Fix SCA vulnerability when using PVK and MSBLOB key formats
authorCesar Pereida Garcia <cesar.pereidagarcia@tut.fi>
Wed, 14 Aug 2019 07:17:06 +0000 (10:17 +0300)
committerMatt Caswell <matt@openssl.org>
Tue, 27 Aug 2019 08:07:30 +0000 (09:07 +0100)
This commit addresses a side-channel vulnerability present when
PVK and MSBLOB key formats are loaded into OpenSSL.
The public key was not computed using a constant-time exponentiation
function.

This issue was discovered and reported by the NISEC group at TAU Finland.

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9587)

crypto/pem/pvkfmt.c

index 348a92b64adea7facdfad590034982f53420f007..adf29144336eb07ce095900e6f3d3ebbdb869f29 100644 (file)
@@ -274,6 +274,9 @@ static EVP_PKEY *b2i_dss(const unsigned char **in,
         if (!read_lebn(&p, 20, &priv_key))
             goto memerr;
 
+        /* Set constant time flag before public key calculation */
+        BN_set_flags(priv_key, BN_FLG_CONSTTIME);
+
         /* Calculate public key */
         pub_key = BN_new();
         if (pub_key == NULL)