In view of the recent BN_FLG_CONSTTIME vulnerabilities in OpenSSL,

carefully document constant time vs. non-constant time operation of BN_div(3), BN_mod_exp(3), and BN_mod_inverse(3). Until the work that is required on the ill-designed BN_exp(3) and BN_gcd(3) interfaces can be undertaken, also document the imperfections in their behaviour, for now. Finally, mention BN_mod_exp(3) behaviour for even moduli. Delete the vague statement about some functions automatically setting BN_FLG_CONSTTIME. It created a false sense of security. Do not rely on it: not all relevant functions do that. Topic brought up by beck@, significant feedback and OK jsing@.
author: schwarze <> 2018-04-29 15:58:21 +0000
committer: schwarze <> 2018-04-29 15:58:21 +0000
commit: a60c20fc32aa2f822c683424f5bd90611e4d452f (patch)
tree: f067081374e9045588229a0f9af9373361fb2cbe
parent: 0a991f6de98776a2cd65f3529adb8948b51c275a (diff)
download: openbsd-a60c20fc32aa2f822c683424f5bd90611e4d452f.tar.gz
openbsd-a60c20fc32aa2f822c683424f5bd90611e4d452f.tar.bz2
openbsd-a60c20fc32aa2f822c683424f5bd90611e4d452f.zip
4 files changed, 104 insertions, 28 deletions
diff --git a/src/lib/libcrypto/man/BN_add.3 b/src/lib/libcrypto/man/BN_add.3
index 6001a9a4bd..8a11d7c080 100644
--- a/src/lib/libcrypto/man/BN_add.3
+++ b/src/lib/libcrypto/man/BN_add.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: BN_add.3,v 1.12 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: BN_add.3,v 1.13 2018/04/29 15:58:21 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: April 29 2018 $
 .Dt BN_ADD 3
 .Os
 .Sh NAME
@@ -66,6 +66,13 @@
 .Nm BN_mod_sqr ,
 .Nm BN_exp ,
 .Nm BN_mod_exp ,
+.\" The following are public, but intentionally undocumented for now:
+.\" .Nm BN_mod_exp_mont_consttime ,
+.\" .Nm BN_mod_exp_mont ,
+.\" .Nm BN_mod_exp_mont_word ,
+.\" .Nm BN_mod_exp_recp ,
+.\" .Nm BN_mod_exp_simple ,
+.\" Maybe they should be deleted from <openssl/bn.h>.
 .Nm BN_gcd
 .Nd arithmetic operations on BIGNUMs
 .Sh SYNOPSIS
@@ -245,6 +252,13 @@ and places the result in
 and the remainder in
 .Fa rem
 .Pq Li dv=a/d , rem=a%d .
+If the flag
+.Dv BN_FLG_CONSTTIME
+is set on
+.Fa a
+or
+.Fa d ,
+it operates in constant time.
 Either of
 .Fa dv
 and
@@ -343,6 +357,11 @@ to the
 power modulo
 .Fa m
 .Pq Li r=(a^p)%m .
+If the flag
+.Dv BN_FLG_CONSTTIME
+is set on
+.Fa p ,
+it operates in constant time.
 This function uses less time and space than
 .Fn BN_exp .
 .Pp
@@ -417,3 +436,31 @@ and
 .Fn BN_mod_sqr
 first appeared in OpenSSL 0.9.7 and have been available since
 .Ox 3.2 .
+.Sh BUGS
+Even if the
+.Dv BN_FLG_CONSTTIME
+flag is set on
+.Fa a
+or
+.Fa b ,
+.Fn BN_gcd
+neither fails nor operates in constant time, potentially allowing
+timing side-channel attacks.
+.Pp
+Even if the
+.Dv BN_FLG_CONSTTIME
+flag is set on
+.Fa p ,
+if the modulus
+.Fa m
+is even,
+.Fn BN_mod_exp
+does not operate in constant time, potentially allowing
+timing side-channel attacks.
+.Pp
+If
+.Dv BN_FLG_CONSTTIME
+is set on
+.Fa p ,
+.Fn BN_exp
+fails instead of operating in constant time.
diff --git a/src/lib/libcrypto/man/BN_mod_inverse.3 b/src/lib/libcrypto/man/BN_mod_inverse.3
index ed6b6def4e..aa509b1ab6 100644
--- a/src/lib/libcrypto/man/BN_mod_inverse.3
+++ b/src/lib/libcrypto/man/BN_mod_inverse.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: BN_mod_inverse.3,v 1.9 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: BN_mod_inverse.3,v 1.10 2018/04/29 15:58:21 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: April 29 2018 $
 .Dt BN_MOD_INVERSE 3
 .Os
 .Sh NAME
@@ -80,6 +80,14 @@ a new
 .Vt BIGNUM
 is created.
