The branch OpenSSL_1_0_2-stable has been updated via 0d6710289307d277ebc3354105c965b6e8ba8eb0 (commit) via 64eb614ccc7ccf30cc412b736f509f1d82bbf897 (commit) via 0b199a883e9170cdfe8e61c150bbaf8d8951f3e7 (commit) from c03db40dcfa8b9e0d71837fcc70d1af6b9994cf1 (commit)
- Log ----------------------------------------------------------------- commit 0d6710289307d277ebc3354105c965b6e8ba8eb0 Author: Samuel Weiser <samuel.wei...@iaik.tugraz.at> Date: Fri Feb 9 14:11:47 2018 +0100 consttime flag changed Reviewed-by: Rich Salz <rs...@openssl.org> Reviewed-by: Kurt Roeckx <k...@roeckx.be> Reviewed-by: Matt Caswell <m...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5170) (cherry picked from commit 7150a4720af7913cae16f2e4eaf768b578c0b298) commit 64eb614ccc7ccf30cc412b736f509f1d82bbf897 Author: Samuel Weiser <samuel.wei...@iaik.tugraz.at> Date: Wed Jan 31 13:10:55 2018 +0100 used ERR set/pop mark Reviewed-by: Rich Salz <rs...@openssl.org> Reviewed-by: Kurt Roeckx <k...@roeckx.be> Reviewed-by: Matt Caswell <m...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5170) (cherry picked from commit 011f82e66f4bf131c733fd41a8390039859aafb2) commit 0b199a883e9170cdfe8e61c150bbaf8d8951f3e7 Author: Samuel Weiser <samuel.wei...@iaik.tugraz.at> Date: Tue Dec 5 15:55:17 2017 +0100 Replaced variable-time GCD with consttime inversion to avoid side-channel attacks on RSA key generation Reviewed-by: Rich Salz <rs...@openssl.org> Reviewed-by: Kurt Roeckx <k...@roeckx.be> Reviewed-by: Matt Caswell <m...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5170) (cherry picked from commit 9db724cfede4ba7a3668bff533973ee70145ec07) ----------------------------------------------------------------------- Summary of changes: crypto/rsa/rsa_gen.c | 32 ++++++++++++++++++++++++++------ 1 file changed, 26 insertions(+), 6 deletions(-)
diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c
index a85493d..9ca5dfe 100644
--- a/crypto/rsa/rsa_gen.c
+++ b/crypto/rsa/rsa_gen.c
@@ -109,6 +109,7 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
 BIGNUM *pr0, *d, *p;
 int bitsp, bitsq, ok = -1, n = 0;
 BN_CTX *ctx = NULL;
+ unsigned long error = 0;
 
 /*
 * When generating ridiculously small keys, we can get stuck
@@ -155,16 +156,26 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
 if (BN_copy(rsa->e, e_value) == NULL)
 goto err;
 
+ BN_set_flags(r2, BN_FLG_CONSTTIME);
 /* generate p and q */
 for (;;) {
 if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb))
 goto err;
 if (!BN_sub(r2, rsa->p, BN_value_one()))
 goto err;
- if (!BN_gcd(r1, r2, rsa->e, ctx))
- goto err;
- if (BN_is_one(r1))
+ ERR_set_mark();
+ if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) {
+ /* GCD == 1 since inverse exists */
 break;
+ }
+ error = ERR_peek_last_error();
+ if (ERR_GET_LIB(error) == ERR_LIB_BN
+ && ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
+ /* GCD != 1 */
+ ERR_pop_to_mark();
+ } else {
+ goto err;
+ }
 if (!BN_GENCB_call(cb, 2, n++))
 goto err;
 }
@@ -177,10 +188,19 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
 } while (BN_cmp(rsa->p, rsa->q) == 0);
 if (!BN_sub(r2, rsa->q, BN_value_one()))
 goto err;
- if (!BN_gcd(r1, r2, rsa->e, ctx))
- goto err;
- if (BN_is_one(r1))
+ ERR_set_mark();
+ if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) {
+ /* GCD == 1 since inverse exists */
 break;
+ }
+ error = ERR_peek_last_error();
+ if (ERR_GET_LIB(error) == ERR_LIB_BN
+ && ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
+ /* GCD != 1 */
+ ERR_pop_to_mark();
+ } else {
+ goto err;
+ }
 if (!BN_GENCB_call(cb, 2, n++))
 goto err;
 }
_____ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
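Review bot: The mark set by `ERR_set_mark()` is consumed only on the no-inverse branch; when `BN_mod_inverse()` succeeds the loop breaks, and on the `goto err` path it exits, with the mark still on whatever entry was at the top of the error queue, so if `ERR_set_mark()` flags the current top entry (as I believe it does in this tree) a later `ERR_pop_to_mark()` by a caller could stop early at this stale mark whenever the queue was non-empty on entry. Adding `ERR_pop_to_mark();` before the `break;` in the success branch costs nothing there (no new entry was pushed) and leaves the queue as it was found; the same applies to the q loop in the next hunk (`@@ -177,10 +188,19 @@`). The hunk also never says why `BN_FLG_CONSTTIME` is set on `r2` rather than on `rsa->e`; a comment such as `/* BN_FLG_CONSTTIME on r2 (p-1, later q-1) makes BN_mod_inverse() take its branch-free path; gcd(e, p-1) == 1 iff the inverse exists */` would make the intent of the first added line explicit and tie the q loop to it. It would also be worth noting in that comment that the branch-free inverse still appears to loop a data-dependent number of times, so the timing guarantee this buys is relative to the old `BN_gcd()` rather than absolute. The enclosing rsa_builtin_keygen() starts and ends outside the hunk.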