diff options
author | Nicola Tuveri <nic.tuv@gmail.com> | 2020-06-16 20:12:13 +0300 |
---|---|---|
committer | Nicola Tuveri <nic.tuv@gmail.com> | 2020-06-21 13:45:27 +0300 |
commit | d4bf0d57a84a9bcdeba839b66138949be8221e17 (patch) | |
tree | 7a9eeb03f3a029c76bd055f00bed8c6898d30058 /crypto/rsa/rsa_gen.c | |
parent | 200ae2ee8e1cec5c9af2ea36298bf6583bcd415d (diff) | |
download | openssl-new-d4bf0d57a84a9bcdeba839b66138949be8221e17.tar.gz |
Flag RSA secret BNs as consttime on keygen and checks
<https://github.com/openssl/openssl/pull/11765> switched the default
code path for keygen.
External testing through TriggerFlow highlighted that in several places
we failed (once more!) to set the `BN_FLG_CONSTTIME` flag on critical
secret values (either long term or temporary values).
This commit tries to make sure that the secret BN values inside the
`rsa struct` are always flagged on creation, and that temporary values
derived from these secrets are flagged when allocated from a BN_CTX.
Acknowledgments
---------------
Thanks to @Voker57, @bbbrumley, @sohhas, @cpereida for the
[OpenSSL Triggerflow CI] ([paper]) through which this defect was detected and
tested, and for providing early feedback to fix the issue!
[OpenSSL Triggerflow CI]: https://gitlab.com/nisec/openssl-triggerflow-ci
[paper]: https://eprint.iacr.org/2019/366
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12167)
Diffstat (limited to 'crypto/rsa/rsa_gen.c')
-rw-r--r-- | crypto/rsa/rsa_gen.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c index 1495cefa83..e391f6419a 100644 --- a/crypto/rsa/rsa_gen.c +++ b/crypto/rsa/rsa_gen.c @@ -126,18 +126,24 @@ static int rsa_multiprime_keygen(RSA *rsa, int bits, int primes, goto err; if (!rsa->d && ((rsa->d = BN_secure_new()) == NULL)) goto err; + BN_set_flags(rsa->d, BN_FLG_CONSTTIME); if (!rsa->e && ((rsa->e = BN_new()) == NULL)) goto err; if (!rsa->p && ((rsa->p = BN_secure_new()) == NULL)) goto err; + BN_set_flags(rsa->p, BN_FLG_CONSTTIME); if (!rsa->q && ((rsa->q = BN_secure_new()) == NULL)) goto err; + BN_set_flags(rsa->q, BN_FLG_CONSTTIME); if (!rsa->dmp1 && ((rsa->dmp1 = BN_secure_new()) == NULL)) goto err; + BN_set_flags(rsa->dmp1, BN_FLG_CONSTTIME); if (!rsa->dmq1 && ((rsa->dmq1 = BN_secure_new()) == NULL)) goto err; + BN_set_flags(rsa->dmq1, BN_FLG_CONSTTIME); if (!rsa->iqmp && ((rsa->iqmp = BN_secure_new()) == NULL)) goto err; + BN_set_flags(rsa->iqmp, BN_FLG_CONSTTIME); /* initialize multi-prime components */ if (primes > RSA_DEFAULT_PRIME_NUM) { |