From 3ce2fddbbb0fbded19721d5da476dfdfecb1e48b Mon Sep 17 00:00:00 2001 From: bcook <> Date: Thu, 30 Jun 2016 02:02:06 +0000 Subject: Remove flags for disabling constant-time operations. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This removes support for DSA_FLAG_NO_EXP_CONSTTIME, DH_FLAG_NO_EXP_CONSTTIME, and RSA_FLAG_NO_CONSTTIME flags, making all of these operations unconditionally constant-time. Based on the original patch by César Pereid. ok beck@ --- src/lib/libcrypto/dh/dh.h | 9 +-------- src/lib/libcrypto/dh/dh_key.c | 37 +++++++++++-------------------------- 2 files changed, 12 insertions(+), 34 deletions(-) (limited to 'src/lib/libcrypto/dh') diff --git a/src/lib/libcrypto/dh/dh.h b/src/lib/libcrypto/dh/dh.h index a20467c9d0..631cd5c685 100644 --- a/src/lib/libcrypto/dh/dh.h +++ b/src/lib/libcrypto/dh/dh.h @@ -1,4 +1,4 @@ -/* $OpenBSD: dh.h,v 1.16 2014/06/12 15:49:28 deraadt Exp $ */ +/* $OpenBSD: dh.h,v 1.17 2016/06/30 02:02:06 bcook Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -78,13 +78,6 @@ #endif #define DH_FLAG_CACHE_MONT_P 0x01 -#define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH - * implementation now uses constant time - * modular exponentiation for secret exponents - * by default. This flag causes the - * faster variable sliding window method to - * be used for all exponents. - */ /* If this flag is set the DH method is FIPS compliant and can be used * in FIPS mode. This is set in the validated module method. If an diff --git a/src/lib/libcrypto/dh/dh_key.c b/src/lib/libcrypto/dh/dh_key.c index 31bc7b3dfd..25e8968ef5 100644 --- a/src/lib/libcrypto/dh/dh_key.c +++ b/src/lib/libcrypto/dh/dh_key.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dh_key.c,v 1.23 2015/02/09 15:49:22 jsing Exp $ */ +/* $OpenBSD: dh_key.c,v 1.24 2016/06/30 02:02:06 bcook Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -147,21 +147,16 @@ generate_key(DH *dh) } { - BIGNUM local_prk; - BIGNUM *prk; + BIGNUM prk; - if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) { - BN_init(&local_prk); - prk = &local_prk; - BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME); - } else - prk = priv_key; + BN_with_flags(&prk, priv_key, BN_FLG_CONSTTIME); - if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, prk, dh->p, ctx, - mont)) + if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, &prk, dh->p, ctx, + mont)) { goto err; + } } - + dh->pub_key = pub_key; dh->priv_key = priv_key; ok = 1; @@ -206,10 +201,9 @@ compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) if (dh->flags & DH_FLAG_CACHE_MONT_P) { mont = BN_MONT_CTX_set_locked(&dh->method_mont_p, CRYPTO_LOCK_DH, dh->p, ctx); - if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) { - /* XXX */ - BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME); - } + + BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME); + if (!mont) goto err; } @@ -238,16 +232,7 @@ static int dh_bn_mod_exp(const DH *dh, BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx) { - /* - * If a is only one word long and constant time is false, use the faster - * exponenentiation function. - */ - if (a->top == 1 && (dh->flags & DH_FLAG_NO_EXP_CONSTTIME) != 0) { - BN_ULONG A = a->d[0]; - - return BN_mod_exp_mont_word(r, A, p, m, ctx, m_ctx); - } else - return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx); + return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx); } static int -- cgit v1.2.3-55-g6feb
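Review bot: In generate_key, `prk` is now an uninitialised stack BIGNUM when `BN_with_flags(&prk, priv_key, BN_FLG_CONSTTIME)` runs, because the `BN_init()` call the old branch made on `local_prk` was dropped together with the flag test. If BN_with_flags consults the destination's existing flags when composing the new ones (the OpenSSL-derived macro does this to preserve BN_FLG_MALLOCED, but its definition is not shown on this page), that is a read of indeterminate memory. Restore the initialisation just before the copy: `BN_init(&prk);`. The body of generate_key starts and ends outside this hunk.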
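Review bot: In compute_key, `BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);` still sits inside the `if (dh->flags & DH_FLAG_CACHE_MONT_P)` block, so a DH object without Montgomery caching never has the flag set here, which does not match the commit's stated goal of unconditionally constant-time operation. The old `/* XXX */` marker that hinted at this was removed without the placement being resolved. Moving the call above the `if` would make it independent of the caching flag and of the `!mont` check; a local flagged copy, as generate_key uses, would also avoid mutating the caller's key. The exponentiation call is outside the hunk, so confirm which BIGNUM it actually receives.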
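Review bot: dh_bn_mod_exp no longer uses its `dh` argument, and nothing in the remaining one-line body records why the single-word fast path must not be reintroduced. A short comment would help, e.g. `/* Always BN_mod_exp_mont(): the word-sized shortcut is variable-time; constant-time behaviour relies on the caller setting BN_FLG_CONSTTIME on p. */`. Presumably the constant-time path is selected from the exponent's flag rather than by this wrapper, so a replacement DH_METHOD or a caller passing an unflagged exponent would not be covered; that dependency is worth stating in the comment.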