[openssl-commits] [openssl] master update
Matt Caswell
matt at openssl.org
Mon Jun 6 10:34:12 UTC 2016
The branch master has been updated
via 5584f65a1027b06fe0cfc4be28d1a232cf180e42 (commit)
via f943e640efbb5ec30bf57b59468c094083c99eb2 (commit)
via 399944622df7bd81af62e67ea967c470534090e2 (commit)
from 0a4c87a90c6cf6628c688868cd5f13e4b9a5f19d (commit)
- Log -----------------------------------------------------------------
commit 5584f65a1027b06fe0cfc4be28d1a232cf180e42
Author: Matt Caswell <matt at openssl.org>
Date: Thu May 26 10:55:11 2016 +0100
Deprecate the flags that switch off constant time
The flags RSA_FLAG_NO_CONSTTIME, DSA_FLAG_NO_EXP_CONSTTIME and
DH_FLAG_NO_EXP_CONSTTIME which previously provided the ability to switch
off the constant time implementation for RSA, DSA and DH have been made
no-ops and deprecated.
Reviewed-by: Richard Levitte <levitte at openssl.org>
commit f943e640efbb5ec30bf57b59468c094083c99eb2
Author: Matt Caswell <matt at openssl.org>
Date: Thu May 26 10:06:27 2016 +0100
Simplify dsa_ossl.c
The dsa_ossl.c file defined a couple of multi-line macros, but then only
used each one once. The macros just serve to complicate the code and make
it more difficult to understand what is really going on. Hence they are
removed.
Reviewed-by: Richard Levitte <levitte at openssl.org>
commit 399944622df7bd81af62e67ea967c470534090e2
Author: Cesar Pereida <cesar.pereida at aalto.fi>
Date: Mon May 23 12:45:25 2016 +0300
Fix DSA, preserve BN_FLG_CONSTTIME
Operations in the DSA signing algorithm should run in constant time in
order to avoid side channel attacks. A flaw in the OpenSSL DSA
implementation means that a non-constant time codepath is followed for
certain operations. This has been demonstrated through a cache-timing
attack to be sufficient for an attacker to recover the private DSA key.
CVE-2016-2178
Reviewed-by: Richard Levitte <levitte at openssl.org>
Reviewed-by: Matt Caswell <matt at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
CHANGES | 6 ++
crypto/dh/dh_key.c | 35 +++------
crypto/dsa/dsa_key.c | 20 ++----
crypto/dsa/dsa_ossl.c | 94 +++++++++---------------
crypto/rsa/rsa_crpt.c | 21 +++---
crypto/rsa/rsa_gen.c | 61 +++++++---------
crypto/rsa/rsa_ossl.c | 196 +++++++++++++++++++-------------------------------
include/openssl/dh.h | 8 ++-
include/openssl/dsa.h | 8 +--
include/openssl/rsa.h | 14 ++--
test/dhtest.c | 4 --
test/dsatest.c | 7 --
test/rsa_test.c | 6 +-
13 files changed, 178 insertions(+), 302 deletions(-)
diff --git a/CHANGES b/CHANGES
index c64d677..792f602 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,12 @@
Changes between 1.0.2h and 1.1.0 [xx XXX 2016]
+ *) The flags RSA_FLAG_NO_CONSTTIME, DSA_FLAG_NO_EXP_CONSTTIME and
+ DH_FLAG_NO_EXP_CONSTTIME which previously provided the ability to switch
+ off the constant time implementation for RSA, DSA and DH have been made
+ no-ops and deprecated.
