authorMatt Caswell <matt@openssl.org>2016-05-26 10:55:11 +0100
committerMatt Caswell <matt@openssl.org>2016-06-06 11:09:06 +0100
commit5584f65a1027b06fe0cfc4be28d1a232cf180e42 (patch)
treee1d62f81d9d5a23575e4f4063b47d28e680afcdf /crypto
parentf943e640efbb5ec30bf57b59468c094083c99eb2 (diff)
Deprecate the flags that switch off constant time
The flags RSA_FLAG_NO_CONSTTIME, DSA_FLAG_NO_EXP_CONSTTIME and DH_FLAG_NO_EXP_CONSTTIME which previously provided the ability to switch off the constant time implementation for RSA, DSA and DH have been made no-ops and deprecated. Reviewed-by: Richard Levitte <levitte@openssl.org>
Diffstat (limited to 'crypto')
-rw-r--r--crypto/dh/dh_key.c35
-rw-r--r--crypto/dsa/dsa_key.c20
-rw-r--r--crypto/dsa/dsa_ossl.c38
-rw-r--r--crypto/rsa/rsa_crpt.c21
-rw-r--r--crypto/rsa/rsa_gen.c61
-rw-r--r--crypto/rsa/rsa_ossl.c196
6 files changed, 137 insertions, 234 deletions
diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
index 9b79f394fc..1644003bd9 100644
--- a/crypto/dh/dh_key.c
+++ b/crypto/dh/dh_key.c
@@ -113,24 +113,18 @@ static int generate_key(DH *dh)
}
{
- BIGNUM *local_prk = NULL;
- BIGNUM *prk;
+ BIGNUM *prk = BN_new();
- if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) {
- local_prk = prk = BN_new();
- if (local_prk == NULL)
- goto err;
- BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
- } else {
- prk = priv_key;
- }
+ if (prk == NULL)
+ goto err;
+ BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, prk, dh->p, ctx, mont)) {
- BN_free(local_prk);
+ BN_free(prk);
goto err;
}
- /* We MUST free local_prk before any further use of priv_key */
- BN_free(local_prk);
+ /* We MUST free prk before any further use of priv_key */
+ BN_free(prk);
}
dh->pub_key = pub_key;
@@ -175,10 +169,7 @@ static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
if (dh->flags & DH_FLAG_CACHE_MONT_P) {
mont = BN_MONT_CTX_set_locked(&dh->method_mont_p,
dh->lock, dh->p, ctx);
- if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) {
- /* XXX */
- BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
- }
+ BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
if (!mont)
goto err;
}
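Review bot: The surviving `BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);` at L62 is still inside the `if (dh->flags & DH_FLAG_CACHE_MONT_P)` branch, so when that flag is clear the private exponent reaches the later exponentiation (outside this hunk) without BN_FLG_CONSTTIME, which after this commit is the only thing that selects the constant-time path. It also mutates the caller's key object in place, unlike generate_key in the same file, which aliases the secret with BN_with_flags on a throwaway BIGNUM and frees it afterwards. The deleted `/* XXX */` read as an acknowledgement of exactly this wart, and dropping it without addressing it loses that signal. Suggest hoisting the line above the `if`, or better, adopting the alias pattern: `BIGNUM *prk = BN_new();` / `BN_with_flags(prk, dh->priv_key, BN_FLG_CONSTTIME);` and passing `prk` to bn_mod_exp, freeing it before any further use of dh->priv_key. compute_key's body continues outside the hunk.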
@@ -207,15 +198,7 @@ static int dh_bn_mod_exp(const DH *dh, BIGNUM *r,
const BIGNUM *a, const BIGNUM *p,
const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
{
- /*
- * If a is only one word long and constant time is false, use the faster
- * exponentiation function.
- */
- if (bn_get_top(a) == 1 && ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) != 0)) {
- BN_ULONG A = bn_get_words(a)[0];
- return BN_mod_exp_mont_word(r, A, p, m, ctx, m_ctx);
- } else
- return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
+ return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
}
static int dh_init(DH *dh)
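Review bot: With the single-word shortcut removed, dh_bn_mod_exp no longer reads `dh`, and nothing in the wrapper itself enforces constant time — as far as I can tell from this hunk, whether BN_mod_exp_mont takes its constant-time path depends on the caller having set BN_FLG_CONSTTIME on the exponent `p`. A one-line comment would stop the next reader from assuming the method is constant-time on its own: `/* Constant-time only when the caller has set BN_FLG_CONSTTIME on the exponent p. */`. The unused `dh` has to stay for the DH_METHOD signature; a `(void)dh;` is optional and a matter of file style.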
diff --git a/crypto/dsa/dsa_key.c b/crypto/dsa/dsa_key.c
index 2bb84543d6..aa5d42ce17 100644
--- a/crypto/dsa/dsa_key.c
+++ b/crypto/dsa/dsa_key.c
@@ -50,24 +50,18 @@ static int dsa_builtin_keygen(DSA *dsa)
pub_key = dsa->pub_key;
{
- BIGNUM *local_prk = NULL;
- BIGNUM *prk;
+ BIGNUM *prk = BN_new();
- if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
- local_prk = prk = BN_new();
- if (local_prk == NULL)
- goto err;
- BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
- } else {
- prk = priv_key;
- }
+ if (prk == NULL)
+ goto err;
+ BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
if (!BN_mod_exp(pub_key, dsa->g, prk, dsa->p, ctx)) {
- BN_free(local_prk);
+ BN_free(prk);
goto err;
}
- /* We MUST free local_prk before any further use of priv_key */
- BN_free(local_prk);
+ /* We MUST free prk before any further use of priv_key */
+ BN_free(prk);
}
dsa->priv_key = priv_key;
diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
index 2bc1887a98..ea09afd953 100644
--- a/crypto/dsa/dsa_ossl.c
+++ b/crypto/dsa/dsa_ossl.c
@@ -135,7 +135,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
const unsigned char *dgst, int dlen)
{
BN_CTX *ctx = NULL;
- BIGNUM *k, *kq, *K, *kinv = NULL, *r = *rp;
+ BIGNUM *k, *kq, *kinv = NULL, *r = *rp;
int ret = 0;
if (!dsa->p || !dsa->q || !dsa->g) {
@@ -176,39 +176,31 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
/* Compute r = (g^k mod p) mod q */
- if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
- if (!BN_copy(kq, k))
- goto err;
+ if (!BN_copy(kq, k))
+ goto err;
- /*
- * We do not want timing information to leak the length of k, so we
- * compute g^k using an equivalent exponent of fixed length. (This
- * is a kludge that we need because the BN_mod_exp_mont() does not
- * let us specify the desired timing behaviour.)
- */
+ /*
+ * We do not want timing information to leak the length of k, so we
+ * compute g^k using an equivalent exponent of fixed length. (This
+ * is a kludge that we need because the BN_mod_exp_mont() does not
+ * let us specify the desired timing behaviour.)
+ */
+ if (!BN_add(kq, kq, dsa->q))
+ goto err;
+ if (BN_num_bits(kq) <= BN_num_bits(dsa->q)) {
if (!BN_add(kq, kq, dsa->q))
goto err;
- if (BN_num_bits(kq) <= BN_num_bits(dsa->q)) {
- if (!BN_add(kq, kq, dsa->q))
- goto err;
- }
-
- K = kq;
- } else {
- K = k;
}
- if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
- BN_set_flags(K, BN_FLG_CONSTTIME);
- }
+ BN_set_flags(kq, BN_FLG_CONSTTIME);
if ((dsa)->meth->bn_mod_exp != NULL) {
- if (!dsa->meth->bn_mod_exp(dsa, r, dsa->g, K, dsa->p, ctx,
+ if (!dsa->meth->bn_mod_exp(dsa, r, dsa->g, kq, dsa->p, ctx,
dsa->method_mont_p))
goto err;
} else {
- if (!BN_mod_exp_mont(r, dsa->g, K, dsa->p, ctx, dsa->method_mont_p))
+ if (!BN_mod_exp_mont(r, dsa->g, kq, dsa->p, ctx, dsa->method_mont_p))
goto err;
}
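Review bot: The fixed-length-exponent kludge now runs unconditionally, but the `if (BN_num_bits(kq) <= BN_num_bits(dsa->q))` test at L147 still branches on a property of the secret nonce k (whether the first `k + q` spilled into an extra bit), so the setup for the exponentiation is not branch-free even though the exponentiation is flagged constant-time at L162. This is pre-existing and the commit only removes the opt-out, but it is now the only code path, so it deserves at least a comment stating that one bit of k's length can still influence control flow here. A tighter form would perform both additions unconditionally into two ctx temporaries and select the one that is one bit longer than q, e.g. `BN_add(l, k, dsa->q); BN_add(m, l, dsa->q); BN_copy(kq, BN_num_bits(l) > BN_num_bits(dsa->q) ? l : m);` — the select still needs care to avoid a secret-dependent memory access, so I would not claim it is fully leak-free. dsa_sign_setup continues outside the hunk.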
diff --git a/crypto/rsa/rsa_crpt.c b/crypto/rsa/rsa_crpt.c
index aca085acbb..9cd733b2c3 100644
--- a/crypto/rsa/rsa_crpt.c
+++ b/crypto/rsa/rsa_crpt.c
@@ -147,23 +147,18 @@ BN_BLINDING *RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx)
}
{
- BIGNUM *local_n = NULL, *n;
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- /* Set BN_FLG_CONSTTIME flag */
- local_n = n = BN_new();
- if (local_n == NULL) {
- RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_MALLOC_FAILURE);
- goto err;
- }
- BN_with_flags(n, rsa->n, BN_FLG_CONSTTIME);
- } else {
- n = rsa->n;
+ BIGNUM *n = BN_new();
+
+ if (n == NULL) {
+ RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_MALLOC_FAILURE);
+ goto err;
}
+ BN_with_flags(n, rsa->n, BN_FLG_CONSTTIME);
ret = BN_BLINDING_create_param(NULL, e, n, ctx, rsa->meth->bn_mod_exp,
rsa->_method_mod_n);
- /* We MUST free local_n before any further use of rsa->n */
- BN_free(local_n);
+ /* We MUST free n before any further use of rsa->n */
+ BN_free(n);
}
if (ret == NULL) {
RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_BN_LIB);
diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c
index b25d76e55c..5c6b6192e6 100644
--- a/crypto/rsa/rsa_gen.c
+++ b/crypto/rsa/rsa_gen.c
@@ -137,64 +137,51 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
if (!BN_mul(r0, r1, r2, ctx))
goto err; /* (p-1)(q-1) */
{
- BIGNUM *local_r0 = NULL, *pr0;
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- pr0 = local_r0 = BN_new();
- if (local_r0 == NULL)
- goto err;
- BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
- } else {
- pr0 = r0;
- }
+ BIGNUM *pr0 = BN_new();
+
+ if (pr0 == NULL)
+ goto err;
+ BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx)) {
- BN_free(local_r0);
+ BN_free(pr0);
goto err; /* d */
}
- /* We MUST free local_r0 before any further use of r0 */
- BN_free(local_r0);
+ /* We MUST free pr0 before any further use of r0 */
+ BN_free(pr0);
}
{
- BIGNUM *local_d = NULL, *d;
- /* set up d for correct BN_FLG_CONSTTIME flag */
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- d = local_d = BN_new();
- if (local_d == NULL)
- goto err;
- BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
- } else {
- d = rsa->d;
- }
+ BIGNUM *d = BN_new();
+
+ if (d == NULL)
+ goto err;
+ BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
if ( /* calculate d mod (p-1) */
!BN_mod(rsa->dmp1, d, r1, ctx)
/* calculate d mod (q-1) */
|| !BN_mod(rsa->dmq1, d, r2, ctx)) {
- BN_free(local_d);
+ BN_free(d);
goto err;
}
- /* We MUST free local_d before any further use of rsa->d */
- BN_free(local_d);
+ /* We MUST free d before any further use of rsa->d */
+ BN_free(d);
}
{
- BIGNUM *local_p = NULL, *p;
+ BIGNUM *p = BN_new();
+
+ if (p == NULL)
+ goto err;
+ BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
/* calculate inverse of q mod p */
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- p = local_p = BN_new();
- if (local_p == NULL)
- goto err;
- BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
- } else {
- p = rsa->p;
- }
if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx)) {
- BN_free(local_p);
+ BN_free(p);
goto err;
}
- /* We MUST free local_p before any further use of rsa->p */
- BN_free(local_p);
+ /* We MUST free p before any further use of rsa->p */
+ BN_free(p);
}
ok = 1;
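Review bot: Each of the four new `if (x == NULL) goto err;` allocation checks in this hunk (L226, L252, L272) fails silently, whereas the same pattern in rsa_crpt.c and rsa_ossl.c in this commit pushes `ERR_R_MALLOC_FAILURE`; a caller of the key generator would see a bare failure with an empty error queue. Suggest `RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, ERR_R_MALLOC_FAILURE);` before each `goto err`, using whatever function code the rest of rsa_builtin_keygen already uses if it differs. Secondary, a style point: naming the flag-carrying aliases `d` and `p` right next to `rsa->d` and `rsa->p` invites a reader to think they are independent copies; the old `local_*` prefix or a suffix like `d_ct` makes clear that these are views that must be freed before the underlying BIGNUM is touched again, which the comments already demand. rsa_builtin_keygen starts outside the hunk.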
diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c
index 1aeaae929f..d8af92dc6c 100644
--- a/crypto/rsa/rsa_ossl.c
+++ b/crypto/rsa/rsa_ossl.c
@@ -300,33 +300,27 @@ static int rsa_ossl_private_encrypt(int flen, const unsigned char *from,
if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
goto err;
} else {
- BIGNUM *d = NULL, *local_d = NULL;
-
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- local_d = d = BN_new();
- if (d == NULL) {
- RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE);
- goto err;
- }
- BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
- } else {
- d = rsa->d;
+ BIGNUM *d = BN_new();
+ if (d == NULL) {
+ RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE);
+ goto err;
}
+ BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
if (!BN_MONT_CTX_set_locked
(&rsa->_method_mod_n, rsa->lock, rsa->n, ctx)) {
- BN_free(local_d);
+ BN_free(d);
goto err;
}
if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
rsa->_method_mod_n)) {
- BN_free(local_d);
+ BN_free(d);
goto err;
}
- /* We MUST free local_d before any further use of rsa->d */
- BN_free(local_d);
+ /* We MUST free d before any further use of rsa->d */
+ BN_free(d);
}
if (blinding)
@@ -434,32 +428,26 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
goto err;
} else {
- BIGNUM *d = NULL, *local_d = NULL;
-
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- local_d = d = BN_new();
- if (d == NULL) {
- RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE);
- goto err;
- }
- BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
- } else {
- d = rsa->d;
+ BIGNUM *d = BN_new();
+ if (d == NULL) {
+ RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE);
+ goto err;
}
+ BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
if (!BN_MONT_CTX_set_locked
(&rsa->_method_mod_n, rsa->lock, rsa->n, ctx)) {
- BN_free(local_d);
+ BN_free(d);
goto err;
}
if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
rsa->_method_mod_n)) {
- BN_free(local_d);
+ BN_free(d);
goto err;
}
- /* We MUST free local_d before any further use of rsa->d */
- BN_free(local_d);
+ /* We MUST free d before any further use of rsa->d */
+ BN_free(d);
}
if (blinding)
@@ -608,46 +596,35 @@ static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
vrfy = BN_CTX_get(ctx);
{
- BIGNUM *local_p = NULL, *local_q = NULL;
- BIGNUM *p = NULL, *q = NULL;
+ BIGNUM *p = BN_new(), *q = BN_new();
/*
* Make sure BN_mod_inverse in Montgomery initialization uses the
- * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set)
+ * BN_FLG_CONSTTIME flag
*/
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- local_p = p = BN_new();
- if (p == NULL)
- goto err;
- BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
-
- local_q = q = BN_new();
- if (q == NULL) {
- BN_free(local_p);
- goto err;
- }
- BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
- } else {
- p = rsa->p;
- q = rsa->q;
+ if (p == NULL || q == NULL) {
+ BN_free(p);
+ BN_free(q);
+ goto err;
}
+ BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
+ BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) {
if (!BN_MONT_CTX_set_locked
(&rsa->_method_mod_p, rsa->lock, p, ctx)
|| !BN_MONT_CTX_set_locked(&rsa->_method_mod_q,
rsa->lock, q, ctx)) {
- BN_free(local_p);
- BN_free(local_q);
+ BN_free(p);
+ BN_free(q);
goto err;
}
}
/*
- * We MUST free local_p and local_q before any further use of rsa->p and
- * rsa->q
+ * We MUST free p and q before any further use of rsa->p and rsa->q
*/
- BN_free(local_p);
- BN_free(local_q);
+ BN_free(p);
+ BN_free(q);
}
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
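Review bot: `p` and `q` at L384 are allocated and flagged on every call, but within this hunk they are only read under `if (rsa->flags & RSA_FLAG_CACHE_PRIVATE)` (L412-L416); when that flag is clear the two BN_new/BN_free pairs are pure overhead on every private-key operation. Moving the allocation, the two `BN_with_flags` calls and the frees inside that `if` keeps the semantics and drops the dead work. As in rsa_gen.c, the allocation failure at L405 returns without pushing an error, unlike rsa_ossl_private_encrypt earlier in this commit; `RSAerr(<this function's code>, ERR_R_MALLOC_FAILURE);` before the `goto err` would make the failure diagnosable. rsa_ossl_mod_exp continues outside the hunk.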
@@ -657,72 +634,58 @@ static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
/* compute I mod q */
{
- BIGNUM *local_c = NULL;
- const BIGNUM *c;
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- local_c = BN_new();
- if (local_c == NULL)
- goto err;
- BN_with_flags(local_c, I, BN_FLG_CONSTTIME);
- c = local_c;
- } else {
- c = I;
- }
+ BIGNUM *c = BN_new();
+ if (c == NULL)
+ goto err;
+ BN_with_flags(c, I, BN_FLG_CONSTTIME);
+
if (!BN_mod(r1, c, rsa->q, ctx)) {
- BN_free(local_c);
+ BN_free(c);
goto err;
}
{
- BIGNUM *local_dmq1 = NULL, *dmq1;
- /* compute r1^dmq1 mod q */
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- dmq1 = local_dmq1 = BN_new();
- if (local_dmq1 == NULL) {
- BN_free(local_c);
- goto err;
- }
- BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
- } else {
- dmq1 = rsa->dmq1;
+ BIGNUM *dmq1 = BN_new();
+ if (dmq1 == NULL) {
+ BN_free(c);
+ goto err;
}
+ BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
+
+ /* compute r1^dmq1 mod q */
if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx,
rsa->_method_mod_q)) {
- BN_free(local_c);
- BN_free(local_dmq1);
+ BN_free(c);
+ BN_free(dmq1);
goto err;
}
- /* We MUST free local_dmq1 before any further use of rsa->dmq1 */
- BN_free(local_dmq1);
+ /* We MUST free dmq1 before any further use of rsa->dmq1 */
+ BN_free(dmq1);
}
/* compute I mod p */
if (!BN_mod(r1, c, rsa->p, ctx)) {
- BN_free(local_c);
+ BN_free(c);
goto err;
}
- /* We MUST free local_c before any further use of I */
- BN_free(local_c);
+ /* We MUST free c before any further use of I */
+ BN_free(c);
}
{
- BIGNUM *local_dmp1 = NULL, *dmp1;
+ BIGNUM *dmp1 = BN_new();
+ if (dmp1 == NULL)
+ goto err;
+ BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
+
/* compute r1^dmp1 mod p */
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- dmp1 = local_dmp1 = BN_new();
- if (local_dmp1 == NULL)
- goto err;
- BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
- } else {
- dmp1 = rsa->dmp1;
- }
if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p, ctx,
rsa->_method_mod_p)) {
- BN_free(local_dmp1);
+ BN_free(dmp1);
goto err;
}
- /* We MUST free local_dmp1 before any further use of rsa->dmp1 */
- BN_free(local_dmp1);
+ /* We MUST free dmp1 before any further use of rsa->dmp1 */
+ BN_free(dmp1);
}
if (!BN_sub(r0, r0, m1))
@@ -739,22 +702,17 @@ static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
goto err;
{
- BIGNUM *local_r1 = NULL, *pr1;
- /* Turn BN_FLG_CONSTTIME flag on before division operation */
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- pr1 = local_r1 = BN_new();
- if (local_r1 == NULL)
- goto err;
- BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
- } else {
- pr1 = r1;
- }
+ BIGNUM *pr1 = BN_new();
+ if (pr1 == NULL)
+ goto err;
+ BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
+
if (!BN_mod(r0, pr1, rsa->p, ctx)) {
- BN_free(local_r1);
+ BN_free(pr1);
goto err;
}
- /* We MUST free local_r1 before any further use of r1 */
- BN_free(local_r1);
+ /* We MUST free pr1 before any further use of r1 */
+ BN_free(pr1);
}
/*
@@ -796,24 +754,18 @@ static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
* return that instead.
*/
- BIGNUM *local_d = NULL;
- BIGNUM *d = NULL;
+ BIGNUM *d = BN_new();
+ if (d == NULL)
+ goto err;
+ BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- local_d = d = BN_new();
- if (d == NULL)
- goto err;
- BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
- } else {
- d = rsa->d;
- }
if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx,
rsa->_method_mod_n)) {
- BN_free(local_d);
+ BN_free(d);
goto err;
}
- /* We MUST free local_d before any further use of rsa->d */
- BN_free(local_d);
+ /* We MUST free d before any further use of rsa->d */
+ BN_free(d);
}
}
ret = 1;