[openssl] OpenSSL_1_1_1-stable update
bernd.edlinger at hotmail.de
Fri Sep 6 16:41:25 UTC 2019
The branch OpenSSL_1_1_1-stable has been updated
via 9e1403d91a42d917e684a37a99fa98a0025253c0 (commit)
from 1bb2acb9987cc9d7f638b066ef396ca7f3243955 (commit)
- Log -----------------------------------------------------------------
commit 9e1403d91a42d917e684a37a99fa98a0025253c0
Author: Bernd Edlinger <bernd.edlinger at hotmail.de>
Date: Fri Sep 6 08:46:46 2019 +0200
Fix a SCA leak in BN_generate_dsa_nonce
Reviewed-by: Matt Caswell <matt at openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv at gmail.com>
(Merged from https://github.com/openssl/openssl/pull/9782)
(cherry picked from commit 31ca19403d56ad71d823cf62990518dfc6905bb4)
-----------------------------------------------------------------------
Summary of changes:
crypto/bn/bn_rand.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c
index c0d1a32292..214768311a 100644
--- a/crypto/bn/bn_rand.c
+++ b/crypto/bn/bn_rand.c
@@ -225,8 +225,7 @@ int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range,
goto err;
/* We copy |priv| into a local buffer to avoid exposing its length. */
- todo = sizeof(priv->d[0]) * priv->top;
- if (todo > sizeof(private_bytes)) {
+ if (BN_bn2binpad(priv, private_bytes, sizeof(private_bytes)) < 0) {
/*
* No reasonable DSA or ECDSA key should have a private key this
* large and we don't handle this case in order to avoid leaking the
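Review bot: the comment above the new `BN_bn2binpad` call still says only that |priv| is copied "to avoid exposing its length", and the commit message is just "Fix a SCA leak", so nothing records what the removed lines were leaking. The removed `todo = sizeof(priv->d[0]) * priv->top` made the copy size depend on `priv->top`, that is, on how many words of the private key are in use. I'd extend the comment to say that `BN_bn2binpad` is chosen because it always writes `sizeof(private_bytes)` bytes whatever `priv->top` is. It is also worth stating there that a negative return is treated as "key too large", since `BN_R_PRIVATE_KEY_TOO_LARGE` is the only error this branch reports.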
@@ -235,8 +234,6 @@ int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range,
BNerr(BN_F_BN_GENERATE_DSA_NONCE, BN_R_PRIVATE_KEY_TOO_LARGE);
goto err;
}
- memcpy(private_bytes, priv->d, todo);
- memset(private_bytes + todo, 0, sizeof(private_bytes) - todo);
for (done = 0; done < num_k_bytes;) {
if (RAND_priv_bytes(random_bytes, sizeof(random_bytes)) != 1)
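Review bot: removing the `memcpy`/`memset` pair changes the contents of `private_bytes`, not only how it is filled, and nothing in the patch says so. The old lines stored the raw word array from `priv->d` followed by trailing zeros, while `BN_bn2binpad` writes a big-endian value with leading zeros, so whatever consumes `private_bytes` in the loop that follows sees different bytes for the same key. That is harmless for a nonce derivation, but please mention it in the commit message and check that no known-answer test depends on the old layout. The diffstat lists only `crypto/bn/bn_rand.c`, so no test accompanies the change; one that calls this function with a short and a full-length private key would cover the padded path.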