I'm wondering outloud it we should remove the #define, instead of
leaving it in there. I.E. should we be deliberately
breaking anything making use of that?
At the very least this (along with the DH one) can probably #ifndef
LIBRESSL_INTERNAL - and failing that should
we nuke them and bump majors?
On Wed, Jun 22, 2016 at 7:44 AM, Brent Cook <bust...@gmail.com> wrote:
> This is another patch from César Pereida that disables the DH and RSA
> non-constant-time flags as well.
>
> ok?
>
> Index: src/crypto/dh/dh.h
> ===================================================================
> RCS file: /cvs/src/lib/libssl/src/crypto/dh/dh.h,v
> retrieving revision 1.16
> diff -u -p -u -p -r1.16 dh.h
> --- src/crypto/dh/dh.h 12 Jun 2014 15:49:28 -0000 1.16
> +++ src/crypto/dh/dh.h 22 Jun 2016 13:37:33 -0000
> @@ -78,12 +78,8 @@
> #endif
>
> #define DH_FLAG_CACHE_MONT_P 0x01
> -#define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH
> - * implementation now uses constant
> time
> - * modular exponentiation for secret
> exponents
> - * by default. This flag causes the
> - * faster variable sliding window
> method to
> - * be used for all exponents.
> +#define DH_FLAG_NO_EXP_CONSTTIME 0x00 /* Does nothing. Previously this
> switched off
> + * constant time behaviour.
> */
>
> /* If this flag is set the DH method is FIPS compliant and can be used
> Index: src/crypto/dh/dh_key.c
> ===================================================================
> RCS file: /cvs/src/lib/libssl/src/crypto/dh/dh_key.c,v
> retrieving revision 1.23
> diff -u -p -u -p -r1.23 dh_key.c
> --- src/crypto/dh/dh_key.c 9 Feb 2015 15:49:22 -0000 1.23
> +++ src/crypto/dh/dh_key.c 22 Jun 2016 13:37:33 -0000
> @@ -147,21 +147,21 @@ generate_key(DH *dh)
> }
>
> {
> - BIGNUM local_prk;
> - BIGNUM *prk;
> + BIGNUM *prk = BN_new();
>
> - if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) {
> - BN_init(&local_prk);
> - prk = &local_prk;
> - BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
> - } else
> - prk = priv_key;
> + if (prk == NULL)
> + goto err;
> +
> + BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
>
> if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, prk, dh->p, ctx,
> - mont))
> + mont)) {
> + BN_free(prk);
> goto err;
> + }
> + BN_free(prk);
> }
> -
> +
> dh->pub_key = pub_key;
> dh->priv_key = priv_key;
> ok = 1;
> @@ -206,10 +206,9 @@ compute_key(unsigned char *key, const BI
> if (dh->flags & DH_FLAG_CACHE_MONT_P) {
> mont = BN_MONT_CTX_set_locked(&dh->method_mont_p,
> CRYPTO_LOCK_DH, dh->p, ctx);
> - if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) {
> - /* XXX */
> - BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
> - }
> +
> + BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
> +
> if (!mont)
> goto err;
> }
> @@ -238,16 +237,7 @@ static int
> dh_bn_mod_exp(const DH *dh, BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
> const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
> {
> - /*
> - * If a is only one word long and constant time is false, use the
> faster
> - * exponenentiation function.
> - */
> - if (a->top == 1 && (dh->flags & DH_FLAG_NO_EXP_CONSTTIME) != 0) {
> - BN_ULONG A = a->d[0];
> -
> - return BN_mod_exp_mont_word(r, A, p, m, ctx, m_ctx);
> - } else
> - return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
> + return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
> }
>
> static int
> Index: src/crypto/rsa/rsa.h
> ===================================================================
> RCS file: /cvs/src/lib/libssl/src/crypto/rsa/rsa.h,v
> retrieving revision 1.27
> diff -u -p -u -p -r1.27 rsa.h
> --- src/crypto/rsa/rsa.h 14 Feb 2015 15:10:39 -0000 1.27
> +++ src/crypto/rsa/rsa.h 22 Jun 2016 13:37:33 -0000
> @@ -195,13 +195,9 @@ struct rsa_st {
> #define RSA_FLAG_NO_BLINDING 0x0080
>
> /*
> - * The built-in RSA implementation uses constant time operations by default
> - * in private key operations, e.g., constant time modular exponentiation,
> - * modular inverse without leaking branches, division without leaking
> branches.
