[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

Matt Caswell matt at openssl.org
Wed Nov 1 16:40:24 UTC 2017


The branch OpenSSL_1_1_0-stable has been updated
       via  ab9195255a2616fc1b5511407b2ded4ea2765ad1 (commit)
       via  71844800d543162f709c6a223d993a50506028c2 (commit)
      from  bb0c588ab2c6dae55bb8adbcf72cab3bca390e0f (commit)


- Log -----------------------------------------------------------------
commit ab9195255a2616fc1b5511407b2ded4ea2765ad1
Author: Pauli <paul.dale at oracle.com>
Date:   Wed Nov 1 06:58:39 2017 +1000

    Address a timing side channel whereby it is possible to determine some
    
    information about the length of the scalar used in ECDSA operations
    from a large number (2^32) of signatures.
    
    This doesn't rate as a CVE because:
    
    * For the non-constant time code, there are easier ways to extract
      more information.
    
    * For the constant time code, it requires a significant number of signatures
      to leak a small amount of information.
    
    Thanks to Neals Fournaise, Eliane Jaulmes and Jean-Rene Reinhard for
    reporting this issue.
    
    Reviewed-by: Andy Polyakov <appro at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/4576)
    
    (cherry picked from commit 4a089bbdf11f9e231cc68f42bba934c954d81a49)

commit 71844800d543162f709c6a223d993a50506028c2
Author: Pauli <paul.dale at oracle.com>
Date:   Wed Nov 1 06:58:13 2017 +1000

     Address a timing side channel whereby it is possible to determine some
    
    information about the length of a value used in DSA operations from
    a large number of signatures.
    
    This doesn't rate as a CVE because:
    
    * For the non-constant time code, there are easier ways to extract
      more information.
    
    * For the constant time code, it requires a significant number of signatures
      to leak a small amount of information.
    
    Thanks to Neals Fournaise, Eliane Jaulmes and Jean-Rene Reinhard for
    reporting this issue.
    
    Reviewed-by: Andy Polyakov <appro at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/4576)
    
    (cherry picked from commit c0caa945f6ef30363e0d01d75155f20248403df4)

-----------------------------------------------------------------------

Summary of changes:
 crypto/dsa/dsa_ossl.c  | 35 +++++++++++++++++++++++++----------
 crypto/ec/ecdsa_ossl.c | 26 ++++++++++++++++++++------
 2 files changed, 45 insertions(+), 16 deletions(-)

diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
index 4793377..7f48cf2 100644
--- a/crypto/dsa/dsa_ossl.c
+++ b/crypto/dsa/dsa_ossl.c
@@ -148,7 +148,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
 {
     BN_CTX *ctx = NULL;
     BIGNUM *k, *kinv = NULL, *r = *rp;
+    BIGNUM *l, *m;
     int ret = 0;
+    int q_bits;
 
     if (!dsa->p || !dsa->q || !dsa->g) {
         DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_MISSING_PARAMETERS);
@@ -156,7 +158,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
     }
 
     k = BN_new();
-    if (k == NULL)
+    l = BN_new();
+    m = BN_new();
+    if (k == NULL || l == NULL || m == NULL)
         goto err;
 
     if (ctx_in == NULL) {
@@ -165,6 +169,13 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
     } else
         ctx = ctx_in;
 
+    /* Preallocate space */
+    q_bits = BN_num_bits(dsa->q);
+    if (!BN_set_bit(k, q_bits)
+        || !BN_set_bit(l, q_bits)
+        || !BN_set_bit(m, q_bits))
+        goto err;
+
     /* Get random k */
     do {
         if (dgst != NULL) {
@@ -191,17 +202,19 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
 
     /*
      * We do not want timing information to leak the length of k, so we
-     * compute g^k using an equivalent exponent of fixed length. (This
-     * is a kludge that we need because the BN_mod_exp_mont() does not
-     * let us specify the desired timing behaviour.)
+     * compute G^k using an equivalent scalar of fixed bit-length.
+     *
+     * We unconditionally perform both of these additions to prevent a
+     * small timing information leakage.  We then choose the sum that is
+     * one bit longer than the modulus.
+     *
+     * TODO: revisit the BN_copy aiming for a memory access agnostic
+     * conditional copy.
      */
-
-    if (!BN_add(k, k, dsa->q))
+    if (!BN_add(l, k, dsa->q)
+        || !BN_add(m, l, dsa->q)
+        || !BN_copy(k, BN_num_bits(l) > q_bits ? l : m))
         goto err;
-    if (BN_num_bits(k) <= BN_num_bits(dsa->q)) {
-        if (!BN_add(k, k, dsa->q))
-            goto err;
-    }
 
     if ((dsa)->meth->bn_mod_exp != NULL) {
             if (!dsa->meth->bn_mod_exp(dsa, r, dsa->g, k, dsa->p, ctx,
@@ -229,6 +242,8 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
     if (ctx != ctx_in)
         BN_CTX_free(ctx);
     BN_clear_free(k);
+    BN_clear_free(l);
+    BN_clear_free(m);
     return ret;
 }
 
diff --git a/crypto/ec/ecdsa_ossl.c b/crypto/ec/ecdsa_ossl.c
index d67c485..72e2f0f 100644
--- a/crypto/ec/ecdsa_ossl.c
+++ b/crypto/ec/ecdsa_ossl.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2017 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -41,6 +41,7 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in,
     EC_POINT *tmp_point = NULL;
     const EC_GROUP *group;
     int ret = 0;
+    int order_bits;
 
     if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL) {
         ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_PASSED_NULL_PARAMETER);
@@ -77,6 +78,13 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in,
         goto err;
     }
 
+    /* Preallocate space */
+    order_bits = BN_num_bits(order);
+    if (!BN_set_bit(k, order_bits)
+        || !BN_set_bit(r, order_bits)
+        || !BN_set_bit(X, order_bits))
+        goto err;
+
     do {
         /* get random k */
         do
@@ -100,13 +108,19 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in,
         /*
          * We do not want timing information to leak the length of k, so we
          * compute G*k using an equivalent scalar of fixed bit-length.
+         *
+         * We unconditionally perform both of these additions to prevent a
+         * small timing information leakage.  We then choose the sum that is
+         * one bit longer than the order.  This guarantees the code
+         * path used in the constant time implementations elsewhere.
+         *
+         * TODO: revisit the BN_copy aiming for a memory access agnostic
+         * conditional copy.
          */
-
-        if (!BN_add(k, k, order))
+        if (!BN_add(r, k, order)
+            || !BN_add(X, r, order)
+            || !BN_copy(k, BN_num_bits(r) > order_bits ? r : X))
             goto err;
-        if (BN_num_bits(k) <= BN_num_bits(order))
-            if (!BN_add(k, k, order))
-                goto err;
 
         /* compute r the x-coordinate of generator * k */
         if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) {


More information about the openssl-commits mailing list