authorjsing <jsing@openbsd.org>2018-06-13 15:05:04 +0000
committerjsing <jsing@openbsd.org>2018-06-13 15:05:04 +0000
commitf29541e5410001a6dd97e432b00d00cf05a54a86 (patch)
tree9c30fa2dead90c60071c0331bfd103ce95c0d3a7 /lib/libcrypto/dsa/dsa_ossl.c
parentCall pledge(2) earlier before opening the auth channel and readpassphrase() (diff)
Avoid a timing side-channel leak when generating DSA and ECDSA signatures.
This is caused by an attempt to do fast modular arithmetic, which introduces branches that leak information regarding secret values. Issue identified and reported by Keegan Ryan of NCC Group. ok beck@ tb@
Diffstat (limited to 'lib/libcrypto/dsa/dsa_ossl.c')
-rw-r--r--lib/libcrypto/dsa/dsa_ossl.c7
1 files changed, 2 insertions, 5 deletions
diff --git a/lib/libcrypto/dsa/dsa_ossl.c b/lib/libcrypto/dsa/dsa_ossl.c
index 301cdd50950..505ef800dca 100644
--- a/lib/libcrypto/dsa/dsa_ossl.c
+++ b/lib/libcrypto/dsa/dsa_ossl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa_ossl.c,v 1.31 2018/04/28 14:22:21 tb Exp $ */
+/* $OpenBSD: dsa_ossl.c,v 1.32 2018/06/13 15:05:04 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -142,11 +142,8 @@ redo:
/* Compute s = inv(k) (m + xr) mod q */
if (!BN_mod_mul(&xr, dsa->priv_key, r, dsa->q, ctx)) /* s = xr */
goto err;
- if (!BN_add(s, &xr, &m)) /* s = m + xr */
+ if (!BN_mod_add(s, &xr, &m, dsa->q, ctx)) /* s = m + xr */
goto err;
- if (BN_cmp(s, dsa->q) > 0)
- if (!BN_sub(s, s, dsa->q))
- goto err;
if (!BN_mod_mul(s, s, kinv, dsa->q, ctx))
goto err;
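Review bot: The new `BN_mod_add(s, &xr, &m, dsa->q, ctx)` removes the visible data-dependent `BN_cmp`/`BN_sub` branch, but in this BN lineage BN_mod_add is BN_add followed by BN_nnmod/BN_div, and BN_div only takes its branch-free path when BN_FLG_CONSTTIME is set on an operand; no visible line sets that flag on `s`, `&xr` or `dsa->q`, so the reduction should be confirmed constant-time rather than assumed from the helper's name. If it is not, `BN_set_flags(s, BN_FLG_CONSTTIME);` immediately before the call would select the no-branch division path for the secret-dependent sum. A constant-time conditional subtraction would be the cheaper alternative, but `&m` is built outside the hunk, so whether `m + xr` is bounded by 2q cannot be confirmed here. The line also deserves a why-comment so nobody reintroduces the "fast" form, e.g. `/* Must not branch on the value: xr depends on priv_key and a data-dependent reduction leaks nonce/key bits. */`. The enclosing signing function begins before the hunk (at the `redo:` label) and continues after it.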