> - * This flag disables these constant time operations and results in faster
> RSA
> - * private key operations.
> + * Does nothing. Previously this switched off constant time behaviour.
> */
> -#define RSA_FLAG_NO_CONSTTIME 0x0100
> +#define RSA_FLAG_NO_CONSTTIME 0x0000
>
>
> #define EVP_PKEY_CTX_set_rsa_padding(ctx, pad) \
> Index: src/crypto/rsa/rsa_crpt.c
> ===================================================================
> RCS file: /cvs/src/lib/libssl/src/crypto/rsa/rsa_crpt.c,v
> retrieving revision 1.14
> diff -u -p -u -p -r1.14 rsa_crpt.c
> --- src/crypto/rsa/rsa_crpt.c 11 Feb 2015 03:19:37 -0000 1.14
> +++ src/crypto/rsa/rsa_crpt.c 22 Jun 2016 13:37:33 -0000
> @@ -169,8 +169,8 @@ err:
> BN_BLINDING *
> RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx)
> {
> - BIGNUM local_n;
> - BIGNUM *e, *n;
> + BIGNUM *e;
> + BIGNUM *n = BN_new();
> BN_CTX *ctx;
> BN_BLINDING *ret = NULL;
>
> @@ -192,15 +192,16 @@ RSA_setup_blinding(RSA *rsa, BN_CTX *in_
> } else
> e = rsa->e;
>
> - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
> - /* Set BN_FLG_CONSTTIME flag */
> - n = &local_n;
> - BN_with_flags(n, rsa->n, BN_FLG_CONSTTIME);
> - } else
> - n = rsa->n;
> + if (n == NULL)
> + goto err;
> +
> + BN_with_flags(n, rsa->n, BN_FLG_CONSTTIME);
>
> ret = BN_BLINDING_create_param(NULL, e, n, ctx, rsa->meth->bn_mod_exp,
> rsa->_method_mod_n);
> +
> + BN_free(n);
> +
> if (ret == NULL) {
> RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_BN_LIB);
> goto err;
> Index: src/crypto/rsa/rsa_eay.c
> ===================================================================
> RCS file: /cvs/src/lib/libssl/src/crypto/rsa/rsa_eay.c,v
> retrieving revision 1.40
> diff -u -p -u -p -r1.40 rsa_eay.c
> --- src/crypto/rsa/rsa_eay.c 10 Sep 2015 15:56:25 -0000 1.40
> +++ src/crypto/rsa/rsa_eay.c 22 Jun 2016 13:37:33 -0000
> @@ -426,24 +426,26 @@ RSA_eay_private_encrypt(int flen, const
> if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
> goto err;
> } else {
> - BIGNUM local_d;
> - BIGNUM *d = NULL;
> + BIGNUM *d = BN_new();
>
> - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
> - BN_init(&local_d);
> - d = &local_d;
> - BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
> - } else
> - d = rsa->d;
> + if (d == NULL)
> + goto err;
> +
> + BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
>
> if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
> if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
> - CRYPTO_LOCK_RSA, rsa->n, ctx))
> + CRYPTO_LOCK_RSA, rsa->n, ctx)) {
> + BN_free(d);
> goto err;
> + }
>
> if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
> - rsa->_method_mod_n))
> + rsa->_method_mod_n)) {
> + BN_free(d);
> goto err;
> + }
> + BN_free(d);
> }
>
> if (blinding)
> @@ -553,22 +555,26 @@ RSA_eay_private_decrypt(int flen, const
> if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
> goto err;
> } else {
> - BIGNUM local_d;
> - BIGNUM *d = NULL;
> + BIGNUM *d = BN_new();
>
> - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
> - d = &local_d;
> - BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
> - } else
> - d = rsa->d;
> + if (d == NULL)
> + goto err;
> +
> + BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
>
> if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
> if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
> - CRYPTO_LOCK_RSA, rsa->n, ctx))
> + CRYPTO_LOCK_RSA, rsa->n, ctx)) {
> + BN_free(d);
> goto err;
> + }
> +
> if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
> - rsa->_method_mod_n))
> + rsa->_method_mod_n)) {
> + BN_free(d);
> goto err;
> + }
> + BN_free(d);
> }
>
> if (blinding)
> @@ -723,8 +729,10 @@ static int
> RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
> {
> BIGNUM *r1, *m1, *vrfy;
> - BIGNUM local_dmp1, local_dmq1, local_c, local_r1;
> - BIGNUM *dmp1, *dmq1, *c, *pr1;
> + BIGNUM *dmp1 = BN_new();
> + BIGNUM *dmq1 = BN_new();
> + BIGNUM *pr1 = BN_new();
> + BIGNUM *c = BN_new();
> int ret = 0;
>
> BN_CTX_start(ctx);
> @@ -737,34 +745,33 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM
> }
>
> {
> - BIGNUM local_p, local_q;
