From: Bernd Edlinger Date: Fri, 6 Sep 2019 06:46:46 +0000 (+0200) Subject: Fix a SCA leak in BN_generate_dsa_nonce X-Git-Tag: OpenSSL_1_1_1d~28 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=9e1403d91a42d917e684a37a99fa98a0025253c0;p=oweals%2Fopenssl.git Fix a SCA leak in BN_generate_dsa_nonce Reviewed-by: Matt Caswell Reviewed-by: Nicola Tuveri (Merged from https://github.com/openssl/openssl/pull/9782) (cherry picked from commit 31ca19403d56ad71d823cf62990518dfc6905bb4) --- diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c index c0d1a32292..214768311a 100644 --- a/crypto/bn/bn_rand.c +++ b/crypto/bn/bn_rand.c @@ -225,8 +225,7 @@ int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range, goto err; /* We copy |priv| into a local buffer to avoid exposing its length. */ - todo = sizeof(priv->d[0]) * priv->top; - if (todo > sizeof(private_bytes)) { + if (BN_bn2binpad(priv, private_bytes, sizeof(private_bytes)) < 0) { /* * No reasonable DSA or ECDSA key should have a private key this * large and we don't handle this case in order to avoid leaking the @@ -235,8 +234,6 @@ int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range, BNerr(BN_F_BN_GENERATE_DSA_NONCE, BN_R_PRIVATE_KEY_TOO_LARGE); goto err; } - memcpy(private_bytes, priv->d, todo); - memset(private_bytes + todo, 0, sizeof(private_bytes) - todo); for (done = 0; done < num_k_bytes;) { if (RAND_priv_bytes(random_bytes, sizeof(random_bytes)) != 1)