Fix SCA vulnerability when using PVK and MSBLOB key formats

This commit addresses a side-channel vulnerability present when PVK and MSBLOB key formats are loaded into OpenSSL. The public key was not computed using a constant-time exponentiation function. This issue was discovered and reported by the NISEC group at TAU Finland. Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9587) (cherry picked from commit 724339ff44235149c4e8ddae614e1dda6863e23e)
author: Cesar Pereida Garcia <cesar.pereidagarcia@tut.fi> 2019-08-14 10:17:06 +0300
committer: Matt Caswell <matt@openssl.org> 2019-08-27 09:13:34 +0100
commit: 51e236df41871871dabd2f5f7156e27a0eef3b3b (patch)
tree: 654e61541217ee222ed4c33318eb2260e69a1935
parent: 4bdab2571782393e4ba3acb8578c415ce1575a75 (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/crypto/pem/pvkfmt.c b/crypto/pem/pvkfmt.c
index e39c243814..609e3ad9ca 100644
--- a/crypto/pem/pvkfmt.c
+++ b/crypto/pem/pvkfmt.c
@@ -274,6 +274,9 @@ static EVP_PKEY *b2i_dss(const unsigned char **in,
         if (!read_lebn(&p, 20, &priv_key))
             goto memerr;
 
+        /* Set constant time flag before public key calculation */
+        BN_set_flags(priv_key, BN_FLG_CONSTTIME);
+
         /* Calculate public key */
         pub_key = BN_new();
         if (pub_key == NULL)
author	Cesar Pereida Garcia <cesar.pereidagarcia@tut.fi>	2019-08-14 10:17:06 +0300
committer	Matt Caswell <matt@openssl.org>	2019-08-27 09:13:34 +0100
commit	51e236df41871871dabd2f5f7156e27a0eef3b3b (patch)
tree	654e61541217ee222ed4c33318eb2260e69a1935
parent	4bdab2571782393e4ba3acb8578c415ce1575a75 (diff)