This is another patch from César Pereida that disables the DH and RSA
non-constant-time flags as well.
ok?
Index: src/crypto/dh/dh.h
===================================================================
RCS file: /cvs/src/lib/libssl/src/crypto/dh/dh.h,v
retrieving revision 1.16
diff -u -p -u -p -r1.16 dh.h
--- src/crypto/dh/dh.h 12 Jun 2014 15:49:28 -0000 1.16
+++ src/crypto/dh/dh.h 22 Jun 2016 13:37:33 -0000
@@ -78,12 +78,8 @@
#endif
#define DH_FLAG_CACHE_MONT_P 0x01
-#define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH
- * implementation now uses constant time
- * modular exponentiation for secret
exponents
- * by default. This flag causes the
- * faster variable sliding window method
to
- * be used for all exponents.
+#define DH_FLAG_NO_EXP_CONSTTIME 0x00 /* Does nothing. Previously this
switched off
+ * constant time behaviour.
*/
/* If this flag is set the DH method is FIPS compliant and can be used
Index: src/crypto/dh/dh_key.c
===================================================================
RCS file: /cvs/src/lib/libssl/src/crypto/dh/dh_key.c,v
retrieving revision 1.23
diff -u -p -u -p -r1.23 dh_key.c
--- src/crypto/dh/dh_key.c 9 Feb 2015 15:49:22 -0000 1.23
+++ src/crypto/dh/dh_key.c 22 Jun 2016 13:37:33 -0000
@@ -147,21 +147,21 @@ generate_key(DH *dh)
}
{
- BIGNUM local_prk;
- BIGNUM *prk;
+ BIGNUM *prk = BN_new();
- if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) {
- BN_init(&local_prk);
- prk = &local_prk;
- BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
- } else
- prk = priv_key;
+ if (prk == NULL)
+ goto err;
+
+ BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, prk, dh->p, ctx,
- mont))
+ mont)) {
+ BN_free(prk);
goto err;
+ }
+ BN_free(prk);
}
-
+
dh->pub_key = pub_key;
dh->priv_key = priv_key;
ok = 1;
@@ -206,10 +206,9 @@ compute_key(unsigned char *key, const BI
if (dh->flags & DH_FLAG_CACHE_MONT_P) {
mont = BN_MONT_CTX_set_locked(&dh->method_mont_p,
CRYPTO_LOCK_DH, dh->p, ctx);
- if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) {
- /* XXX */
- BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
- }
+
+ BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
+
if (!mont)
goto err;
}
@@ -238,16 +237,7 @@ static int
dh_bn_mod_exp(const DH *dh, BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
{
- /*
- * If a is only one word long and constant time is false, use the faster
- * exponenentiation function.
- */
- if (a->top == 1 && (dh->flags & DH_FLAG_NO_EXP_CONSTTIME) != 0) {
- BN_ULONG A = a->d[0];
-
- return BN_mod_exp_mont_word(r, A, p, m, ctx, m_ctx);
- } else
- return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
+ return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
}
static int
Index: src/crypto/rsa/rsa.h
===================================================================
RCS file: /cvs/src/lib/libssl/src/crypto/rsa/rsa.h,v
retrieving revision 1.27
diff -u -p -u -p -r1.27 rsa.h
--- src/crypto/rsa/rsa.h 14 Feb 2015 15:10:39 -0000 1.27
+++ src/crypto/rsa/rsa.h 22 Jun 2016 13:37:33 -0000
@@ -195,13 +195,9 @@ struct rsa_st {
#define RSA_FLAG_NO_BLINDING 0x0080
/*
- * The built-in RSA implementation uses constant time operations by default
- * in private key operations, e.g., constant time modular exponentiation,
- * modular inverse without leaking branches, division without leaking branches.
- * This flag disables these constant time operations and results in faster RSA
- * private key operations.
+ * Does nothing. Previously this switched off constant time behaviour.
