Fix SCA vulnerability when using PVK and MSBLOB key formats

This commit addresses a side-channel vulnerability present when PVK and MSBLOB key formats are loaded into OpenSSL. The public key was not computed using a constant-time exponentiation function. This issue was discovered and reported by the NISEC group at TAU Finland. Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9638)
author: Cesar Pereida Garcia <cesar.pereidagarcia@tut.fi> 2019-08-19 10:33:14 +0300
committer: Matt Caswell <matt@openssl.org> 2019-08-27 09:25:51 +0100
commit: 55611d549bcf65e0de04938adbf403ccf02f241b (patch)
tree: c9e7997b7b205a7480efbf95a0f2d116eb5417d8
parent: 7fafaf27c2c2990fde2798424a38ce8443dae595 (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/crypto/pem/pvkfmt.c b/crypto/pem/pvkfmt.c
index f376f594b1..ff5674a99f 100644
--- a/crypto/pem/pvkfmt.c
+++ b/crypto/pem/pvkfmt.c
@@ -327,6 +327,8 @@ static EVP_PKEY *b2i_dss(const unsigned char **in, unsigned int length,
     } else {
         if (!read_lebn(&p, 20, &dsa->priv_key))
             goto memerr;
+        /* Set constant time flag before public key calculation */
+        BN_set_flags(dsa->priv_key, BN_FLG_CONSTTIME);
         /* Calculate public key */
         if (!(dsa->pub_key = BN_new()))
             goto memerr;
author	Cesar Pereida Garcia <cesar.pereidagarcia@tut.fi>	2019-08-19 10:33:14 +0300
committer	Matt Caswell <matt@openssl.org>	2019-08-27 09:25:51 +0100
commit	55611d549bcf65e0de04938adbf403ccf02f241b (patch)
tree	c9e7997b7b205a7480efbf95a0f2d116eb5417d8
parent	7fafaf27c2c2990fde2798424a38ce8443dae595 (diff)