diff options
| author | bcook <> | 2016-06-30 02:02:06 +0000 |
|---|---|---|
| committer | bcook <> | 2016-06-30 02:02:06 +0000 |
| commit | f38e0f193e7bb5faea955cd4afea248b830afa18 (patch) | |
| tree | 0ceecace65c38593a01c1d41cce469bd98529f43 /src/lib/libcrypto/rsa/rsa_eay.c | |
| parent | aa239d08d6dc87fdd121f62e3130aa5d5357cfff (diff) | |
| download | openbsd-f38e0f193e7bb5faea955cd4afea248b830afa18.tar.gz openbsd-f38e0f193e7bb5faea955cd4afea248b830afa18.tar.bz2 openbsd-f38e0f193e7bb5faea955cd4afea248b830afa18.zip | |
Remove flags for disabling constant-time operations.
This removes support for DSA_FLAG_NO_EXP_CONSTTIME, DH_FLAG_NO_EXP_CONSTTIME,
and RSA_FLAG_NO_CONSTTIME flags, making all of these operations unconditionally
constant-time.
Based on the original patch by César Pereid. ok beck@
Diffstat (limited to 'src/lib/libcrypto/rsa/rsa_eay.c')
| -rw-r--r-- | src/lib/libcrypto/rsa/rsa_eay.c | 138 |
1 files changed, 52 insertions, 86 deletions
diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c index 76863e7220..6edfd7e5fd 100644 --- a/src/lib/libcrypto/rsa/rsa_eay.c +++ b/src/lib/libcrypto/rsa/rsa_eay.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: rsa_eay.c,v 1.40 2015/09/10 15:56:25 jsing Exp $ */ | 1 | /* $OpenBSD: rsa_eay.c,v 1.41 2016/06/30 02:02:06 bcook Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -177,11 +177,13 @@ RSA_eay_public_encrypt(int flen, const unsigned char *from, unsigned char *to, | |||
| 177 | 177 | ||
| 178 | if ((ctx = BN_CTX_new()) == NULL) | 178 | if ((ctx = BN_CTX_new()) == NULL) |
| 179 | goto err; | 179 | goto err; |
| 180 | |||
| 180 | BN_CTX_start(ctx); | 181 | BN_CTX_start(ctx); |
| 181 | f = BN_CTX_get(ctx); | 182 | f = BN_CTX_get(ctx); |
| 182 | ret = BN_CTX_get(ctx); | 183 | ret = BN_CTX_get(ctx); |
| 183 | num = BN_num_bytes(rsa->n); | 184 | num = BN_num_bytes(rsa->n); |
| 184 | buf = malloc(num); | 185 | buf = malloc(num); |
| 186 | |||
| 185 | if (f == NULL || ret == NULL || buf == NULL) { | 187 | if (f == NULL || ret == NULL || buf == NULL) { |
| 186 | RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, ERR_R_MALLOC_FAILURE); | 188 | RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, ERR_R_MALLOC_FAILURE); |
| 187 | goto err; | 189 | goto err; |
| @@ -362,11 +364,13 @@ RSA_eay_private_encrypt(int flen, const unsigned char *from, unsigned char *to, | |||
| 362 | 364 | ||
| 363 | if ((ctx = BN_CTX_new()) == NULL) | 365 | if ((ctx = BN_CTX_new()) == NULL) |
| 364 | goto err; | 366 | goto err; |
| 367 | |||
| 365 | BN_CTX_start(ctx); | 368 | BN_CTX_start(ctx); |
| 366 | f = BN_CTX_get(ctx); | 369 | f = BN_CTX_get(ctx); |
| 367 | ret = BN_CTX_get(ctx); | 370 | ret = BN_CTX_get(ctx); |
| 368 | num = BN_num_bytes(rsa->n); | 371 | num = BN_num_bytes(rsa->n); |
| 369 | buf = malloc(num); | 372 | buf = malloc(num); |
| 373 | |||
| 370 | if (f == NULL || ret == NULL || buf == NULL) { | 374 | if (f == NULL || ret == NULL || buf == NULL) { |
| 371 | RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE); | 375 | RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE); |
| 372 | goto err; | 376 | goto err; |
| @@ -426,24 +430,19 @@ RSA_eay_private_encrypt(int flen, const unsigned char *from, unsigned char *to, | |||
| 426 | if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) | 430 | if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) |
| 427 | goto err; | 431 | goto err; |
| 428 | } else { | 432 | } else { |
| 429 | BIGNUM local_d; | 433 | BIGNUM d; |
| 430 | BIGNUM *d = NULL; | ||
| 431 | 434 | ||
| 432 | if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { | 435 | BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME); |