*/
-#define RSA_FLAG_NO_CONSTTIME 0x0100
+#define RSA_FLAG_NO_CONSTTIME 0x0000
#define EVP_PKEY_CTX_set_rsa_padding(ctx, pad) \
Index: src/crypto/rsa/rsa_crpt.c
===================================================================
RCS file: /cvs/src/lib/libssl/src/crypto/rsa/rsa_crpt.c,v
retrieving revision 1.14
diff -u -p -u -p -r1.14 rsa_crpt.c
--- src/crypto/rsa/rsa_crpt.c 11 Feb 2015 03:19:37 -0000 1.14
+++ src/crypto/rsa/rsa_crpt.c 22 Jun 2016 13:37:33 -0000
@@ -169,8 +169,8 @@ err:
BN_BLINDING *
RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx)
{
- BIGNUM local_n;
- BIGNUM *e, *n;
+ BIGNUM *e;
+ BIGNUM *n = BN_new();
BN_CTX *ctx;
BN_BLINDING *ret = NULL;
@@ -192,15 +192,16 @@ RSA_setup_blinding(RSA *rsa, BN_CTX *in_
} else
e = rsa->e;
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- /* Set BN_FLG_CONSTTIME flag */
- n = &local_n;
- BN_with_flags(n, rsa->n, BN_FLG_CONSTTIME);
- } else
- n = rsa->n;
+ if (n == NULL)
+ goto err;
+
+ BN_with_flags(n, rsa->n, BN_FLG_CONSTTIME);
ret = BN_BLINDING_create_param(NULL, e, n, ctx, rsa->meth->bn_mod_exp,
rsa->_method_mod_n);
+
+ BN_free(n);
+
if (ret == NULL) {
RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_BN_LIB);
goto err;
Index: src/crypto/rsa/rsa_eay.c
===================================================================
RCS file: /cvs/src/lib/libssl/src/crypto/rsa/rsa_eay.c,v
retrieving revision 1.40
diff -u -p -u -p -r1.40 rsa_eay.c
--- src/crypto/rsa/rsa_eay.c 10 Sep 2015 15:56:25 -0000 1.40
+++ src/crypto/rsa/rsa_eay.c 22 Jun 2016 13:37:33 -0000
@@ -426,24 +426,26 @@ RSA_eay_private_encrypt(int flen, const
if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
goto err;
} else {
- BIGNUM local_d;
- BIGNUM *d = NULL;
+ BIGNUM *d = BN_new();
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- BN_init(&local_d);
- d = &local_d;
- BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
- } else
- d = rsa->d;
+ if (d == NULL)
+ goto err;
+
+ BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
- CRYPTO_LOCK_RSA, rsa->n, ctx))
+ CRYPTO_LOCK_RSA, rsa->n, ctx)) {
+ BN_free(d);
goto err;
+ }
if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
- rsa->_method_mod_n))
+ rsa->_method_mod_n)) {
+ BN_free(d);
goto err;
+ }
+ BN_free(d);
}
if (blinding)
@@ -553,22 +555,26 @@ RSA_eay_private_decrypt(int flen, const
if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
goto err;
} else {
- BIGNUM local_d;
- BIGNUM *d = NULL;
+ BIGNUM *d = BN_new();
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- d = &local_d;
- BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
- } else
- d = rsa->d;
+ if (d == NULL)
+ goto err;
+
+ BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
- CRYPTO_LOCK_RSA, rsa->n, ctx))
+ CRYPTO_LOCK_RSA, rsa->n, ctx)) {
+ BN_free(d);
goto err;
+ }
+
if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
- rsa->_method_mod_n))
+ rsa->_method_mod_n)) {
+ BN_free(d);
goto err;
+ }
+ BN_free(d);
}
if (blinding)
@@ -723,8 +729,10 @@ static int
RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
{
BIGNUM *r1, *m1, *vrfy;
- BIGNUM local_dmp1, local_dmq1, local_c, local_r1;
- BIGNUM *dmp1, *dmq1, *c, *pr1;
+ BIGNUM *dmp1 = BN_new();
+ BIGNUM *dmq1 = BN_new();
+ BIGNUM *pr1 = BN_new();
+ BIGNUM *c = BN_new();
int ret = 0;
BN_CTX_start(ctx);
@@ -737,34 +745,33 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM
}
{
- BIGNUM local_p, local_q;
- BIGNUM *p = NULL, *q = NULL;
+ BIGNUM *p = BN_new();
+ BIGNUM *q = BN_new();
/*
* Make sure BN_mod_inverse in Montgomery intialization uses the
- * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set)
+ * BN_FLG_CONSTTIME flag
*/
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- BN_init(&local_p);
- p = &local_p;
- BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
-
- BN_init(&local_q);
- q = &local_q;
- BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
- } else {
- p = rsa->p;
- q = rsa->q;
+ if (p == NULL || q == NULL) {
+ BN_free(p);
+ BN_free(q);
+ goto err;
}
+ BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
+ BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) {
- if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p,
- CRYPTO_LOCK_RSA, p, ctx))
- goto err;
- if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q,
- CRYPTO_LOCK_RSA, q, ctx))
+ if (!BN_MONT_CTX_set_locked
+ (&rsa->_method_mod_p,CRYPTO_LOCK_RSA, p, ctx)
+ || !BN_MONT_CTX_set_locked(&rsa->_method_mod_q,
+ CRYPTO_LOCK_RSA, q, ctx)) {
+ BN_free(p);
+ BN_free(q);
goto err;
+ }
}
+ BN_free(p);
+ BN_free(q);
}
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
@@ -773,46 +780,55 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM
goto err;
/* compute I mod q */
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- c = &local_c;
- BN_with_flags(c, I, BN_FLG_CONSTTIME);
- if (!BN_mod(r1, c, rsa->q, ctx))
- goto err;
- } else {
