[openssl-commits] [openssl] OpenSSL_1_0_2-stable update

Matt Caswell matt at openssl.org
Tue Jan 16 16:54:33 UTC 2018

The branch OpenSSL_1_0_2-stable has been updated
       via  8837a048ce7ff8d06acf81451d12e617b281444d (commit)
      from  da9ed72576a6b21a44df5eb913727838e99ff7c8 (commit)

- Log -----------------------------------------------------------------
commit 8837a048ce7ff8d06acf81451d12e617b281444d
Author: Matt Caswell <matt at openssl.org>
Date:   Mon Jan 15 11:23:07 2018 +0000

    Revert BN_copy() flag copy semantics change
    Commit 9f9442918a changed the semantics of BN_copy() to additionally
    copy the BN_FLG_CONSTTIME flag if it is set. This turns out to be
    ill advised as it has unintended consequences. For example calling
    BN_mod_inverse_no_branch() can sometimes return a result with the flag
    set and sometimes not as a result. This can lead to later failures if we
    go down code branches that do not support constant time, but check for
    the presence of the flag.
    The original commit was made due to an issue in BN_MOD_CTX_set(). The
    original PR fixed the problem in that function, but it was changed in
    review to fix it in BN_copy() instead. The solution seems to be to revert
    the BN_copy() change and go back to the originally proposed way.
    Reviewed-by: Paul Dale <paul.dale at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/5080)
    (cherry picked from commit 7d461736f7bd3af3c2f266f8541034ecf6f41ed9)


Summary of changes:
 crypto/bn/bn_lib.c  | 3 ---
 crypto/bn/bn_mont.c | 2 ++
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c
index f9c65f9..10b78f5 100644
--- a/crypto/bn/bn_lib.c
+++ b/crypto/bn/bn_lib.c
@@ -524,9 +524,6 @@ BIGNUM *BN_copy(BIGNUM *a, const BIGNUM *b)
     memcpy(a->d, b->d, sizeof(b->d[0]) * b->top);
-    if (BN_get_flags(b, BN_FLG_CONSTTIME) != 0)
-        BN_set_flags(a, BN_FLG_CONSTTIME);
     a->top = b->top;
     a->neg = b->neg;
diff --git a/crypto/bn/bn_mont.c b/crypto/bn/bn_mont.c
index 3af9db8..94e7a8f 100644
--- a/crypto/bn/bn_mont.c
+++ b/crypto/bn/bn_mont.c
@@ -382,6 +382,8 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
     R = &(mont->RR);            /* grab RR as a temp */
     if (!BN_copy(&(mont->N), mod))
         goto err;               /* Set N */
+    if (BN_get_flags(mod, BN_FLG_CONSTTIME) != 0)
+        BN_set_flags(&(mont->N), BN_FLG_CONSTTIME);
     mont->N.neg = 0;
 #ifdef MONT_WORD

More information about the openssl-commits mailing list