| 433 | BN_init(&local_d); | ||
| 434 | d = &local_d; | ||
| 435 | BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); | ||
| 436 | } else | ||
| 437 | d = rsa->d; | ||
| 438 | 436 | ||
| 439 | if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) | 437 | if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) |
| 440 | if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, | 438 | if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, |
| 441 | CRYPTO_LOCK_RSA, rsa->n, ctx)) | 439 | CRYPTO_LOCK_RSA, rsa->n, ctx)) |
| 442 | goto err; | 440 | goto err; |
| 443 | 441 | ||
| 444 | if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx, | 442 | if (!rsa->meth->bn_mod_exp(ret, f, &d, rsa->n, ctx, |
| 445 | rsa->_method_mod_n)) | 443 | rsa->_method_mod_n)) { |
| 446 | goto err; | 444 | goto err; |
| 445 | } | ||
| 447 | } | 446 | } |
| 448 | 447 | ||
| 449 | if (blinding) | 448 | if (blinding) |
| @@ -499,11 +498,13 @@ RSA_eay_private_decrypt(int flen, const unsigned char *from, unsigned char *to, | |||
| 499 | 498 | ||
| 500 | if ((ctx = BN_CTX_new()) == NULL) | 499 | if ((ctx = BN_CTX_new()) == NULL) |
| 501 | goto err; | 500 | goto err; |
| 501 | |||
| 502 | BN_CTX_start(ctx); | 502 | BN_CTX_start(ctx); |
| 503 | f = BN_CTX_get(ctx); | 503 | f = BN_CTX_get(ctx); |
| 504 | ret = BN_CTX_get(ctx); | 504 | ret = BN_CTX_get(ctx); |
| 505 | num = BN_num_bytes(rsa->n); | 505 | num = BN_num_bytes(rsa->n); |
| 506 | buf = malloc(num); | 506 | buf = malloc(num); |
| 507 | |||
| 507 | if (!f || !ret || !buf) { | 508 | if (!f || !ret || !buf) { |
| 508 | RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE); | 509 | RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE); |
| 509 | goto err; | 510 | goto err; |
| @@ -553,22 +554,19 @@ RSA_eay_private_decrypt(int flen, const unsigned char *from, unsigned char *to, | |||
| 553 | if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) | 554 | if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) |
| 554 | goto err; | 555 | goto err; |
| 555 | } else { | 556 | } else { |
| 556 | BIGNUM local_d; | 557 | BIGNUM d; |
| 557 | BIGNUM *d = NULL; | ||
| 558 | 558 | ||
| 559 | if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { | 559 | BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME); |
| 560 | d = &local_d; | ||
| 561 | BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); | ||
| 562 | } else | ||
| 563 | d = rsa->d; | ||
| 564 | 560 | ||
| 565 | if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) | 561 | if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) |
| 566 | if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, | 562 | if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, |
| 567 | CRYPTO_LOCK_RSA, rsa->n, ctx)) | 563 | CRYPTO_LOCK_RSA, rsa->n, ctx)) |
| 568 | goto err; | 564 | goto err; |
| 569 | if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx, | 565 | |
| 570 | rsa->_method_mod_n)) | 566 | if (!rsa->meth->bn_mod_exp(ret, f, &d, rsa->n, ctx, |
| 567 | rsa->_method_mod_n)) { | ||
| 571 | goto err; | 568 | goto err; |
| 569 | } | ||
| 572 | } | 570 | } |
| 573 | 571 | ||
| 574 | if (blinding) | 572 | if (blinding) |
| @@ -645,11 +643,13 @@ RSA_eay_public_decrypt(int flen, const unsigned char *from, unsigned char *to, | |||
| 645 | 643 | ||
| 646 | if ((ctx = BN_CTX_new()) == NULL) | 644 | if ((ctx = BN_CTX_new()) == NULL) |
| 647 | goto err; | 645 | goto err; |
| 646 | |||
| 648 | BN_CTX_start(ctx); | 647 | BN_CTX_start(ctx); |
| 649 | f = BN_CTX_get(ctx); | 648 | f = BN_CTX_get(ctx); |
| 650 | ret = BN_CTX_get(ctx); | 649 | ret = BN_CTX_get(ctx); |