- if (!BN_mod(r1, I, rsa->q, ctx))
- goto err;
+ if (c == NULL)
+ goto err;
+
+ BN_with_flags(c, I, BN_FLG_CONSTTIME);
+
+ if (!BN_mod(r1, c, rsa->q, ctx)) {
+ BN_free(c);
+ goto err;
}
/* compute r1^dmq1 mod q */
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- dmq1 = &local_dmq1;
- BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
- } else
- dmq1 = rsa->dmq1;
+ if (dmq1 == NULL) {
+ BN_free(c);
+ goto err;
+ }
+ BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
+
if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx,
- rsa->_method_mod_q))
+ rsa->_method_mod_q)) {
+ BN_free(c);
+ BN_free(dmq1);
goto err;
+ }
+ BN_free(dmq1);
/* compute I mod p */
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- c = &local_c;
- BN_with_flags(c, I, BN_FLG_CONSTTIME);
- if (!BN_mod(r1, c, rsa->p, ctx))
- goto err;
- } else {
- if (!BN_mod(r1, I, rsa->p, ctx))
- goto err;
+ if (c == NULL)
+ goto err;
+
+ BN_with_flags(c, I, BN_FLG_CONSTTIME);
+
+ if (!BN_mod(r1, c, rsa->p, ctx)) {
+ BN_free(c);
+ goto err;
}
+ BN_free(c);
/* compute r1^dmp1 mod p */
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- dmp1 = &local_dmp1;
- BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
- } else
- dmp1 = rsa->dmp1;
+ if (dmp1 == NULL)
+ goto err;
+
+ BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
+
if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p, ctx,
- rsa->_method_mod_p))
+ rsa->_method_mod_p)) {
+ BN_free(dmp1);
goto err;
+ }
+ BN_free(dmp1);
if (!BN_sub(r0, r0, m1))
goto err;
@@ -828,14 +844,17 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM
goto err;
/* Turn BN_FLG_CONSTTIME flag on before division operation */
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- pr1 = &local_r1;
- BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
- } else
- pr1 = r1;
- if (!BN_mod(r0, pr1, rsa->p, ctx))
+ if (pr1 == NULL)
goto err;
+ BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
+
+ if (!BN_mod(r0, pr1, rsa->p, ctx)) {
+ BN_free(pr1);
+ goto err;
+ }
+ BN_free(pr1);
+
/*
* If p < q it is occasionally possible for the correction of
* adding 'p' if r0 is negative above to leave the result still
@@ -876,17 +895,19 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM
* mod_exp and return that instead.
*/
- BIGNUM local_d;
- BIGNUM *d = NULL;
+ BIGNUM *d = BN_new();
+
+ if (d == NULL)
+ goto err;
+
+ BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- d = &local_d;
- BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
- } else
- d = rsa->d;
if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx,
- rsa->_method_mod_n))
+ rsa->_method_mod_n)) {
+ BN_free(d);
goto err;
+ }
+ BN_free(d);
}
}
ret = 1;
Index: src/crypto/rsa/rsa_gen.c
===================================================================
RCS file: /cvs/src/lib/libssl/src/crypto/rsa/rsa_gen.c,v
retrieving revision 1.17
diff -u -p -u -p -r1.17 rsa_gen.c
--- src/crypto/rsa/rsa_gen.c 9 Feb 2015 15:49:22 -0000 1.17
+++ src/crypto/rsa/rsa_gen.c 22 Jun 2016 13:37:33 -0000
@@ -90,8 +90,9 @@ static int
rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
{
BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp;
- BIGNUM local_r0, local_d, local_p;
- BIGNUM *pr0, *d, *p;
+ BIGNUM *pr0 = BN_new();
+ BIGNUM *d = BN_new();
+ BIGNUM *p = BN_new();
int bitsp, bitsq, ok = -1, n = 0;
BN_CTX *ctx = NULL;
@@ -193,37 +194,39 @@ rsa_builtin_keygen(RSA *rsa, int bits, B
goto err;
if (!BN_mul(r0, r1, r2, ctx)) /* (p-1)(q-1) */
goto err;
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- pr0 = &local_r0;
- BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
- } else
- pr0 = r0;
- if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx)) /* d */
+ if (pr0 == NULL)
goto err;
+ BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
+ if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx)) { /* d */
+ BN_free(pr0);
+ goto err;
+ }
/* set up d for correct BN_FLG_CONSTTIME flag */
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- d = &local_d;
- BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
- } else
- d = rsa->d;
+ if (d == NULL)
+ goto err;
+ BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
/* calculate d mod (p-1) */
- if (!BN_mod(rsa->dmp1, d, r1, ctx))
+ if (!BN_mod(rsa->dmp1, d, r1, ctx)) {
+ BN_free(d);
goto err;
+ }
/* calculate d mod (q-1) */
- if (!BN_mod(rsa->dmq1, d, r2, ctx))
+ if (!BN_mod(rsa->dmq1, d, r2, ctx)) {
+ BN_free(d);
goto err;
+ }
/* calculate inverse of q mod p */
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- p = &local_p;
- BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
- } else
- p = rsa->p;
- if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx))
+ if (p == NULL)
+ goto err;
+ BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
+ if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx)) {
+ BN_free(p);
goto err;
+ }
ok = 1;
err:
