[openssl-commits] [openssl] master update

Wed Feb 21 12:08:12 UTC 2018

The branch master has been updated
       via  8db7946ee879ce483f4c81141926e1357aa6b941 (commit)
      from  ee763495250b29fd32cb4026f17678ba30a59342 (commit)


- Log -----------------------------------------------------------------
commit 8db7946ee879ce483f4c81141926e1357aa6b941
Author: Samuel Weiser <samuel.weiser at iaik.tugraz.at>
Date:   Wed Feb 21 11:56:01 2018 +0000

    Replaced variable-time GCD with consttime inversion to avoid side-channel attacks on RSA key generation
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>
    Reviewed-by: Kurt Roeckx <kurt at roeckx.be>
    (Merged from https://github.com/openssl/openssl/pull/5161)

-----------------------------------------------------------------------

Summary of changes:
 crypto/rsa/rsa_gen.c | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c
index 4b9296e..0539027 100644
--- a/crypto/rsa/rsa_gen.c
+++ b/crypto/rsa/rsa_gen.c
@@ -71,6 +71,7 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, int primes, BIGNUM *e_value,
     STACK_OF(RSA_PRIME_INFO) *prime_infos = NULL;
     BN_CTX *ctx = NULL;
     BN_ULONG bitst = 0;
+    unsigned long error = 0;
 
     if (bits < RSA_MIN_MODULUS_BITS) {
         ok = 0;             /* we set our own err */
@@ -186,10 +187,20 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, int primes, BIGNUM *e_value,
             }
             if (!BN_sub(r2, prime, BN_value_one()))
                 goto err;
-            if (!BN_gcd(r1, r2, rsa->e, ctx))
-                goto err;
-            if (BN_is_one(r1))
+            ERR_set_mark();
+            BN_set_flags(r2, BN_FLG_CONSTTIME);
+            if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) {
+               /* GCD == 1 since inverse exists */
                 break;
+            }
+            error = ERR_peek_last_error();
+            if (ERR_GET_LIB(error) == ERR_LIB_BN
+                && ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
+                /* GCD != 1 */
+                ERR_pop_to_mark();
+            } else {
+                goto err;
+            }
             if (!BN_GENCB_call(cb, 2, n++))
                 goto err;
         }