| 651 | num = BN_num_bytes(rsa->n); | 650 | num = BN_num_bytes(rsa->n); |
| 652 | buf = malloc(num); | 651 | buf = malloc(num); |
| 652 | |||
| 653 | if (!f || !ret || !buf) { | 653 | if (!f || !ret || !buf) { |
| 654 | RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, ERR_R_MALLOC_FAILURE); | 654 | RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, ERR_R_MALLOC_FAILURE); |
| 655 | goto err; | 655 | goto err; |
| @@ -723,8 +723,7 @@ static int | |||
| 723 | RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) | 723 | RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) |
| 724 | { | 724 | { |
| 725 | BIGNUM *r1, *m1, *vrfy; | 725 | BIGNUM *r1, *m1, *vrfy; |
| 726 | BIGNUM local_dmp1, local_dmq1, local_c, local_r1; | 726 | BIGNUM dmp1, dmq1, c, pr1; |
| 727 | BIGNUM *dmp1, *dmq1, *c, *pr1; | ||
| 728 | int ret = 0; | 727 | int ret = 0; |
| 729 | 728 | ||
| 730 | BN_CTX_start(ctx); | 729 | BN_CTX_start(ctx); |
| @@ -737,33 +736,22 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) | |||
| 737 | } | 736 | } |
| 738 | 737 | ||
| 739 | { | 738 | { |
| 740 | BIGNUM local_p, local_q; | 739 | BIGNUM p, q; |
| 741 | BIGNUM *p = NULL, *q = NULL; | ||
| 742 | 740 | ||
| 743 | /* | 741 | /* |
| 744 | * Make sure BN_mod_inverse in Montgomery intialization uses the | 742 | * Make sure BN_mod_inverse in Montgomery intialization uses the |
| 745 | * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set) | 743 | * BN_FLG_CONSTTIME flag |
| 746 | */ | 744 | */ |
| 747 | if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { | 745 | BN_with_flags(&p, rsa->p, BN_FLG_CONSTTIME); |
| 748 | BN_init(&local_p); | 746 | BN_with_flags(&q, rsa->q, BN_FLG_CONSTTIME); |
| 749 | p = &local_p; | ||
| 750 | BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME); | ||
| 751 | |||
| 752 | BN_init(&local_q); | ||
| 753 | q = &local_q; | ||
| 754 | BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME); | ||
| 755 | } else { | ||
| 756 | p = rsa->p; | ||
| 757 | q = rsa->q; | ||
| 758 | } | ||
| 759 | 747 | ||
| 760 | if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) { | 748 | if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) { |
| 761 | if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, | 749 | if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, |
| 762 | CRYPTO_LOCK_RSA, p, ctx)) | 750 | CRYPTO_LOCK_RSA, &p, ctx) || |
| 763 | goto err; | 751 | !BN_MONT_CTX_set_locked(&rsa->_method_mod_q, |
| 764 | if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q, | 752 | CRYPTO_LOCK_RSA, &q, ctx)) { |
| 765 | CRYPTO_LOCK_RSA, q, ctx)) | ||
| 766 | goto err; | 753 | goto err; |
| 754 | } | ||
| 767 | } | 755 | } |
| 768 | } | 756 | } |
| 769 | 757 | ||
| @@ -773,49 +761,34 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) | |||
| 773 | goto err; | 761 | goto err; |
| 774 | 762 | ||
| 775 | /* compute I mod q */ | 763 | /* compute I mod q */ |
| 776 | if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { | 764 | BN_with_flags(&c, I, BN_FLG_CONSTTIME); |
| 777 | c = &local_c; | 765 | |
| 778 | BN_with_flags(c, I, BN_FLG_CONSTTIME); | 766 | if (!BN_mod(r1, &c, rsa->q, ctx)) |
| 779 | if (!BN_mod(r1, c, rsa->q, ctx)) | 767 | goto err; |
| 780 | goto err; | ||
| 781 | } else { | ||
| 782 | if (!BN_mod(r1, I, rsa->q, ctx)) | ||
| 783 | goto err; | ||
| 784 | } | ||
| 785 | 768 | ||
| 786 | /* compute r1^dmq1 mod q */ | 769 | /* compute r1^dmq1 mod q */ |
| 787 | if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { | 770 | BN_with_flags(&dmq1, rsa->dmq1, BN_FLG_CONSTTIME); |
| 788 | dmq1 = &local_dmq1; | 771 | |
