diff options
author | Cesar Pereida Garcia <cesar.pereidagarcia@tut.fi> | 2019-09-05 17:47:40 +0300 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2019-09-09 08:16:47 +0100 |
commit | adaebd81a01e2926a3106feec0476db7c8d7b362 (patch) | |
tree | 51b5bafbcb1beabc08c2e25b87a5cb6342017387 | |
parent | 6a7bad0fd7a2125d075e459b33145d4ce5ee0de9 (diff) |
[crypto/rsa] Fix multiple SCA vulnerabilities during RSA key validation.
This commit addresses multiple side-channel vulnerabilities present during RSA key validation.
Private key parameters are re-computed using variable-time functions.
This issue was discovered and reported by the NISEC group at TAU Finland.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9785)
-rw-r--r-- | crypto/rsa/rsa_chk.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/crypto/rsa/rsa_chk.c b/crypto/rsa/rsa_chk.c index 475dfc5628..3ea4e02974 100644 --- a/crypto/rsa/rsa_chk.c +++ b/crypto/rsa/rsa_chk.c @@ -63,6 +63,10 @@ int RSA_check_key(const RSA *key) return 0; } + /* Set consant-time flag on private parameters */ + BN_set_flags(key->p, BN_FLG_CONSTTIME); + BN_set_flags(key->q, BN_FLG_CONSTTIME); + BN_set_flags(key->d, BN_FLG_CONSTTIME); i = BN_new(); j = BN_new(); k = BN_new(); @@ -141,6 +145,10 @@ int RSA_check_key(const RSA *key) } if (key->dmp1 != NULL && key->dmq1 != NULL && key->iqmp != NULL) { + /* Set consant-time flag on CRT parameters */ + BN_set_flags(key->dmp1, BN_FLG_CONSTTIME); + BN_set_flags(key->dmq1, BN_FLG_CONSTTIME); + BN_set_flags(key->iqmp, BN_FLG_CONSTTIME); /* dmp1 = d mod (p-1)? */ if (!BN_sub(i, key->p, BN_value_one())) { ret = -1; |