Changes between 1.0.2h and 1.1.0 [xx XXX 2016]
+ *) The flags RSA_FLAG_NO_CONSTTIME, DSA_FLAG_NO_EXP_CONSTTIME and
+ DH_FLAG_NO_EXP_CONSTTIME which previously provided the ability to switch
+ off the constant time implementation for RSA, DSA and DH have been made
+ no-ops and deprecated.
+ [Matt Caswell]
+
*) Windows RAND implementation was simplified to only get entropy by
calling CryptGenRandom(). Various other RAND-related tickets
were also closed.
}
{
- BIGNUM *local_prk = NULL;
- BIGNUM *prk;
+ BIGNUM *prk = BN_new();
- if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) {
- local_prk = prk = BN_new();
- if (local_prk == NULL)
- goto err;
- BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
- } else {
- prk = priv_key;
- }
+ if (prk == NULL)
+ goto err;
+ BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, prk, dh->p, ctx, mont)) {
- BN_free(local_prk);
+ BN_free(prk);
goto err;
}
- /* We MUST free local_prk before any further use of priv_key */
- BN_free(local_prk);
+ /* We MUST free prk before any further use of priv_key */
+ BN_free(prk);
}
dh->pub_key = pub_key;
if (dh->flags & DH_FLAG_CACHE_MONT_P) {
mont = BN_MONT_CTX_set_locked(&dh->method_mont_p,
dh->lock, dh->p, ctx);
- if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) {
- /* XXX */
- BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
- }
+ BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
if (!mont)
goto err;
}
const BIGNUM *a, const BIGNUM *p,
const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
{
- /*
- * If a is only one word long and constant time is false, use the faster
- * exponentiation function.
- */
- if (bn_get_top(a) == 1 && ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) != 0)) {
- BN_ULONG A = bn_get_words(a)[0];
- return BN_mod_exp_mont_word(r, A, p, m, ctx, m_ctx);
- } else
- return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
+ return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
}
static int dh_init(DH *dh)
pub_key = dsa->pub_key;
{
- BIGNUM *local_prk = NULL;
- BIGNUM *prk;
+ BIGNUM *prk = BN_new();
- if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
- local_prk = prk = BN_new();
- if (local_prk == NULL)
- goto err;
- BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
- } else {
- prk = priv_key;
- }
+ if (prk == NULL)
+ goto err;
+ BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
if (!BN_mod_exp(pub_key, dsa->g, prk, dsa->p, ctx)) {
- BN_free(local_prk);
+ BN_free(prk);
goto err;
}
- /* We MUST free local_prk before any further use of priv_key */
- BN_free(local_prk);
+ /* We MUST free prk before any further use of priv_key */
+ BN_free(prk);
}
dsa->priv_key = priv_key;
const unsigned char *dgst, int dlen)
{
BN_CTX *ctx = NULL;
- BIGNUM *k, *kq, *K, *kinv = NULL, *r = *rp;
+ BIGNUM *k, *kq, *kinv = NULL, *r = *rp;
int ret = 0;
if (!dsa->p || !dsa->q || !dsa->g) {
/* Compute r = (g^k mod p) mod q */
- if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
- if (!BN_copy(kq, k))
- goto err;
+ if (!BN_copy(kq, k))
+ goto err;
- /*
- * We do not want timing information to leak the length of k, so we
- * compute g^k using an equivalent exponent of fixed length. (This
- * is a kludge that we need because the BN_mod_exp_mont() does not
- * let us specify the desired timing behaviour.)
- */
+ /*
+ * We do not want timing information to leak the length of k, so we
+ * compute g^k using an equivalent exponent of fixed length. (This
+ * is a kludge that we need because the BN_mod_exp_mont() does not
+ * let us specify the desired timing behaviour.)
