[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
Matt Caswell
matt at openssl.org
Wed Mar 21 19:21:21 UTC 2018
The branch OpenSSL_1_1_0-stable has been updated
via 7150a4720af7913cae16f2e4eaf768b578c0b298 (commit)
via 011f82e66f4bf131c733fd41a8390039859aafb2 (commit)
via 9db724cfede4ba7a3668bff533973ee70145ec07 (commit)
from 178a2a6f1c25d05d801544e6f18963726d90ac0b (commit)
- Log -----------------------------------------------------------------
commit 7150a4720af7913cae16f2e4eaf768b578c0b298
Author: Samuel Weiser <samuel.weiser at iaik.tugraz.at>
Date: Fri Feb 9 14:11:47 2018 +0100
consttime flag changed
Reviewed-by: Rich Salz <rsalz at openssl.org>
Reviewed-by: Kurt Roeckx <kurt at roeckx.be>
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5170)
commit 011f82e66f4bf131c733fd41a8390039859aafb2
Author: Samuel Weiser <samuel.weiser at iaik.tugraz.at>
Date: Wed Jan 31 13:10:55 2018 +0100
used ERR set/pop mark
Reviewed-by: Rich Salz <rsalz at openssl.org>
Reviewed-by: Kurt Roeckx <kurt at roeckx.be>
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5170)
commit 9db724cfede4ba7a3668bff533973ee70145ec07
Author: Samuel Weiser <samuel.weiser at iaik.tugraz.at>
Date: Tue Dec 5 15:55:17 2017 +0100
Replaced variable-time GCD with consttime inversion to avoid side-channel attacks on RSA key generation
Reviewed-by: Rich Salz <rsalz at openssl.org>
Reviewed-by: Kurt Roeckx <kurt at roeckx.be>
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5170)
-----------------------------------------------------------------------
Summary of changes:
crypto/rsa/rsa_gen.c | 32 ++++++++++++++++++++++++++------
1 file changed, 26 insertions(+), 6 deletions(-)
diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c
index 4ced965..4952ec3 100644
--- a/crypto/rsa/rsa_gen.c
+++ b/crypto/rsa/rsa_gen.c
@@ -42,6 +42,7 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp;
int bitsp, bitsq, ok = -1, n = 0;
BN_CTX *ctx = NULL;
+ unsigned long error = 0;
/*
* When generating ridiculously small keys, we can get stuck
@@ -88,16 +89,26 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
if (BN_copy(rsa->e, e_value) == NULL)
goto err;
+ BN_set_flags(r2, BN_FLG_CONSTTIME);
/* generate p and q */
for (;;) {
if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb))
goto err;
if (!BN_sub(r2, rsa->p, BN_value_one()))
goto err;
- if (!BN_gcd(r1, r2, rsa->e, ctx))
- goto err;
- if (BN_is_one(r1))
+ ERR_set_mark();
+ if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) {
+ /* GCD == 1 since inverse exists */
break;
+ }
+ error = ERR_peek_last_error();
+ if (ERR_GET_LIB(error) == ERR_LIB_BN
+ && ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
+ /* GCD != 1 */
+ ERR_pop_to_mark();
+ } else {
+ goto err;
+ }
if (!BN_GENCB_call(cb, 2, n++))
goto err;
}
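Review bot: The constant-time dispatch of the `BN_mod_inverse` call at L64 rests entirely on the single `BN_set_flags(r2, BN_FLG_CONSTTIME)` at L53, and nothing in the hunk says why that line is there or why flagging r2 alone is enough, so a later edit could drop it or reuse r2 for a public value without noticing; I would put `/* p-1 (and q-1 below) is secret: the flag makes BN_mod_inverse take its constant-time path */` directly above it. As I recall, BN_mod_inverse switches to its no-branch variant when either operand carries the flag, so this call is covered, but rsa->p, rsa->q, r0 and r1 are not flagged here and the later inversions that derive d and the CRT values from them lie outside the hunk — worth confirming they take the same path, since they are the same secret-dependent inversion this commit sets out to harden. The ERR mark set at L63 is popped only on the no-inverse branch (L72); on the `break` at L66 and on the `goto err` at L74 it is left on the queue, which is harmless for this function but can confuse a caller that relies on its own mark, and an `ERR_pop_to_mark();` before the `break` would keep the queue tidy. rsa_builtin_keygen starts and ends outside this hunk.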
@@ -110,10 +121,19 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
} while (BN_cmp(rsa->p, rsa->q) == 0);
if (!BN_sub(r2, rsa->q, BN_value_one()))
goto err;
- if (!BN_gcd(r1, r2, rsa->e, ctx))
- goto err;
- if (BN_is_one(r1))
+ ERR_set_mark();
+ if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) {
+ /* GCD == 1 since inverse exists */
break;
+ }
+ error = ERR_peek_last_error();
+ if (ERR_GET_LIB(error) == ERR_LIB_BN
+ && ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
+ /* GCD != 1 */
+ ERR_pop_to_mark();
+ } else {
+ goto err;
+ }
if (!BN_GENCB_call(cb, 2, n++))
goto err;
}
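Review bot: Lines L86–L98 repeat the twelve-line inverse-and-error-filter block from the p loop verbatim, and the two copies must now be kept in lock-step (same mark handling, same library/reason test), so a small static helper above rsa_builtin_keygen would give the check one home and a one-line contract. The q loop body would then read `coprime = rsa_coprime_with_e(r1, r2, rsa->e, ctx); if (coprime < 0) goto err; if (coprime) break;`, with `int coprime;` added to the declarations at the top of the function, which is outside this hunk. The helper below keeps the original's error semantics exactly, popping only the expected BN_R_NO_INVERSE and returning -1 for anything else; the enclosing do/while and for loops around L80 begin before the hunk and rsa_builtin_keygen ends after it.

```c
/*
 * Return 1 if gcd(x, e) == 1, 0 if it is not, -1 on error.  The test is done
 * with BN_mod_inverse rather than BN_gcd so that it runs in constant time when
 * x carries BN_FLG_CONSTTIME; the expected "no inverse" error is removed from
 * the queue, any other error is left for the caller to report.
 */
static int rsa_coprime_with_e(BIGNUM *r, const BIGNUM *x, const BIGNUM *e,
                              BN_CTX *ctx)
{
    unsigned long error;

    ERR_set_mark();
    if (BN_mod_inverse(r, x, e, ctx) != NULL)
        return 1;               /* inverse exists, so gcd == 1 */
    error = ERR_peek_last_error();
    if (ERR_GET_LIB(error) == ERR_LIB_BN
        && ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
        ERR_pop_to_mark();      /* gcd != 1: expected, not an error */
        return 0;
    }
    return -1;
}

/* … unchanged: q generation loop up to BN_sub(r2, rsa->q, BN_value_one()) … */
        coprime = rsa_coprime_with_e(r1, r2, rsa->e, ctx);
        if (coprime < 0)
            goto err;
        if (coprime)
            break;
/* … unchanged: BN_GENCB_call … */
```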