 .Pp
+If the flag
+.Dv BN_FLG_CONSTTIME
+is set on
+.Fa a
+or
+.Fa n ,
+it operates in constant time.
+.Pp
 .Fa ctx
 is a previously allocated
 .Vt BN_CTX
diff --git a/src/lib/libcrypto/man/BN_new.3 b/src/lib/libcrypto/man/BN_new.3
index e27a83e042..ed2910e645 100644
--- a/src/lib/libcrypto/man/BN_new.3
+++ b/src/lib/libcrypto/man/BN_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BN_new.3,v 1.13 2018/03/27 17:35:50 schwarze Exp $
+.\" $OpenBSD: BN_new.3,v 1.14 2018/04/29 15:58:21 schwarze Exp $
 .\" full merge up to: OpenSSL man3/BN_new 2457c19d Mar 6 08:43:36 2004 +0000
 .\" selective merge up to: man3/BN_new 681acb31 Sep 29 13:10:34 2017 +0200
 .\" full merge up to: OpenSSL man7/bn 05ea606a May 20 20:52:46 2016 -0400
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: April 29 2018 $
 .Dt BN_NEW 3
 .Os
 .Sh NAME
@@ -102,7 +102,11 @@ or accessed directly.
 .Fn BN_new
 allocates and initializes a
 .Vt BIGNUM
-structure, in particular setting the value to zero.
+structure, in particular setting the value to zero and the flags to
+.Dv BN_FLG_MALLOCED .
+The security-relevant flag
+.Dv BN_FLG_CONSTTIME
+is not set by default.
 .Pp
 .Fn BN_init
 initializes an existing uninitialized
diff --git a/src/lib/libcrypto/man/BN_set_flags.3 b/src/lib/libcrypto/man/BN_set_flags.3
index a998037534..9b1647cd31 100644
--- a/src/lib/libcrypto/man/BN_set_flags.3
+++ b/src/lib/libcrypto/man/BN_set_flags.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: BN_set_flags.3,v 1.2 2018/03/21 09:03:49 schwarze Exp $
+.\"     $OpenBSD: BN_set_flags.3,v 1.3 2018/04/29 15:58:21 schwarze Exp $
 .\"
 .\" Copyright (c) 2017 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 21 2018 $
+.Dd $Mdocdate: April 29 2018 $
 .Dt BN_SET_FLAGS 3
 .Os
 .Sh NAME
@@ -47,6 +47,8 @@ together:
 .It Dv BN_FLG_CONSTTIME
 If this flag is set on the divident
 .Fa a
+or the divisor
+.Fa d
 in
 .Xr BN_div 3 ,
 on the exponent
@@ -59,27 +61,14 @@ or the modulus
 .Fa n
 in
 .Xr BN_mod_inverse 3 ,
-these functions prefer algorithms with an execution time independent
+these functions select algorithms with an execution time independent
 of the respective numbers, to avoid exposing sensitive information
-to timing attacks.
+to timing side-channel attacks.
 .Pp
-If this flag is set on the exponent
+This flag is off by default for
-.Fa p
+.Vt BIGNUM
-in
+objects created with
-.Xr BN_exp 3
+.Xr BN_new 3 .
-or if the modulus
-.Fa m
-is even for
-.Xr BN_mod_exp 3 ,
-an error occurs.
-.Pp
-Various functions automatically set this flag on sensitive data.
-For example, the default implementations of
-.Xr DH_generate_key 3 ,
-.Xr DSA_generate_key 3 ,
-and
-.Xr RSA_generate_key_ex 3
-set it on the generated private key.
 .It Dv BN_FLG_MALLOCED
 If this flag is set,
 .Xr BN_free 3
@@ -148,3 +137,31 @@ first appeared in SSLeay 0.9.1 and have been available since
 No public interface exists to clear a flag once it is set.
 So think twice before using
 .Fn BN_set_flags .
+.Sh BUGS
+Even if the
+.Dv BN_FLG_CONSTTIME
+flag is set on
+.Fa a
+or
+.Fa b ,
+.Fn BN_gcd
+neither fails nor operates in constant time, potentially allowing
+timing side-channel attacks.
+.Pp
+Even if the
+.Dv BN_FLG_CONSTTIME
+flag is set on
+.Fa p ,
+if the modulus
+.Fa m
+is even,
+.Xr BN_mod_exp 3
+does not operate in constant time, potentially allowing
+timing side-channel attacks.