+ [Matt Caswell]
+
*) Windows RAND implementation was simplified to only get entropy by
calling CryptGenRandom(). Various other RAND-related tickets
were also closed.
diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
index 9b79f39..1644003 100644
--- a/crypto/dh/dh_key.c
+++ b/crypto/dh/dh_key.c
@@ -113,24 +113,18 @@ static int generate_key(DH *dh)
}
{
- BIGNUM *local_prk = NULL;
- BIGNUM *prk;
+ BIGNUM *prk = BN_new();
- if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) {
- local_prk = prk = BN_new();
- if (local_prk == NULL)
- goto err;
- BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
- } else {
- prk = priv_key;
- }
+ if (prk == NULL)
+ goto err;
+ BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, prk, dh->p, ctx, mont)) {
- BN_free(local_prk);
+ BN_free(prk);
goto err;
}
- /* We MUST free local_prk before any further use of priv_key */
- BN_free(local_prk);
+ /* We MUST free prk before any further use of priv_key */
+ BN_free(prk);
}
dh->pub_key = pub_key;
@@ -175,10 +169,7 @@ static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
if (dh->flags & DH_FLAG_CACHE_MONT_P) {
mont = BN_MONT_CTX_set_locked(&dh->method_mont_p,
dh->lock, dh->p, ctx);
- if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) {
- /* XXX */
- BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
- }
+ BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
if (!mont)
goto err;
}
@@ -207,15 +198,7 @@ static int dh_bn_mod_exp(const DH *dh, BIGNUM *r,
const BIGNUM *a, const BIGNUM *p,
const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
{
- /*
- * If a is only one word long and constant time is false, use the faster
- * exponentiation function.
- */
- if (bn_get_top(a) == 1 && ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) != 0)) {
- BN_ULONG A = bn_get_words(a)[0];
- return BN_mod_exp_mont_word(r, A, p, m, ctx, m_ctx);
- } else
- return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
+ return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
}
static int dh_init(DH *dh)
diff --git a/crypto/dsa/dsa_key.c b/crypto/dsa/dsa_key.c
index 2bb8454..aa5d42c 100644
--- a/crypto/dsa/dsa_key.c
+++ b/crypto/dsa/dsa_key.c
@@ -50,24 +50,18 @@ static int dsa_builtin_keygen(DSA *dsa)
pub_key = dsa->pub_key;
{
- BIGNUM *local_prk = NULL;
- BIGNUM *prk;
+ BIGNUM *prk = BN_new();
- if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
- local_prk = prk = BN_new();
- if (local_prk == NULL)
- goto err;
- BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
- } else {
- prk = priv_key;
- }
+ if (prk == NULL)
+ goto err;
+ BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
if (!BN_mod_exp(pub_key, dsa->g, prk, dsa->p, ctx)) {
- BN_free(local_prk);
+ BN_free(prk);
goto err;
}
- /* We MUST free local_prk before any further use of priv_key */
- BN_free(local_prk);
+ /* We MUST free prk before any further use of priv_key */
+ BN_free(prk);
}
dsa->priv_key = priv_key;
diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
index ce1da1c..ea09afd 100644
--- a/crypto/dsa/dsa_ossl.c
+++ b/crypto/dsa/dsa_ossl.c
@@ -42,42 +42,6 @@ static DSA_METHOD openssl_dsa_meth = {
NULL
};
-/*-
- * These macro wrappers replace attempts to use the dsa_mod_exp() and
- * bn_mod_exp() handlers in the DSA_METHOD structure. We avoid the problem of
- * having a the macro work as an expression by bundling an "err_instr". So;
- *
- * if (!dsa->meth->bn_mod_exp(dsa, r,dsa->g,&k,dsa->p,ctx,
- * dsa->method_mont_p)) goto err;
- *
- * can be replaced by;
- *
- * DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, &k, dsa->p, ctx,
- * dsa->method_mont_p);
- */
-
-#define DSA_MOD_EXP(err_instr,dsa,rr,a1,p1,a2,p2,m,ctx,in_mont) \
- do { \
- int _tmp_res53; \
- if ((dsa)->meth->dsa_mod_exp) \