+ */
+ if (!BN_add(kq, kq, dsa->q))
+ goto err;
+ if (BN_num_bits(kq) <= BN_num_bits(dsa->q)) {
if (!BN_add(kq, kq, dsa->q))
goto err;
- if (BN_num_bits(kq) <= BN_num_bits(dsa->q)) {
- if (!BN_add(kq, kq, dsa->q))
- goto err;
- }
-
- K = kq;
- } else {
- K = k;
}
- if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
- BN_set_flags(K, BN_FLG_CONSTTIME);
- }
+ BN_set_flags(kq, BN_FLG_CONSTTIME);
if ((dsa)->meth->bn_mod_exp != NULL) {
- if (!dsa->meth->bn_mod_exp(dsa, r, dsa->g, K, dsa->p, ctx,
+ if (!dsa->meth->bn_mod_exp(dsa, r, dsa->g, kq, dsa->p, ctx,
dsa->method_mont_p))
goto err;
} else {
- if (!BN_mod_exp_mont(r, dsa->g, K, dsa->p, ctx, dsa->method_mont_p))
+ if (!BN_mod_exp_mont(r, dsa->g, kq, dsa->p, ctx, dsa->method_mont_p))
goto err;
}
}
{
- BIGNUM *local_n = NULL, *n;
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- /* Set BN_FLG_CONSTTIME flag */
- local_n = n = BN_new();
- if (local_n == NULL) {
- RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_MALLOC_FAILURE);
- goto err;
- }
- BN_with_flags(n, rsa->n, BN_FLG_CONSTTIME);
- } else {
- n = rsa->n;
+ BIGNUM *n = BN_new();
+
+ if (n == NULL) {
+ RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_MALLOC_FAILURE);
+ goto err;
}
+ BN_with_flags(n, rsa->n, BN_FLG_CONSTTIME);
ret = BN_BLINDING_create_param(NULL, e, n, ctx, rsa->meth->bn_mod_exp,
rsa->_method_mod_n);
- /* We MUST free local_n before any further use of rsa->n */
- BN_free(local_n);
+ /* We MUST free n before any further use of rsa->n */
+ BN_free(n);
}
if (ret == NULL) {
RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_BN_LIB);
if (!BN_mul(r0, r1, r2, ctx))
goto err; /* (p-1)(q-1) */
{
- BIGNUM *local_r0 = NULL, *pr0;
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- pr0 = local_r0 = BN_new();
- if (local_r0 == NULL)
- goto err;
- BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
- } else {
- pr0 = r0;
- }
+ BIGNUM *pr0 = BN_new();
+
+ if (pr0 == NULL)
+ goto err;
+ BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx)) {
- BN_free(local_r0);
+ BN_free(pr0);
goto err; /* d */
}
- /* We MUST free local_r0 before any further use of r0 */
- BN_free(local_r0);
+ /* We MUST free pr0 before any further use of r0 */
+ BN_free(pr0);
}
{
- BIGNUM *local_d = NULL, *d;
- /* set up d for correct BN_FLG_CONSTTIME flag */
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- d = local_d = BN_new();
- if (local_d == NULL)
- goto err;
- BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
- } else {
- d = rsa->d;
- }
+ BIGNUM *d = BN_new();
+
+ if (d == NULL)
+ goto err;
+ BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
if ( /* calculate d mod (p-1) */
!BN_mod(rsa->dmp1, d, r1, ctx)
/* calculate d mod (q-1) */
|| !BN_mod(rsa->dmq1, d, r2, ctx)) {
- BN_free(local_d);
+ BN_free(d);
goto err;
}
- /* We MUST free local_d before any further use of rsa->d */
- BN_free(local_d);
+ /* We MUST free d before any further use of rsa->d */
+ BN_free(d);
}
{
- BIGNUM *local_p = NULL, *p;
+ BIGNUM *p = BN_new();
+
+ if (p == NULL)
+ goto err;
+ BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
/* calculate inverse of q mod p */
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- p = local_p = BN_new();
- if (local_p == NULL)
- goto err;
- BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
- } else {
- p = rsa->p;
- }
if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx)) {
- BN_free(local_p);
+ BN_free(p);
goto err;
}
- /* We MUST free local_p before any further use of rsa->p */
- BN_free(local_p);
+ /* We MUST free p before any further use of rsa->p */
+ BN_free(p);
}
ok = 1;
if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
goto err;
} else {
- BIGNUM *d = NULL, *local_d = NULL;
-
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- local_d = d = BN_new();
- if (d == NULL) {
- RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE);
- goto err;
- }
- BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
- } else {
- d = rsa->d;
+ BIGNUM *d = BN_new();
+ if (d == NULL) {
+ RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE);
+ goto err;
}
+ BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
if (!BN_MONT_CTX_set_locked
(&rsa->_method_mod_n, rsa->lock, rsa->n, ctx)) {
- BN_free(local_d);
+ BN_free(d);
goto err;
}
if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
rsa->_method_mod_n)) {
- BN_free(local_d);
+ BN_free(d);
goto err;
}
- /* We MUST free local_d before any further use of rsa->d */
- BN_free(local_d);
+ /* We MUST free d before any further use of rsa->d */
+ BN_free(d);
}
if (blinding)
if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
goto err;
} else {
- BIGNUM *d = NULL, *local_d = NULL;
-
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- local_d = d = BN_new();
- if (d == NULL) {
- RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE);
- goto err;
- }
- BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
