author Nicola Tuveri <nic.tuv@gmail.com> 2020-06-16 20:12:13 +0300
committer Nicola Tuveri <nic.tuv@gmail.com> 2020-06-21 13:45:27 +0300
commit d4bf0d57a84a9bcdeba839b66138949be8221e17
tree 7a9eeb03f3a029c76bd055f00bed8c6898d30058 /crypto/bn
parent 200ae2ee8e1cec5c9af2ea36298bf6583bcd415d
Flag RSA secret BNs as consttime on keygen and checks

<https://github.com/openssl/openssl/pull/11765> switched the default code path for keygen.

External testing through TriggerFlow highlighted that in several places we failed (once more!) to set the `BN_FLG_CONSTTIME` flag on critical secret values (either long term or temporary values).

This commit tries to make sure that the secret BN values inside the `rsa struct` are always flagged on creation, and that temporary values derived from these secrets are flagged when allocated from a BN_CTX.

Acknowledgments
---------------

Thanks to @Voker57, @bbbrumley, @sohhas, @cpereida for the [OpenSSL Triggerflow CI] ([paper]) through which this defect was detected and tested, and for providing early feedback to fix the issue!

[OpenSSL Triggerflow CI]: https://gitlab.com/nisec/openssl-triggerflow-ci
[paper]: https://eprint.iacr.org/2019/366

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12167)

Diffstat (limited to 'crypto/bn')
-rw-r--r-- crypto/bn/bn_rsa_fips186_4.c 1
1 files changed, 1 insertions, 0 deletions
diff --git a/crypto/bn/bn_rsa_fips186_4.c b/crypto/bn/bn_rsa_fips186_4.c
index 935320ff2d..a8b0a69aee 100644
--- a/crypto/bn/bn_rsa_fips186_4.c
+++ b/crypto/bn/bn_rsa_fips186_4.c
@@ -109,6 +109,7 @@ static int bn_rsa_fips186_4_find_aux_prob_prime(const BIGNUM *Xp1,
if (BN_copy(p1, Xp1) == NULL)
return 0;
+ BN_set_flags(p1, BN_FLG_CONSTTIME);
/* Find the first odd number >= Xp1 that is probably prime */
for(;;) {
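
Review bot: The added `BN_set_flags(p1, BN_FLG_CONSTTIME);` after the `BN_copy(p1, Xp1)` check has no comment saying that `p1` now holds a copy of a secret value, which is the only reason the flag is needed at this point. A one-line comment above the call would keep a later refactor from dropping or moving it. It is also worth confirming that nothing in the `for(;;)` search loop that follows swaps `p1` for a fresh, unflagged BIGNUM, and that the caller has already flagged `Xp1`, since this hunk only covers the copy.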