- _tmp_res53 = (dsa)->meth->dsa_mod_exp((dsa), (rr), (a1), (p1), \
- (a2), (p2), (m), (ctx), (in_mont)); \
- else \
- _tmp_res53 = BN_mod_exp2_mont((rr), (a1), (p1), (a2), (p2), \
- (m), (ctx), (in_mont)); \
- if (!_tmp_res53) err_instr; \
- } while(0)
-#define DSA_BN_MOD_EXP(err_instr,dsa,r,a,p,m,ctx,m_ctx) \
- do { \
- int _tmp_res53; \
- if ((dsa)->meth->bn_mod_exp) \
- _tmp_res53 = (dsa)->meth->bn_mod_exp((dsa), (r), (a), (p), \
- (m), (ctx), (m_ctx)); \
- else \
- _tmp_res53 = BN_mod_exp_mont((r), (a), (p), (m), (ctx), (m_ctx)); \
- if (!_tmp_res53) err_instr; \
- } while(0)
-
const DSA_METHOD *DSA_OpenSSL(void)
{
return &openssl_dsa_meth;
@@ -171,7 +135,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
const unsigned char *dgst, int dlen)
{
BN_CTX *ctx = NULL;
- BIGNUM *k, *kq, *K, *kinv = NULL, *r = *rp;
+ BIGNUM *k, *kq, *kinv = NULL, *r = *rp;
int ret = 0;
if (!dsa->p || !dsa->q || !dsa->g) {
@@ -204,10 +168,6 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
goto err;
} while (BN_is_zero(k));
- if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
- BN_set_flags(k, BN_FLG_CONSTTIME);
- }
-
if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
dsa->lock, dsa->p, ctx))
@@ -216,30 +176,35 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
/* Compute r = (g^k mod p) mod q */
- if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
- if (!BN_copy(kq, k))
- goto err;
+ if (!BN_copy(kq, k))
+ goto err;
- /*
- * We do not want timing information to leak the length of k, so we
- * compute g^k using an equivalent exponent of fixed length. (This
- * is a kludge that we need because the BN_mod_exp_mont() does not
- * let us specify the desired timing behaviour.)
- */
+ /*
+ * We do not want timing information to leak the length of k, so we
+ * compute g^k using an equivalent exponent of fixed length. (This
+ * is a kludge that we need because the BN_mod_exp_mont() does not
+ * let us specify the desired timing behaviour.)
+ */
+ if (!BN_add(kq, kq, dsa->q))
+ goto err;
+ if (BN_num_bits(kq) <= BN_num_bits(dsa->q)) {
if (!BN_add(kq, kq, dsa->q))
goto err;
- if (BN_num_bits(kq) <= BN_num_bits(dsa->q)) {
- if (!BN_add(kq, kq, dsa->q))
- goto err;
- }
+ }
+
+ BN_set_flags(kq, BN_FLG_CONSTTIME);
- K = kq;
+ if ((dsa)->meth->bn_mod_exp != NULL) {
+ if (!dsa->meth->bn_mod_exp(dsa, r, dsa->g, kq, dsa->p, ctx,
+ dsa->method_mont_p))
+ goto err;
} else {
- K = k;
+ if (!BN_mod_exp_mont(r, dsa->g, kq, dsa->p, ctx, dsa->method_mont_p))
+ goto err;
}
- DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx,
- dsa->method_mont_p);
+
+
if (!BN_mod(r, r, dsa->q, ctx))
goto err;
@@ -337,9 +302,16 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len,
goto err;
}
- DSA_MOD_EXP(goto err, dsa, t1, dsa->g, u1, dsa->pub_key, u2, dsa->p, ctx,
- mont);
- /* BN_copy(&u1,&t1); */
+ if (dsa->meth->dsa_mod_exp != NULL) {
+ if (!dsa->meth->dsa_mod_exp(dsa, t1, dsa->g, u1, dsa->pub_key, u2,
+ dsa->p, ctx, mont))
+ goto err;
+ } else {
+ if (!BN_mod_exp2_mont(t1, dsa->g, u1, dsa->pub_key, u2, dsa->p, ctx,
+ mont))
+ goto err;
+ }
+
/* let u1 = u1 mod q */
if (!BN_mod(u1, t1, dsa->q, ctx))
goto err;
diff --git a/crypto/rsa/rsa_crpt.c b/crypto/rsa/rsa_crpt.c
index aca085a..9cd733b 100644
--- a/crypto/rsa/rsa_crpt.c
+++ b/crypto/rsa/rsa_crpt.c
@@ -147,23 +147,18 @@ BN_BLINDING *RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx)
}
{
- BIGNUM *local_n = NULL, *n;
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- /* Set BN_FLG_CONSTTIME flag */
- local_n = n = BN_new();
- if (local_n == NULL) {
- RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_MALLOC_FAILURE);
- goto err;
- }
- BN_with_flags(n, rsa->n, BN_FLG_CONSTTIME);
- } else {
- n = rsa->n;
