Flag RSA secret BNs as consttime on keygen and checks

<https://github.com/openssl/openssl/pull/11765> switched the default code path for keygen. External testing through TriggerFlow highlighted that in several places we failed (once more!) to set the `BN_FLG_CONSTTIME` flag on critical secret values (either long term or temporary values). This commit tries to make sure that the secret BN values inside the `rsa struct` are always flagged on creation, and that temporary values derived from these secrets are flagged when allocated from a BN_CTX. Acknowledgments --------------- Thanks to @Voker57, @bbbrumley, @sohhas, @cpereida for the [OpenSSL Triggerflow CI] ([paper]) through which this defect was detected and tested, and for providing early feedback to fix the issue! [OpenSSL Triggerflow CI]: https://gitlab.com/nisec/openssl-triggerflow-ci [paper]: https://eprint.iacr.org/2019/366 Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12167)
author: Nicola Tuveri <nic.tuv@gmail.com> 2020-06-16 20:12:13 +0300
committer: Nicola Tuveri <nic.tuv@gmail.com> 2020-06-21 13:45:27 +0300
commit: d4bf0d57a84a9bcdeba839b66138949be8221e17 (patch)
tree: 7a9eeb03f3a029c76bd055f00bed8c6898d30058 /crypto/rsa/rsa_gen.c
parent: 200ae2ee8e1cec5c9af2ea36298bf6583bcd415d (diff)
download: openssl-new-d4bf0d57a84a9bcdeba839b66138949be8221e17.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c
index 1495cefa83..e391f6419a 100644
--- a/crypto/rsa/rsa_gen.c
+++ b/crypto/rsa/rsa_gen.c
@@ -126,18 +126,24 @@ static int rsa_multiprime_keygen(RSA *rsa, int bits, int primes,
         goto err;
     if (!rsa->d && ((rsa->d = BN_secure_new()) == NULL))
         goto err;
+    BN_set_flags(rsa->d, BN_FLG_CONSTTIME);
     if (!rsa->e && ((rsa->e = BN_new()) == NULL))
         goto err;
     if (!rsa->p && ((rsa->p = BN_secure_new()) == NULL))
         goto err;
+    BN_set_flags(rsa->p, BN_FLG_CONSTTIME);
     if (!rsa->q && ((rsa->q = BN_secure_new()) == NULL))
         goto err;
+    BN_set_flags(rsa->q, BN_FLG_CONSTTIME);
     if (!rsa->dmp1 && ((rsa->dmp1 = BN_secure_new()) == NULL))
         goto err;
+    BN_set_flags(rsa->dmp1, BN_FLG_CONSTTIME);
     if (!rsa->dmq1 && ((rsa->dmq1 = BN_secure_new()) == NULL))
         goto err;
+    BN_set_flags(rsa->dmq1, BN_FLG_CONSTTIME);
     if (!rsa->iqmp && ((rsa->iqmp = BN_secure_new()) == NULL))
         goto err;
+    BN_set_flags(rsa->iqmp, BN_FLG_CONSTTIME);
 
     /* initialize multi-prime components */
     if (primes > RSA_DEFAULT_PRIME_NUM) {
author	Nicola Tuveri <nic.tuv@gmail.com>	2020-06-16 20:12:13 +0300
committer	Nicola Tuveri <nic.tuv@gmail.com>	2020-06-21 13:45:27 +0300
commit	d4bf0d57a84a9bcdeba839b66138949be8221e17 (patch)
tree	7a9eeb03f3a029c76bd055f00bed8c6898d30058 /crypto/rsa/rsa_gen.c
parent	200ae2ee8e1cec5c9af2ea36298bf6583bcd415d (diff)
download	openssl-new-d4bf0d57a84a9bcdeba839b66138949be8221e17.tar.gz