In view of the recent BN_FLG_CONSTTIME vulnerabilities in OpenSSL,

carefully document constant time vs. non-constant time operation of BN_div(3), BN_mod_exp(3), and BN_mod_inverse(3). Until the work that is required on the ill-designed BN_exp(3) and BN_gcd(3) interfaces can be undertaken, also document the imperfections in their behaviour, for now. Finally, mention BN_mod_exp(3) behaviour for even moduli. Delete the vague statement about some functions automatically setting BN_FLG_CONSTTIME. It created a false sense of security. Do not rely on it: not all relevant functions do that. Topic brought up by beck@, significant feedback and OK jsing@.
author: schwarze <> 2018-04-29 15:58:21 +0000
committer: schwarze <> 2018-04-29 15:58:21 +0000
commit: a60c20fc32aa2f822c683424f5bd90611e4d452f (patch)
tree: f067081374e9045588229a0f9af9373361fb2cbe /src/lib/libcrypto/man/BN_add.3
parent: 0a991f6de98776a2cd65f3529adb8948b51c275a (diff)
download: openbsd-a60c20fc32aa2f822c683424f5bd90611e4d452f.tar.gz
openbsd-a60c20fc32aa2f822c683424f5bd90611e4d452f.tar.bz2
openbsd-a60c20fc32aa2f822c683424f5bd90611e4d452f.zip
1 files changed, 49 insertions, 2 deletions
diff --git a/src/lib/libcrypto/man/BN_add.3 b/src/lib/libcrypto/man/BN_add.3
index 6001a9a4bd..8a11d7c080 100644
--- a/src/lib/libcrypto/man/BN_add.3
+++ b/src/lib/libcrypto/man/BN_add.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: BN_add.3,v 1.12 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: BN_add.3,v 1.13 2018/04/29 15:58:21 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: April 29 2018 $
 .Dt BN_ADD 3
 .Os
 .Sh NAME
@@ -66,6 +66,13 @@
 .Nm BN_mod_sqr ,
 .Nm BN_exp ,
 .Nm BN_mod_exp ,
+.\" The following are public, but intentionally undocumented for now:
+.\" .Nm BN_mod_exp_mont_consttime ,
+.\" .Nm BN_mod_exp_mont ,
+.\" .Nm BN_mod_exp_mont_word ,
+.\" .Nm BN_mod_exp_recp ,
+.\" .Nm BN_mod_exp_simple ,
+.\" Maybe they should be deleted from <openssl/bn.h>.
 .Nm BN_gcd
 .Nd arithmetic operations on BIGNUMs
 .Sh SYNOPSIS
@@ -245,6 +252,13 @@ and places the result in
 and the remainder in
 .Fa rem
 .Pq Li dv=a/d , rem=a%d .
+If the flag
+.Dv BN_FLG_CONSTTIME
+is set on
+.Fa a
+or
+.Fa d ,
+it operates in constant time.
 Either of
 .Fa dv
 and
@@ -343,6 +357,11 @@ to the
 power modulo
 .Fa m
 .Pq Li r=(a^p)%m .
+If the flag
+.Dv BN_FLG_CONSTTIME
+is set on
+.Fa p ,
+it operates in constant time.
 This function uses less time and space than
 .Fn BN_exp .
 .Pp
@@ -417,3 +436,31 @@ and
 .Fn BN_mod_sqr
 first appeared in OpenSSL 0.9.7 and have been available since
 .Ox 3.2 .
+.Sh BUGS
+Even if the
+.Dv BN_FLG_CONSTTIME
+flag is set on
+.Fa a
+or
+.Fa b ,
+.Fn BN_gcd
+neither fails nor operates in constant time, potentially allowing
+timing side-channel attacks.
+.Pp
+Even if the
+.Dv BN_FLG_CONSTTIME
+flag is set on
+.Fa p ,
+if the modulus
+.Fa m
+is even,
+.Fn BN_mod_exp
+does not operate in constant time, potentially allowing
+timing side-channel attacks.
