diff options
author | Bernd Edlinger <bernd.edlinger@hotmail.de> | 2019-09-06 08:46:46 +0200 |
---|---|---|
committer | Bernd Edlinger <bernd.edlinger@hotmail.de> | 2019-09-06 18:41:33 +0200 |
commit | f9d1cbe64eebc9e40c7e1f0da4f8f3d98b903b91 (patch) | |
tree | 569211cb77a72337b266e686f7cee280c885fe54 | |
parent | 8bb913a3d7c29c189c7ac656c726f4a2bfcdd73b (diff) | |
download | openssl-new-f9d1cbe64eebc9e40c7e1f0da4f8f3d98b903b91.tar.gz |
Fix a SCA leak in BN_generate_dsa_nonce
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/9782)
(cherry picked from commit 31ca19403d56ad71d823cf62990518dfc6905bb4)
-rw-r--r-- | crypto/bn/bn_rand.c | 5 |
1 files changed, 1 insertions, 4 deletions
diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c index 9ce4c5f606..bff1d249af 100644 --- a/crypto/bn/bn_rand.c +++ b/crypto/bn/bn_rand.c @@ -215,8 +215,7 @@ int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range, goto err; /* We copy |priv| into a local buffer to avoid exposing its length. */ - todo = sizeof(priv->d[0]) * priv->top; - if (todo > sizeof(private_bytes)) { + if (BN_bn2binpad(priv, private_bytes, sizeof(private_bytes)) < 0) { /* * No reasonable DSA or ECDSA key should have a private key this * large and we don't handle this case in order to avoid leaking the @@ -225,8 +224,6 @@ int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range, BNerr(BN_F_BN_GENERATE_DSA_NONCE, BN_R_PRIVATE_KEY_TOO_LARGE); goto err; } - memcpy(private_bytes, priv->d, todo); - memset(private_bytes + todo, 0, sizeof(private_bytes) - todo); for (done = 0; done < num_k_bytes;) { if (RAND_bytes(random_bytes, sizeof(random_bytes)) != 1) |