fixup! Make BN_generate_dsa_nonce() constant time and non-biased

openssl · Apr 30, 2024 · 504662c · 504662c
1 parent 3d10823
commit 504662c
Showing 1 changed file with 12 additions and 1 deletion.
diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c
@@ -10,6 +10,7 @@
 #include <stdio.h>
 #include <time.h>
 #include "internal/cryptlib.h"
+#include "internal/endian.h"
 #include "crypto/rand.h"
 #include "bn_local.h"
 #include <openssl/rand.h>
@@ -337,12 +338,22 @@ int ossl_bn_gen_dsa_nonce_fixed_top(BIGNUM *out, const BIGNUM *range,
     }
     for (n = 0; n < max_n; n++) {
         for (done = 1; done < num_k_bytes;) {
+            unsigned char done_le[sizeof(done)];
+#if IS_BIG_ENDIAN
+            size_t i;
+
+            /* Generate the same values on BE platforms for FIPS POST KAT */
+            for (i = 0; i < sizeof(done_le); ++i)
+                done_le[i] = ((unsigned char)&done)[sizeof(done_le) - 1 - i];
+#else
+            memcpy(done_le, done, sizeof(done_le));
+#endif
             if (RAND_priv_bytes_ex(libctx, random_bytes, sizeof(random_bytes),
                                    0) <= 0)
                 goto end;
 
             if (!EVP_DigestInit_ex(mdctx, md, NULL)
-                    || !EVP_DigestUpdate(mdctx, &done, sizeof(done))
+                    || !EVP_DigestUpdate(mdctx, &done_le, sizeof(done_le))
                     || !EVP_DigestUpdate(mdctx, private_bytes,
                                          sizeof(private_bytes))
                     || !EVP_DigestUpdate(mdctx, message, message_len)