In view of the recent BN_FLG_CONSTTIME vulnerabilities in OpenSSL,

carefully document constant time vs. non-constant time operation of BN_div(3), BN_mod_exp(3), and BN_mod_inverse(3). Until the work that is required on the ill-designed BN_exp(3) and BN_gcd(3) interfaces can be undertaken, also document the imperfections in their behaviour, for now. Finally, mention BN_mod_exp(3) behaviour for even moduli. Delete the vague statement about some functions automatically setting BN_FLG_CONSTTIME. It created a false sense of security. Do not rely on it: not all relevant functions do that. Topic brought up by beck@, significant feedback and OK jsing@.
author: schwarze <> 2018-04-29 15:58:21 +0000
committer: schwarze <> 2018-04-29 15:58:21 +0000
commit: a60c20fc32aa2f822c683424f5bd90611e4d452f (patch)
tree: f067081374e9045588229a0f9af9373361fb2cbe /src/lib/libcrypto/man/BN_set_flags.3
parent: 0a991f6de98776a2cd65f3529adb8948b51c275a (diff)
download: openbsd-a60c20fc32aa2f822c683424f5bd90611e4d452f.tar.gz
openbsd-a60c20fc32aa2f822c683424f5bd90611e4d452f.tar.bz2
openbsd-a60c20fc32aa2f822c683424f5bd90611e4d452f.zip
1 files changed, 38 insertions, 21 deletions
diff --git a/src/lib/libcrypto/man/BN_set_flags.3 b/src/lib/libcrypto/man/BN_set_flags.3
index a998037534..9b1647cd31 100644
--- a/src/lib/libcrypto/man/BN_set_flags.3
+++ b/src/lib/libcrypto/man/BN_set_flags.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: BN_set_flags.3,v 1.2 2018/03/21 09:03:49 schwarze Exp $
+.\"     $OpenBSD: BN_set_flags.3,v 1.3 2018/04/29 15:58:21 schwarze Exp $
 .\"
 .\" Copyright (c) 2017 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 21 2018 $
+.Dd $Mdocdate: April 29 2018 $
 .Dt BN_SET_FLAGS 3
 .Os
 .Sh NAME
@@ -47,6 +47,8 @@ together:
 .It Dv BN_FLG_CONSTTIME
 If this flag is set on the divident
 .Fa a
+or the divisor
+.Fa d
 in
 .Xr BN_div 3 ,
 on the exponent
@@ -59,27 +61,14 @@ or the modulus
 .Fa n
 in
 .Xr BN_mod_inverse 3 ,
-these functions prefer algorithms with an execution time independent
+these functions select algorithms with an execution time independent
 of the respective numbers, to avoid exposing sensitive information
-to timing attacks.
+to timing side-channel attacks.
 .Pp
-If this flag is set on the exponent
+This flag is off by default for
-.Fa p
+.Vt BIGNUM
-in
+objects created with
-.Xr BN_exp 3
+.Xr BN_new 3 .
-or if the modulus
-.Fa m
-is even for
-.Xr BN_mod_exp 3 ,
-an error occurs.
-.Pp
-Various functions automatically set this flag on sensitive data.
-For example, the default implementations of
-.Xr DH_generate_key 3 ,
-.Xr DSA_generate_key 3 ,
-and
-.Xr RSA_generate_key_ex 3
-set it on the generated private key.
 .It Dv BN_FLG_MALLOCED
 If this flag is set,
 .Xr BN_free 3
@@ -148,3 +137,31 @@ first appeared in SSLeay 0.9.1 and have been available since
 No public interface exists to clear a flag once it is set.
 So think twice before using
 .Fn BN_set_flags .
+.Sh BUGS
+Even if the
+.Dv BN_FLG_CONSTTIME
+flag is set on
+.Fa a
+or
+.Fa b ,
+.Fn BN_gcd
+neither fails nor operates in constant time, potentially allowing
+timing side-channel attacks.
+.Pp
+Even if the
+.Dv BN_FLG_CONSTTIME
+flag is set on
+.Fa p ,
+if the modulus
+.Fa m
+is even,
+.Xr BN_mod_exp 3
+does not operate in constant time, potentially allowing
+timing side-channel attacks.
