Commit 51e236df authored Aug 14, 2019 by Cesar Pereida Garcia Committed by Matt Caswell Aug 27, 2019

Fix SCA vulnerability when using PVK and MSBLOB key formats



This commit addresses a side-channel vulnerability present when
PVK and MSBLOB key formats are loaded into OpenSSL.
The public key was not computed using a constant-time exponentiation
function.

This issue was discovered and reported by the NISEC group at TAU Finland.

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9587)

(cherry picked from commit 724339ff44235149c4e8ddae614e1dda6863e23e)

parent 4bdab257

crypto/pem/pvkfmt.c

+3 −0

Original line number	Original line	Diff line number	Diff line
	@@ -274,6 +274,9 @@ static EVP_PKEY b2i_dss(const unsigned char *in,
	if (!read_lebn(&p, 20, &priv_key))		if (!read_lebn(&p, 20, &priv_key))
	goto memerr;		goto memerr;

			/* Set constant time flag before public key calculation */
			BN_set_flags(priv_key, BN_FLG_CONSTTIME);

	/* Calculate public key */		/* Calculate public key */
	pub_key = BN_new();		pub_key = BN_new();
	if (pub_key == NULL)		if (pub_key == NULL)