diff options
author | Nicola Tuveri <nic.tuv@gmail.com> | 2019-02-12 00:37:25 +0200 |
---|---|---|
committer | Nicola Tuveri <nic.tuv@gmail.com> | 2019-02-20 22:57:19 +0200 |
commit | d769ce09b690237c35c32032edbaf0339c480e85 (patch) | |
tree | ef088a7d1d31d4eb700634918eade65237ad2460 | |
parent | e30dfbebe7fa3af40fd840fc89b004376fc2b21f (diff) |
Test for constant-time flag leakage in BN_CTX
This commit adds a simple unit test to make sure that the constant-time
flag does not "leak" among BN_CTX frames:
- test_ctx_consttime_flag() initializes (and later frees before
returning) a BN_CTX object, then it calls in sequence
test_ctx_set_ct_flag() and test_ctx_check_ct_flag() using the same
BN_CTX object.
- test_ctx_set_ct_flag() starts a frame in the given BN_CTX and sets the
BN_FLG_CONSTTIME flag on some of the BIGNUMs obtained from the frame
before ending it.
- test_ctx_check_ct_flag() then starts a new frame and gets a number of
BIGNUMs from it. In absence of leaks, none of the BIGNUMs in the new
frame should have BN_FLG_CONSTTIME set.
In actual BN_CTX usage inside libcrypto the leak could happen at any
depth level in the BN_CTX stack, with varying results depending on the
patterns of sibling trees of nested function calls sharing the same
BN_CTX object, and the effect of unintended BN_FLG_CONSTTIME on the
called BN_* functions.
This simple unit test abstracts away this complexity and verifies that
the leak does not happen between two sibling functions sharing the same
BN_CTX object at the same level of nesting.
(manually cherry picked from commit fe16ae5f95fa86ddb049a8d1e2caee0b80b32282)
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8295)
-rw-r--r-- | crypto/bn/bntest.c | 101 |
1 files changed, 101 insertions, 0 deletions
diff --git a/crypto/bn/bntest.c b/crypto/bn/bntest.c index abe5dbe0b0..75aa7075ab 100644 --- a/crypto/bn/bntest.c +++ b/crypto/bn/bntest.c @@ -89,6 +89,10 @@ #include <openssl/x509.h> #include <openssl/err.h> +#ifndef OSSL_NELEM +# define OSSL_NELEM(x) (sizeof(x)/sizeof(x[0])) +#endif + const int num0 = 100; /* number of tests */ const int num1 = 50; /* additional tests for some functions */ const int num2 = 5; /* number of tests for slow functions */ @@ -123,6 +127,7 @@ int test_gf2m_mod_solve_quad(BIO *bp, BN_CTX *ctx); int test_kron(BIO *bp, BN_CTX *ctx); int test_sqrt(BIO *bp, BN_CTX *ctx); int rand_neg(void); +static int test_ctx_consttime_flag(void); static int results = 0; static unsigned char lst[] = @@ -330,6 +335,15 @@ int main(int argc, char *argv[]) goto err; (void)BIO_flush(out); #endif + + /* silently flush any pre-existing error on the stack */ + ERR_clear_error(); + + message(out, "BN_CTX_get BN_FLG_CONSTTIME"); + if (!test_ctx_consttime_flag()) + goto err; + (void)BIO_flush(out); + BN_CTX_free(ctx); BIO_free(out); @@ -2158,3 +2172,90 @@ int rand_neg(void) return (sign[(neg++) % 8]); } + +static int test_ctx_set_ct_flag(BN_CTX *c) +{ + int st = 0; + size_t i; + BIGNUM *b[15]; + + BN_CTX_start(c); + for (i = 0; i < OSSL_NELEM(b); i++) { + if (NULL == (b[i] = BN_CTX_get(c))) { + fprintf(stderr, "ERROR: BN_CTX_get() failed.\n"); + goto err; + } + if (i % 2 == 1) + BN_set_flags(b[i], BN_FLG_CONSTTIME); + } + + st = 1; + err: + BN_CTX_end(c); + return st; +} + +static int test_ctx_check_ct_flag(BN_CTX *c) +{ + int st = 0; + size_t i; + BIGNUM *b[30]; + + BN_CTX_start(c); + for (i = 0; i < OSSL_NELEM(b); i++) { + if (NULL == (b[i] = BN_CTX_get(c))) { + fprintf(stderr, "ERROR: BN_CTX_get() failed.\n"); + goto err; + } + if (BN_get_flags(b[i], BN_FLG_CONSTTIME) != 0) { + fprintf(stderr, "ERROR: BN_FLG_CONSTTIME should not be set.\n"); + goto err; + } + } + + st = 1; + err: + BN_CTX_end(c); + return st; +} + +static int test_ctx_consttime_flag(void) +{ + /*- + * The constant-time flag should not "leak" among BN_CTX frames: + * + * - test_ctx_set_ct_flag() starts a frame in the given BN_CTX and + * sets the BN_FLG_CONSTTIME flag on some of the BIGNUMs obtained + * from the frame before ending it. + * - test_ctx_check_ct_flag() then starts a new frame and gets a + * number of BIGNUMs from it. In absence of leaks, none of the + * BIGNUMs in the new frame should have BN_FLG_CONSTTIME set. + * + * In actual BN_CTX usage inside libcrypto the leak could happen at + * any depth level in the BN_CTX stack, with varying results + * depending on the patterns of sibling trees of nested function + * calls sharing the same BN_CTX object, and the effect of + * unintended BN_FLG_CONSTTIME on the called BN_* functions. + * + * This simple unit test abstracts away this complexity and verifies + * that the leak does not happen between two sibling functions + * sharing the same BN_CTX object at the same level of nesting. + * + */ + BN_CTX *c = NULL; + int st = 0; + + if (NULL == (c = BN_CTX_new())) { + fprintf(stderr, "ERROR: BN_CTX_new() failed.\n"); + goto err; + } + + if (!test_ctx_set_ct_flag(c) + || !test_ctx_check_ct_flag(c)) + goto err; + + st = 1; + err: + BN_CTX_free(c); + return st; +} |