Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12:Update
openssl
openssl-add-blinding-to-dsa.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File openssl-add-blinding-to-dsa.patch of Package openssl
From 41d23d435221411b4d70c08b6c5424d0afcf4c19 Mon Sep 17 00:00:00 2001 From: Matt Caswell <matt@openssl.org> Date: Tue, 19 Jun 2018 15:07:02 +0100 Subject: [PATCH] Add blinding to a DSA signature This extends the recently added ECDSA signature blinding to blind DSA too. This is based on side channel attacks demonstrated by Keegan Ryan (NCC Group) for ECDSA which are likely to be able to be applied to DSA. Normally, as in ECDSA, during signing the signer calculates: s:= k^-1 * (m + r * priv_key) mod order In ECDSA, the addition operation above provides a sufficient signal for a flush+reload attack to derive the private key given sufficient signature operations. As a mitigation (based on a suggestion from Keegan) we add blinding to the operation so that: s := k^-1 * blind^-1 (blind * m + blind * r * priv_key) mod order Since this attack is a localhost side channel only no CVE is assigned. This commit also tweaks the previous ECDSA blinding so that blinding is only removed at the last possible step. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6524) --- CHANGES | 4 +-- crypto/dsa/dsa_ossl.c | 73 +++++++++++++++++++++++++++++++++++-------------- crypto/ecdsa/ecs_ossl.c | 14 +++++----- 3 files changed, 61 insertions(+), 30 deletions(-) Index: openssl-1.0.1i/crypto/dsa/dsa_ossl.c =================================================================== --- openssl-1.0.1i.orig/crypto/dsa/dsa_ossl.c +++ openssl-1.0.1i/crypto/dsa/dsa_ossl.c @@ -134,8 +134,7 @@ const DSA_METHOD *DSA_OpenSSL(void) static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) { BIGNUM *kinv=NULL,*r=NULL,*s=NULL; - BIGNUM m; - BIGNUM xr; + BIGNUM *m, *blind, *blindm, *tmp; BN_CTX *ctx=NULL; int reason=ERR_R_BN_LIB; DSA_SIG *ret=NULL; @@ -156,10 +155,7 @@ static DSA_SIG *dsa_do_sign(const unsign } #endif - BN_init(&m); - BN_init(&xr); - - if (!dsa->p || !dsa->q || !dsa->g) + if (dsa->p == NULL || dsa->q == NULL || dsa->g == NULL) { reason=DSA_R_MISSING_PARAMETERS; goto err; @@ -169,6 +165,12 @@ static DSA_SIG *dsa_do_sign(const unsign if (s == NULL) goto err; ctx=BN_CTX_new(); if (ctx == NULL) goto err; + m = BN_CTX_get(ctx); + blind = BN_CTX_get(ctx); + blindm = BN_CTX_get(ctx); + tmp = BN_CTX_get(ctx); + if (tmp == NULL) + goto err; redo: if ((dsa->kinv == NULL) || (dsa->r == NULL)) { @@ -183,24 +185,57 @@ redo: noredo = 1; } - + if (dlen > BN_num_bytes(dsa->q)) /* if the digest length is greater than the size of q use the * BN_num_bits(dsa->q) leftmost bits of the digest, see * fips 186-3, 4.2 */ dlen = BN_num_bytes(dsa->q); - if (BN_bin2bn(dgst,dlen,&m) == NULL) + if (BN_bin2bn(dgst,dlen,m) == NULL) goto err; - /* Compute s = inv(k) (m + xr) mod q */ - if (!BN_mod_mul(&xr,dsa->priv_key,r,dsa->q,ctx)) goto err;/* s = xr */ - if (!BN_add(s, &xr, &m)) goto err; /* s = m + xr */ - if (BN_cmp(s,dsa->q) > 0) - if (!BN_sub(s,s,dsa->q)) goto err; + /* + * The normal signature calculation is: + * + * s := k^-1 * (m + r * priv_key) mod q + * + * We will blind this to protect against side channel attacks + * + * s := blind^-1 * k^-1 * (blind * m + blind * r * priv_key) mod q + */ + + /* Generate a blinding value */ + do { + if (!BN_rand(blind, BN_num_bits(dsa->q) - 1, -1, 0)) + goto err; + } while (BN_is_zero(blind)); + BN_set_flags(blind, BN_FLG_CONSTTIME); + BN_set_flags(blindm, BN_FLG_CONSTTIME); + BN_set_flags(tmp, BN_FLG_CONSTTIME); + + /* tmp := blind * priv_key * r mod q */ + if (!BN_mod_mul(tmp, blind, dsa->priv_key, dsa->q, ctx)) + goto err; + if (!BN_mod_mul(tmp, tmp, r, dsa->q, ctx)) + goto err; + + /* blindm := blind * m mod q */ + if (!BN_mod_mul(blindm, blind, m, dsa->q, ctx)) + goto err; + + /* s : = (blind * priv_key * r) + (blind * m) mod q */ + if (!BN_mod_add_quick(s, tmp, blindm, dsa->q)) + goto err; + + /* s := s * k^-1 mod q */ if (!BN_mod_mul(s,s,kinv,dsa->q,ctx)) goto err; - ret=DSA_SIG_new(); - if (ret == NULL) goto err; + /* s:= s * blind^-1 mod q */ + if (BN_mod_inverse(blind, blind, dsa->q, ctx) == NULL) + goto err; +if (!BN_mod_mul(s, s, blind, dsa->q, ctx)) + goto err; + /* Redo if r or s is zero as required by FIPS 186-3: this is * very unlikely. */ @@ -213,9 +248,11 @@ redo: } goto redo; } + ret=DSA_SIG_new(); + if (ret == NULL) goto err; ret->r = r; ret->s = s; - + err: if (!ret) { @@ -223,11 +260,8 @@ err: BN_free(r); BN_free(s); } - if (ctx != NULL) BN_CTX_free(ctx); - BN_clear_free(&m); - BN_clear_free(&xr); - if (kinv != NULL) /* dsa->kinv is NULL now if we used it */ - BN_clear_free(kinv); + BN_CTX_free(ctx); + BN_clear_free(kinv); return(ret); }
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor