summary |
shortlog |
log |
commit | commitdiff |
tree
raw |
patch |
inline | side by side (from parent 1:
8d3363f)
information about the length of a value used in DSA operations from
a large number of signatures.
This doesn't rate as a CVE because:
* For the non-constant time code, there are easier ways to extract
more information.
* For the constant time code, it requires a significant number of signatures
to leak a small amount of information.
Thanks to Neals Fournaise, Eliane Jaulmes and Jean-Rene Reinhard for
reporting this issue.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4576)
{
BN_CTX *ctx = NULL;
BIGNUM *k, *kinv = NULL, *r = *rp;
{
BN_CTX *ctx = NULL;
BIGNUM *k, *kinv = NULL, *r = *rp;
if (!dsa->p || !dsa->q || !dsa->g) {
DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_MISSING_PARAMETERS);
if (!dsa->p || !dsa->q || !dsa->g) {
DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_MISSING_PARAMETERS);
+ l = BN_new();
+ m = BN_new();
+ if (k == NULL || l == NULL || m == NULL)
goto err;
if (ctx_in == NULL) {
goto err;
if (ctx_in == NULL) {
+ /* Preallocate space */
+ q_bits = BN_num_bits(dsa->q);
+ if (!BN_set_bit(k, q_bits)
+ || !BN_set_bit(l, q_bits)
+ || !BN_set_bit(m, q_bits))
+ goto err;
+
/* Get random k */
do {
if (dgst != NULL) {
/* Get random k */
do {
if (dgst != NULL) {
/*
* We do not want timing information to leak the length of k, so we
/*
* We do not want timing information to leak the length of k, so we
- * compute g^k using an equivalent exponent of fixed length. (This
- * is a kludge that we need because the BN_mod_exp_mont() does not
- * let us specify the desired timing behaviour.)
+ * compute G^k using an equivalent scalar of fixed bit-length.
+ *
+ * We unconditionally perform both of these additions to prevent a
+ * small timing information leakage. We then choose the sum that is
+ * one bit longer than the modulus.
+ *
+ * TODO: revisit the BN_copy aiming for a memory access agnostic
+ * conditional copy.
-
- if (!BN_add(k, k, dsa->q))
+ if (!BN_add(l, k, dsa->q)
+ || !BN_add(m, l, dsa->q)
+ || !BN_copy(k, BN_num_bits(l) > q_bits ? l : m))
- if (BN_num_bits(k) <= BN_num_bits(dsa->q)) {
- if (!BN_add(k, k, dsa->q))
- goto err;
- }
if ((dsa)->meth->bn_mod_exp != NULL) {
if (!dsa->meth->bn_mod_exp(dsa, r, dsa->g, k, dsa->p, ctx,
if ((dsa)->meth->bn_mod_exp != NULL) {
if (!dsa->meth->bn_mod_exp(dsa, r, dsa->g, k, dsa->p, ctx,
if (ctx != ctx_in)
BN_CTX_free(ctx);
BN_clear_free(k);
if (ctx != ctx_in)
BN_CTX_free(ctx);
BN_clear_free(k);
+ BN_clear_free(l);
+ BN_clear_free(m);