+ BIGNUM *n = BN_new();
+
+ if (n == NULL) {
+ RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_MALLOC_FAILURE);
+ goto err;
}
+ BN_with_flags(n, rsa->n, BN_FLG_CONSTTIME);
ret = BN_BLINDING_create_param(NULL, e, n, ctx, rsa->meth->bn_mod_exp,
rsa->_method_mod_n);
- /* We MUST free local_n before any further use of rsa->n */
- BN_free(local_n);
+ /* We MUST free n before any further use of rsa->n */
+ BN_free(n);
}
if (ret == NULL) {
RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_BN_LIB);
diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c
index b25d76e..5c6b619 100644
--- a/crypto/rsa/rsa_gen.c
+++ b/crypto/rsa/rsa_gen.c
@@ -137,64 +137,51 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
if (!BN_mul(r0, r1, r2, ctx))
goto err; /* (p-1)(q-1) */
{
- BIGNUM *local_r0 = NULL, *pr0;
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- pr0 = local_r0 = BN_new();
- if (local_r0 == NULL)
- goto err;
- BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
- } else {
- pr0 = r0;
- }
+ BIGNUM *pr0 = BN_new();
+
+ if (pr0 == NULL)
+ goto err;
+ BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx)) {
- BN_free(local_r0);
+ BN_free(pr0);
goto err; /* d */
}
- /* We MUST free local_r0 before any further use of r0 */
- BN_free(local_r0);
+ /* We MUST free pr0 before any further use of r0 */
+ BN_free(pr0);
}
{
- BIGNUM *local_d = NULL, *d;
- /* set up d for correct BN_FLG_CONSTTIME flag */
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- d = local_d = BN_new();
- if (local_d == NULL)
- goto err;
- BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
- } else {
- d = rsa->d;
- }
+ BIGNUM *d = BN_new();
+
+ if (d == NULL)
+ goto err;
+ BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
if ( /* calculate d mod (p-1) */
!BN_mod(rsa->dmp1, d, r1, ctx)
/* calculate d mod (q-1) */
|| !BN_mod(rsa->dmq1, d, r2, ctx)) {
- BN_free(local_d);
+ BN_free(d);
goto err;
}
- /* We MUST free local_d before any further use of rsa->d */
- BN_free(local_d);
+ /* We MUST free d before any further use of rsa->d */
+ BN_free(d);
}
{
- BIGNUM *local_p = NULL, *p;
+ BIGNUM *p = BN_new();
+
+ if (p == NULL)
+ goto err;
+ BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
/* calculate inverse of q mod p */
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- p = local_p = BN_new();
- if (local_p == NULL)
- goto err;
- BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
- } else {
- p = rsa->p;
- }
if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx)) {
- BN_free(local_p);
+ BN_free(p);
goto err;
}
- /* We MUST free local_p before any further use of rsa->p */
- BN_free(local_p);
+ /* We MUST free p before any further use of rsa->p */
+ BN_free(p);
}
ok = 1;
diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c
index 1aeaae9..d8af92d 100644
--- a/crypto/rsa/rsa_ossl.c
+++ b/crypto/rsa/rsa_ossl.c
@@ -300,33 +300,27 @@ static int rsa_ossl_private_encrypt(int flen, const unsigned char *from,
if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
goto err;
} else {
- BIGNUM *d = NULL, *local_d = NULL;
-
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- local_d = d = BN_new();
- if (d == NULL) {
- RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE);
- goto err;
- }
- BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
- } else {
- d = rsa->d;
+ BIGNUM *d = BN_new();
+ if (d == NULL) {
+ RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE);
+ goto err;
}
+ BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
if (!BN_MONT_CTX_set_locked
(&rsa->_method_mod_n, rsa->lock, rsa->n, ctx)) {
- BN_free(local_d);
+ BN_free(d);
goto err;
}
if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
rsa->_method_mod_n)) {
- BN_free(local_d);
+ BN_free(d);