+.Pp
+If
+.Dv BN_FLG_CONSTTIME
+is set on
+.Fa p ,
+.Fn BN_exp
+fails instead of operating in constant time.
author	schwarze <>	2018-04-29 15:58:21 +0000
committer	schwarze <>	2018-04-29 15:58:21 +0000
commit	a60c20fc32aa2f822c683424f5bd90611e4d452f (patch)
tree	f067081374e9045588229a0f9af9373361fb2cbe
parent	0a991f6de98776a2cd65f3529adb8948b51c275a (diff)
download	openbsd-a60c20fc32aa2f822c683424f5bd90611e4d452f.tar.gz openbsd-a60c20fc32aa2f822c683424f5bd90611e4d452f.tar.bz2 openbsd-a60c20fc32aa2f822c683424f5bd90611e4d452f.zip

diff --git a/src/lib/libcrypto/man/BN_add.3 b/src/lib/libcrypto/man/BN_add.3 index 6001a9a4bd..8a11d7c080 100644 --- a/src/lib/libcrypto/man/BN_add.3 +++ b/src/lib/libcrypto/man/BN_add.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: BN_add.3,v 1.12 2018/03/27 17:35:50 schwarze Exp $	1	.\" $OpenBSD: BN_add.3,v 1.13 2018/04/29 15:58:21 schwarze Exp $
2	.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100	2	.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
3	.\"	3	.\"
4	.\" This file was written by Ulf Moeller <ulf@openssl.org>	4	.\" This file was written by Ulf Moeller <ulf@openssl.org>
@@ -49,7 +49,7 @@
49	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED	49	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50	.\" OF THE POSSIBILITY OF SUCH DAMAGE.	50	.\" OF THE POSSIBILITY OF SUCH DAMAGE.
51	.\"	51	.\"
52	.Dd $Mdocdate: March 27 2018 $	52	.Dd $Mdocdate: April 29 2018 $
53	.Dt BN_ADD 3	53	.Dt BN_ADD 3
54	.Os	54	.Os
55	.Sh NAME	55	.Sh NAME
@@ -66,6 +66,13 @@
66	.Nm BN_mod_sqr ,	66	.Nm BN_mod_sqr ,
67	.Nm BN_exp ,	67	.Nm BN_exp ,
68	.Nm BN_mod_exp ,	68	.Nm BN_mod_exp ,
		69	.\" The following are public, but intentionally undocumented for now:
		70	.\" .Nm BN_mod_exp_mont_consttime ,
		71	.\" .Nm BN_mod_exp_mont ,
		72	.\" .Nm BN_mod_exp_mont_word ,
		73	.\" .Nm BN_mod_exp_recp ,
		74	.\" .Nm BN_mod_exp_simple ,
		75	.\" Maybe they should be deleted from <openssl/bn.h>.
69	.Nm BN_gcd	76	.Nm BN_gcd
70	.Nd arithmetic operations on BIGNUMs	77	.Nd arithmetic operations on BIGNUMs
71	.Sh SYNOPSIS	78	.Sh SYNOPSIS
@@ -245,6 +252,13 @@ and places the result in
245	and the remainder in	252	and the remainder in
246	.Fa rem	253	.Fa rem
247	.Pq Li dv=a/d , rem=a%d .	254	.Pq Li dv=a/d , rem=a%d .
		255	If the flag
		256	.Dv BN_FLG_CONSTTIME
		257	is set on
		258	.Fa a
		259	or
		260	.Fa d ,
		261	it operates in constant time.
248	Either of	262	Either of
249	.Fa dv	263	.Fa dv
250	and	264	and
@@ -343,6 +357,11 @@ to the
343	power modulo	357	power modulo
344	.Fa m	358	.Fa m
345	.Pq Li r=(a^p)%m .	359	.Pq Li r=(a^p)%m .
		360	If the flag
		361	.Dv BN_FLG_CONSTTIME
		362	is set on
		363	.Fa p ,
		364	it operates in constant time.
346	This function uses less time and space than	365	This function uses less time and space than
347	.Fn BN_exp .	366	.Fn BN_exp .
348	.Pp	367	.Pp
@@ -417,3 +436,31 @@ and
417	.Fn BN_mod_sqr	436	.Fn BN_mod_sqr
418	first appeared in OpenSSL 0.9.7 and have been available since	437	first appeared in OpenSSL 0.9.7 and have been available since
419	.Ox 3.2 .	438	.Ox 3.2 .
		439	.Sh BUGS
		440	Even if the
		441	.Dv BN_FLG_CONSTTIME
		442	flag is set on
		443	.Fa a
		444	or
		445	.Fa b ,
		446	.Fn BN_gcd
		447	neither fails nor operates in constant time, potentially allowing
		448	timing side-channel attacks.
		449	.Pp
		450	Even if the
		451	.Dv BN_FLG_CONSTTIME
		452	flag is set on
		453	.Fa p ,
		454	if the modulus
		455	.Fa m
		456	is even,
		457	.Fn BN_mod_exp
		458	does not operate in constant time, potentially allowing
		459	timing side-channel attacks.
		460	.Pp
		461	If
		462	.Dv BN_FLG_CONSTTIME
		463	is set on
		464	.Fa p ,
		465	.Fn BN_exp
		466	fails instead of operating in constant time.


diff --git a/src/lib/libcrypto/man/BN_mod_inverse.3 b/src/lib/libcrypto/man/BN_mod_inverse.3 index ed6b6def4e..aa509b1ab6 100644 --- a/src/lib/libcrypto/man/BN_mod_inverse.3 +++ b/src/lib/libcrypto/man/BN_mod_inverse.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: BN_mod_inverse.3,v 1.9 2018/03/27 17:35:50 schwarze Exp $	1	.\" $OpenBSD: BN_mod_inverse.3,v 1.10 2018/04/29 15:58:21 schwarze Exp $
2	.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100	2	.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
3	.\"	3	.\"
4	.\" This file was written by Ulf Moeller <ulf@openssl.org>.	4	.\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
48	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED	48	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
49	.\" OF THE POSSIBILITY OF SUCH DAMAGE.	49	.\" OF THE POSSIBILITY OF SUCH DAMAGE.
50	.\"	50	.\"
51	.Dd $Mdocdate: March 27 2018 $	51	.Dd $Mdocdate: April 29 2018 $
52	.Dt BN_MOD_INVERSE 3	52	.Dt BN_MOD_INVERSE 3
53	.Os	53	.Os
54	.Sh NAME	54	.Sh NAME
@@ -80,6 +80,14 @@ a new
80	.Vt BIGNUM	80	.Vt BIGNUM
81	is created.	81	is created.
82	.Pp	82	.Pp
		83	If the flag
		84	.Dv BN_FLG_CONSTTIME
		85	is set on
		86	.Fa a
		87	or
		88	.Fa n ,
		89	it operates in constant time.
		90	.Pp
83	.Fa ctx	91	.Fa ctx
84	is a previously allocated	92	is a previously allocated
85	.Vt BN_CTX	93	.Vt BN_CTX


diff --git a/src/lib/libcrypto/man/BN_new.3 b/src/lib/libcrypto/man/BN_new.3 index e27a83e042..ed2910e645 100644 --- a/src/lib/libcrypto/man/BN_new.3 +++ b/src/lib/libcrypto/man/BN_new.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: BN_new.3,v 1.13 2018/03/27 17:35:50 schwarze Exp $	1	.\" $OpenBSD: BN_new.3,v 1.14 2018/04/29 15:58:21 schwarze Exp $
2	.\" full merge up to: OpenSSL man3/BN_new 2457c19d Mar 6 08:43:36 2004 +0000	2	.\" full merge up to: OpenSSL man3/BN_new 2457c19d Mar 6 08:43:36 2004 +0000
3	.\" selective merge up to: man3/BN_new 681acb31 Sep 29 13:10:34 2017 +0200	3	.\" selective merge up to: man3/BN_new 681acb31 Sep 29 13:10:34 2017 +0200
4	.\" full merge up to: OpenSSL man7/bn 05ea606a May 20 20:52:46 2016 -0400	4	.\" full merge up to: OpenSSL man7/bn 05ea606a May 20 20:52:46 2016 -0400
@@ -50,7 +50,7 @@
50	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED	50	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51	.\" OF THE POSSIBILITY OF SUCH DAMAGE.	51	.\" OF THE POSSIBILITY OF SUCH DAMAGE.
52	.\"	52	.\"
53	.Dd $Mdocdate: March 27 2018 $	53	.Dd $Mdocdate: April 29 2018 $
54	.Dt BN_NEW 3	54	.Dt BN_NEW 3
55	.Os	55	.Os
56	.Sh NAME	56	.Sh NAME
@@ -102,7 +102,11 @@ or accessed directly.
102	.Fn BN_new	102	.Fn BN_new
103	allocates and initializes a	103	allocates and initializes a
104	.Vt BIGNUM	104	.Vt BIGNUM
105	structure, in particular setting the value to zero.	105	structure, in particular setting the value to zero and the flags to
		106	.Dv BN_FLG_MALLOCED .
