The branch OpenSSL_1_1_0-stable has been updated
via 0cf65a0f5fdd72b950887e717f1f20d66ba30942 (commit)
from 24806f0944d48498cf6c28e3b7b3661416bc1470 (commit)
- Log -----------------------------------------------------------------
commit 0cf65a0f5fdd72b950887e717f1f20d66ba30942
Author: Matt Caswell <[email protected]>
Date: Wed Sep 27 11:13:47 2017 +0100
Ensure we test all parameters for BN_FLG_CONSTTIME
RSA_setup_blinding() calls BN_BLINDING_create_param() which later calls
BN_mod_exp() as follows:
BN_mod_exp(ret->A, ret->A, ret->e, ret->mod, ctx)
ret->mod will have BN_FLG_CONSTTIME set, but ret->e does not. In
BN_mod_exp() we only test the third param for the existence of this flag.
We should test all the inputs.
Thanks to Samuel Weiser ([email protected]) for reporting this
issue.
This typically only happens once at key load, so this is unlikely to be
exploitable in any real scenario.
Reviewed-by: Rich Salz <[email protected]>
(Merged from https://github.com/openssl/openssl/pull/4477)
(cherry picked from commit e913d11f444e0b46ec1ebbf3340813693f4d869d)
-----------------------------------------------------------------------
Summary of changes:
crypto/bn/bn_exp.c | 22 ++++++++++++++++------
1 file changed, 16 insertions(+), 6 deletions(-)
diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c
index feeb764..7ebaeb0 100644
--- a/crypto/bn/bn_exp.c
+++ b/crypto/bn/bn_exp.c
@@ -43,7 +43,8 @@ int BN_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
BN_CTX *ctx)
int i, bits, ret = 0;
BIGNUM *v, *rr;
- if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0) {
+ if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0
+ || BN_get_flags(a, BN_FLG_CONSTTIME) != 0) {
/* BN_FLG_CONSTTIME only supported by BN_mod_exp_mont() */
BNerr(BN_F_BN_EXP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return 0;
@@ -143,7 +144,9 @@ int BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
const BIGNUM *m,
if (BN_is_odd(m)) {
# ifdef MONT_EXP_WORD
if (a->top == 1 && !a->neg
- && (BN_get_flags(p, BN_FLG_CONSTTIME) == 0)) {
+ && (BN_get_flags(p, BN_FLG_CONSTTIME) == 0)
+ && (BN_get_flags(a, BN_FLG_CONSTTIME) == 0)
+ && (BN_get_flags(m, BN_FLG_CONSTTIME) == 0)) {
BN_ULONG A = a->d[0];
ret = BN_mod_exp_mont_word(r, A, p, m, ctx, NULL);
} else
@@ -175,7 +178,9 @@ int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const
BIGNUM *p,
BIGNUM *val[TABLE_SIZE];
BN_RECP_CTX recp;
- if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0) {
+ if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0
+ || BN_get_flags(a, BN_FLG_CONSTTIME) != 0
+ || BN_get_flags(m, BN_FLG_CONSTTIME) != 0) {
/* BN_FLG_CONSTTIME only supported by BN_mod_exp_mont() */
BNerr(BN_F_BN_MOD_EXP_RECP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return 0;
@@ -309,7 +314,9 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const
BIGNUM *p,
BIGNUM *val[TABLE_SIZE];
BN_MONT_CTX *mont = NULL;
- if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0) {
+ if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0
+ || BN_get_flags(a, BN_FLG_CONSTTIME) != 0
+ || BN_get_flags(m, BN_FLG_CONSTTIME) != 0) {
return BN_mod_exp_mont_consttime(rr, a, p, m, ctx, in_mont);
}
@@ -1121,7 +1128,8 @@ int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const
BIGNUM *p,
#define BN_TO_MONTGOMERY_WORD(r, w, mont) \
(BN_set_word(r, (w)) && BN_to_montgomery(r, r, (mont), ctx))
- if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0) {
+ if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0
+ || BN_get_flags(m, BN_FLG_CONSTTIME) != 0) {
/* BN_FLG_CONSTTIME only supported by BN_mod_exp_mont() */
BNerr(BN_F_BN_MOD_EXP_MONT_WORD, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return 0;
@@ -1252,7 +1260,9 @@ int BN_mod_exp_simple(BIGNUM *r, const BIGNUM *a, const
BIGNUM *p,
/* Table of variables obtained from 'ctx' */
BIGNUM *val[TABLE_SIZE];
- if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0) {
+ if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0
+ || BN_get_flags(a, BN_FLG_CONSTTIME) != 0
+ || BN_get_flags(m, BN_FLG_CONSTTIME) != 0) {
/* BN_FLG_CONSTTIME only supported by BN_mod_exp_mont() */
BNerr(BN_F_BN_MOD_EXP_SIMPLE, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return 0;
_____
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
