[openssl-commits] [openssl] OpenSSL_1_0_2-stable update

Matt Caswell matt at openssl.org
Wed Mar 21 19:21:32 UTC 2018


The branch OpenSSL_1_0_2-stable has been updated
       via  0d6710289307d277ebc3354105c965b6e8ba8eb0 (commit)
       via  64eb614ccc7ccf30cc412b736f509f1d82bbf897 (commit)
       via  0b199a883e9170cdfe8e61c150bbaf8d8951f3e7 (commit)
      from  c03db40dcfa8b9e0d71837fcc70d1af6b9994cf1 (commit)


- Log -----------------------------------------------------------------
commit 0d6710289307d277ebc3354105c965b6e8ba8eb0
Author: Samuel Weiser <samuel.weiser at iaik.tugraz.at>
Date:   Fri Feb 9 14:11:47 2018 +0100

    consttime flag changed
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Kurt Roeckx <kurt at roeckx.be>
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/5170)
    
    (cherry picked from commit 7150a4720af7913cae16f2e4eaf768b578c0b298)

commit 64eb614ccc7ccf30cc412b736f509f1d82bbf897
Author: Samuel Weiser <samuel.weiser at iaik.tugraz.at>
Date:   Wed Jan 31 13:10:55 2018 +0100

    used ERR set/pop mark
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Kurt Roeckx <kurt at roeckx.be>
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/5170)
    
    (cherry picked from commit 011f82e66f4bf131c733fd41a8390039859aafb2)

commit 0b199a883e9170cdfe8e61c150bbaf8d8951f3e7
Author: Samuel Weiser <samuel.weiser at iaik.tugraz.at>
Date:   Tue Dec 5 15:55:17 2017 +0100

    Replaced variable-time GCD with consttime inversion to avoid side-channel attacks on RSA key generation
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Kurt Roeckx <kurt at roeckx.be>
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/5170)
    
    (cherry picked from commit 9db724cfede4ba7a3668bff533973ee70145ec07)

-----------------------------------------------------------------------

Summary of changes:
 crypto/rsa/rsa_gen.c | 32 ++++++++++++++++++++++++++------
 1 file changed, 26 insertions(+), 6 deletions(-)

diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c
index a85493d..9ca5dfe 100644
--- a/crypto/rsa/rsa_gen.c
+++ b/crypto/rsa/rsa_gen.c
@@ -109,6 +109,7 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
     BIGNUM *pr0, *d, *p;
     int bitsp, bitsq, ok = -1, n = 0;
     BN_CTX *ctx = NULL;
+    unsigned long error = 0;
 
     /*
      * When generating ridiculously small keys, we can get stuck
@@ -155,16 +156,26 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
     if (BN_copy(rsa->e, e_value) == NULL)
         goto err;
 
+    BN_set_flags(r2, BN_FLG_CONSTTIME);
     /* generate p and q */
     for (;;) {
         if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb))
             goto err;
         if (!BN_sub(r2, rsa->p, BN_value_one()))
             goto err;
-        if (!BN_gcd(r1, r2, rsa->e, ctx))
-            goto err;
-        if (BN_is_one(r1))
+        ERR_set_mark();
+        if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) {
+            /* GCD == 1 since inverse exists */
             break;
+        }
+        error = ERR_peek_last_error();
+        if (ERR_GET_LIB(error) == ERR_LIB_BN
+            && ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
+            /* GCD != 1 */
+            ERR_pop_to_mark();
+        } else {
+            goto err;
+        }
         if (!BN_GENCB_call(cb, 2, n++))
             goto err;
     }
@@ -177,10 +188,19 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
         } while (BN_cmp(rsa->p, rsa->q) == 0);
         if (!BN_sub(r2, rsa->q, BN_value_one()))
             goto err;
-        if (!BN_gcd(r1, r2, rsa->e, ctx))
-            goto err;
-        if (BN_is_one(r1))
+        ERR_set_mark();
+        if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) {
+            /* GCD == 1 since inverse exists */
             break;
+        }
+        error = ERR_peek_last_error();
+        if (ERR_GET_LIB(error) == ERR_LIB_BN
+            && ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
+            /* GCD != 1 */
+            ERR_pop_to_mark();
+        } else {
+            goto err;
+        }
         if (!BN_GENCB_call(cb, 2, n++))
             goto err;
     }


More information about the openssl-commits mailing list