File 0001-DSA-Address-a-timing-side-channel-whereby-it-is-possible.patch of Package openssl1
From b96bebacfe814deb99fb64a3ed2296d95c573600 Mon Sep 17 00:00:00 2001 From: Pauli <paul.dale@oracle.com> Date: Wed, 1 Nov 2017 06:58:13 +1000 Subject: [PATCH] Address a timing side channel whereby it is possible to determine some information about the length of a value used in DSA operations from a large number of signatures. This doesn't rate as a CVE because: * For the non-constant time code, there are easier ways to extract more information. * For the constant time code, it requires a significant number of signatures to leak a small amount of information. Thanks to Neals Fournaise, Eliane Jaulmes and Jean-Rene Reinhard for reporting this issue. Original commit by Paul Dale. Backported to 1.0.2 by Matt Caswell Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4642) --- crypto/dsa/dsa_ossl.c | 42 +++++++++++++++++++++++++++--------------- 1 file changed, 27 insertions(+), 15 deletions(-) Index: openssl-1.0.1i/crypto/dsa/dsa_ossl.c =================================================================== --- openssl-1.0.1i.orig/crypto/dsa/dsa_ossl.c 2018-11-14 14:21:43.259019996 +0100 +++ openssl-1.0.1i/crypto/dsa/dsa_ossl.c 2018-11-14 14:26:19.136587335 +0100 @@ -269,7 +269,9 @@ static int dsa_sign_setup(DSA *dsa, BN_C { BN_CTX *ctx; BIGNUM k,kq,*K,*kinv=NULL,*r=NULL; + BIGNUM l, m; int ret=0; + int q_bits; if (!dsa->p || !dsa->q || !dsa->g) { @@ -279,6 +281,8 @@ static int dsa_sign_setup(DSA *dsa, BN_C BN_init(&k); BN_init(&kq); + BN_init(&l); + BN_init(&m); if (ctx_in == NULL) { @@ -289,6 +293,13 @@ static int dsa_sign_setup(DSA *dsa, BN_C if ((r=BN_new()) == NULL) goto err; + /* Preallocate space */ + q_bits = BN_num_bits(dsa->q); + if (!BN_set_bit(&k, q_bits) + || !BN_set_bit(&l, q_bits) + || !BN_set_bit(&m, q_bits)) + goto err; + /* Get random k */ do if (!BN_rand_range(&k, dsa->q)) goto err; 
@@ -310,20 +321,22 @@ static int dsa_sign_setup(DSA *dsa, BN_C if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) { - if (!BN_copy(&kq, &k)) goto err; + /* We do not want timing information to leak the length of k, so we + * compute G^k using an equivalent scalar of fixed bit-length. + * + * We unconditionally perform both of these additions to prevent a + * small timing information leakage. We then choose the sum that is + * one bit longer than the modulus. + * + * TODO: revisit the BN_copy aiming for a memory access agnostic + * conditional copy. + */ + + if (!BN_add(&l, &k, dsa->q) + || !BN_add(&m, &l, dsa->q) + || !BN_copy(&kq, BN_num_bits(&l) > q_bits ? &l : &m)) goto err; - BN_set_flags(&kq, BN_FLG_CONSTTIME); - /* We do not want timing information to leak the length of k, - * so we compute g^k using an equivalent exponent of fixed length. - * - * (This is a kludge that we need because the BN_mod_exp_mont() - * does not let us specify the desired timing behaviour.) */ - - if (!BN_add(&kq, &kq, dsa->q)) goto err; - if (BN_num_bits(&kq) <= BN_num_bits(dsa->q)) - { - if (!BN_add(&kq, &kq, dsa->q)) goto err; - } + BN_set_flags(&kq, BN_FLG_CONSTTIME); K = &kq; } @@ -354,7 +367,9 @@ err: if (ctx_in == NULL) BN_CTX_free(ctx); BN_clear_free(&k); BN_clear_free(&kq); - return(ret); + BN_clear_free(&l); + BN_clear_free(&m); + return ret; } static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
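Review bot: the `/* Preallocate space */` comment in the `@@ -289,6 +293,13 @@` hunk should say why the three `BN_set_bit(..., q_bits)` calls are there: they grow `k`, `l` and `m` to hold q_bits + 1 bits up front so that the later `BN_add` calls do not trigger a length-dependent reallocation, which would reintroduce a timing difference on the same path this patch is fixing. Suggest `/* Preallocate q_bits + 1 bits so the BN_add calls below never reallocate */`. Note also that `m = k + 2q` can need q_bits + 2 bits when the top bits of `q` are set, so reserving a word or two beyond `q` rather than exactly bit q_bits would be safer than relying on word-size slack.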
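Review bot: in the `@@ -310,20 +321,22 @@` hunk the selection `BN_copy(&kq, BN_num_bits(&l) > q_bits ? &l : &m)` still branches on data derived from the secret nonce `k`: which of `l` or `m` is read and copied depends on whether `k + q` overflowed q_bits bits, and the TODO in the same hunk admits as much. The unconditional double addition does remove the variable-count `BN_add` sequence of the old code, which is the leak the commit message describes, but the remaining secret-dependent branch and memory access should be replaced with a memory-access agnostic conditional copy, as the TODO suggests, before that comment is dropped.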
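Review bot: the `@@ -354,7 +367,9 @@` hunk changes `return(ret);` to `return ret;`, a pure style edit unrelated to the fix; in a backport onto 1.0.1i, where the removed line shows the file still using the parenthesised form, it is better left alone to keep the diff minimal. The added `BN_clear_free(&l)` and `BN_clear_free(&m)` are right: both values are derived from `k` and must be wiped, not merely freed, on every exit path.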