Construct a BN_gcd_nonct, based on BN_mod_inverse_no_branch, as suggested

by Alejandro Cabrera <aldaya@gmail.com> to avoid the possibility of a sidechannel timing attack during RSA private key generation. Modify BN_gcd to become not visible under LIBRESSL_INTERNAL and force the use of the _ct or _nonct versions of the function only within the library. ok jsing@
author: beck <> 2017-01-25 06:15:44 +0000
committer: beck <> 2017-01-25 06:15:44 +0000
commit: fe6f3fc2532579fc0941a1603d5e19a11a013179 (patch)
tree: f47c7a81955397655f194db5ae669044f33423bd /src/lib/libcrypto/rsa/rsa_gen.c
parent: 994be17488e885953ca1fef89bbc4d5fb24eba71 (diff)
download: openbsd-fe6f3fc2532579fc0941a1603d5e19a11a013179.tar.gz
openbsd-fe6f3fc2532579fc0941a1603d5e19a11a013179.tar.bz2
openbsd-fe6f3fc2532579fc0941a1603d5e19a11a013179.zip
1 files changed, 3 insertions, 3 deletions
diff --git a/src/lib/libcrypto/rsa/rsa_gen.c b/src/lib/libcrypto/rsa/rsa_gen.c
index 300b292b7b..e09dccb4a8 100644
--- a/src/lib/libcrypto/rsa/rsa_gen.c
+++ b/src/lib/libcrypto/rsa/rsa_gen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_gen.c,v 1.20 2017/01/21 11:00:47 beck Exp $ */
+/* $OpenBSD: rsa_gen.c,v 1.21 2017/01/25 06:15:44 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -138,7 +138,7 @@ rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
                        goto err;
                if (!BN_sub(r2, rsa->p, BN_value_one()))
                        goto err;
-                if (!BN_gcd(r1, r2, rsa->e, ctx))
+                if (!BN_gcd_ct(r1, r2, rsa->e, ctx))
                        goto err;
                if (BN_is_one(r1))
                        break;
@@ -168,7 +168,7 @@ rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
                }
                if (!BN_sub(r2, rsa->q, BN_value_one()))
                        goto err;
-                if (!BN_gcd(r1, r2, rsa->e, ctx))
+                if (!BN_gcd_ct(r1, r2, rsa->e, ctx))
                        goto err;
                if (BN_is_one(r1))
                        break;
author	beck <>	2017-01-25 06:15:44 +0000
committer	beck <>	2017-01-25 06:15:44 +0000
commit	fe6f3fc2532579fc0941a1603d5e19a11a013179 (patch)
tree	f47c7a81955397655f194db5ae669044f33423bd /src/lib/libcrypto/rsa/rsa_gen.c
parent	994be17488e885953ca1fef89bbc4d5fb24eba71 (diff)
download	openbsd-fe6f3fc2532579fc0941a1603d5e19a11a013179.tar.gz openbsd-fe6f3fc2532579fc0941a1603d5e19a11a013179.tar.bz2 openbsd-fe6f3fc2532579fc0941a1603d5e19a11a013179.zip

diff --git a/src/lib/libcrypto/rsa/rsa_gen.c b/src/lib/libcrypto/rsa/rsa_gen.c index 300b292b7b..e09dccb4a8 100644 --- a/src/lib/libcrypto/rsa/rsa_gen.c +++ b/src/lib/libcrypto/rsa/rsa_gen.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: rsa_gen.c,v 1.20 2017/01/21 11:00:47 beck Exp $ */	1	/* $OpenBSD: rsa_gen.c,v 1.21 2017/01/25 06:15:44 beck Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -138,7 +138,7 @@ rsa_builtin_keygen(RSA rsa, int bits, BIGNUM e_value, BN_GENCB *cb)
138	goto err;	138	goto err;
139	if (!BN_sub(r2, rsa->p, BN_value_one()))	139	if (!BN_sub(r2, rsa->p, BN_value_one()))
140	goto err;	140	goto err;
141	if (!BN_gcd(r1, r2, rsa->e, ctx))	141	if (!BN_gcd_ct(r1, r2, rsa->e, ctx))
142	goto err;	142	goto err;
143	if (BN_is_one(r1))	143	if (BN_is_one(r1))
144	break;	144	break;
@@ -168,7 +168,7 @@ rsa_builtin_keygen(RSA rsa, int bits, BIGNUM e_value, BN_GENCB *cb)
168	}	168	}
169	if (!BN_sub(r2, rsa->q, BN_value_one()))	169	if (!BN_sub(r2, rsa->q, BN_value_one()))
170	goto err;	170	goto err;
171	if (!BN_gcd(r1, r2, rsa->e, ctx))	171	if (!BN_gcd_ct(r1, r2, rsa->e, ctx))
172	goto err;	172	goto err;
173	if (BN_is_one(r1))	173	if (BN_is_one(r1))
174	break;	174	break;