+.Pp
+If
+.Dv BN_FLG_CONSTTIME
+is set on
+.Fa p ,
+.Fn BN_exp
+fails instead of operating in constant time.
author	schwarze <>	2018-04-29 15:58:21 +0000
committer	schwarze <>	2018-04-29 15:58:21 +0000
commit	a60c20fc32aa2f822c683424f5bd90611e4d452f (patch)
tree	f067081374e9045588229a0f9af9373361fb2cbe /src/lib/libcrypto/man/BN_add.3
parent	0a991f6de98776a2cd65f3529adb8948b51c275a (diff)
download	openbsd-a60c20fc32aa2f822c683424f5bd90611e4d452f.tar.gz openbsd-a60c20fc32aa2f822c683424f5bd90611e4d452f.tar.bz2 openbsd-a60c20fc32aa2f822c683424f5bd90611e4d452f.zip

diff --git a/src/lib/libcrypto/man/BN_add.3 b/src/lib/libcrypto/man/BN_add.3 index 6001a9a4bd..8a11d7c080 100644 --- a/src/lib/libcrypto/man/BN_add.3 +++ b/src/lib/libcrypto/man/BN_add.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: BN_add.3,v 1.12 2018/03/27 17:35:50 schwarze Exp $	1	.\" $OpenBSD: BN_add.3,v 1.13 2018/04/29 15:58:21 schwarze Exp $
2	.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100	2	.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
3	.\"	3	.\"
4	.\" This file was written by Ulf Moeller <ulf@openssl.org>	4	.\" This file was written by Ulf Moeller <ulf@openssl.org>
@@ -49,7 +49,7 @@
49	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED	49	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50	.\" OF THE POSSIBILITY OF SUCH DAMAGE.	50	.\" OF THE POSSIBILITY OF SUCH DAMAGE.
51	.\"	51	.\"
52	.Dd $Mdocdate: March 27 2018 $	52	.Dd $Mdocdate: April 29 2018 $
53	.Dt BN_ADD 3	53	.Dt BN_ADD 3
54	.Os	54	.Os
55	.Sh NAME	55	.Sh NAME
@@ -66,6 +66,13 @@
66	.Nm BN_mod_sqr ,	66	.Nm BN_mod_sqr ,
67	.Nm BN_exp ,	67	.Nm BN_exp ,
68	.Nm BN_mod_exp ,	68	.Nm BN_mod_exp ,
		69	.\" The following are public, but intentionally undocumented for now:
		70	.\" .Nm BN_mod_exp_mont_consttime ,
		71	.\" .Nm BN_mod_exp_mont ,
		72	.\" .Nm BN_mod_exp_mont_word ,
		73	.\" .Nm BN_mod_exp_recp ,
		74	.\" .Nm BN_mod_exp_simple ,
		75	.\" Maybe they should be deleted from <openssl/bn.h>.
69	.Nm BN_gcd	76	.Nm BN_gcd
70	.Nd arithmetic operations on BIGNUMs	77	.Nd arithmetic operations on BIGNUMs
71	.Sh SYNOPSIS	78	.Sh SYNOPSIS
@@ -245,6 +252,13 @@ and places the result in
245	and the remainder in	252	and the remainder in
246	.Fa rem	253	.Fa rem
247	.Pq Li dv=a/d , rem=a%d .	254	.Pq Li dv=a/d , rem=a%d .
		255	If the flag
		256	.Dv BN_FLG_CONSTTIME
		257	is set on
		258	.Fa a
		259	or
		260	.Fa d ,
		261	it operates in constant time.
248	Either of	262	Either of
249	.Fa dv	263	.Fa dv
250	and	264	and
@@ -343,6 +357,11 @@ to the
343	power modulo	357	power modulo
344	.Fa m	358	.Fa m
345	.Pq Li r=(a^p)%m .	359	.Pq Li r=(a^p)%m .
		360	If the flag
		361	.Dv BN_FLG_CONSTTIME
		362	is set on
		363	.Fa p ,
		364	it operates in constant time.
346	This function uses less time and space than	365	This function uses less time and space than
347	.Fn BN_exp .	366	.Fn BN_exp .
348	.Pp	367	.Pp
@@ -417,3 +436,31 @@ and
417	.Fn BN_mod_sqr	436	.Fn BN_mod_sqr
418	first appeared in OpenSSL 0.9.7 and have been available since	437	first appeared in OpenSSL 0.9.7 and have been available since
419	.Ox 3.2 .	438	.Ox 3.2 .
		439	.Sh BUGS
		440	Even if the
		441	.Dv BN_FLG_CONSTTIME
		442	flag is set on
		443	.Fa a
		444	or
		445	.Fa b ,
		446	.Fn BN_gcd
		447	neither fails nor operates in constant time, potentially allowing
		448	timing side-channel attacks.
		449	.Pp
		450	Even if the
		451	.Dv BN_FLG_CONSTTIME
		452	flag is set on
		453	.Fa p ,
		454	if the modulus
		455	.Fa m
		456	is even,
		457	.Fn BN_mod_exp
		458	does not operate in constant time, potentially allowing
		459	timing side-channel attacks.
		460	.Pp
		461	If
		462	.Dv BN_FLG_CONSTTIME
		463	is set on
		464	.Fa p ,
		465	.Fn BN_exp
		466	fails instead of operating in constant time.