[openssl] OpenSSL_1_0_2-stable update
nic.tuv at gmail.com
nic.tuv at gmail.com
Thu Feb 21 20:02:37 UTC 2019
The branch OpenSSL_1_0_2-stable has been updated
via 9acdddf1acd6f6be41ddb711b6b55fe7f5481320 (commit)
via d769ce09b690237c35c32032edbaf0339c480e85 (commit)
from e30dfbebe7fa3af40fd840fc89b004376fc2b21f (commit)
- Log -----------------------------------------------------------------
commit 9acdddf1acd6f6be41ddb711b6b55fe7f5481320
Author: Nicola Tuveri <nic.tuv at gmail.com>
Date: Fri Feb 8 12:42:25 2019 +0200
Clear BN_FLG_CONSTTIME on BN_CTX_get()
(cherry picked from commit c8147d37ccaaf28c430d3fb45a14af36597e48b8)
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8295)
commit d769ce09b690237c35c32032edbaf0339c480e85
Author: Nicola Tuveri <nic.tuv at gmail.com>
Date: Tue Feb 12 00:37:25 2019 +0200
Test for constant-time flag leakage in BN_CTX
This commit adds a simple unit test to make sure that the constant-time
flag does not "leak" among BN_CTX frames:
- test_ctx_consttime_flag() initializes (and later frees before
returning) a BN_CTX object, then it calls in sequence
test_ctx_set_ct_flag() and test_ctx_check_ct_flag() using the same
BN_CTX object.
- test_ctx_set_ct_flag() starts a frame in the given BN_CTX and sets the
BN_FLG_CONSTTIME flag on some of the BIGNUMs obtained from the frame
before ending it.
- test_ctx_check_ct_flag() then starts a new frame and gets a number of
BIGNUMs from it. In absence of leaks, none of the BIGNUMs in the new
frame should have BN_FLG_CONSTTIME set.
In actual BN_CTX usage inside libcrypto the leak could happen at any
depth level in the BN_CTX stack, with varying results depending on the
patterns of sibling trees of nested function calls sharing the same
BN_CTX object, and the effect of unintended BN_FLG_CONSTTIME on the
called BN_* functions.
This simple unit test abstracts away this complexity and verifies that
the leak does not happen between two sibling functions sharing the same
BN_CTX object at the same level of nesting.
(manually cherry picked from commit fe16ae5f95fa86ddb049a8d1e2caee0b80b32282)
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8295)
-----------------------------------------------------------------------
Summary of changes:
crypto/bn/bn_ctx.c | 2 ++
crypto/bn/bntest.c | 101 +++++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 103 insertions(+)
diff --git a/crypto/bn/bn_ctx.c b/crypto/bn/bn_ctx.c
index 526c6a0..3391134 100644
--- a/crypto/bn/bn_ctx.c
+++ b/crypto/bn/bn_ctx.c
@@ -299,6 +299,8 @@ BIGNUM *BN_CTX_get(BN_CTX *ctx)
}
/* OK, make sure the returned bignum is "zero" */
BN_zero(ret);
+ /* clear BN_FLG_CONSTTIME if leaked from previous frames */
+ ret->flags &= (~BN_FLG_CONSTTIME);
ctx->used++;
CTXDBG_RET(ctx, ret);
return ret;
diff --git a/crypto/bn/bntest.c b/crypto/bn/bntest.c
index abe5dbe..75aa707 100644
--- a/crypto/bn/bntest.c
+++ b/crypto/bn/bntest.c
@@ -89,6 +89,10 @@
#include <openssl/x509.h>
#include <openssl/err.h>
+#ifndef OSSL_NELEM
+# define OSSL_NELEM(x) (sizeof(x)/sizeof(x[0]))
