From 5584f65a1027b06fe0cfc4be28d1a232cf180e42 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Thu, 26 May 2016 10:55:11 +0100 Subject: [PATCH 1/1] Deprecate the flags that switch off constant time The flags RSA_FLAG_NO_CONSTTIME, DSA_FLAG_NO_EXP_CONSTTIME and DH_FLAG_NO_EXP_CONSTTIME which previously provided the ability to switch off the constant time implementation for RSA, DSA and DH have been made no-ops and deprecated. Reviewed-by: Richard Levitte --- CHANGES | 6 ++ crypto/dh/dh_key.c | 35 ++------ crypto/dsa/dsa_key.c | 20 ++--- crypto/dsa/dsa_ossl.c | 38 ++++---- crypto/rsa/rsa_crpt.c | 21 ++--- crypto/rsa/rsa_gen.c | 61 ++++++------- crypto/rsa/rsa_ossl.c | 196 ++++++++++++++++-------------------------- include/openssl/dh.h | 8 +- include/openssl/dsa.h | 8 +- include/openssl/rsa.h | 14 +-- test/dhtest.c | 4 - test/dsatest.c | 7 -- test/rsa_test.c | 6 +- 13 files changed, 160 insertions(+), 264 deletions(-) diff --git a/CHANGES b/CHANGES index c64d677582..792f602d76 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,12 @@ Changes between 1.0.2h and 1.1.0 [xx XXX 2016] + *) The flags RSA_FLAG_NO_CONSTTIME, DSA_FLAG_NO_EXP_CONSTTIME and + DH_FLAG_NO_EXP_CONSTTIME which previously provided the ability to switch + off the constant time implementation for RSA, DSA and DH have been made + no-ops and deprecated. + [Matt Caswell] + *) Windows RAND implementation was simplified to only get entropy by calling CryptGenRandom(). Various other RAND-related tickets were also closed. diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c index 9b79f394fc..1644003bd9 100644 --- a/crypto/dh/dh_key.c +++ b/crypto/dh/dh_key.c @@ -113,24 +113,18 @@ static int generate_key(DH *dh) } { - BIGNUM *local_prk = NULL; - BIGNUM *prk; + BIGNUM *prk = BN_new(); - if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) { - local_prk = prk = BN_new(); - if (local_prk == NULL) - goto err; - BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME); - } else { - prk = priv_key; - } + if (prk == NULL) + goto err; + BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME); if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, prk, dh->p, ctx, mont)) { - BN_free(local_prk); + BN_free(prk); goto err; } - /* We MUST free local_prk before any further use of priv_key */ - BN_free(local_prk); + /* We MUST free prk before any further use of priv_key */ + BN_free(prk); } dh->pub_key = pub_key; @@ -175,10 +169,7 @@ static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) if (dh->flags & DH_FLAG_CACHE_MONT_P) { mont = BN_MONT_CTX_set_locked(&dh->method_mont_p, dh->lock, dh->p, ctx); - if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) { - /* XXX */ - BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME); - } + BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME); if (!mont) goto err; } @@ -207,15 +198,7 @@ static int dh_bn_mod_exp(const DH *dh, BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx) { - /* - * If a is only one word long and constant time is false, use the faster - * exponentiation function. - */ - if (bn_get_top(a) == 1 && ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) != 0)) { - BN_ULONG A = bn_get_words(a)[0]; - return BN_mod_exp_mont_word(r, A, p, m, ctx, m_ctx); - } else - return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx); + return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx); } static int dh_init(DH *dh) diff --git a/crypto/dsa/dsa_key.c b/crypto/dsa/dsa_key.c index 2bb84543d6..aa5d42ce17 100644 --- a/crypto/dsa/dsa_key.c +++ b/crypto/dsa/dsa_key.c @@ -50,24 +50,18 @@ static int dsa_builtin_keygen(DSA *dsa) pub_key = dsa->pub_key; { - BIGNUM *local_prk = NULL; - BIGNUM *prk; + BIGNUM *prk = BN_new(); - if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) { - local_prk = prk = BN_new(); - if (local_prk == NULL) - goto err; - BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME); - } else { - prk = priv_key; - } + if (prk == NULL) + goto err; + BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME); if (!BN_mod_exp(pub_key, dsa->g, prk, dsa->p, ctx)) { - BN_free(local_prk); + BN_free(prk); goto err; } - /* We MUST free local_prk before any further use of priv_key */ - BN_free(local_prk); + /* We MUST free prk before any further use of priv_key */ + BN_free(prk); } dsa->priv_key = priv_key; diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c index 2bc1887a98..ea09afd953 100644 --- a/crypto/dsa/dsa_ossl.c +++ b/crypto/dsa/dsa_ossl.c @@ -135,7 +135,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, const unsigned char *dgst, int dlen) { BN_CTX *ctx = NULL; - BIGNUM *k, *kq, *K, *kinv = NULL, *r = *rp; + BIGNUM *k, *kq, *kinv = NULL, *r = *rp; int ret = 0; if (!dsa->p || !dsa->q || !dsa->g) { @@ -176,39 +176,31 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, /* Compute r = (g^k mod p) mod q */ - if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) { - if (!BN_copy(kq, k)) - goto err; + if (!BN_copy(kq, k)) + goto err; - /* - * We do not want timing information to leak the length of k, so we - * compute g^k using an equivalent exponent of fixed length. (This - * is a kludge that we need because the BN_mod_exp_mont() does not - * let us specify the desired timing behaviour.) - */ + /* + * We do not want timing information to leak the length of k, so we + * compute g^k using an equivalent exponent of fixed length. (This + * is a kludge that we need because the BN_mod_exp_mont() does not + * let us specify the desired timing behaviour.) + */ + if (!BN_add(kq, kq, dsa->q)) + goto err; + if (BN_num_bits(kq) <= BN_num_bits(dsa->q)) { if (!BN_add(kq, kq, dsa->q)) goto err; - if (BN_num_bits(kq) <= BN_num_bits(dsa->q)) { - if (!BN_add(kq, kq, dsa->q)) - goto err; - } - - K = kq; - } else { - K = k; } - if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) { - BN_set_flags(K, BN_FLG_CONSTTIME); - } + BN_set_flags(kq, BN_FLG_CONSTTIME); if ((dsa)->meth->bn_mod_exp != NULL) { - if (!dsa->meth->bn_mod_exp(dsa, r, dsa->g, K, dsa->p, ctx, + if (!dsa->meth->bn_mod_exp(dsa, r, dsa->g, kq, dsa->p, ctx, dsa->method_mont_p)) goto err; } else { - if (!BN_mod_exp_mont(r, dsa->g, K, dsa->p, ctx, dsa->method_mont_p)) + if (!BN_mod_exp_mont(r, dsa->g, kq, dsa->p, ctx, dsa->method_mont_p)) goto err; } diff --git a/crypto/rsa/rsa_crpt.c b/crypto/rsa/rsa_crpt.c index aca085acbb..9cd733b2c3 100644 --- a/crypto/rsa/rsa_crpt.c +++ b/crypto/rsa/rsa_crpt.c @@ -147,23 +147,18 @@ BN_BLINDING *RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx) } { - BIGNUM *local_n = NULL, *n; - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { - /* Set BN_FLG_CONSTTIME flag */ - local_n = n = BN_new(); - if (local_n == NULL) { - RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_MALLOC_FAILURE); - goto err; - } - BN_with_flags(n, rsa->n, BN_FLG_CONSTTIME); - } else { - n = rsa->n; + BIGNUM *n = BN_new(); + + if (n == NULL) { + RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_MALLOC_FAILURE); + goto err; } + BN_with_flags(n, rsa->n, BN_FLG_CONSTTIME); ret = BN_BLINDING_create_param(NULL, e, n, ctx, rsa->meth->bn_mod_exp, rsa->_method_mod_n); - /* We MUST free local_n before any further use of rsa->n */ - BN_free(local_n); + /* We MUST free n before any further use of rsa->n */ + BN_free(n); } if (ret == NULL) { RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_BN_LIB); diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c index b25d76e55c..5c6b6192e6 100644 --- a/crypto/rsa/rsa_gen.c +++ b/crypto/rsa/rsa_gen.c @@ -137,64 +137,51 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, if (!BN_mul(r0, r1, r2, ctx)) goto err; /* (p-1)(q-1) */ { - BIGNUM *local_r0 = NULL, *pr0; - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { - pr0 = local_r0 = BN_new(); - if (local_r0 == NULL) - goto err; - BN_with_flags(pr0, r0, BN_FLG_CONSTTIME); - } else { - pr0 = r0; - } + BIGNUM *pr0 = BN_new(); + + if (pr0 == NULL) + goto err; + BN_with_flags(pr0, r0, BN_FLG_CONSTTIME); if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx)) { - BN_free(local_r0); + BN_free(pr0); goto err; /* d */ } - /* We MUST free local_r0 before any further use of r0 */ - BN_free(local_r0); + /* We MUST free pr0 before any further use of r0 */ + BN_free(pr0); } { - BIGNUM *local_d = NULL, *d; - /* set up d for correct BN_FLG_CONSTTIME flag */ - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { - d = local_d = BN_new(); - if (local_d == NULL) - goto err; - BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); - } else { - d = rsa->d; - } + BIGNUM *d = BN_new(); + + if (d == NULL) + goto err; + BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); if ( /* calculate d mod (p-1) */ !BN_mod(rsa->dmp1, d, r1, ctx) /* calculate d mod (q-1) */ || !BN_mod(rsa->dmq1, d, r2, ctx)) { - BN_free(local_d); + BN_free(d); goto err; } - /* We MUST free local_d before any further use of rsa->d */ - BN_free(local_d); + /* We MUST free d before any further use of rsa->d */ + BN_free(d); } { - BIGNUM *local_p = NULL, *p; + BIGNUM *p = BN_new(); + + if (p == NULL) + goto err; + BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME); /* calculate inverse of q mod p */ - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { - p = local_p = BN_new(); - if (local_p == NULL) - goto err; - BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME); - } else { - p = rsa->p; - } if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx)) { - BN_free(local_p); + BN_free(p); goto err; } - /* We MUST free local_p before any further use of rsa->p */ - BN_free(local_p); + /* We MUST free p before any further use of rsa->p */ + BN_free(p); } ok = 1; diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c index 1aeaae929f..d8af92dc6c 100644 --- a/crypto/rsa/rsa_ossl.c +++ b/crypto/rsa/rsa_ossl.c @@ -300,33 +300,27 @@ static int rsa_ossl_private_encrypt(int flen, const unsigned char *from, if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) goto err; } else { - BIGNUM *d = NULL, *local_d = NULL; - - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { - local_d = d = BN_new(); - if (d == NULL) { - RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE); - goto err; - } - BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); - } else { - d = rsa->d; + BIGNUM *d = BN_new(); + if (d == NULL) { + RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE); + goto err; } + BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) if (!BN_MONT_CTX_set_locked (&rsa->_method_mod_n, rsa->lock, rsa->n, ctx)) { - BN_free(local_d); + BN_free(d); goto err; } if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx, rsa->_method_mod_n)) { - BN_free(local_d); + BN_free(d); goto err; } - /* We MUST free local_d before any further use of rsa->d */ - BN_free(local_d); + /* We MUST free d before any further use of rsa->d */ + BN_free(d); } if (blinding) @@ -434,32 +428,26 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) goto err; } else { - BIGNUM *d = NULL, *local_d = NULL; - - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { - local_d = d = BN_new(); - if (d == NULL) { - RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE); - goto err; - } - BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); - } else { - d = rsa->d; + BIGNUM *d = BN_new(); + if (d == NULL) { + RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE); + goto err; } + BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) if (!BN_MONT_CTX_set_locked (&rsa->_method_mod_n, rsa->lock, rsa->n, ctx)) { - BN_free(local_d); + BN_free(d); goto err; } if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx, rsa->_method_mod_n)) { - BN_free(local_d); + BN_free(d); goto err; } - /* We MUST free local_d before any further use of rsa->d */ - BN_free(local_d); + /* We MUST free d before any further use of rsa->d */ + BN_free(d); } if (blinding) @@ -608,46 +596,35 @@ static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) vrfy = BN_CTX_get(ctx); { - BIGNUM *local_p = NULL, *local_q = NULL; - BIGNUM *p = NULL, *q = NULL; + BIGNUM *p = BN_new(), *q = BN_new(); /* * Make sure BN_mod_inverse in Montgomery initialization uses the - * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set) + * BN_FLG_CONSTTIME flag */ - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { - local_p = p = BN_new(); - if (p == NULL) - goto err; - BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME); - - local_q = q = BN_new(); - if (q == NULL) { - BN_free(local_p); - goto err; - } - BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME); - } else { - p = rsa->p; - q = rsa->q; + if (p == NULL || q == NULL) { + BN_free(p); + BN_free(q); + goto err; } + BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME); + BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME); if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) { if (!BN_MONT_CTX_set_locked (&rsa->_method_mod_p, rsa->lock, p, ctx) || !BN_MONT_CTX_set_locked(&rsa->_method_mod_q, rsa->lock, q, ctx)) { - BN_free(local_p); - BN_free(local_q); + BN_free(p); + BN_free(q); goto err; } } /* - * We MUST free local_p and local_q before any further use of rsa->p and - * rsa->q + * We MUST free p and q before any further use of rsa->p and rsa->q */ - BN_free(local_p); - BN_free(local_q); + BN_free(p); + BN_free(q); } if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) @@ -657,72 +634,58 @@ static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) /* compute I mod q */ { - BIGNUM *local_c = NULL; - const BIGNUM *c; - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { - local_c = BN_new(); - if (local_c == NULL) - goto err; - BN_with_flags(local_c, I, BN_FLG_CONSTTIME); - c = local_c; - } else { - c = I; - } + BIGNUM *c = BN_new(); + if (c == NULL) + goto err; + BN_with_flags(c, I, BN_FLG_CONSTTIME); + if (!BN_mod(r1, c, rsa->q, ctx)) { - BN_free(local_c); + BN_free(c); goto err; } { - BIGNUM *local_dmq1 = NULL, *dmq1; - /* compute r1^dmq1 mod q */ - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { - dmq1 = local_dmq1 = BN_new(); - if (local_dmq1 == NULL) { - BN_free(local_c); - goto err; - } - BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME); - } else { - dmq1 = rsa->dmq1; + BIGNUM *dmq1 = BN_new(); + if (dmq1 == NULL) { + BN_free(c); + goto err; } + BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME); + + /* compute r1^dmq1 mod q */ if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx, rsa->_method_mod_q)) { - BN_free(local_c); - BN_free(local_dmq1); + BN_free(c); + BN_free(dmq1); goto err; } - /* We MUST free local_dmq1 before any further use of rsa->dmq1 */ - BN_free(local_dmq1); + /* We MUST free dmq1 before any further use of rsa->dmq1 */ + BN_free(dmq1); } /* compute I mod p */ if (!BN_mod(r1, c, rsa->p, ctx)) { - BN_free(local_c); + BN_free(c); goto err; } - /* We MUST free local_c before any further use of I */ - BN_free(local_c); + /* We MUST free c before any further use of I */ + BN_free(c); } { - BIGNUM *local_dmp1 = NULL, *dmp1; + BIGNUM *dmp1 = BN_new(); + if (dmp1 == NULL) + goto err; + BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME); + /* compute r1^dmp1 mod p */ - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { - dmp1 = local_dmp1 = BN_new(); - if (local_dmp1 == NULL) - goto err; - BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME); - } else { - dmp1 = rsa->dmp1; - } if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p, ctx, rsa->_method_mod_p)) { - BN_free(local_dmp1); + BN_free(dmp1); goto err; } - /* We MUST free local_dmp1 before any further use of rsa->dmp1 */ - BN_free(local_dmp1); + /* We MUST free dmp1 before any further use of rsa->dmp1 */ + BN_free(dmp1); } if (!BN_sub(r0, r0, m1)) @@ -739,22 +702,17 @@ static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) goto err; { - BIGNUM *local_r1 = NULL, *pr1; - /* Turn BN_FLG_CONSTTIME flag on before division operation */ - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { - pr1 = local_r1 = BN_new(); - if (local_r1 == NULL) - goto err; - BN_with_flags(pr1, r1, BN_FLG_CONSTTIME); - } else { - pr1 = r1; - } + BIGNUM *pr1 = BN_new(); + if (pr1 == NULL) + goto err; + BN_with_flags(pr1, r1, BN_FLG_CONSTTIME); + if (!BN_mod(r0, pr1, rsa->p, ctx)) { - BN_free(local_r1); + BN_free(pr1); goto err; } - /* We MUST free local_r1 before any further use of r1 */ - BN_free(local_r1); + /* We MUST free pr1 before any further use of r1 */ + BN_free(pr1); } /* @@ -796,24 +754,18 @@ static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) * return that instead. */ - BIGNUM *local_d = NULL; - BIGNUM *d = NULL; + BIGNUM *d = BN_new(); + if (d == NULL) + goto err; + BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { - local_d = d = BN_new(); - if (d == NULL) - goto err; - BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); - } else { - d = rsa->d; - } if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx, rsa->_method_mod_n)) { - BN_free(local_d); + BN_free(d); goto err; } - /* We MUST free local_d before any further use of rsa->d */ - BN_free(local_d); + /* We MUST free d before any further use of rsa->d */ + BN_free(d); } } ret = 1; diff --git a/include/openssl/dh.h b/include/openssl/dh.h index beb0f9f80c..2eb596d2ba 100644 --- a/include/openssl/dh.h +++ b/include/openssl/dh.h @@ -32,7 +32,13 @@ extern "C" { # define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024 # define DH_FLAG_CACHE_MONT_P 0x01 -# define DH_FLAG_NO_EXP_CONSTTIME 0x02 + +# if OPENSSL_API_COMPAT < 0x10100000L +/* + * Does nothing. Previously this switched off constant time behaviour. + */ +# define DH_FLAG_NO_EXP_CONSTTIME 0x00 +# endif /* * If this flag is set the DH method is FIPS compliant and can be used in diff --git a/include/openssl/dsa.h b/include/openssl/dsa.h index f65ee5d0c8..48d2b56ee9 100644 --- a/include/openssl/dsa.h +++ b/include/openssl/dsa.h @@ -38,12 +38,12 @@ extern "C" { # define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS 1024 # define DSA_FLAG_CACHE_MONT_P 0x01 +# if OPENSSL_API_COMPAT < 0x10100000L /* - * new with 0.9.7h; the built-in DSA implementation now uses constant time - * modular exponentiation for secret exponents by default. This flag causes - * the faster variable sliding window method to be used for all exponents. + * Does nothing. Previously this switched off constant time behaviour. */ -# define DSA_FLAG_NO_EXP_CONSTTIME 0x02 +# define DSA_FLAG_NO_EXP_CONSTTIME 0x00 +# endif /* * If this flag is set the DSA method is FIPS compliant and can be used in diff --git a/include/openssl/rsa.h b/include/openssl/rsa.h index 6a680582ec..4b82081d93 100644 --- a/include/openssl/rsa.h +++ b/include/openssl/rsa.h @@ -66,18 +66,12 @@ extern "C" { * but other engines might not need it */ # define RSA_FLAG_NO_BLINDING 0x0080 +# if OPENSSL_API_COMPAT < 0x10100000L /* - * new with 0.9.8f; the built-in RSA - * implementation now uses constant time - * operations by default in private key operations, - * e.g., constant time modular exponentiation, - * modular inverse without leaking branches, - * division without leaking branches. This - * flag disables these constant time - * operations and results in faster RSA - * private key operations. + * Does nothing. Previously this switched off constant time behaviour. */ -# define RSA_FLAG_NO_CONSTTIME 0x0100 +# define RSA_FLAG_NO_CONSTTIME 0x0000 +# endif # if OPENSSL_API_COMPAT < 0x00908000L /* deprecated name for the flag*/ /* diff --git a/test/dhtest.c b/test/dhtest.c index c0551d5a3f..1dc395b44e 100644 --- a/test/dhtest.c +++ b/test/dhtest.c @@ -95,10 +95,6 @@ int main(int argc, char *argv[]) goto err; bp = bg = NULL; - /* Set a to run with normal modexp and b to use constant time */ - DH_clear_flags(a, DH_FLAG_NO_EXP_CONSTTIME); - DH_set_flags(b, DH_FLAG_NO_EXP_CONSTTIME); - if (!DH_generate_key(a)) goto err; DH_get0_key(a, &apub_key, &priv_key); diff --git a/test/dsatest.c b/test/dsatest.c index c64a91138c..b99c467e17 100644 --- a/test/dsatest.c +++ b/test/dsatest.c @@ -147,13 +147,6 @@ int main(int argc, char **argv) goto end; } - DSA_set_flags(dsa, DSA_FLAG_NO_EXP_CONSTTIME); - DSA_generate_key(dsa); - DSA_sign(0, str1, 20, sig, &siglen, dsa); - if (DSA_verify(0, str1, 20, sig, siglen, dsa) == 1) - ret = 1; - - DSA_clear_flags(dsa, DSA_FLAG_NO_EXP_CONSTTIME); DSA_generate_key(dsa); DSA_sign(0, str1, 20, sig, &siglen, dsa); if (DSA_verify(0, str1, 20, sig, siglen, dsa) == 1) diff --git a/test/rsa_test.c b/test/rsa_test.c index c8e68db83b..7d06394c6c 100644 --- a/test/rsa_test.c +++ b/test/rsa_test.c @@ -241,9 +241,9 @@ int main(int argc, char *argv[]) plen = sizeof(ptext_ex) - 1; - for (v = 0; v < 6; v++) { + for (v = 0; v < 3; v++) { key = RSA_new(); - switch (v % 3) { + switch (v) { case 0: clen = key1(key, ctext_ex); break; @@ -254,8 +254,6 @@ int main(int argc, char *argv[]) clen = key3(key, ctext_ex); break; } - if (v / 3 >= 1) - RSA_set_flags(key, RSA_FLAG_NO_CONSTTIME); num = RSA_public_encrypt(plen, ptext_ex, ctext, key, RSA_PKCS1_PADDING); -- 2.34.1