[openssl-commits] [openssl] master update
Matt Caswell
matt at openssl.org
Wed Nov 1 16:38:16 UTC 2017
The branch master has been updated
via 4a089bbdf11f9e231cc68f42bba934c954d81a49 (commit)
via c0caa945f6ef30363e0d01d75155f20248403df4 (commit)
from 8d3363f2ce20f7478964db740a1213abe8458a97 (commit)
- Log -----------------------------------------------------------------
commit 4a089bbdf11f9e231cc68f42bba934c954d81a49
Author: Pauli <paul.dale at oracle.com>
Date: Wed Nov 1 06:58:39 2017 +1000
Address a timing side channel whereby it is possible to determine some
information about the length of the scalar used in ECDSA operations
from a large number (2^32) of signatures.
This doesn't rate as a CVE because:
* For the non-constant time code, there are easier ways to extract
more information.
* For the constant time code, it requires a significant number of signatures
to leak a small amount of information.
Thanks to Neals Fournaise, Eliane Jaulmes and Jean-Rene Reinhard for
reporting this issue.
Reviewed-by: Andy Polyakov <appro at openssl.org>
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4576)
commit c0caa945f6ef30363e0d01d75155f20248403df4
Author: Pauli <paul.dale at oracle.com>
Date: Wed Nov 1 06:58:13 2017 +1000
Address a timing side channel whereby it is possible to determine some
information about the length of a value used in DSA operations from
a large number of signatures.
This doesn't rate as a CVE because:
* For the non-constant time code, there are easier ways to extract
more information.
* For the constant time code, it requires a significant number of signatures
to leak a small amount of information.
Thanks to Neals Fournaise, Eliane Jaulmes and Jean-Rene Reinhard for
reporting this issue.
Reviewed-by: Andy Polyakov <appro at openssl.org>
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4576)
-----------------------------------------------------------------------
Summary of changes:
crypto/dsa/dsa_ossl.c | 35 +++++++++++++++++++++++++----------
crypto/ec/ecdsa_ossl.c | 26 ++++++++++++++++++++------
2 files changed, 45 insertions(+), 16 deletions(-)
diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
index acfddfd..d78c5f0 100644
--- a/crypto/dsa/dsa_ossl.c
+++ b/crypto/dsa/dsa_ossl.c
@@ -146,7 +146,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
{
BN_CTX *ctx = NULL;
BIGNUM *k, *kinv = NULL, *r = *rp;
+ BIGNUM *l, *m;
int ret = 0;
+ int q_bits;
if (!dsa->p || !dsa->q || !dsa->g) {
DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_MISSING_PARAMETERS);
@@ -154,7 +156,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
}
k = BN_new();
- if (k == NULL)
+ l = BN_new();
+ m = BN_new();
+ if (k == NULL || l == NULL || m == NULL)
goto err;
if (ctx_in == NULL) {
@@ -163,6 +167,13 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
} else
ctx = ctx_in;
+ /* Preallocate space */
+ q_bits = BN_num_bits(dsa->q);
+ if (!BN_set_bit(k, q_bits)
+ || !BN_set_bit(l, q_bits)
+ || !BN_set_bit(m, q_bits))
+ goto err;
+
/* Get random k */
do {
if (dgst != NULL) {
@@ -189,17 +200,19 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
/*
* We do not want timing information to leak the length of k, so we
- * compute g^k using an equivalent exponent of fixed length. (This
- * is a kludge that we need because the BN_mod_exp_mont() does not
- * let us specify the desired timing behaviour.)
+ * compute G^k using an equivalent scalar of fixed bit-length.
+ *
+ * We unconditionally perform both of these additions to prevent a
+ * small timing information leakage. We then choose the sum that is
+ * one bit longer than the modulus.
+ *
+ * TODO: revisit the BN_copy aiming for a memory access agnostic
+ * conditional copy.
*/
-
- if (!BN_add(k, k, dsa->q))
+ if (!BN_add(l, k, dsa->q)
+ || !BN_add(m, l, dsa->q)
+ || !BN_copy(k, BN_num_bits(l) > q_bits ? l : m))
goto err;
- if (BN_num_bits(k) <= BN_num_bits(dsa->q)) {
- if (!BN_add(k, k, dsa->q))
- goto err;
- }
if ((dsa)->meth->bn_mod_exp != NULL) {
if (!dsa->meth->bn_mod_exp(dsa, r, dsa->g, k, dsa->p, ctx,
@@ -227,6 +240,8 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
if (ctx != ctx_in)
BN_CTX_free(ctx);
BN_clear_free(k);
+ BN_clear_free(l);
+ BN_clear_free(m);
return ret;
}
diff --git a/crypto/ec/ecdsa_ossl.c b/crypto/ec/ecdsa_ossl.c
index 89bfecc..ef91282 100644
--- a/crypto/ec/ecdsa_ossl.c
+++ b/crypto/ec/ecdsa_ossl.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2017 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -41,6 +41,7 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in,
EC_POINT *tmp_point = NULL;
const EC_GROUP *group;
int ret = 0;
+ int order_bits;
if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL) {
ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_PASSED_NULL_PARAMETER);
@@ -77,6 +78,13 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in,
goto err;
}
+ /* Preallocate space */
+ order_bits = BN_num_bits(order);
+ if (!BN_set_bit(k, order_bits)
+ || !BN_set_bit(r, order_bits)
+ || !BN_set_bit(X, order_bits))
+ goto err;
+
do {
/* get random k */
do
@@ -100,13 +108,19 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in,
/*
* We do not want timing information to leak the length of k, so we
* compute G*k using an equivalent scalar of fixed bit-length.
+ *
+ * We unconditionally perform both of these additions to prevent a
+ * small timing information leakage. We then choose the sum that is
+ * one bit longer than the order. This guarantees the code
+ * path used in the constant time implementations elsewhere.
+ *
+ * TODO: revisit the BN_copy aiming for a memory access agnostic
+ * conditional copy.
*/
-
- if (!BN_add(k, k, order))
+ if (!BN_add(r, k, order)
+ || !BN_add(X, r, order)
+ || !BN_copy(k, BN_num_bits(r) > order_bits ? r : X))
goto err;
- if (BN_num_bits(k) <= BN_num_bits(order))
- if (!BN_add(k, k, order))
- goto err;
/* compute r the x-coordinate of generator * k */
if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) {
More information about the openssl-commits
mailing list