+#endif
+
const int num0 = 100; /* number of tests */
const int num1 = 50; /* additional tests for some functions */
const int num2 = 5; /* number of tests for slow functions */
@@ -123,6 +127,7 @@ int test_gf2m_mod_solve_quad(BIO *bp, BN_CTX *ctx);
int test_kron(BIO *bp, BN_CTX *ctx);
int test_sqrt(BIO *bp, BN_CTX *ctx);
int rand_neg(void);
+static int test_ctx_consttime_flag(void);
static int results = 0;
static unsigned char lst[] =
@@ -330,6 +335,15 @@ int main(int argc, char *argv[])
goto err;
(void)BIO_flush(out);
#endif
+
+ /* silently flush any pre-existing error on the stack */
+ ERR_clear_error();
+
+ message(out, "BN_CTX_get BN_FLG_CONSTTIME");
+ if (!test_ctx_consttime_flag())
+ goto err;
+ (void)BIO_flush(out);
+
BN_CTX_free(ctx);
BIO_free(out);
@@ -2158,3 +2172,90 @@ int rand_neg(void)
return (sign[(neg++) % 8]);
}
+
+static int test_ctx_set_ct_flag(BN_CTX *c)
+{
+ int st = 0;
+ size_t i;
+ BIGNUM *b[15];
+
+ BN_CTX_start(c);
+ for (i = 0; i < OSSL_NELEM(b); i++) {
+ if (NULL == (b[i] = BN_CTX_get(c))) {
+ fprintf(stderr, "ERROR: BN_CTX_get() failed.\n");
+ goto err;
+ }
+ if (i % 2 == 1)
+ BN_set_flags(b[i], BN_FLG_CONSTTIME);
+ }
+
+ st = 1;
+ err:
+ BN_CTX_end(c);
+ return st;
+}
+
+static int test_ctx_check_ct_flag(BN_CTX *c)
+{
+ int st = 0;
+ size_t i;
+ BIGNUM *b[30];
+
+ BN_CTX_start(c);
+ for (i = 0; i < OSSL_NELEM(b); i++) {
+ if (NULL == (b[i] = BN_CTX_get(c))) {
+ fprintf(stderr, "ERROR: BN_CTX_get() failed.\n");
+ goto err;
+ }
+ if (BN_get_flags(b[i], BN_FLG_CONSTTIME) != 0) {
+ fprintf(stderr, "ERROR: BN_FLG_CONSTTIME should not be set.\n");
+ goto err;
+ }
+ }
+
+ st = 1;
+ err:
+ BN_CTX_end(c);
+ return st;
+}
+
+static int test_ctx_consttime_flag(void)
+{
+ /*-
+ * The constant-time flag should not "leak" among BN_CTX frames:
+ *
+ * - test_ctx_set_ct_flag() starts a frame in the given BN_CTX and
+ * sets the BN_FLG_CONSTTIME flag on some of the BIGNUMs obtained
+ * from the frame before ending it.
+ * - test_ctx_check_ct_flag() then starts a new frame and gets a
+ * number of BIGNUMs from it. In absence of leaks, none of the
+ * BIGNUMs in the new frame should have BN_FLG_CONSTTIME set.
+ *
+ * In actual BN_CTX usage inside libcrypto the leak could happen at
+ * any depth level in the BN_CTX stack, with varying results
+ * depending on the patterns of sibling trees of nested function
+ * calls sharing the same BN_CTX object, and the effect of
+ * unintended BN_FLG_CONSTTIME on the called BN_* functions.
+ *
+ * This simple unit test abstracts away this complexity and verifies
+ * that the leak does not happen between two sibling functions
+ * sharing the same BN_CTX object at the same level of nesting.
+ *
+ */
+ BN_CTX *c = NULL;
+ int st = 0;
+
+ if (NULL == (c = BN_CTX_new())) {
+ fprintf(stderr, "ERROR: BN_CTX_new() failed.\n");
+ goto err;
+ }
+
+ if (!test_ctx_set_ct_flag(c)
+ || !test_ctx_check_ct_flag(c))
+ goto err;
+
+ st = 1;
+ err:
+ BN_CTX_free(c);
+ return st;
+}
More information about the openssl-commits
mailing list