 +++++++++++++++++++++++++++---------------
 1 file changed, 27 insertions(+), 15 deletions(-)

Index: openssl-0.9.8j/crypto/dsa/dsa_ossl.c
===================================================================
--- openssl-0.9.8j.orig/crypto/dsa/dsa_ossl.c	2018-11-15 15:08:55.397351493 +0100
+++ openssl-0.9.8j/crypto/dsa/dsa_ossl.c	2018-11-15 15:09:14.689474463 +0100
@@ -239,7 +239,9 @@ static int dsa_sign_setup(DSA *dsa, BN_C
 	{
 	BN_CTX *ctx;
 	BIGNUM k,kq,*K,*kinv=NULL,*r=NULL;
+    BIGNUM l, m;
 	int ret=0;
+    int q_bits;
 
 	if (!dsa->p || !dsa->q || !dsa->g)
 		{
@@ -249,6 +251,8 @@ static int dsa_sign_setup(DSA *dsa, BN_C
 
 	BN_init(&k);
 	BN_init(&kq);
+    BN_init(&l);
+    BN_init(&m);
 
 	if (ctx_in == NULL)
 		{
@@ -259,6 +263,13 @@ static int dsa_sign_setup(DSA *dsa, BN_C
 
 	if ((r=BN_new()) == NULL) goto err;
 
+    /* Preallocate space */
+    q_bits = BN_num_bits(dsa->q);
+    if (!BN_set_bit(&k, q_bits)
+        || !BN_set_bit(&l, q_bits)
+        || !BN_set_bit(&m, q_bits))
+        goto err;
+
 	/* Get random k */
 	do
 		if (!BN_rand_range(&k, dsa->q)) goto err;
@@ -280,20 +291,22 @@ static int dsa_sign_setup(DSA *dsa, BN_C
 
 	if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0)
 		{
-		if (!BN_copy(&kq, &k)) goto err;
+		/* We do not want timing information to leak the length of k, so we
+         * compute G^k using an equivalent scalar of fixed bit-length.
+         *
+         * We unconditionally perform both of these additions to prevent a
+         * small timing information leakage.  We then choose the sum that is
+         * one bit longer than the modulus.
+         *
+         * TODO: revisit the BN_copy aiming for a memory access agnostic
+         * conditional copy.
+         */
+
+        if (!BN_add(&l, &k, dsa->q)
+            || !BN_add(&m, &l, dsa->q)
+            || !BN_copy(&kq, BN_num_bits(&l) > q_bits ? &l : &m)) goto err;
 
-		BN_set_flags(&kq, BN_FLG_CONSTTIME);
-		/* We do not want timing information to leak the length of k,
-		 * so we compute g^k using an equivalent exponent of fixed length.
-		 *
-		 * (This is a kludge that we need because the BN_mod_exp_mont()
-		 * does not let us specify the desired timing behaviour.) */
-
-		if (!BN_add(&kq, &kq, dsa->q)) goto err;
-		if (BN_num_bits(&kq) <= BN_num_bits(dsa->q))
-			{
-			if (!BN_add(&kq, &kq, dsa->q)) goto err;
-			}
+        BN_set_flags(&kq, BN_FLG_CONSTTIME);
 
 		K = &kq;
 		}
@@ -325,7 +338,9 @@ err:
 	if (kinv != NULL) BN_clear_free(kinv);
 	BN_clear_free(&k);
 	BN_clear_free(&kq);
-	return(ret);
+    BN_clear_free(&l);
+    BN_clear_free(&m);
+    return ret;
 	}
 
 static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,

Places

File 0001-DSA-Address-a-timing-side-channel-whereby-it-is-possible.patch of Package compat-openssl098.16428

Places