diff options
| author | Cesar Pereida Garcia <cesar.pereidagarcia@tut.fi> | 2019-09-05 12:13:11 +0300 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2019-09-06 16:11:27 +0100 |
| commit | 311e903d8468e2a380d371609a10eda71de16c0e (patch) | |
| tree | 735af77d22a8078830dd70b50119c3cfbb23fba8 | |
| parent | c7bfb138acf6103ae6fd178eb212b110bfb39c0d (diff) | |
[crypto/asn1] Fix multiple SCA vulnerabilities during RSA key validation.
This commit addresses multiple side-channel vulnerabilities present
during RSA key validation.
Private key parameters are re-computed using variable-time functions.
This issue was discovered and reported by the NISEC group at TAU Finland.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9779)
| -rw-r--r-- | crypto/asn1/x_bignum.c | 17 | ||||
| -rw-r--r-- | crypto/rsa/rsa_lib.c | 6 |
2 files changed, 20 insertions, 3 deletions
diff --git a/crypto/asn1/x_bignum.c b/crypto/asn1/x_bignum.c index d7abca6c76..c5e892900e 100644 --- a/crypto/asn1/x_bignum.c +++ b/crypto/asn1/x_bignum.c @@ -130,9 +130,20 @@ static int bn_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, static int bn_secure_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it) { - if (!*pval) - bn_secure_new(pval, it); - return bn_c2i(pval, cont, len, utype, free_cont, it); + int ret; + BIGNUM *bn; + + if (!*pval && !bn_secure_new(pval, it)) + return 0; + + ret = bn_c2i(pval, cont, len, utype, free_cont, it); + if (!ret) + return 0; + + /* Set constant-time flag for all secure BIGNUMS */ + bn = (BIGNUM *)*pval; + BN_set_flags(bn, BN_FLG_CONSTTIME); + return ret; } static int bn_print(BIO *out, const ASN1_VALUE **pval, const ASN1_ITEM *it, diff --git a/crypto/rsa/rsa_lib.c b/crypto/rsa/rsa_lib.c index f337a0df08..e7fdbc2aab 100644 --- a/crypto/rsa/rsa_lib.c +++ b/crypto/rsa/rsa_lib.c @@ -325,6 +325,7 @@ int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) if (d != NULL) { BN_clear_free(r->d); r->d = d; + BN_set_flags(r->d, BN_FLG_CONSTTIME); } return 1; @@ -342,10 +343,12 @@ int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q) if (p != NULL) { BN_clear_free(r->p); r->p = p; + BN_set_flags(r->p, BN_FLG_CONSTTIME); } if (q != NULL) { BN_clear_free(r->q); r->q = q; + BN_set_flags(r->q, BN_FLG_CONSTTIME); } return 1; @@ -364,14 +367,17 @@ int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp) if (dmp1 != NULL) { BN_clear_free(r->dmp1); r->dmp1 = dmp1; + BN_set_flags(r->dmp1, BN_FLG_CONSTTIME); } if (dmq1 != NULL) { BN_clear_free(r->dmq1); r->dmq1 = dmq1; + BN_set_flags(r->dmq1, BN_FLG_CONSTTIME); } if (iqmp != NULL) { BN_clear_free(r->iqmp); r->iqmp = iqmp; + BN_set_flags(r->iqmp, BN_FLG_CONSTTIME); } return 1; |