- } else {
- d = rsa->d;
+ BIGNUM *d = BN_new();
+ if (d == NULL) {
+ RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE);
+ goto err;
}
+ BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
if (!BN_MONT_CTX_set_locked
(&rsa->_method_mod_n, rsa->lock, rsa->n, ctx)) {
- BN_free(local_d);
+ BN_free(d);
goto err;
}
if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
rsa->_method_mod_n)) {
- BN_free(local_d);
+ BN_free(d);
goto err;
}
- /* We MUST free local_d before any further use of rsa->d */
- BN_free(local_d);
+ /* We MUST free d before any further use of rsa->d */
+ BN_free(d);
}
if (blinding)
vrfy = BN_CTX_get(ctx);
{
- BIGNUM *local_p = NULL, *local_q = NULL;
- BIGNUM *p = NULL, *q = NULL;
+ BIGNUM *p = BN_new(), *q = BN_new();
/*
* Make sure BN_mod_inverse in Montgomery initialization uses the
- * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set)
+ * BN_FLG_CONSTTIME flag
*/
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- local_p = p = BN_new();
- if (p == NULL)
- goto err;
- BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
-
- local_q = q = BN_new();
- if (q == NULL) {
- BN_free(local_p);
- goto err;
- }
- BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
- } else {
- p = rsa->p;
- q = rsa->q;
+ if (p == NULL || q == NULL) {
+ BN_free(p);
+ BN_free(q);
+ goto err;
}
+ BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
+ BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) {
if (!BN_MONT_CTX_set_locked
(&rsa->_method_mod_p, rsa->lock, p, ctx)
|| !BN_MONT_CTX_set_locked(&rsa->_method_mod_q,
rsa->lock, q, ctx)) {
- BN_free(local_p);
- BN_free(local_q);
+ BN_free(p);
+ BN_free(q);
goto err;
}
}
/*
- * We MUST free local_p and local_q before any further use of rsa->p and
- * rsa->q
+ * We MUST free p and q before any further use of rsa->p and rsa->q
*/
- BN_free(local_p);
- BN_free(local_q);
+ BN_free(p);
+ BN_free(q);
}
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
/* compute I mod q */
{
- BIGNUM *local_c = NULL;
- const BIGNUM *c;
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- local_c = BN_new();
- if (local_c == NULL)
- goto err;
- BN_with_flags(local_c, I, BN_FLG_CONSTTIME);
- c = local_c;
- } else {
- c = I;
- }
+ BIGNUM *c = BN_new();
+ if (c == NULL)
+ goto err;
+ BN_with_flags(c, I, BN_FLG_CONSTTIME);
+
if (!BN_mod(r1, c, rsa->q, ctx)) {
- BN_free(local_c);
+ BN_free(c);
goto err;
}
{
- BIGNUM *local_dmq1 = NULL, *dmq1;
- /* compute r1^dmq1 mod q */
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- dmq1 = local_dmq1 = BN_new();
- if (local_dmq1 == NULL) {
- BN_free(local_c);
- goto err;
- }
- BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
- } else {
- dmq1 = rsa->dmq1;
+ BIGNUM *dmq1 = BN_new();
+ if (dmq1 == NULL) {
+ BN_free(c);
+ goto err;
}
+ BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
+
+ /* compute r1^dmq1 mod q */
if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx,
rsa->_method_mod_q)) {
- BN_free(local_c);
- BN_free(local_dmq1);
+ BN_free(c);
+ BN_free(dmq1);
goto err;
}
- /* We MUST free local_dmq1 before any further use of rsa->dmq1 */
- BN_free(local_dmq1);
+ /* We MUST free dmq1 before any further use of rsa->dmq1 */
+ BN_free(dmq1);
}
/* compute I mod p */
if (!BN_mod(r1, c, rsa->p, ctx)) {
- BN_free(local_c);
+ BN_free(c);
goto err;
}
- /* We MUST free local_c before any further use of I */
- BN_free(local_c);
+ /* We MUST free c before any further use of I */
+ BN_free(c);
}
{
- BIGNUM *local_dmp1 = NULL, *dmp1;
+ BIGNUM *dmp1 = BN_new();
+ if (dmp1 == NULL)
+ goto err;
+ BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
+
/* compute r1^dmp1 mod p */
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- dmp1 = local_dmp1 = BN_new();
- if (local_dmp1 == NULL)
- goto err;
- BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
- } else {
- dmp1 = rsa->dmp1;
- }
if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p, ctx,
rsa->_method_mod_p)) {
- BN_free(local_dmp1);
+ BN_free(dmp1);
goto err;
}
- /* We MUST free local_dmp1 before any further use of rsa->dmp1 */
- BN_free(local_dmp1);
+ /* We MUST free dmp1 before any further use of rsa->dmp1 */
+ BN_free(dmp1);
}
if (!BN_sub(r0, r0, m1))
goto err;
{
- BIGNUM *local_r1 = NULL, *pr1;
- /* Turn BN_FLG_CONSTTIME flag on before division operation */
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- pr1 = local_r1 = BN_new();
- if (local_r1 == NULL)
- goto err;
- BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
- } else {
- pr1 = r1;
- }
+ BIGNUM *pr1 = BN_new();
+ if (pr1 == NULL)
+ goto err;
+ BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
+
if (!BN_mod(r0, pr1, rsa->p, ctx)) {
- BN_free(local_r1);
+ BN_free(pr1);
goto err;
}
- /* We MUST free local_r1 before any further use of r1 */
- BN_free(local_r1);
+ /* We MUST free pr1 before any further use of r1 */
+ BN_free(pr1);
}
/*
* return that instead.