		107	The security-relevant flag
		108	.Dv BN_FLG_CONSTTIME
		109	is not set by default.
106	.Pp	110	.Pp
107	.Fn BN_init	111	.Fn BN_init
108	initializes an existing uninitialized	112	initializes an existing uninitialized


diff --git a/src/lib/libcrypto/man/BN_set_flags.3 b/src/lib/libcrypto/man/BN_set_flags.3 index a998037534..9b1647cd31 100644 --- a/src/lib/libcrypto/man/BN_set_flags.3 +++ b/src/lib/libcrypto/man/BN_set_flags.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: BN_set_flags.3,v 1.2 2018/03/21 09:03:49 schwarze Exp $	1	.\" $OpenBSD: BN_set_flags.3,v 1.3 2018/04/29 15:58:21 schwarze Exp $
2	.\"	2	.\"
3	.\" Copyright (c) 2017 Ingo Schwarze <schwarze@openbsd.org>	3	.\" Copyright (c) 2017 Ingo Schwarze <schwarze@openbsd.org>
4	.\"	4	.\"
@@ -14,7 +14,7 @@
14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF	14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.	15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16	.\"	16	.\"
17	.Dd $Mdocdate: March 21 2018 $	17	.Dd $Mdocdate: April 29 2018 $
18	.Dt BN_SET_FLAGS 3	18	.Dt BN_SET_FLAGS 3
19	.Os	19	.Os
20	.Sh NAME	20	.Sh NAME
@@ -47,6 +47,8 @@ together:
47	.It Dv BN_FLG_CONSTTIME	47	.It Dv BN_FLG_CONSTTIME
48	If this flag is set on the divident	48	If this flag is set on the divident
49	.Fa a	49	.Fa a
		50	or the divisor
		51	.Fa d
50	in	52	in
51	.Xr BN_div 3 ,	53	.Xr BN_div 3 ,
52	on the exponent	54	on the exponent
@@ -59,27 +61,14 @@ or the modulus
59	.Fa n	61	.Fa n
60	in	62	in
61	.Xr BN_mod_inverse 3 ,	63	.Xr BN_mod_inverse 3 ,
62	these functions prefer algorithms with an execution time independent	64	these functions select algorithms with an execution time independent
63	of the respective numbers, to avoid exposing sensitive information	65	of the respective numbers, to avoid exposing sensitive information
64	to timing attacks.	66	to timing side-channel attacks.
65	.Pp	67	.Pp
66	If this flag is set on the exponent	68	This flag is off by default for
67	.Fa p	69	.Vt BIGNUM
68	in	70	objects created with
69	.Xr BN_exp 3	71	.Xr BN_new 3 .
70	or if the modulus
71	.Fa m
72	is even for
73	.Xr BN_mod_exp 3 ,
74	an error occurs.
75	.Pp
76	Various functions automatically set this flag on sensitive data.
77	For example, the default implementations of
78	.Xr DH_generate_key 3 ,
79	.Xr DSA_generate_key 3 ,
80	and
81	.Xr RSA_generate_key_ex 3
82	set it on the generated private key.
83	.It Dv BN_FLG_MALLOCED	72	.It Dv BN_FLG_MALLOCED
84	If this flag is set,	73	If this flag is set,
85	.Xr BN_free 3	74	.Xr BN_free 3
@@ -148,3 +137,31 @@ first appeared in SSLeay 0.9.1 and have been available since
148	No public interface exists to clear a flag once it is set.	137	No public interface exists to clear a flag once it is set.
149	So think twice before using	138	So think twice before using
150	.Fn BN_set_flags .	139	.Fn BN_set_flags .
		140	.Sh BUGS
		141	Even if the
		142	.Dv BN_FLG_CONSTTIME
		143	flag is set on
		144	.Fa a
		145	or
		146	.Fa b ,
		147	.Fn BN_gcd
		148	neither fails nor operates in constant time, potentially allowing
		149	timing side-channel attacks.
		150	.Pp
		151	Even if the
		152	.Dv BN_FLG_CONSTTIME
		153	flag is set on
		154	.Fa p ,
		155	if the modulus
		156	.Fa m
		157	is even,
		158	.Xr BN_mod_exp 3
		159	does not operate in constant time, potentially allowing
		160	timing side-channel attacks.
		161	.Pp
		162	If
		163	.Dv BN_FLG_CONSTTIME
		164	is set on
		165	.Fa p ,
		166	.Fn BN_exp
		167	fails instead of operating in constant time.