[openssl] OpenSSL_1_1_1-stable update
Matt Caswell
matt at openssl.org
Fri Sep 6 15:21:55 UTC 2019
The branch OpenSSL_1_1_1-stable has been updated
via 1bb2acb9987cc9d7f638b066ef396ca7f3243955 (commit)
via 2f18596c32d145f194c3d1eac9b9e77b560aad71 (commit)
from 6f34a16ea9a4d37e11a26dd4c3694ea5b107e53f (commit)
- Log -----------------------------------------------------------------
commit 1bb2acb9987cc9d7f638b066ef396ca7f3243955
Author: Cesar Pereida Garcia <cesar.pereidagarcia at tut.fi>
Date: Fri Sep 6 10:48:00 2019 +0300
[crypto/rsa] Set the constant-time flag in multi-prime RSA too
Reviewed-by: Bernd Edlinger <bernd.edlinger at hotmail.de>
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9779)
commit 2f18596c32d145f194c3d1eac9b9e77b560aad71
Author: Cesar Pereida Garcia <cesar.pereidagarcia at tut.fi>
Date: Thu Sep 5 12:13:11 2019 +0300
[crypto/asn1] Fix multiple SCA vulnerabilities during RSA key validation.
This commit addresses multiple side-channel vulnerabilities present
during RSA key validation.
Private key parameters are re-computed using variable-time functions.
This issue was discovered and reported by the NISEC group at TAU Finland.
Reviewed-by: Bernd Edlinger <bernd.edlinger at hotmail.de>
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9779)
-----------------------------------------------------------------------
Summary of changes:
crypto/asn1/x_bignum.c | 17 ++++++++++++++---
crypto/rsa/rsa_lib.c | 15 ++++++++++++---
2 files changed, 26 insertions(+), 6 deletions(-)
diff --git a/crypto/asn1/x_bignum.c b/crypto/asn1/x_bignum.c
index da57e77a7a..c1e3e523a0 100644
--- a/crypto/asn1/x_bignum.c
+++ b/crypto/asn1/x_bignum.c
@@ -130,9 +130,20 @@ static int bn_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
static int bn_secure_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
int utype, char *free_cont, const ASN1_ITEM *it)
{
- if (!*pval)
- bn_secure_new(pval, it);
- return bn_c2i(pval, cont, len, utype, free_cont, it);
+ int ret;
+ BIGNUM *bn;
+
+ if (!*pval && !bn_secure_new(pval, it))
+ return 0;
+
+ ret = bn_c2i(pval, cont, len, utype, free_cont, it);
+ if (!ret)
+ return 0;
+
+ /* Set constant-time flag for all secure BIGNUMS */
+ bn = (BIGNUM *)*pval;
+ BN_set_flags(bn, BN_FLG_CONSTTIME);
+ return ret;
}
static int bn_print(BIO *out, ASN1_VALUE **pval, const ASN1_ITEM *it,
diff --git a/crypto/rsa/rsa_lib.c b/crypto/rsa/rsa_lib.c
index 49c34b7c36..2e9effeefa 100644
--- a/crypto/rsa/rsa_lib.c
+++ b/crypto/rsa/rsa_lib.c
@@ -198,6 +198,7 @@ int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d)
if (d != NULL) {
BN_clear_free(r->d);
r->d = d;
+ BN_set_flags(r->d, BN_FLG_CONSTTIME);
}
return 1;
@@ -215,10 +216,12 @@ int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q)
if (p != NULL) {
BN_clear_free(r->p);
r->p = p;
+ BN_set_flags(r->p, BN_FLG_CONSTTIME);
}
if (q != NULL) {
BN_clear_free(r->q);
r->q = q;
+ BN_set_flags(r->q, BN_FLG_CONSTTIME);
}
return 1;
@@ -237,14 +240,17 @@ int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp)
if (dmp1 != NULL) {
BN_clear_free(r->dmp1);
r->dmp1 = dmp1;
+ BN_set_flags(r->dmp1, BN_FLG_CONSTTIME);
}
if (dmq1 != NULL) {
BN_clear_free(r->dmq1);
r->dmq1 = dmq1;
+ BN_set_flags(r->dmq1, BN_FLG_CONSTTIME);
}
if (iqmp != NULL) {
BN_clear_free(r->iqmp);
r->iqmp = iqmp;
+ BN_set_flags(r->iqmp, BN_FLG_CONSTTIME);
}
return 1;
@@ -276,12 +282,15 @@ int RSA_set0_multi_prime_params(RSA *r, BIGNUM *primes[], BIGNUM *exps[],
if (pinfo == NULL)
goto err;
if (primes[i] != NULL && exps[i] != NULL && coeffs[i] != NULL) {
- BN_free(pinfo->r);
- BN_free(pinfo->d);
- BN_free(pinfo->t);
+ BN_clear_free(pinfo->r);
+ BN_clear_free(pinfo->d);
+ BN_clear_free(pinfo->t);
pinfo->r = primes[i];
pinfo->d = exps[i];
pinfo->t = coeffs[i];
+ BN_set_flags(pinfo->r, BN_FLG_CONSTTIME);
+ BN_set_flags(pinfo->d, BN_FLG_CONSTTIME);
+ BN_set_flags(pinfo->t, BN_FLG_CONSTTIME);
} else {
rsa_multip_info_free(pinfo);
goto err;
More information about the openssl-commits
mailing list