goto err;
}
- /* We MUST free local_d before any further use of rsa->d */
- BN_free(local_d);
+ /* We MUST free d before any further use of rsa->d */
+ BN_free(d);
}
if (blinding)
@@ -434,32 +428,26 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
goto err;
} else {
- BIGNUM *d = NULL, *local_d = NULL;
-
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- local_d = d = BN_new();
- if (d == NULL) {
- RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE);
- goto err;
- }
- BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
- } else {
- d = rsa->d;
+ BIGNUM *d = BN_new();
+ if (d == NULL) {
+ RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE);
+ goto err;
}
+ BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
if (!BN_MONT_CTX_set_locked
(&rsa->_method_mod_n, rsa->lock, rsa->n, ctx)) {
- BN_free(local_d);
+ BN_free(d);
goto err;
}
if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
rsa->_method_mod_n)) {
- BN_free(local_d);
+ BN_free(d);
goto err;
}
- /* We MUST free local_d before any further use of rsa->d */
- BN_free(local_d);
+ /* We MUST free d before any further use of rsa->d */
+ BN_free(d);
}
if (blinding)
@@ -608,46 +596,35 @@ static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
vrfy = BN_CTX_get(ctx);
{
- BIGNUM *local_p = NULL, *local_q = NULL;
- BIGNUM *p = NULL, *q = NULL;
+ BIGNUM *p = BN_new(), *q = BN_new();
/*
* Make sure BN_mod_inverse in Montgomery initialization uses the
- * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set)
+ * BN_FLG_CONSTTIME flag
*/
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- local_p = p = BN_new();
- if (p == NULL)
- goto err;
- BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
-
- local_q = q = BN_new();
- if (q == NULL) {
- BN_free(local_p);
- goto err;
- }
- BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
- } else {
- p = rsa->p;
- q = rsa->q;
+ if (p == NULL || q == NULL) {
+ BN_free(p);
+ BN_free(q);
+ goto err;
}
+ BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
+ BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) {
if (!BN_MONT_CTX_set_locked
(&rsa->_method_mod_p, rsa->lock, p, ctx)
|| !BN_MONT_CTX_set_locked(&rsa->_method_mod_q,
rsa->lock, q, ctx)) {
- BN_free(local_p);
- BN_free(local_q);
+ BN_free(p);
+ BN_free(q);
goto err;
}
}
/*
- * We MUST free local_p and local_q before any further use of rsa->p and
- * rsa->q
+ * We MUST free p and q before any further use of rsa->p and rsa->q
*/
- BN_free(local_p);
- BN_free(local_q);
+ BN_free(p);
+ BN_free(q);
}
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
@@ -657,72 +634,58 @@ static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
/* compute I mod q */
{
- BIGNUM *local_c = NULL;
- const BIGNUM *c;
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- local_c = BN_new();
- if (local_c == NULL)
- goto err;
- BN_with_flags(local_c, I, BN_FLG_CONSTTIME);
- c = local_c;
- } else {
- c = I;
- }
+ BIGNUM *c = BN_new();
+ if (c == NULL)
+ goto err;
+ BN_with_flags(c, I, BN_FLG_CONSTTIME);
+
if (!BN_mod(r1, c, rsa->q, ctx)) {
- BN_free(local_c);
+ BN_free(c);
goto err;
}
{
- BIGNUM *local_dmq1 = NULL, *dmq1;
- /* compute r1^dmq1 mod q */
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- dmq1 = local_dmq1 = BN_new();
- if (local_dmq1 == NULL) {
- BN_free(local_c);
- goto err;
- }
- BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
- } else {
- dmq1 = rsa->dmq1;
+ BIGNUM *dmq1 = BN_new();
+ if (dmq1 == NULL) {
+ BN_free(c);
+ goto err;
}
+ BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
+
+ /* compute r1^dmq1 mod q */
if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx,
rsa->_method_mod_q)) {
- BN_free(local_c);
- BN_free(local_dmq1);
+ BN_free(c);
+ BN_free(dmq1);
