File 0001-DSA-mod-inverse-fix.patch of Package openssl-1_1.13606

From 84862c0979737b591acb689aef41ae2644176f32 Mon Sep 17 00:00:00 2001
From: Pauli <paul.dale@oracle.com>
Date: Mon, 29 Oct 2018 06:50:51 +1000
Subject: [PATCH] DSA mod inverse fix

There is a side channel attack against the division used to calculate one of
the modulo inverses in the DSA algorithm.  This change takes advantage of the
primality of the modulo and Fermat's little theorem to calculate the inverse
without leaking information.

Thanks to Samuel Weiser for finding and reporting this.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/7487)

(cherry picked from commit 415c33563528667868c3c653a612e6fc8736fd79)
---
 crypto/dsa/dsa_ossl.c | 32 +++++++++++++++++++++++++++++++-
 1 file changed, 31 insertions(+), 1 deletion(-)

Index: openssl-1.1.0i/crypto/dsa/dsa_ossl.c
===================================================================
--- openssl-1.1.0i.orig/crypto/dsa/dsa_ossl.c	2018-11-05 12:00:07.489661029 +0100
+++ openssl-1.1.0i/crypto/dsa/dsa_ossl.c	2018-11-05 12:00:07.521661205 +0100
@@ -29,6 +29,8 @@ static int dsa_do_verify(const unsigned
                          DSA_SIG *sig, DSA *dsa);
 static int dsa_init(DSA *dsa);
 static int dsa_finish(DSA *dsa);
+static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q,
+                                      BN_CTX *ctx);
 
 static DSA_METHOD openssl_dsa_meth = {
     "OpenSSL DSA method",
@@ -280,7 +282,7 @@ static int dsa_sign_setup(DSA *dsa, BN_C
         goto err;
 
     /* Compute  part of 's = inv(k) (m + xr) mod q' */
-    if ((kinv = BN_mod_inverse(NULL, k, dsa->q, ctx)) == NULL)
+    if ((kinv = dsa_mod_inverse_fermat(k, dsa->q, ctx)) == NULL)
         goto err;
 
     BN_clear_free(*kinvp);
@@ -428,3 +430,31 @@ static int dsa_finish(DSA *dsa)
     BN_MONT_CTX_free(dsa->method_mont_p);
     return (1);
 }
+
+/*
+ * Compute the inverse of k modulo q.
+ * Since q is prime, Fermat's Little Theorem applies, which reduces this to
+ * mod-exp operation.  Both the exponent and modulus are public information
+ * so a mod-exp that doesn't leak the base is sufficient.  A newly allocated
+ * BIGNUM is returned which the caller must free.
+ */
+static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q,
+                                      BN_CTX *ctx)
+{
+    BIGNUM *res = NULL;
+    BIGNUM *r, *e;
+
+    if ((r = BN_new()) == NULL)
+        return NULL;
+
+    BN_CTX_start(ctx);
+    if ((e = BN_CTX_get(ctx)) != NULL
+            && BN_set_word(r, 2)
+            && BN_sub(e, q, r)
+            && BN_mod_exp_mont(r, k, e, q, ctx, NULL))
+        res = r;
+    else
+        BN_free(r);
+    BN_CTX_end(ctx);
+    return res;
+}