Remove flags for disabling constant-time operations.

This removes support for DSA_FLAG_NO_EXP_CONSTTIME, DH_FLAG_NO_EXP_CONSTTIME, and RSA_FLAG_NO_CONSTTIME flags, making all of these operations unconditionally constant-time. Based on the original patch by César Pereid. ok beck@
author: bcook <> 2016-06-30 02:02:06 +0000
committer: bcook <> 2016-06-30 02:02:06 +0000
commit: 3ce2fddbbb0fbded19721d5da476dfdfecb1e48b (patch)
tree: 0ceecace65c38593a01c1d41cce469bd98529f43 /src/lib/libcrypto/rsa/rsa_gen.c
parent: eac403b2ae70a8e948d7db823d992cc131392d78 (diff)
download: openbsd-3ce2fddbbb0fbded19721d5da476dfdfecb1e48b.tar.gz
openbsd-3ce2fddbbb0fbded19721d5da476dfdfecb1e48b.tar.bz2
openbsd-3ce2fddbbb0fbded19721d5da476dfdfecb1e48b.zip
1 files changed, 11 insertions, 22 deletions
diff --git a/src/lib/libcrypto/rsa/rsa_gen.c b/src/lib/libcrypto/rsa/rsa_gen.c
index f6f051c442..d46f4f2478 100644
--- a/src/lib/libcrypto/rsa/rsa_gen.c
+++ b/src/lib/libcrypto/rsa/rsa_gen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_gen.c,v 1.17 2015/02/09 15:49:22 jsing Exp $ */
+/* $OpenBSD: rsa_gen.c,v 1.18 2016/06/30 02:02:06 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -90,8 +90,7 @@ static int
 rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
 {
        BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp;
-        BIGNUM local_r0, local_d, local_p;
+        BIGNUM pr0, d, p;
-        BIGNUM *pr0, *d, *p;
        int bitsp, bitsq, ok = -1, n = 0;
        BN_CTX *ctx = NULL;
@@ -193,36 +192,26 @@ rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
                goto err;
        if (!BN_mul(r0, r1, r2, ctx))                   /* (p-1)(q-1) */
                goto err;
-        if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
-                pr0 = &local_r0;
+        BN_with_flags(&pr0, r0, BN_FLG_CONSTTIME);
-                BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
-        } else
+        if (!BN_mod_inverse(rsa->d, rsa->e, &pr0, ctx)) /* d */
-                pr0 = r0;
-        if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx))  /* d */
                goto err;
        /* set up d for correct BN_FLG_CONSTTIME flag */
-        if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
+        BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME);
-                d = &local_d;
-                BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
-        } else
-                d = rsa->d;
        /* calculate d mod (p-1) */
-        if (!BN_mod(rsa->dmp1, d, r1, ctx))
+        if (!BN_mod(rsa->dmp1, &d, r1, ctx))
                goto err;
        /* calculate d mod (q-1) */
-        if (!BN_mod(rsa->dmq1, d, r2, ctx))
+        if (!BN_mod(rsa->dmq1, &d, r2, ctx))
                goto err;
        /* calculate inverse of q mod p */
-        if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
+        BN_with_flags(&p, rsa->p, BN_FLG_CONSTTIME);
-                p = &local_p;
+        if (!BN_mod_inverse(rsa->iqmp, rsa->q, &p, ctx))
-                BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
-        } else
-                p = rsa->p;
-        if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx))
                goto err;
        ok = 1;
author	bcook <>	2016-06-30 02:02:06 +0000
committer	bcook <>	2016-06-30 02:02:06 +0000
commit	3ce2fddbbb0fbded19721d5da476dfdfecb1e48b (patch)
tree	0ceecace65c38593a01c1d41cce469bd98529f43 /src/lib/libcrypto/rsa/rsa_gen.c
parent	eac403b2ae70a8e948d7db823d992cc131392d78 (diff)
download	openbsd-3ce2fddbbb0fbded19721d5da476dfdfecb1e48b.tar.gz openbsd-3ce2fddbbb0fbded19721d5da476dfdfecb1e48b.tar.bz2 openbsd-3ce2fddbbb0fbded19721d5da476dfdfecb1e48b.zip

diff --git a/src/lib/libcrypto/rsa/rsa_gen.c b/src/lib/libcrypto/rsa/rsa_gen.c index f6f051c442..d46f4f2478 100644 --- a/src/lib/libcrypto/rsa/rsa_gen.c +++ b/src/lib/libcrypto/rsa/rsa_gen.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: rsa_gen.c,v 1.17 2015/02/09 15:49:22 jsing Exp $ */	1	/* $OpenBSD: rsa_gen.c,v 1.18 2016/06/30 02:02:06 bcook Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -90,8 +90,7 @@ static int
90	rsa_builtin_keygen(RSA rsa, int bits, BIGNUM e_value, BN_GENCB *cb)	90	rsa_builtin_keygen(RSA rsa, int bits, BIGNUM e_value, BN_GENCB *cb)
91	{	91	{
92	BIGNUM r0 = NULL, r1 = NULL, r2 = NULL, r3 = NULL, *tmp;	92	BIGNUM r0 = NULL, r1 = NULL, r2 = NULL, r3 = NULL, *tmp;
93	BIGNUM local_r0, local_d, local_p;	93	BIGNUM pr0, d, p;
94	BIGNUM pr0, d, *p;
95	int bitsp, bitsq, ok = -1, n = 0;	94	int bitsp, bitsq, ok = -1, n = 0;
96	BN_CTX *ctx = NULL;	95	BN_CTX *ctx = NULL;
97		96
@@ -193,36 +192,26 @@ rsa_builtin_keygen(RSA rsa, int bits, BIGNUM e_value, BN_GENCB *cb)
193	goto err;	192	goto err;
194	if (!BN_mul(r0, r1, r2, ctx)) /* (p-1)(q-1) */	193	if (!BN_mul(r0, r1, r2, ctx)) /* (p-1)(q-1) */
195	goto err;	194	goto err;
196	if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {	195
197	pr0 = &local_r0;	196	BN_with_flags(&pr0, r0, BN_FLG_CONSTTIME);
198	BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);	197
199	} else	198	if (!BN_mod_inverse(rsa->d, rsa->e, &pr0, ctx)) /* d */
200	pr0 = r0;
201	if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx)) /* d */
202	goto err;	199	goto err;
203		200
204	/* set up d for correct BN_FLG_CONSTTIME flag */	201	/* set up d for correct BN_FLG_CONSTTIME flag */
205	if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {	202	BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME);
206	d = &local_d;
207	BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
208	} else
209	d = rsa->d;
210		203
211	/* calculate d mod (p-1) */	204	/* calculate d mod (p-1) */
212	if (!BN_mod(rsa->dmp1, d, r1, ctx))	205	if (!BN_mod(rsa->dmp1, &d, r1, ctx))
213	goto err;	206	goto err;
214		207
215	/* calculate d mod (q-1) */	208	/* calculate d mod (q-1) */
216	if (!BN_mod(rsa->dmq1, d, r2, ctx))	209	if (!BN_mod(rsa->dmq1, &d, r2, ctx))
217	goto err;	210	goto err;
218		211
219	/* calculate inverse of q mod p */	212	/* calculate inverse of q mod p */
220	if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {	213	BN_with_flags(&p, rsa->p, BN_FLG_CONSTTIME);
221	p = &local_p;	214	if (!BN_mod_inverse(rsa->iqmp, rsa->q, &p, ctx))
222	BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
223	} else
224	p = rsa->p;
225	if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx))
226	goto err;	215	goto err;
227		216
228	ok = 1;	217	ok = 1;