> - BIGNUM *p = NULL, *q = NULL;
> + BIGNUM *p = BN_new();
> + BIGNUM *q = BN_new();
>
> /*
> * Make sure BN_mod_inverse in Montgomery intialization uses
> the
> - * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set)
> + * BN_FLG_CONSTTIME flag
> */
> - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
> - BN_init(&local_p);
> - p = &local_p;
> - BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
> -
> - BN_init(&local_q);
> - q = &local_q;
> - BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
> - } else {
> - p = rsa->p;
> - q = rsa->q;
> + if (p == NULL || q == NULL) {
> + BN_free(p);
> + BN_free(q);
> + goto err;
> }
> + BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
> + BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
>
> if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) {
> - if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p,
> - CRYPTO_LOCK_RSA, p, ctx))
> - goto err;
> - if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q,
> - CRYPTO_LOCK_RSA, q, ctx))
> + if (!BN_MONT_CTX_set_locked
> + (&rsa->_method_mod_p,CRYPTO_LOCK_RSA, p, ctx)
> + ||
> !BN_MONT_CTX_set_locked(&rsa->_method_mod_q,
> + CRYPTO_LOCK_RSA, q, ctx)) {
> + BN_free(p);
> + BN_free(q);
> goto err;
> + }
> }
> + BN_free(p);
> + BN_free(q);
> }
>
> if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
> @@ -773,46 +780,55 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM
> goto err;
>
> /* compute I mod q */
> - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
> - c = &local_c;
> - BN_with_flags(c, I, BN_FLG_CONSTTIME);
> - if (!BN_mod(r1, c, rsa->q, ctx))
> - goto err;
> - } else {
> - if (!BN_mod(r1, I, rsa->q, ctx))
> - goto err;
> + if (c == NULL)
> + goto err;
> +
> + BN_with_flags(c, I, BN_FLG_CONSTTIME);
> +
> + if (!BN_mod(r1, c, rsa->q, ctx)) {
> + BN_free(c);
> + goto err;
> }
>
> /* compute r1^dmq1 mod q */
> - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
> - dmq1 = &local_dmq1;
> - BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
> - } else
> - dmq1 = rsa->dmq1;
> + if (dmq1 == NULL) {
> + BN_free(c);
> + goto err;
> + }
> + BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
> +
> if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx,
> - rsa->_method_mod_q))
> + rsa->_method_mod_q)) {
> + BN_free(c);
> + BN_free(dmq1);
> goto err;
> + }
> + BN_free(dmq1);
>
> /* compute I mod p */
> - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
> - c = &local_c;
> - BN_with_flags(c, I, BN_FLG_CONSTTIME);
> - if (!BN_mod(r1, c, rsa->p, ctx))
> - goto err;
> - } else {
> - if (!BN_mod(r1, I, rsa->p, ctx))
> - goto err;
> + if (c == NULL)
> + goto err;
> +
> + BN_with_flags(c, I, BN_FLG_CONSTTIME);
> +
> + if (!BN_mod(r1, c, rsa->p, ctx)) {
> + BN_free(c);
> + goto err;
> }
> + BN_free(c);
>
> /* compute r1^dmp1 mod p */
> - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
> - dmp1 = &local_dmp1;
> - BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
> - } else
> - dmp1 = rsa->dmp1;
> + if (dmp1 == NULL)
> + goto err;
> +
> + BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
> +
> if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p, ctx,
> - rsa->_method_mod_p))
> + rsa->_method_mod_p)) {
> + BN_free(dmp1);
> goto err;
> + }
> + BN_free(dmp1);
>
> if (!BN_sub(r0, r0, m1))
> goto err;
> @@ -828,14 +844,17 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM
> goto err;
>
> /* Turn BN_FLG_CONSTTIME flag on before division operation */
> - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
> - pr1 = &local_r1;
> - BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
> - } else
> - pr1 = r1;
> - if (!BN_mod(r0, pr1, rsa->p, ctx))
> + if (pr1 == NULL)
> goto err;
>
> + BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
> +
> + if (!BN_mod(r0, pr1, rsa->p, ctx)) {
> + BN_free(pr1);
> + goto err;
> + }
> + BN_free(pr1);
> +
> /*
> * If p < q it is occasionally possible for the correction of
> * adding 'p' if r0 is negative above to leave the result still
> @@ -876,17 +895,19 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM
> * mod_exp and return that instead.
