Disable DSA_FLAG_NO_EXP_CONSTTIME, always enable constant-time behavior.

Improved patch from Cesar Pereida. See https://github.com/libressl-portable/openbsd/pull/61 for more details. ok beck@
author: bcook <> 2016-06-21 04:16:53 +0000
committer: bcook <> 2016-06-21 04:16:53 +0000
commit: 91d6aae7a299dbce8aafae1d671ec0aa14c5511b (patch)
tree: dd6ba567d5976be5e4a37f408373dc7699d3b21c /src/lib/libcrypto/dsa/dsa_ossl.c
parent: ffe8f7f2079bc1daceb3cf79f5cc7a5370ca8483 (diff)
download: openbsd-91d6aae7a299dbce8aafae1d671ec0aa14c5511b.tar.gz
openbsd-91d6aae7a299dbce8aafae1d671ec0aa14c5511b.tar.bz2
openbsd-91d6aae7a299dbce8aafae1d671ec0aa14c5511b.zip
1 files changed, 33 insertions, 71 deletions
diff --git a/src/lib/libcrypto/dsa/dsa_ossl.c b/src/lib/libcrypto/dsa/dsa_ossl.c
index 7e1d494ff3..a28d3e9d1a 100644
--- a/src/lib/libcrypto/dsa/dsa_ossl.c
+++ b/src/lib/libcrypto/dsa/dsa_ossl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa_ossl.c,v 1.25 2016/06/06 23:37:37 tedu Exp $ */
+/* $OpenBSD: dsa_ossl.c,v 1.26 2016/06/21 04:16:53 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -83,46 +83,6 @@ static DSA_METHOD openssl_dsa_meth = {
        .finish = dsa_finish
 };
-/*
- * These macro wrappers replace attempts to use the dsa_mod_exp() and
- * bn_mod_exp() handlers in the DSA_METHOD structure. We avoid the problem of
- * having a the macro work as an expression by bundling an "err_instr". So;
- * 
- *     if (!dsa->meth->bn_mod_exp(dsa, r,dsa->g,&k,dsa->p,ctx,
- *                 dsa->method_mont_p)) goto err;
- *
- * can be replaced by;
- *
- *     DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, &k, dsa->p, ctx,
- *                 dsa->method_mont_p);
- */
-#define DSA_MOD_EXP(err_instr,dsa,rr,a1,p1,a2,p2,m,ctx,in_mont) \
-do { \
-        int _tmp_res53; \
-        if ((dsa)->meth->dsa_mod_exp) \
-                _tmp_res53 = (dsa)->meth->dsa_mod_exp((dsa), (rr), \
-                    (a1), (p1), (a2), (p2), (m), (ctx), (in_mont)); \
-        else \
-                _tmp_res53 = BN_mod_exp2_mont((rr), (a1), \
-                    (p1), (a2), (p2), (m), (ctx), (in_mont)); \
-        if (!_tmp_res53) \
-                err_instr; \
-} while(0)
-#define DSA_BN_MOD_EXP(err_instr,dsa,r,a,p,m,ctx,m_ctx) \
-do { \
-        int _tmp_res53; \
-        if ((dsa)->meth->bn_mod_exp) \
-                _tmp_res53 = (dsa)->meth->bn_mod_exp((dsa), (r), \
-                    (a), (p), (m), (ctx), (m_ctx)); \
-        else \
-                _tmp_res53 = BN_mod_exp_mont((r), (a), (p), (m), \
-                    (ctx), (m_ctx)); \
-        if (!_tmp_res53) \
-                err_instr; \
-} while(0)
 const DSA_METHOD *
 DSA_OpenSSL(void)
 {
@@ -222,7 +182,7 @@ static int
 dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
 {
        BN_CTX *ctx;
-        BIGNUM k, kq, *K, *kinv = NULL, *r = NULL;
+        BIGNUM k, *kinv = NULL, *r = NULL;
        int ret = 0;
        if (!dsa->p || !dsa->q || !dsa->g) {
@@ -231,7 +191,6 @@ dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
        }
        BN_init(&k);
-        BN_init(&kq);
        if (ctx_in == NULL) {
                if ((ctx = BN_CTX_new()) == NULL)
@@ -248,6 +207,8 @@ dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
                        goto err;
        } while (BN_is_zero(&k));
+        BN_set_flags(&k, BN_FLG_CONSTTIME);
        if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
                if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
                    CRYPTO_LOCK_DSA, dsa->p, ctx))
@@ -256,37 +217,31 @@ dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
        /* Compute r = (g^k mod p) mod q */
-        if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
+        /*
-                if (!BN_copy(&kq, &k))
+         * We do not want timing information to leak the length of k,
-                        goto err;
+         * so we compute g^k using an equivalent exponent of fixed
+         * length.
