Replaced variable-time GCD with consttime inversion to avoid side-channel attacks...

author Samuel Weiser <samuel.weiser@iaik.tugraz.at>

Tue, 5 Dec 2017 14:55:17 +0000 (15:55 +0100)

committer Matt Caswell <matt@openssl.org>

Wed, 21 Mar 2018 17:36:40 +0000 (17:36 +0000)
author Samuel Weiser <samuel.weiser@iaik.tugraz.at>
Tue, 5 Dec 2017 14:55:17 +0000 (15:55 +0100)
committer Matt Caswell <matt@openssl.org>
Wed, 21 Mar 2018 17:36:40 +0000 (17:36 +0000)
diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c

index 4ced965519caeafe0a4acd62d37ae6cf9c390ba0..a287ed73856247b5d10801d8427d9accb525949d 100644 (file)
--- a/crypto/rsa/rsa_gen.c
+++ b/crypto/rsa/rsa_gen.c
@@ -42,6 +42,7 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
      BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp;
      int bitsp, bitsq, ok = -1, n = 0;
      BN_CTX *ctx = NULL;
+    unsigned long error = 0;
  
      /*
       * When generating ridiculously small keys, we can get stuck
@@ -88,16 +89,25 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
      if (BN_copy(rsa->e, e_value) == NULL)
          goto err;
  
+    BN_set_flags(rsa->e, BN_FLG_CONSTTIME);
      /* generate p and q */
      for (;;) {
          if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb))
              goto err;
          if (!BN_sub(r2, rsa->p, BN_value_one()))
              goto err;
-        if (!BN_gcd(r1, r2, rsa->e, ctx))
-            goto err;
-        if (BN_is_one(r1))
+        if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) {
+            /* GCD == 1 since inverse exists */
              break;
+        }
+        error = ERR_peek_last_error();
+        if (ERR_GET_LIB(error) == ERR_LIB_BN
+            && ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
+            /* GCD != 1 */
+            ERR_clear_error();
+        } else {
+            goto err;
+        }
          if (!BN_GENCB_call(cb, 2, n++))
              goto err;
      }
@@ -110,10 +120,18 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
          } while (BN_cmp(rsa->p, rsa->q) == 0);
          if (!BN_sub(r2, rsa->q, BN_value_one()))
              goto err;
-        if (!BN_gcd(r1, r2, rsa->e, ctx))
-            goto err;
-        if (BN_is_one(r1))
+        if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) {
+            /* GCD == 1 since inverse exists */
              break;
+        }
+        error = ERR_peek_last_error();
+        if (ERR_GET_LIB(error) == ERR_LIB_BN
+            && ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
+            /* GCD != 1 */
+            ERR_clear_error();
+        } else {
+            goto err;
+        }
          if (!BN_GENCB_call(cb, 2, n++))
              goto err;
      }
author	Samuel Weiser <samuel.weiser@iaik.tugraz.at>
	Tue, 5 Dec 2017 14:55:17 +0000 (15:55 +0100)
committer	Matt Caswell <matt@openssl.org>
	Wed, 21 Mar 2018 17:36:40 +0000 (17:36 +0000)