goto err;
}
- /* We MUST free local_dmq1 before any further use of rsa->dmq1 */
- BN_free(local_dmq1);
+ /* We MUST free dmq1 before any further use of rsa->dmq1 */
+ BN_free(dmq1);
}
/* compute I mod p */
if (!BN_mod(r1, c, rsa->p, ctx)) {
- BN_free(local_c);
+ BN_free(c);
goto err;
}
- /* We MUST free local_c before any further use of I */
- BN_free(local_c);
+ /* We MUST free c before any further use of I */
+ BN_free(c);
}
{
- BIGNUM *local_dmp1 = NULL, *dmp1;
+ BIGNUM *dmp1 = BN_new();
+ if (dmp1 == NULL)
+ goto err;
+ BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
+
/* compute r1^dmp1 mod p */
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- dmp1 = local_dmp1 = BN_new();
- if (local_dmp1 == NULL)
- goto err;
- BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
- } else {
- dmp1 = rsa->dmp1;
- }
if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p, ctx,
rsa->_method_mod_p)) {
- BN_free(local_dmp1);
+ BN_free(dmp1);
goto err;
}
- /* We MUST free local_dmp1 before any further use of rsa->dmp1 */
- BN_free(local_dmp1);
+ /* We MUST free dmp1 before any further use of rsa->dmp1 */
+ BN_free(dmp1);
}
if (!BN_sub(r0, r0, m1))
@@ -739,22 +702,17 @@ static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
goto err;
{
- BIGNUM *local_r1 = NULL, *pr1;
- /* Turn BN_FLG_CONSTTIME flag on before division operation */
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- pr1 = local_r1 = BN_new();
- if (local_r1 == NULL)
- goto err;
- BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
- } else {
- pr1 = r1;
- }
+ BIGNUM *pr1 = BN_new();
+ if (pr1 == NULL)
+ goto err;
+ BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
+
if (!BN_mod(r0, pr1, rsa->p, ctx)) {
- BN_free(local_r1);
+ BN_free(pr1);
goto err;
}
- /* We MUST free local_r1 before any further use of r1 */
- BN_free(local_r1);
+ /* We MUST free pr1 before any further use of r1 */
+ BN_free(pr1);
}
/*
@@ -796,24 +754,18 @@ static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
* return that instead.
*/
- BIGNUM *local_d = NULL;
- BIGNUM *d = NULL;
+ BIGNUM *d = BN_new();
+ if (d == NULL)
+ goto err;
+ BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- local_d = d = BN_new();
- if (d == NULL)
- goto err;
- BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
- } else {
- d = rsa->d;
- }
if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx,
rsa->_method_mod_n)) {
- BN_free(local_d);
+ BN_free(d);
goto err;
}
- /* We MUST free local_d before any further use of rsa->d */
- BN_free(local_d);
+ /* We MUST free d before any further use of rsa->d */
+ BN_free(d);
}
}
ret = 1;
diff --git a/include/openssl/dh.h b/include/openssl/dh.h
index beb0f9f..2eb596d 100644
--- a/include/openssl/dh.h
+++ b/include/openssl/dh.h
@@ -32,7 +32,13 @@ extern "C" {
# define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024
# define DH_FLAG_CACHE_MONT_P 0x01
-# define DH_FLAG_NO_EXP_CONSTTIME 0x02
+
+# if OPENSSL_API_COMPAT < 0x10100000L
+/*
+ * Does nothing. Previously this switched off constant time behaviour.
+ */
+# define DH_FLAG_NO_EXP_CONSTTIME 0x00
+# endif
/*
* If this flag is set the DH method is FIPS compliant and can be used in
diff --git a/include/openssl/dsa.h b/include/openssl/dsa.h
index f65ee5d..48d2b56 100644
--- a/include/openssl/dsa.h
+++ b/include/openssl/dsa.h
@@ -38,12 +38,12 @@ extern "C" {
# define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS 1024
# define DSA_FLAG_CACHE_MONT_P 0x01
+# if OPENSSL_API_COMPAT < 0x10100000L
/*
- * new with 0.9.7h; the built-in DSA implementation now uses constant time
- * modular exponentiation for secret exponents by default. This flag causes
- * the faster variable sliding window method to be used for all exponents.
