From 46a643763de6d8e39ecf6f76fa79b4d04885aa59 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bodo=20M=C3=B6ller?= Date: Mon, 16 May 2005 01:43:31 +0000 Subject: Implement fixed-window exponentiation to mitigate hyper-threading timing attacks. BN_FLG_EXP_CONSTTIME requests this algorithm, and this done by default for RSA/DSA/DH private key computations unless RSA_FLAG_NO_EXP_CONSTTIME/DSA_FLAG_NO_EXP_CONSTTIME/ DH_FLAG_NO_EXP_CONSTTIME is set. Submitted by: Matthew D Wood Reviewed by: Bodo Moeller --- crypto/dh/dh_key.c | 27 ++++++++++++++++++++++++--- 1 file changed, 24 insertions(+), 3 deletions(-) (limited to 'crypto/dh/dh_key.c') diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c index 9148f179f7..e384286c73 100644 --- a/crypto/dh/dh_key.c +++ b/crypto/dh/dh_key.c @@ -141,8 +141,21 @@ static int generate_key(DH *dh) l = dh->length ? dh->length : BN_num_bits(dh->p)-1; /* secret exponent length */ if (!BN_rand(priv_key, l, 0, 0)) goto err; } - if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, priv_key,dh->p,ctx,mont)) - goto err; + + { + BIGNUM local_prk; + BIGNUM *prk; + + if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) + { + prk = &local_prk; + BN_with_flags(prk, priv_key, BN_FLG_EXP_CONSTTIME); + } + else + prk = priv_key; + + if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, prk, dh->p, ctx, mont)) goto err; + } dh->pub_key=pub_key; dh->priv_key=priv_key; @@ -179,6 +192,11 @@ static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) { mont = BN_MONT_CTX_set_locked(&dh->method_mont_p, CRYPTO_LOCK_DH, dh->p, ctx); + if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) + { + /* XXX */ + BN_set_flags(dh->priv_key, BN_FLG_EXP_CONSTTIME); + } if (!mont) goto err; } @@ -201,7 +219,10 @@ static int dh_bn_mod_exp(const DH *dh, BIGNUM *r, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx) { - if (a->top == 1) + /* If a is only one word long and constant time is false, use the faster + * exponenentiation function. + */ + if (a->top == 1 && ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) != 0)) { BN_ULONG A = a->d[0]; return BN_mod_exp_mont_word(r,A,p,m,ctx,m_ctx); -- cgit v1.2.3