[openssl] OpenSSL_1_0_2-stable update
Matt Caswell
matt at openssl.org
Mon Sep 9 07:19:49 UTC 2019
The branch OpenSSL_1_0_2-stable has been updated
via adaebd81a01e2926a3106feec0476db7c8d7b362 (commit)
from 6a7bad0fd7a2125d075e459b33145d4ce5ee0de9 (commit)
- Log -----------------------------------------------------------------
commit adaebd81a01e2926a3106feec0476db7c8d7b362
Author: Cesar Pereida Garcia <cesar.pereidagarcia at tut.fi>
Date: Thu Sep 5 17:47:40 2019 +0300
[crypto/rsa] Fix multiple SCA vulnerabilities during RSA key validation.
This commit addresses multiple side-channel vulnerabilities present during RSA key validation.
Private key parameters are re-computed using variable-time functions.
This issue was discovered and reported by the NISEC group at TAU Finland.
Reviewed-by: Bernd Edlinger <bernd.edlinger at hotmail.de>
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9785)
-----------------------------------------------------------------------
Summary of changes:
crypto/rsa/rsa_chk.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/crypto/rsa/rsa_chk.c b/crypto/rsa/rsa_chk.c
index 475dfc5628..3ea4e02974 100644
--- a/crypto/rsa/rsa_chk.c
+++ b/crypto/rsa/rsa_chk.c
@@ -63,6 +63,10 @@ int RSA_check_key(const RSA *key)
return 0;
}
+ /* Set consant-time flag on private parameters */
+ BN_set_flags(key->p, BN_FLG_CONSTTIME);
+ BN_set_flags(key->q, BN_FLG_CONSTTIME);
+ BN_set_flags(key->d, BN_FLG_CONSTTIME);
i = BN_new();
j = BN_new();
k = BN_new();
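Review bot: `RSA_check_key` takes `const RSA *key`, yet the three added `BN_set_flags` calls write to `key->p`, `key->q` and `key->d`, so the flag stays set on the caller's key after the function returns. If that persistence is intended, the comment should say so; otherwise consider working on flagged local views (for example via `BN_with_flags`) so that validation leaves the key untouched. The calls dereference all three members directly, so it is worth confirming that the check ending in `return 0;` just above rejects a NULL `p`, `q` or `d`. Minor: "consant-time" in the comment should read "constant-time".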
@@ -141,6 +145,10 @@ int RSA_check_key(const RSA *key)
}
if (key->dmp1 != NULL && key->dmq1 != NULL && key->iqmp != NULL) {
+ /* Set consant-time flag on CRT parameters */
+ BN_set_flags(key->dmp1, BN_FLG_CONSTTIME);
+ BN_set_flags(key->dmq1, BN_FLG_CONSTTIME);
+ BN_set_flags(key->iqmp, BN_FLG_CONSTTIME);
/* dmp1 = d mod (p-1)? */
if (!BN_sub(i, key->p, BN_value_one())) {
ret = -1;
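Review bot: In the context line `BN_sub(i, key->p, BN_value_one())`, `i` receives p-1, which is as sensitive as `p`, but `i` comes from a plain `BN_new()` and carries no `BN_FLG_CONSTTIME`. The BN routines choose their constant-time path from operand flags, so please confirm that each later operation on `i`, `j` and `k` in this block has a flagged operand, or set the flag on the temporaries as well. The comment repeats the "consant-time" typo.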