-                /*
+         *
-                 * We do not want timing information to leak the length of k,
+         * (This is a kludge that we need because the BN_mod_exp_mont()
-                 * so we compute g^k using an equivalent exponent of fixed
+         * does not let us specify the desired timing behaviour.)
-                 * length.
+         */
-                 *
-                 * (This is a kludge that we need because the BN_mod_exp_mont()
-                 * does not let us specify the desired timing behaviour.)
-                 */
-                if (!BN_add(&kq, &kq, dsa->q))
+        if (!BN_add(&k, &k, dsa->q))
+                goto err;
+        if (BN_num_bits(&k) <= BN_num_bits(dsa->q)) {
+                if (!BN_add(&k, &k, dsa->q))
                        goto err;
-                if (BN_num_bits(&kq) <= BN_num_bits(dsa->q)) {
-                        if (!BN_add(&kq, &kq, dsa->q))
-                                goto err;
-                }
-                K = &kq;
-        } else {
-                K = &k;
        }
-        if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
+        if (dsa->meth->bn_mod_exp != NULL) {
-                BN_set_flags(K, BN_FLG_CONSTTIME);
+                if (!dsa->meth->bn_mod_exp(dsa, r, dsa->g, &k, dsa->p, ctx,
+                                        dsa->method_mont_p))
+                        goto err;
+        } else {
+                if (!BN_mod_exp_mont(r, dsa->g, &k, dsa->p, ctx, dsa->method_mont_p))
+                        goto err;
        }
-        DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx,
-            dsa->method_mont_p);
        if (!BN_mod(r,r,dsa->q,ctx))
                goto err;
@@ -308,7 +263,6 @@ err:
        if (ctx_in == NULL)
                BN_CTX_free(ctx);
        BN_clear_free(&k);
-        BN_clear_free(&kq);
        return ret;
 }
@@ -386,8 +340,16 @@ dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, DSA *dsa)
                        goto err;
        }
-        DSA_MOD_EXP(goto err, dsa, &t1, dsa->g, &u1, dsa->pub_key, &u2, dsa->p,
+        if (dsa->meth->dsa_mod_exp != NULL) {
-            ctx, mont);
+                if (!dsa->meth->dsa_mod_exp(dsa, &t1, dsa->g, &u1, dsa->pub_key, &u2,
+                                                dsa->p, ctx, mont))
+                        goto err;
+        } else {
+                if (!BN_mod_exp2_mont(&t1, dsa->g, &u1, dsa->pub_key, &u2, dsa->p, ctx,
+                                                mont))
+                        goto err;
+        }
+                
        /* BN_copy(&u1,&t1); */
        /* let u1 = u1 mod q */
        if (!BN_mod(&u1, &t1, dsa->q, ctx))
author	bcook <>	2016-06-21 04:16:53 +0000
committer	bcook <>	2016-06-21 04:16:53 +0000
commit	91d6aae7a299dbce8aafae1d671ec0aa14c5511b (patch)
tree	dd6ba567d5976be5e4a37f408373dc7699d3b21c /src/lib/libcrypto/dsa/dsa_ossl.c
parent	ffe8f7f2079bc1daceb3cf79f5cc7a5370ca8483 (diff)
download	openbsd-91d6aae7a299dbce8aafae1d671ec0aa14c5511b.tar.gz openbsd-91d6aae7a299dbce8aafae1d671ec0aa14c5511b.tar.bz2 openbsd-91d6aae7a299dbce8aafae1d671ec0aa14c5511b.zip

