authorSamuel Weiser <samuel.weiser@iaik.tugraz.at>2017-09-15 22:12:53 +0200
committerMatt Caswell <matt@openssl.org>2017-09-27 10:12:19 +0100
commita703f4473f1ce8f0080e420800eefb1fba9258ed (patch)
treee45a70251b320690148ff4da48d9913ddf19a9ee /crypto/bn
parented0245e08fdf374cd6351a1ae8117d7382115a21 (diff)
Fixed error in propagating BN_FLG_CONSTTIME flag through BN_MONT_CTX_set, which could lead to information disclosure on RSA primes p and q.
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4377) (cherry picked from commit 3de81a5912041a70884cf4e52e7213f3b5dfa747)
Diffstat (limited to 'crypto/bn')
-rw-r--r--crypto/bn/bn_mont.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/crypto/bn/bn_mont.c b/crypto/bn/bn_mont.c
index be95bd55d0..94e7a8f841 100644
--- a/crypto/bn/bn_mont.c
+++ b/crypto/bn/bn_mont.c
@@ -382,6 +382,8 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
R = &(mont->RR); /* grab RR as a temp */
if (!BN_copy(&(mont->N), mod))
goto err; /* Set N */
+ if (BN_get_flags(mod, BN_FLG_CONSTTIME) != 0)
+ BN_set_flags(&(mont->N), BN_FLG_CONSTTIME);
mont->N.neg = 0;
#ifdef MONT_WORD
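Review bot: The two added lines carry no explanation of why the flag must be copied by hand right after BN_copy(), so a later cleanup could easily merge them back into the copy and silently reintroduce the leak; a comment on the `if` would pin the intent, e.g. `/* BN_copy() does not carry over flags: N must inherit BN_FLG_CONSTTIME so the modular inverse computed from it later in this function takes the constant-time path */`. The second hunk (@@ -394) repeats the same propagation for the stack BIGNUM tmod and deserves the same comment, since tmod is presumably the operand handed to the inverse in the MONT_WORD branch (that call is outside the hunk). BN_MONT_CTX_set begins before this hunk and ends after the second one.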
@@ -394,6 +396,9 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
tmod.dmax = 2;
tmod.neg = 0;
+ if (BN_get_flags(mod, BN_FLG_CONSTTIME) != 0)
+ BN_set_flags(&tmod, BN_FLG_CONSTTIME);
+
mont->ri = (BN_num_bits(mod) + (BN_BITS2 - 1)) / BN_BITS2 * BN_BITS2;
# if defined(OPENSSL_BN_ASM_MONT) && (BN_BITS2<=32)