MFC: Avoid a timing side-channel leak when generating DSA and ECDSA

signatures. This is caused by an attempt to do fast modular arithmetic, which introduces branches that leak information regarding secret values. Issue identified and reported by Keegan Ryan of NCC Group. ok beck@ tb@
libressl · Jun 13, 2018 · 6630862 · 6630862
1 parent 716bac9
commit 6630862
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 7 deletions.
diff --git a/src/lib/libcrypto/dsa/dsa_ossl.c b/src/lib/libcrypto/dsa/dsa_ossl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa_ossl.c,v 1.29 2017/01/21 11:00:46 beck Exp $ */
+/* $OpenBSD: dsa_ossl.c,v 1.30 2017/01/29 17:49:22 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -142,11 +142,8 @@ dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
 	/* Compute  s = inv(k) (m + xr) mod q */
 	if (!BN_mod_mul(&xr, dsa->priv_key, r, dsa->q, ctx))	/* s = xr */
 		goto err;
-	if (!BN_add(s, &xr, &m))				/* s = m + xr */
+	if (!BN_mod_add(s, &xr, &m, dsa->q, ctx))		/* s = m + xr */
 		goto err;
-	if (BN_cmp(s, dsa->q) > 0)
-		if (!BN_sub(s, s, dsa->q))
-			goto err;
 	if (!BN_mod_mul(s, s, kinv, dsa->q, ctx))
 		goto err;
 

diff --git a/src/lib/libcrypto/ecdsa/ecs_ossl.c b/src/lib/libcrypto/ecdsa/ecs_ossl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecs_ossl.c,v 1.8 2017/01/21 11:00:47 beck Exp $ */
+/* $OpenBSD: ecs_ossl.c,v 1.9 2017/01/29 17:49:23 beck Exp $ */
 /*
  * Written by Nils Larsch for the OpenSSL project
  */
@@ -273,7 +273,7 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
 			ECDSAerror(ERR_R_BN_LIB);
 			goto err;
 		}
-		if (!BN_mod_add_quick(s, tmp, m, order)) {
+		if (!BN_mod_add(s, tmp, m, order, ctx)) {
 			ECDSAerror(ERR_R_BN_LIB);
 			goto err;
 		}