diff --git a/src/lib/libcrypto/dsa/dsa_ossl.c b/src/lib/libcrypto/dsa/dsa_ossl.c index 7e1d494ff3..a28d3e9d1a 100644 --- a/src/lib/libcrypto/dsa/dsa_ossl.c +++ b/src/lib/libcrypto/dsa/dsa_ossl.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: dsa_ossl.c,v 1.25 2016/06/06 23:37:37 tedu Exp $ */	1	/* $OpenBSD: dsa_ossl.c,v 1.26 2016/06/21 04:16:53 bcook Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -83,46 +83,6 @@ static DSA_METHOD openssl_dsa_meth = {
83	.finish = dsa_finish	83	.finish = dsa_finish
84	};	84	};
85		85
86	/*
87	* These macro wrappers replace attempts to use the dsa_mod_exp() and
88	* bn_mod_exp() handlers in the DSA_METHOD structure. We avoid the problem of
89	* having a the macro work as an expression by bundling an "err_instr". So;
90	*
91	* if (!dsa->meth->bn_mod_exp(dsa, r,dsa->g,&k,dsa->p,ctx,
92	* dsa->method_mont_p)) goto err;
93	*
94	* can be replaced by;
95	*
96	* DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, &k, dsa->p, ctx,
97	* dsa->method_mont_p);
98	*/
99
100	#define DSA_MOD_EXP(err_instr,dsa,rr,a1,p1,a2,p2,m,ctx,in_mont) \
101	do { \
102	int _tmp_res53; \
103	if ((dsa)->meth->dsa_mod_exp) \
104	_tmp_res53 = (dsa)->meth->dsa_mod_exp((dsa), (rr), \
105	(a1), (p1), (a2), (p2), (m), (ctx), (in_mont)); \
106	else \
107	_tmp_res53 = BN_mod_exp2_mont((rr), (a1), \
108	(p1), (a2), (p2), (m), (ctx), (in_mont)); \
109	if (!_tmp_res53) \
110	err_instr; \
111	} while(0)
112
113	#define DSA_BN_MOD_EXP(err_instr,dsa,r,a,p,m,ctx,m_ctx) \
114	do { \
115	int _tmp_res53; \
116	if ((dsa)->meth->bn_mod_exp) \
117	_tmp_res53 = (dsa)->meth->bn_mod_exp((dsa), (r), \
118	(a), (p), (m), (ctx), (m_ctx)); \
119	else \
120	_tmp_res53 = BN_mod_exp_mont((r), (a), (p), (m), \
121	(ctx), (m_ctx)); \
122	if (!_tmp_res53) \
123	err_instr; \
124	} while(0)
125
126	const DSA_METHOD *	86	const DSA_METHOD *
127	DSA_OpenSSL(void)	87	DSA_OpenSSL(void)
128	{	88	{
@@ -222,7 +182,7 @@ static int
222	dsa_sign_setup(DSA dsa, BN_CTX ctx_in, BIGNUM kinvp, BIGNUM rp)	182	dsa_sign_setup(DSA dsa, BN_CTX ctx_in, BIGNUM kinvp, BIGNUM rp)
223	{	183	{
224	BN_CTX *ctx;	184	BN_CTX *ctx;
225	BIGNUM k, kq, K, kinv = NULL, *r = NULL;	185	BIGNUM k, kinv = NULL, r = NULL;
226	int ret = 0;	186	int ret = 0;
227		187
228	if (!dsa->p \|\| !dsa->q \|\| !dsa->g) {	188	if (!dsa->p \|\| !dsa->q \|\| !dsa->g) {
@@ -231,7 +191,6 @@ dsa_sign_setup(DSA dsa, BN_CTX ctx_in, BIGNUM kinvp, BIGNUM rp)
231	}	191	}
232		192
233	BN_init(&k);	193	BN_init(&k);
234	BN_init(&kq);
235		194
236	if (ctx_in == NULL) {	195	if (ctx_in == NULL) {
237	if ((ctx = BN_CTX_new()) == NULL)	196	if ((ctx = BN_CTX_new()) == NULL)
@@ -248,6 +207,8 @@ dsa_sign_setup(DSA dsa, BN_CTX ctx_in, BIGNUM kinvp, BIGNUM rp)
248	goto err;	207	goto err;
249	} while (BN_is_zero(&k));	208	} while (BN_is_zero(&k));
250		209
		210	BN_set_flags(&k, BN_FLG_CONSTTIME);
		211
251	if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {	212	if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
252	if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,	213	if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
253	CRYPTO_LOCK_DSA, dsa->p, ctx))	214	CRYPTO_LOCK_DSA, dsa->p, ctx))
@@ -256,37 +217,31 @@ dsa_sign_setup(DSA dsa, BN_CTX ctx_in, BIGNUM kinvp, BIGNUM rp)
256		217
257	/* Compute r = (g^k mod p) mod q */	218	/* Compute r = (g^k mod p) mod q */
258		219
259	if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {	220	/*
260	if (!BN_copy(&kq, &k))	221	* We do not want timing information to leak the length of k,
261	goto err;	222	* so we compute g^k using an equivalent exponent of fixed
262		223	* length.
