Skip to content

Commit

Permalink
deps: float 415c3356 from openssl (DSA vulnerability)
Browse files Browse the repository at this point in the history
Low severity timing vulnerability in the DSA signature algorithm

Publicly disclosed but unreleased, pending OpenSSL 1.1.0j, not deemed
severe enough to be assigned a CVE #.

Ref: openssl/openssl#7487
PR-URL: https://github.com/nodejs/node/pull/???
Upstream: openssl/openssl@415c3356

Original commit message:

    DSA mod inverse fix

    There is a side channel attack against the division used to calculate one of
    the modulo inverses in the DSA algorithm.  This change takes advantage of the
    primality of the modulo and Fermat's little theorem to calculate the inverse
    without leaking information.

    Thanks to Samuel Weiser for finding and reporting this.

    Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
    Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
    (Merged from openssl/openssl#7487)

PR-URL: #23965
Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
  • Loading branch information
rvagg authored and Trott committed Nov 4, 2018
1 parent c1e6703 commit e2260e9
Showing 1 changed file with 31 additions and 1 deletion.
32 changes: 31 additions & 1 deletion deps/openssl/openssl/crypto/dsa/dsa_ossl.c
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,8 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len,
DSA_SIG *sig, DSA *dsa);
static int dsa_init(DSA *dsa);
static int dsa_finish(DSA *dsa);
static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q,
BN_CTX *ctx);

static DSA_METHOD openssl_dsa_meth = {
"OpenSSL DSA method",
Expand Down Expand Up @@ -261,7 +263,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
goto err;

/* Compute part of 's = inv(k) (m + xr) mod q' */
if ((kinv = BN_mod_inverse(NULL, k, dsa->q, ctx)) == NULL)
if ((kinv = dsa_mod_inverse_fermat(k, dsa->q, ctx)) == NULL)
goto err;

BN_clear_free(*kinvp);
Expand Down Expand Up @@ -395,3 +397,31 @@ static int dsa_finish(DSA *dsa)
BN_MONT_CTX_free(dsa->method_mont_p);
return (1);
}

/*
* Compute the inverse of k modulo q.
* Since q is prime, Fermat's Little Theorem applies, which reduces this to
* mod-exp operation. Both the exponent and modulus are public information
* so a mod-exp that doesn't leak the base is sufficient. A newly allocated
* BIGNUM is returned which the caller must free.
*/
static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q,
BN_CTX *ctx)
{
BIGNUM *res = NULL;
BIGNUM *r, *e;

if ((r = BN_new()) == NULL)
return NULL;

BN_CTX_start(ctx);
if ((e = BN_CTX_get(ctx)) != NULL
&& BN_set_word(r, 2)
&& BN_sub(e, q, r)
&& BN_mod_exp_mont(r, k, e, q, ctx, NULL))
res = r;
else
BN_free(r);
BN_CTX_end(ctx);
return res;
}

0 comments on commit e2260e9

Please sign in to comment.