+ * Does nothing. Previously this switched off constant time behaviour.
*/
-# define DSA_FLAG_NO_EXP_CONSTTIME 0x02
+# define DSA_FLAG_NO_EXP_CONSTTIME 0x00
+# endif
/*
* If this flag is set the DSA method is FIPS compliant and can be used in
diff --git a/include/openssl/rsa.h b/include/openssl/rsa.h
index 6a68058..4b82081 100644
--- a/include/openssl/rsa.h
+++ b/include/openssl/rsa.h
@@ -66,18 +66,12 @@ extern "C" {
* but other engines might not need it
*/
# define RSA_FLAG_NO_BLINDING 0x0080
+# if OPENSSL_API_COMPAT < 0x10100000L
/*
- * new with 0.9.8f; the built-in RSA
- * implementation now uses constant time
- * operations by default in private key operations,
- * e.g., constant time modular exponentiation,
- * modular inverse without leaking branches,
- * division without leaking branches. This
- * flag disables these constant time
- * operations and results in faster RSA
- * private key operations.
+ * Does nothing. Previously this switched off constant time behaviour.
*/
-# define RSA_FLAG_NO_CONSTTIME 0x0100
+# define RSA_FLAG_NO_CONSTTIME 0x0000
+# endif
# if OPENSSL_API_COMPAT < 0x00908000L
/* deprecated name for the flag*/
/*
diff --git a/test/dhtest.c b/test/dhtest.c
index c0551d5..1dc395b 100644
--- a/test/dhtest.c
+++ b/test/dhtest.c
@@ -95,10 +95,6 @@ int main(int argc, char *argv[])
goto err;
bp = bg = NULL;
- /* Set a to run with normal modexp and b to use constant time */
- DH_clear_flags(a, DH_FLAG_NO_EXP_CONSTTIME);
- DH_set_flags(b, DH_FLAG_NO_EXP_CONSTTIME);
-
if (!DH_generate_key(a))
goto err;
DH_get0_key(a, &apub_key, &priv_key);
diff --git a/test/dsatest.c b/test/dsatest.c
index c64a911..b99c467 100644
--- a/test/dsatest.c
+++ b/test/dsatest.c
@@ -147,13 +147,6 @@ int main(int argc, char **argv)
goto end;
}
- DSA_set_flags(dsa, DSA_FLAG_NO_EXP_CONSTTIME);
- DSA_generate_key(dsa);
- DSA_sign(0, str1, 20, sig, &siglen, dsa);
- if (DSA_verify(0, str1, 20, sig, siglen, dsa) == 1)
- ret = 1;
-
- DSA_clear_flags(dsa, DSA_FLAG_NO_EXP_CONSTTIME);
DSA_generate_key(dsa);
DSA_sign(0, str1, 20, sig, &siglen, dsa);
if (DSA_verify(0, str1, 20, sig, siglen, dsa) == 1)
diff --git a/test/rsa_test.c b/test/rsa_test.c
index c8e68db..7d06394 100644
--- a/test/rsa_test.c
+++ b/test/rsa_test.c
@@ -241,9 +241,9 @@ int main(int argc, char *argv[])
plen = sizeof(ptext_ex) - 1;
- for (v = 0; v < 6; v++) {
+ for (v = 0; v < 3; v++) {
key = RSA_new();
- switch (v % 3) {
+ switch (v) {
case 0:
clen = key1(key, ctext_ex);
break;
@@ -254,8 +254,6 @@ int main(int argc, char *argv[])
clen = key3(key, ctext_ex);
break;
}
- if (v / 3 >= 1)
- RSA_set_flags(key, RSA_FLAG_NO_CONSTTIME);
num = RSA_public_encrypt(plen, ptext_ex, ctext, key,
RSA_PKCS1_PADDING);
More information about the openssl-commits
mailing list