| 789 | BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME); | 772 | if (!rsa->meth->bn_mod_exp(m1, r1, &dmq1, rsa->q, ctx, |
| 790 | } else | ||
| 791 | dmq1 = rsa->dmq1; | ||
| 792 | if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx, | ||
| 793 | rsa->_method_mod_q)) | 773 | rsa->_method_mod_q)) |
| 794 | goto err; | 774 | goto err; |
| 795 | 775 | ||
| 796 | /* compute I mod p */ | 776 | /* compute I mod p */ |
| 797 | if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { | 777 | BN_with_flags(&c, I, BN_FLG_CONSTTIME); |
| 798 | c = &local_c; | 778 | |
| 799 | BN_with_flags(c, I, BN_FLG_CONSTTIME); | 779 | if (!BN_mod(r1, &c, rsa->p, ctx)) |
| 800 | if (!BN_mod(r1, c, rsa->p, ctx)) | 780 | goto err; |
| 801 | goto err; | ||
| 802 | } else { | ||
| 803 | if (!BN_mod(r1, I, rsa->p, ctx)) | ||
| 804 | goto err; | ||
| 805 | } | ||
| 806 | 781 | ||
| 807 | /* compute r1^dmp1 mod p */ | 782 | /* compute r1^dmp1 mod p */ |
| 808 | if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { | 783 | BN_with_flags(&dmp1, rsa->dmp1, BN_FLG_CONSTTIME); |
| 809 | dmp1 = &local_dmp1; | 784 | |
| 810 | BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME); | 785 | if (!rsa->meth->bn_mod_exp(r0, r1, &dmp1, rsa->p, ctx, |
| 811 | } else | ||
| 812 | dmp1 = rsa->dmp1; | ||
| 813 | if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p, ctx, | ||
| 814 | rsa->_method_mod_p)) | 786 | rsa->_method_mod_p)) |
| 815 | goto err; | 787 | goto err; |
| 816 | 788 | ||
| 817 | if (!BN_sub(r0, r0, m1)) | 789 | if (!BN_sub(r0, r0, m1)) |
| 818 | goto err; | 790 | goto err; |
| 791 | |||
| 819 | /* | 792 | /* |
| 820 | * This will help stop the size of r0 increasing, which does | 793 | * This will help stop the size of r0 increasing, which does |
| 821 | * affect the multiply if it optimised for a power of 2 size | 794 | * affect the multiply if it optimised for a power of 2 size |
| @@ -828,12 +801,9 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) | |||
| 828 | goto err; | 801 | goto err; |
| 829 | 802 | ||
| 830 | /* Turn BN_FLG_CONSTTIME flag on before division operation */ | 803 | /* Turn BN_FLG_CONSTTIME flag on before division operation */ |
| 831 | if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { | 804 | BN_with_flags(&pr1, r1, BN_FLG_CONSTTIME); |
| 832 | pr1 = &local_r1; | 805 | |
| 833 | BN_with_flags(pr1, r1, BN_FLG_CONSTTIME); | 806 | if (!BN_mod(r0, &pr1, rsa->p, ctx)) |
| 834 | } else | ||
| 835 | pr1 = r1; | ||
| 836 | if (!BN_mod(r0, pr1, rsa->p, ctx)) | ||
| 837 | goto err; | 807 | goto err; |
| 838 | 808 | ||
| 839 | /* | 809 | /* |
| @@ -875,18 +845,14 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) | |||
| 875 | * miscalculated CRT output, just do a raw (slower) | 845 | * miscalculated CRT output, just do a raw (slower) |
| 876 | * mod_exp and return that instead. | 846 | * mod_exp and return that instead. |
| 877 | */ | 847 | */ |
| 848 | BIGNUM d; | ||
| 878 | 849 | ||
| 879 | BIGNUM local_d; | 850 | BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME); |
| 880 | BIGNUM *d = NULL; | ||
| 881 | 851 | ||
| 882 | if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { | 852 | if (!rsa->meth->bn_mod_exp(r0, I, &d, rsa->n, ctx, |
| 883 | d = &local_d; | 853 | rsa->_method_mod_n)) { |
| 884 | BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); | ||
| 885 | } else | ||
| 886 | d = rsa->d; | ||
| 887 | if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx, | ||
| 888 | rsa->_method_mod_n)) | ||
| 889 | goto err; | 854 | goto err; |
| 855 | } | ||
| 890 | } | 856 | } |
| 891 | } | 857 | } |
| 892 | ret = 1; | 858 | ret = 1; |