263	/*	224	*
264	* We do not want timing information to leak the length of k,	225	* (This is a kludge that we need because the BN_mod_exp_mont()
265	* so we compute g^k using an equivalent exponent of fixed	226	* does not let us specify the desired timing behaviour.)
266	* length.	227	*/
267	*
268	* (This is a kludge that we need because the BN_mod_exp_mont()
269	* does not let us specify the desired timing behaviour.)
270	*/
271		228
272	if (!BN_add(&kq, &kq, dsa->q))	229	if (!BN_add(&k, &k, dsa->q))
		230	goto err;
		231	if (BN_num_bits(&k) <= BN_num_bits(dsa->q)) {
		232	if (!BN_add(&k, &k, dsa->q))
273	goto err;	233	goto err;
274	if (BN_num_bits(&kq) <= BN_num_bits(dsa->q)) {
275	if (!BN_add(&kq, &kq, dsa->q))
276	goto err;
277	}
278
279	K = &kq;
280	} else {
281	K = &k;
282	}	234	}
283		235
284	if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {	236	if (dsa->meth->bn_mod_exp != NULL) {
285	BN_set_flags(K, BN_FLG_CONSTTIME);	237	if (!dsa->meth->bn_mod_exp(dsa, r, dsa->g, &k, dsa->p, ctx,
		238	dsa->method_mont_p))
		239	goto err;
		240	} else {
		241	if (!BN_mod_exp_mont(r, dsa->g, &k, dsa->p, ctx, dsa->method_mont_p))
		242	goto err;
286	}	243	}
287		244
288	DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx,
289	dsa->method_mont_p);
290	if (!BN_mod(r,r,dsa->q,ctx))	245	if (!BN_mod(r,r,dsa->q,ctx))
291	goto err;	246	goto err;
292		247
@@ -308,7 +263,6 @@ err:
308	if (ctx_in == NULL)	263	if (ctx_in == NULL)
309	BN_CTX_free(ctx);	264	BN_CTX_free(ctx);
310	BN_clear_free(&k);	265	BN_clear_free(&k);
311	BN_clear_free(&kq);
312	return ret;	266	return ret;
313	}	267	}
314		268
@@ -386,8 +340,16 @@ dsa_do_verify(const unsigned char dgst, int dgst_len, DSA_SIG sig, DSA *dsa)
386	goto err;	340	goto err;
387	}	341	}
388		342
389	DSA_MOD_EXP(goto err, dsa, &t1, dsa->g, &u1, dsa->pub_key, &u2, dsa->p,	343	if (dsa->meth->dsa_mod_exp != NULL) {
390	ctx, mont);	344	if (!dsa->meth->dsa_mod_exp(dsa, &t1, dsa->g, &u1, dsa->pub_key, &u2,
		345	dsa->p, ctx, mont))
		346	goto err;
		347	} else {
		348	if (!BN_mod_exp2_mont(&t1, dsa->g, &u1, dsa->pub_key, &u2, dsa->p, ctx,
		349	mont))
		350	goto err;
		351	}
		352
391	/* BN_copy(&u1,&t1); */	353	/* BN_copy(&u1,&t1); */
392	/* let u1 = u1 mod q */	354	/* let u1 = u1 mod q */
393	if (!BN_mod(&u1, &t1, dsa->q, ctx))	355	if (!BN_mod(&u1, &t1, dsa->q, ctx))