In view of the recent BN_FLG_CONSTTIME vulnerabilities in OpenSSL,

carefully document constant time vs. non-constant time operation of BN_div(3), BN_mod_exp(3), and BN_mod_inverse(3). Until the work that is required on the ill-designed BN_exp(3) and BN_gcd(3) interfaces can be undertaken, also document the imperfections in their behaviour, for now. Finally, mention BN_mod_exp(3) behaviour for even moduli. Delete the vague statement about some functions automatically setting BN_FLG_CONSTTIME. It created a false sense of security. Do not rely on it: not all relevant functions do that. Topic brought up by beck@, significant feedback and OK jsing@.
author: schwarze <> 2018-04-29 15:58:21 +0000
committer: schwarze <> 2018-04-29 15:58:21 +0000
commit: 0cafa356a8c4c7fcd0ceea551f687c5d7fbef24e (patch)
tree: f067081374e9045588229a0f9af9373361fb2cbe /src/lib/libcrypto/man/BN_mod_inverse.3
parent: 1c03f31f80d0bb4684aefa980cad2bd45fccb749 (diff)
download: openbsd-0cafa356a8c4c7fcd0ceea551f687c5d7fbef24e.tar.gz
openbsd-0cafa356a8c4c7fcd0ceea551f687c5d7fbef24e.tar.bz2
openbsd-0cafa356a8c4c7fcd0ceea551f687c5d7fbef24e.zip
1 files changed, 10 insertions, 2 deletions
diff --git a/src/lib/libcrypto/man/BN_mod_inverse.3 b/src/lib/libcrypto/man/BN_mod_inverse.3
index ed6b6def4e..aa509b1ab6 100644
--- a/src/lib/libcrypto/man/BN_mod_inverse.3
+++ b/src/lib/libcrypto/man/BN_mod_inverse.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: BN_mod_inverse.3,v 1.9 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: BN_mod_inverse.3,v 1.10 2018/04/29 15:58:21 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: April 29 2018 $
 .Dt BN_MOD_INVERSE 3
 .Os
 .Sh NAME
@@ -80,6 +80,14 @@ a new
 .Vt BIGNUM
 is created.
 .Pp
+If the flag
+.Dv BN_FLG_CONSTTIME
+is set on
+.Fa a
+or
+.Fa n ,
+it operates in constant time.
+.Pp
 .Fa ctx
 is a previously allocated
 .Vt BN_CTX
author	schwarze <>	2018-04-29 15:58:21 +0000
committer	schwarze <>	2018-04-29 15:58:21 +0000
commit	0cafa356a8c4c7fcd0ceea551f687c5d7fbef24e (patch)
tree	f067081374e9045588229a0f9af9373361fb2cbe /src/lib/libcrypto/man/BN_mod_inverse.3
parent	1c03f31f80d0bb4684aefa980cad2bd45fccb749 (diff)
download	openbsd-0cafa356a8c4c7fcd0ceea551f687c5d7fbef24e.tar.gz openbsd-0cafa356a8c4c7fcd0ceea551f687c5d7fbef24e.tar.bz2 openbsd-0cafa356a8c4c7fcd0ceea551f687c5d7fbef24e.zip

diff --git a/src/lib/libcrypto/man/BN_mod_inverse.3 b/src/lib/libcrypto/man/BN_mod_inverse.3 index ed6b6def4e..aa509b1ab6 100644 --- a/src/lib/libcrypto/man/BN_mod_inverse.3 +++ b/src/lib/libcrypto/man/BN_mod_inverse.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: BN_mod_inverse.3,v 1.9 2018/03/27 17:35:50 schwarze Exp $	1	.\" $OpenBSD: BN_mod_inverse.3,v 1.10 2018/04/29 15:58:21 schwarze Exp $
2	.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100	2	.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
3	.\"	3	.\"
4	.\" This file was written by Ulf Moeller <ulf@openssl.org>.	4	.\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
48	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED	48	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
49	.\" OF THE POSSIBILITY OF SUCH DAMAGE.	49	.\" OF THE POSSIBILITY OF SUCH DAMAGE.
50	.\"	50	.\"
51	.Dd $Mdocdate: March 27 2018 $	51	.Dd $Mdocdate: April 29 2018 $
52	.Dt BN_MOD_INVERSE 3	52	.Dt BN_MOD_INVERSE 3
53	.Os	53	.Os
54	.Sh NAME	54	.Sh NAME
@@ -80,6 +80,14 @@ a new
80	.Vt BIGNUM	80	.Vt BIGNUM
81	is created.	81	is created.
82	.Pp	82	.Pp
		83	If the flag
		84	.Dv BN_FLG_CONSTTIME
		85	is set on
		86	.Fa a
		87	or
		88	.Fa n ,
		89	it operates in constant time.
		90	.Pp
83	.Fa ctx	91	.Fa ctx
84	is a previously allocated	92	is a previously allocated
85	.Vt BN_CTX	93	.Vt BN_CTX