author | Matt Caswell <matt@openssl.org> | 2016-05-26 10:55:11 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2016-06-06 11:09:06 +0100 |
commit | 5584f65a1027b06fe0cfc4be28d1a232cf180e42 (patch) | |
tree | e1d62f81d9d5a23575e4f4063b47d28e680afcdf /crypto/rsa | |
parent | f943e640efbb5ec30bf57b59468c094083c99eb2 (diff) |
Deprecate the flags that switch off constant time
The flags RSA_FLAG_NO_CONSTTIME, DSA_FLAG_NO_EXP_CONSTTIME and
DH_FLAG_NO_EXP_CONSTTIME which previously provided the ability to switch
off the constant time implementation for RSA, DSA and DH have been made
no-ops and deprecated.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Diffstat (limited to 'crypto/rsa')
-rw-r--r-- | crypto/rsa/rsa_crpt.c | 21 | ||||
-rw-r--r-- | crypto/rsa/rsa_gen.c | 61 | ||||
-rw-r--r-- | crypto/rsa/rsa_ossl.c | 196 |
3 files changed, 106 insertions, 172 deletions
diff --git a/crypto/rsa/rsa_crpt.c b/crypto/rsa/rsa_crpt.c index aca085acbb..9cd733b2c3 100644 --- a/crypto/rsa/rsa_crpt.c +++ b/crypto/rsa/rsa_crpt.c @@ -147,23 +147,18 @@ BN_BLINDING *RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx) } { - BIGNUM *local_n = NULL, *n; - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { - /* Set BN_FLG_CONSTTIME flag */ - local_n = n = BN_new(); - if (local_n == NULL) { - RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_MALLOC_FAILURE); - goto err; - } - BN_with_flags(n, rsa->n, BN_FLG_CONSTTIME); - } else { - n = rsa->n; + BIGNUM *n = BN_new(); + + if (n == NULL) { + RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_MALLOC_FAILURE); + goto err; } + BN_with_flags(n, rsa->n, BN_FLG_CONSTTIME); ret = BN_BLINDING_create_param(NULL, e, n, ctx, rsa->meth->bn_mod_exp, rsa->_method_mod_n); - /* We MUST free local_n before any further use of rsa->n */ - BN_free(local_n); + /* We MUST free n before any further use of rsa->n */ + BN_free(n); } if (ret == NULL) { RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_BN_LIB); diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c index b25d76e55c..5c6b6192e6 100644 --- a/crypto/rsa/rsa_gen.c +++ b/crypto/rsa/rsa_gen.c 
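Review bot: The rewritten comment `/* We MUST free n before any further use of rsa->n */` in RSA_setup_blinding keeps the rule but still omits the reason, and the removed `/* Set BN_FLG_CONSTTIME flag */` line was the only hint of what the temporary is for. BN_with_flags() makes `n` a shallow copy that points at the same word array as `rsa->n`, so the copy is only valid while the original is left untouched. I would say so in place, e.g. `/* n aliases rsa->n's data and only adds BN_FLG_CONSTTIME; free it before rsa->n is used again */`. The same wording applies to the matching "MUST free" comments in the rsa_gen.c and rsa_ossl.c hunks of this commit. The function body starts and ends outside this hunk.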
@@ -137,64 +137,51 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, if (!BN_mul(r0, r1, r2, ctx)) goto err; /* (p-1)(q-1) */ { - BIGNUM *local_r0 = NULL, *pr0; - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { - pr0 = local_r0 = BN_new(); - if (local_r0 == NULL) - goto err; - BN_with_flags(pr0, r0, BN_FLG_CONSTTIME); - } else { - pr0 = r0; - } + BIGNUM *pr0 = BN_new(); + + if (pr0 == NULL) + goto err; + BN_with_flags(pr0, r0, BN_FLG_CONSTTIME); if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx)) { - BN_free(local_r0); + BN_free(pr0); goto err; /* d */ } - /* We MUST free local_r0 before any further use of r0 */ - BN_free(local_r0); + /* We MUST free pr0 before any further use of r0 */ + BN_free(pr0); } { - BIGNUM *local_d = NULL, *d; - /* set up d for correct BN_FLG_CONSTTIME flag */ - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { - d = local_d = BN_new(); - if (local_d == NULL) - goto err; - BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); - } else { - d = rsa->d; - } + BIGNUM *d = BN_new(); + + if (d == NULL) + goto err; + BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); if ( /* calculate d mod (p-1) */ !BN_mod(rsa->dmp1, d, r1, ctx) /* calculate d mod (q-1) */ || !BN_mod(rsa->dmq1, d, r2, ctx)) { - BN_free(local_d); + BN_free(d); goto err; } - /* We MUST free local_d before any further use of rsa->d */ - BN_free(local_d); + /* We MUST free d before any further use of rsa->d */ + BN_free(d); } { - BIGNUM *local_p = NULL, *p; + BIGNUM *p = BN_new(); + + if (p == NULL) + goto err; + BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME); /* calculate inverse of q mod p */ - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { - p = local_p = BN_new(); - if (local_p == NULL) - goto err; - BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME); - } else { - p = rsa->p; - } if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx)) { - BN_free(local_p); + BN_free(p); goto err; } - /* We MUST free local_p before any further use of rsa->p */ - BN_free(local_p); + /* We MUST free p before any further use of 
rsa->p */ + BN_free(p); } ok = 1; diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c index 1aeaae929f..d8af92dc6c 100644 --- a/crypto/rsa/rsa_ossl.c +++ b/crypto/rsa/rsa_ossl.c @@ -300,33 +300,27 @@ static int rsa_ossl_private_encrypt(int flen, const unsigned char *from, if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) goto err; } else { - BIGNUM *d = NULL, *local_d = NULL; - - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { - local_d = d = BN_new(); - if (d == NULL) { - RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE); - goto err; - } - BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); - } else { - d = rsa->d; + BIGNUM *d = BN_new(); + if (d == NULL) { + RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE); + goto err; } + BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) if (!BN_MONT_CTX_set_locked (&rsa->_method_mod_n, rsa->lock, rsa->n, ctx)) { - BN_free(local_d); + BN_free(d); goto err; } if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx, rsa->_method_mod_n)) { - BN_free(local_d); + BN_free(d); goto err; } - /* We MUST free local_d before any further use of rsa->d */ - BN_free(local_d); + /* We MUST free d before any further use of rsa->d */ + BN_free(d); } if (blinding) 
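Review bot: In rsa_ossl_private_encrypt the constant-time property now rests entirely on `BN_FLG_CONSTTIME` being set on `d` before it is handed to the `rsa->meth->bn_mod_exp` callback, and nothing at the call site records that a replacement RSA_METHOD has to honour that flag. Whether every method implementation does cannot be told from this hunk, so a short comment above the call would help, e.g. `/* d carries BN_FLG_CONSTTIME; a custom bn_mod_exp must honour it to stay constant time */`. The same call pattern appears in the rsa_ossl_private_decrypt hunk and in the rsa_ossl_mod_exp hunks (`dmq1`, `dmp1` and the fallback `d`). The enclosing function continues outside the hunk.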
@@ -434,32 +428,26 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) goto err; } else { - BIGNUM *d = NULL, *local_d = NULL; - - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { - local_d = d = BN_new(); - if (d == NULL) { - RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE); - goto err; - } - BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); - } else { - d = rsa->d; + BIGNUM *d = BN_new(); + if (d == NULL) { + RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE); + goto err; } + BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) if (!BN_MONT_CTX_set_locked (&rsa->_method_mod_n, rsa->lock, rsa->n, ctx)) { - BN_free(local_d); + BN_free(d); goto err; } if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx, rsa->_method_mod_n)) { - BN_free(local_d); + BN_free(d); goto err; } - /* We MUST free local_d before any further use of rsa->d */ - BN_free(local_d); + /* We MUST free d before any further use of rsa->d */ + BN_free(d); } if (blinding) 
@@ -608,46 +596,35 @@ static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) vrfy = BN_CTX_get(ctx); { - BIGNUM *local_p = NULL, *local_q = NULL; - BIGNUM *p = NULL, *q = NULL; + BIGNUM *p = BN_new(), *q = BN_new(); /* * Make sure BN_mod_inverse in Montgomery initialization uses the - * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set) + * BN_FLG_CONSTTIME flag */ - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { - local_p = p = BN_new(); - if (p == NULL) - goto err; - BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME); - - local_q = q = BN_new(); - if (q == NULL) { - BN_free(local_p); - goto err; - } - BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME); - } else { - p = rsa->p; - q = rsa->q; + if (p == NULL || q == NULL) { + BN_free(p); + BN_free(q); + goto err; } + BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME); + BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME); if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) { if (!BN_MONT_CTX_set_locked (&rsa->_method_mod_p, rsa->lock, p, ctx) || !BN_MONT_CTX_set_locked(&rsa->_method_mod_q, rsa->lock, q, ctx)) { - BN_free(local_p); - BN_free(local_q); + BN_free(p); + BN_free(q); goto err; } } /* - * We MUST free local_p and local_q before any further use of rsa->p and - * rsa->q + * We MUST free p and q before any further use of rsa->p and rsa->q */ - BN_free(local_p); - BN_free(local_q); + BN_free(p); + BN_free(q); } if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 
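Review bot: `BIGNUM *p = BN_new(), *q = BN_new();` in rsa_ossl_mod_exp runs on every call, but within this hunk `p` and `q` are only read inside the `if (rsa->flags & RSA_FLAG_CACHE_PRIVATE)` branch. When that flag is clear, the two allocations, the two BN_with_flags() calls and the two frees accomplish nothing, and a failed allocation aborts a private-key operation that never needed the temporaries. Moving the declarations, the NULL check and the frees inside that branch would avoid this and keep the flagged views of the secret primes scoped to the only code that uses them. The explanatory comment also sits between the declaration and the `if (p == NULL || q == NULL)` check, and would read better above the declaration. The function body extends beyond this hunk.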
@@ -657,72 +634,58 @@ static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) /* compute I mod q */ { - BIGNUM *local_c = NULL; - const BIGNUM *c; - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { - local_c = BN_new(); - if (local_c == NULL) - goto err; - BN_with_flags(local_c, I, BN_FLG_CONSTTIME); - c = local_c; - } else { - c = I; - } + BIGNUM *c = BN_new(); + if (c == NULL) + goto err; + BN_with_flags(c, I, BN_FLG_CONSTTIME); + if (!BN_mod(r1, c, rsa->q, ctx)) { - BN_free(local_c); + BN_free(c); goto err; } { - BIGNUM *local_dmq1 = NULL, *dmq1; - /* compute r1^dmq1 mod q */ - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { - dmq1 = local_dmq1 = BN_new(); - if (local_dmq1 == NULL) { - BN_free(local_c); - goto err; - } - BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME); - } else { - dmq1 = rsa->dmq1; + BIGNUM *dmq1 = BN_new(); + if (dmq1 == NULL) { + BN_free(c); + goto err; } + BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME); + + /* compute r1^dmq1 mod q */ if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx, rsa->_method_mod_q)) { - BN_free(local_c); - BN_free(local_dmq1); + BN_free(c); + BN_free(dmq1); goto err; } - /* We MUST free local_dmq1 before any further use of rsa->dmq1 */ - BN_free(local_dmq1); + /* We MUST free dmq1 before any further use of rsa->dmq1 */ + BN_free(dmq1); } /* compute I mod p */ if (!BN_mod(r1, c, rsa->p, ctx)) { - BN_free(local_c); + BN_free(c); goto err; } - /* We MUST free local_c before any further use of I */ - BN_free(local_c); + /* We MUST free c before any further use of I */ + BN_free(c); } { - BIGNUM *local_dmp1 = NULL, *dmp1; + BIGNUM *dmp1 = BN_new(); + if (dmp1 == NULL) + goto err; + BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME); + /* compute r1^dmp1 mod p */ - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { - dmp1 = local_dmp1 = BN_new(); - if (local_dmp1 == NULL) - goto err; - BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME); - } else { - dmp1 = rsa->dmp1; - } if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, 
rsa->p, ctx, rsa->_method_mod_p)) { - BN_free(local_dmp1); + BN_free(dmp1); goto err; } - /* We MUST free local_dmp1 before any further use of rsa->dmp1 */ - BN_free(local_dmp1); + /* We MUST free dmp1 before any further use of rsa->dmp1 */ + BN_free(dmp1); } if (!BN_sub(r0, r0, m1)) @@ -739,22 +702,17 @@ static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) goto err; { - BIGNUM *local_r1 = NULL, *pr1; - /* Turn BN_FLG_CONSTTIME flag on before division operation */ - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { - pr1 = local_r1 = BN_new(); - if (local_r1 == NULL) - goto err; - BN_with_flags(pr1, r1, BN_FLG_CONSTTIME); - } else { - pr1 = r1; - } + BIGNUM *pr1 = BN_new(); + if (pr1 == NULL) + goto err; + BN_with_flags(pr1, r1, BN_FLG_CONSTTIME); + if (!BN_mod(r0, pr1, rsa->p, ctx)) { - BN_free(local_r1); + BN_free(pr1); goto err; } - /* We MUST free local_r1 before any further use of r1 */ - BN_free(local_r1); + /* We MUST free pr1 before any further use of r1 */ + BN_free(pr1); } /* @@ -796,24 +754,18 @@ static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) * return that instead. */ - BIGNUM *local_d = NULL; - BIGNUM *d = NULL; + BIGNUM *d = BN_new(); + if (d == NULL) + goto err; + BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { - local_d = d = BN_new(); - if (d == NULL) - goto err; - BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); - } else { - d = rsa->d; - } if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx, rsa->_method_mod_n)) { - BN_free(local_d); + BN_free(d); goto err; } - /* We MUST free local_d before any further use of rsa->d */ - BN_free(local_d); + /* We MUST free d before any further use of rsa->d */ + BN_free(d); } } ret = 1; |