From a60c20fc32aa2f822c683424f5bd90611e4d452f Mon Sep 17 00:00:00 2001 From: schwarze <> Date: Sun, 29 Apr 2018 15:58:21 +0000 Subject: In view of the recent BN_FLG_CONSTTIME vulnerabilities in OpenSSL, carefully document constant time vs. non-constant time operation of BN_div(3), BN_mod_exp(3), and BN_mod_inverse(3). Until the work that is required on the ill-designed BN_exp(3) and BN_gcd(3) interfaces can be undertaken, also document the imperfections in their behaviour, for now. Finally, mention BN_mod_exp(3) behaviour for even moduli. Delete the vague statement about some functions automatically setting BN_FLG_CONSTTIME. It created a false sense of security. Do not rely on it: not all relevant functions do that. Topic brought up by beck@, significant feedback and OK jsing@. --- src/lib/libcrypto/man/BN_mod_inverse.3 | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) (limited to 'src/lib/libcrypto/man/BN_mod_inverse.3') diff --git a/src/lib/libcrypto/man/BN_mod_inverse.3 b/src/lib/libcrypto/man/BN_mod_inverse.3 index ed6b6def4e..aa509b1ab6 100644 --- a/src/lib/libcrypto/man/BN_mod_inverse.3 +++ b/src/lib/libcrypto/man/BN_mod_inverse.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: BN_mod_inverse.3,v 1.9 2018/03/27 17:35:50 schwarze Exp $ +.\" $OpenBSD: BN_mod_inverse.3,v 1.10 2018/04/29 15:58:21 schwarze Exp $ .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" .\" This file was written by Ulf Moeller . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: March 27 2018 $ +.Dd $Mdocdate: April 29 2018 $ .Dt BN_MOD_INVERSE 3 .Os .Sh NAME @@ -80,6 +80,14 @@ a new .Vt BIGNUM is created. .Pp +If the flag +.Dv BN_FLG_CONSTTIME +is set on +.Fa a +or +.Fa n , +it operates in constant time. +.Pp .Fa ctx is a previously allocated .Vt BN_CTX -- cgit v1.2.3-55-g6feb