Fix a SCA leak in BN_generate_dsa_nonce

Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/9782)
author: Bernd Edlinger <bernd.edlinger@hotmail.de> 2019-09-06 08:46:46 +0200
committer: Bernd Edlinger <bernd.edlinger@hotmail.de> 2019-09-06 18:38:59 +0200
commit: 31ca19403d56ad71d823cf62990518dfc6905bb4 (patch)
tree: 3a1de0cce7d3ebb6c24ca78dd8eea3c0acbf0dac /crypto/bn
parent: d2baf88c43e5a40cfc3bcd4ca35cbae53161941c (diff)
1 files changed, 1 insertions, 4 deletions
diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c
index fa75a3b10e..2b3e6f2076 100644
--- a/crypto/bn/bn_rand.c
+++ b/crypto/bn/bn_rand.c
@@ -264,8 +264,7 @@ int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range,
         goto err;
 
     /* We copy |priv| into a local buffer to avoid exposing its length. */
-    todo = sizeof(priv->d[0]) * priv->top;
-    if (todo > sizeof(private_bytes)) {
+    if (BN_bn2binpad(priv, private_bytes, sizeof(private_bytes)) < 0) {
         /*
          * No reasonable DSA or ECDSA key should have a private key this
          * large and we don't handle this case in order to avoid leaking the
@@ -274,8 +273,6 @@ int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range,
         BNerr(BN_F_BN_GENERATE_DSA_NONCE, BN_R_PRIVATE_KEY_TOO_LARGE);
         goto err;
     }
-    memcpy(private_bytes, priv->d, todo);
-    memset(private_bytes + todo, 0, sizeof(private_bytes) - todo);
 
     md = EVP_MD_fetch(libctx, "SHA512", NULL);
     if (md == NULL) {
author	Bernd Edlinger <bernd.edlinger@hotmail.de>	2019-09-06 08:46:46 +0200
committer	Bernd Edlinger <bernd.edlinger@hotmail.de>	2019-09-06 18:38:59 +0200
commit	31ca19403d56ad71d823cf62990518dfc6905bb4 (patch)
tree	3a1de0cce7d3ebb6c24ca78dd8eea3c0acbf0dac /crypto/bn
parent	d2baf88c43e5a40cfc3bcd4ca35cbae53161941c (diff)