*/
- BIGNUM *local_d = NULL;
- BIGNUM *d = NULL;
+ BIGNUM *d = BN_new();
+ if (d == NULL)
+ goto err;
+ BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- local_d = d = BN_new();
- if (d == NULL)
- goto err;
- BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
- } else {
- d = rsa->d;
- }
if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx,
rsa->_method_mod_n)) {
- BN_free(local_d);
+ BN_free(d);
goto err;
}
- /* We MUST free local_d before any further use of rsa->d */
- BN_free(local_d);
+ /* We MUST free d before any further use of rsa->d */
+ BN_free(d);
}
}
ret = 1;
# define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024
# define DH_FLAG_CACHE_MONT_P 0x01
-# define DH_FLAG_NO_EXP_CONSTTIME 0x02
+
+# if OPENSSL_API_COMPAT < 0x10100000L
+/*
+ * Does nothing. Previously this switched off constant time behaviour.
+ */
+# define DH_FLAG_NO_EXP_CONSTTIME 0x00
+# endif
/*
* If this flag is set the DH method is FIPS compliant and can be used in
# define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS 1024
# define DSA_FLAG_CACHE_MONT_P 0x01
+# if OPENSSL_API_COMPAT < 0x10100000L
/*
- * new with 0.9.7h; the built-in DSA implementation now uses constant time
- * modular exponentiation for secret exponents by default. This flag causes
- * the faster variable sliding window method to be used for all exponents.
+ * Does nothing. Previously this switched off constant time behaviour.
*/
-# define DSA_FLAG_NO_EXP_CONSTTIME 0x02
+# define DSA_FLAG_NO_EXP_CONSTTIME 0x00
+# endif
/*
* If this flag is set the DSA method is FIPS compliant and can be used in
* but other engines might not need it
*/
# define RSA_FLAG_NO_BLINDING 0x0080
+# if OPENSSL_API_COMPAT < 0x10100000L
/*
- * new with 0.9.8f; the built-in RSA
- * implementation now uses constant time
- * operations by default in private key operations,
- * e.g., constant time modular exponentiation,
- * modular inverse without leaking branches,
- * division without leaking branches. This
- * flag disables these constant time
- * operations and results in faster RSA
- * private key operations.
+ * Does nothing. Previously this switched off constant time behaviour.
*/
-# define RSA_FLAG_NO_CONSTTIME 0x0100
+# define RSA_FLAG_NO_CONSTTIME 0x0000
+# endif
# if OPENSSL_API_COMPAT < 0x00908000L
/* deprecated name for the flag*/
/*
goto err;
bp = bg = NULL;
- /* Set a to run with normal modexp and b to use constant time */
- DH_clear_flags(a, DH_FLAG_NO_EXP_CONSTTIME);
- DH_set_flags(b, DH_FLAG_NO_EXP_CONSTTIME);
-
if (!DH_generate_key(a))
goto err;
DH_get0_key(a, &apub_key, &priv_key);
goto end;
}
- DSA_set_flags(dsa, DSA_FLAG_NO_EXP_CONSTTIME);
- DSA_generate_key(dsa);
- DSA_sign(0, str1, 20, sig, &siglen, dsa);
- if (DSA_verify(0, str1, 20, sig, siglen, dsa) == 1)
- ret = 1;
-
- DSA_clear_flags(dsa, DSA_FLAG_NO_EXP_CONSTTIME);
DSA_generate_key(dsa);
DSA_sign(0, str1, 20, sig, &siglen, dsa);
if (DSA_verify(0, str1, 20, sig, siglen, dsa) == 1)
plen = sizeof(ptext_ex) - 1;
- for (v = 0; v < 6; v++) {
+ for (v = 0; v < 3; v++) {
key = RSA_new();
- switch (v % 3) {
+ switch (v) {
case 0:
clen = key1(key, ctext_ex);
break;
clen = key3(key, ctext_ex);
break;
}
- if (v / 3 >= 1)
- RSA_set_flags(key, RSA_FLAG_NO_CONSTTIME);
num = RSA_public_encrypt(plen, ptext_ex, ctext, key,
RSA_PKCS1_PADDING);
projects / openssl.git / commitdiff