> */
>
> - BIGNUM local_d;
> - BIGNUM *d = NULL;
> + BIGNUM *d = BN_new();
> +
> + if (d == NULL)
> + goto err;
> +
> + BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
>
> - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
> - d = &local_d;
> - BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
> - } else
> - d = rsa->d;
> if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx,
> - rsa->_method_mod_n))
> + rsa->_method_mod_n)) {
> + BN_free(d);
> goto err;
> + }
> + BN_free(d);
> }
> }
> ret = 1;
> Index: src/crypto/rsa/rsa_gen.c
> ===================================================================
> RCS file: /cvs/src/lib/libssl/src/crypto/rsa/rsa_gen.c,v
> retrieving revision 1.17
> diff -u -p -u -p -r1.17 rsa_gen.c
> --- src/crypto/rsa/rsa_gen.c 9 Feb 2015 15:49:22 -0000 1.17
> +++ src/crypto/rsa/rsa_gen.c 22 Jun 2016 13:37:33 -0000
> @@ -90,8 +90,9 @@ static int
> rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
> {
> BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp;
> - BIGNUM local_r0, local_d, local_p;
> - BIGNUM *pr0, *d, *p;
> + BIGNUM *pr0 = BN_new();
> + BIGNUM *d = BN_new();
> + BIGNUM *p = BN_new();
> int bitsp, bitsq, ok = -1, n = 0;
> BN_CTX *ctx = NULL;
>
> @@ -193,37 +194,39 @@ rsa_builtin_keygen(RSA *rsa, int bits, B
> goto err;
> if (!BN_mul(r0, r1, r2, ctx)) /* (p-1)(q-1) */
> goto err;
> - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
> - pr0 = &local_r0;
> - BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
> - } else
> - pr0 = r0;
> - if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx)) /* d */
> + if (pr0 == NULL)
> goto err;
> + BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
> + if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx)) { /* d */
> + BN_free(pr0);
> + goto err;
> + }
>
> /* set up d for correct BN_FLG_CONSTTIME flag */
> - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
> - d = &local_d;
> - BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
> - } else
> - d = rsa->d;
> + if (d == NULL)
> + goto err;
> + BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
>
> /* calculate d mod (p-1) */
> - if (!BN_mod(rsa->dmp1, d, r1, ctx))
> + if (!BN_mod(rsa->dmp1, d, r1, ctx)) {
> + BN_free(d);
> goto err;
> + }
>
> /* calculate d mod (q-1) */
> - if (!BN_mod(rsa->dmq1, d, r2, ctx))
> + if (!BN_mod(rsa->dmq1, d, r2, ctx)) {
> + BN_free(d);
> goto err;
> + }
>
> /* calculate inverse of q mod p */
> - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
> - p = &local_p;
> - BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
> - } else
> - p = rsa->p;
> - if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx))
> + if (p == NULL)
> + goto err;
> + BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
> + if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx)) {
> + BN_free(p);
> goto err;
> + }
>
> ok = 1;
> err:
>