+.Pp
+If
+.Dv BN_FLG_CONSTTIME
+is set on
+.Fa p ,
+.Fn BN_exp
+fails instead of operating in constant time.
author	schwarze <>	2018-04-29 15:58:21 +0000
committer	schwarze <>	2018-04-29 15:58:21 +0000
commit	a60c20fc32aa2f822c683424f5bd90611e4d452f (patch)
tree	f067081374e9045588229a0f9af9373361fb2cbe /src/lib/libcrypto/man/BN_set_flags.3
parent	0a991f6de98776a2cd65f3529adb8948b51c275a (diff)
download	openbsd-a60c20fc32aa2f822c683424f5bd90611e4d452f.tar.gz openbsd-a60c20fc32aa2f822c683424f5bd90611e4d452f.tar.bz2 openbsd-a60c20fc32aa2f822c683424f5bd90611e4d452f.zip

diff --git a/src/lib/libcrypto/man/BN_set_flags.3 b/src/lib/libcrypto/man/BN_set_flags.3 index a998037534..9b1647cd31 100644 --- a/src/lib/libcrypto/man/BN_set_flags.3 +++ b/src/lib/libcrypto/man/BN_set_flags.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: BN_set_flags.3,v 1.2 2018/03/21 09:03:49 schwarze Exp $	1	.\" $OpenBSD: BN_set_flags.3,v 1.3 2018/04/29 15:58:21 schwarze Exp $
2	.\"	2	.\"
3	.\" Copyright (c) 2017 Ingo Schwarze <schwarze@openbsd.org>	3	.\" Copyright (c) 2017 Ingo Schwarze <schwarze@openbsd.org>
4	.\"	4	.\"
@@ -14,7 +14,7 @@
14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF	14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.	15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16	.\"	16	.\"
17	.Dd $Mdocdate: March 21 2018 $	17	.Dd $Mdocdate: April 29 2018 $
18	.Dt BN_SET_FLAGS 3	18	.Dt BN_SET_FLAGS 3
19	.Os	19	.Os
20	.Sh NAME	20	.Sh NAME
@@ -47,6 +47,8 @@ together:
47	.It Dv BN_FLG_CONSTTIME	47	.It Dv BN_FLG_CONSTTIME
48	If this flag is set on the divident	48	If this flag is set on the divident
49	.Fa a	49	.Fa a
		50	or the divisor
		51	.Fa d
50	in	52	in
51	.Xr BN_div 3 ,	53	.Xr BN_div 3 ,
52	on the exponent	54	on the exponent
@@ -59,27 +61,14 @@ or the modulus
59	.Fa n	61	.Fa n
60	in	62	in
61	.Xr BN_mod_inverse 3 ,	63	.Xr BN_mod_inverse 3 ,
62	these functions prefer algorithms with an execution time independent	64	these functions select algorithms with an execution time independent
63	of the respective numbers, to avoid exposing sensitive information	65	of the respective numbers, to avoid exposing sensitive information
64	to timing attacks.	66	to timing side-channel attacks.
65	.Pp	67	.Pp
66	If this flag is set on the exponent	68	This flag is off by default for
67	.Fa p	69	.Vt BIGNUM
68	in	70	objects created with
69	.Xr BN_exp 3	71	.Xr BN_new 3 .
70	or if the modulus
71	.Fa m
72	is even for
73	.Xr BN_mod_exp 3 ,
74	an error occurs.
75	.Pp
76	Various functions automatically set this flag on sensitive data.
77	For example, the default implementations of
78	.Xr DH_generate_key 3 ,
79	.Xr DSA_generate_key 3 ,
80	and
81	.Xr RSA_generate_key_ex 3
82	set it on the generated private key.
83	.It Dv BN_FLG_MALLOCED	72	.It Dv BN_FLG_MALLOCED
84	If this flag is set,	73	If this flag is set,
85	.Xr BN_free 3	74	.Xr BN_free 3
@@ -148,3 +137,31 @@ first appeared in SSLeay 0.9.1 and have been available since
148	No public interface exists to clear a flag once it is set.	137	No public interface exists to clear a flag once it is set.
149	So think twice before using	138	So think twice before using
150	.Fn BN_set_flags .	139	.Fn BN_set_flags .
		140	.Sh BUGS
		141	Even if the
		142	.Dv BN_FLG_CONSTTIME
		143	flag is set on
		144	.Fa a
		145	or
		146	.Fa b ,
		147	.Fn BN_gcd
		148	neither fails nor operates in constant time, potentially allowing
		149	timing side-channel attacks.
		150	.Pp
		151	Even if the
		152	.Dv BN_FLG_CONSTTIME
		153	flag is set on
		154	.Fa p ,
		155	if the modulus
		156	.Fa m
		157	is even,
		158	.Xr BN_mod_exp 3
		159	does not operate in constant time, potentially allowing
		160	timing side-channel attacks.
		161	.Pp
		162	If
		163	.Dv BN_FLG_CONSTTIME
		164	is set on
		165	.Fa p ,
		166	.Fn BN_exp
		167	fails instead of operating in constant time.