Change to mitigate branch prediction attacks
Submitted by: Matthew D Wood Reviewed by: Bodo Moeller
@@ -429,11 +429,11 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
|
||||
BIGNUM local_d;
|
||||
BIGNUM *d = NULL;
|
||||
|
||||
if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME))
|
||||
if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
|
||||
{
|
||||
BN_init(&local_d);
|
||||
d = &local_d;
|
||||
BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME);
|
||||
BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
|
||||
}
|
||||
else
|
||||
d = rsa->d;
|
||||
@@ -551,10 +551,10 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
|
||||
BIGNUM local_d;
|
||||
BIGNUM *d = NULL;
|
||||
|
||||
if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME))
|
||||
if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
|
||||
{
|
||||
d = &local_d;
|
||||
BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME);
|
||||
BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
|
||||
}
|
||||
else
|
||||
d = rsa->d;
|
||||
@@ -715,8 +715,9 @@ err:
|
||||
static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
|
||||
{
|
||||
BIGNUM *r1,*m1,*vrfy;
|
||||
BIGNUM local_dmp1, local_dmq1;
|
||||
BIGNUM *dmp1, *dmq1;
|
||||
BIGNUM local_dmp1,local_dmq1,local_c,local_r1;
|
||||
BIGNUM *dmp1,*dmq1,*c,*pr1;
|
||||
int bn_flags;
|
||||
int ret=0;
|
||||
|
||||
BN_CTX_start(ctx);
|
||||
@@ -724,26 +725,72 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
|
||||
m1 = BN_CTX_get(ctx);
|
||||
vrfy = BN_CTX_get(ctx);
|
||||
|
||||
/* Make sure mod_inverse in montgomerey intialization use correct
|
||||
* BN_FLG_CONSTTIME flag.
|
||||
*/
|
||||
bn_flags = rsa->p->flags;
|
||||
if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
|
||||
{
|
||||
rsa->p->flags |= BN_FLG_CONSTTIME;
|
||||
}
|
||||
MONT_HELPER(rsa, ctx, p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
|
||||
/* We restore bn_flags back */
|
||||
rsa->p->flags = bn_flags;
|
||||
|
||||
/* Make sure mod_inverse in montgomerey intialization use correct
|
||||
* BN_FLG_CONSTTIME flag.
|
||||
*/
|
||||
bn_flags = rsa->q->flags;
|
||||
if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
|
||||
{
|
||||
rsa->q->flags |= BN_FLG_CONSTTIME;
|
||||
}
|
||||
MONT_HELPER(rsa, ctx, q, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
|
||||
/* We restore bn_flags back */
|
||||
rsa->q->flags = bn_flags;
|
||||
|
||||
MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
|
||||
|
||||
if (!BN_mod(r1,I,rsa->q,ctx)) goto err;
|
||||
if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME))
|
||||
/* compute I mod q */
|
||||
if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
|
||||
{
|
||||
c = &local_c;
|
||||
BN_with_flags(c, I, BN_FLG_CONSTTIME);
|
||||
if (!BN_mod(r1,c,rsa->q,ctx)) goto err;
|
||||
}
|
||||
else
|
||||
{
|
||||
if (!BN_mod(r1,I,rsa->q,ctx)) goto err;
|
||||
}
|
||||
|
||||
/* compute r1^dmq1 mod q */
|
||||
if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
|
||||
{
|
||||
dmq1 = &local_dmq1;
|
||||
BN_with_flags(dmq1, rsa->dmq1, BN_FLG_EXP_CONSTTIME);
|
||||
BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
|
||||
}
|
||||
else
|
||||
dmq1 = rsa->dmq1;
|
||||
if (!rsa->meth->bn_mod_exp(m1,r1,dmq1,rsa->q,ctx,
|
||||
rsa->_method_mod_q)) goto err;
|
||||
|
||||
if (!BN_mod(r1,I,rsa->p,ctx)) goto err;
|
||||
if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME))
|
||||
/* compute I mod p */
|
||||
if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
|
||||
{
|
||||
c = &local_c;
|
||||
BN_with_flags(c, I, BN_FLG_CONSTTIME);
|
||||
if (!BN_mod(r1,c,rsa->p,ctx)) goto err;
|
||||
}
|
||||
else
|
||||
{
|
||||
if (!BN_mod(r1,I,rsa->p,ctx)) goto err;
|
||||
}
|
||||
|
||||
/* compute r1^dmp1 mod p */
|
||||
if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
|
||||
{
|
||||
dmp1 = &local_dmp1;
|
||||
BN_with_flags(dmp1, rsa->dmp1, BN_FLG_EXP_CONSTTIME);
|
||||
BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
|
||||
}
|
||||
else
|
||||
dmp1 = rsa->dmp1;
|
||||
@@ -757,7 +804,17 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
|
||||
if (!BN_add(r0,r0,rsa->p)) goto err;
|
||||
|
||||
if (!BN_mul(r1,r0,rsa->iqmp,ctx)) goto err;
|
||||
if (!BN_mod(r0,r1,rsa->p,ctx)) goto err;
|
||||
|
||||
/* Turn BN_FLG_CONSTTIME flag on before division operation */
|
||||
if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
|
||||
{
|
||||
pr1 = &local_r1;
|
||||
BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
|
||||
}
|
||||
else
|
||||
pr1 = r1;
|
||||
if (!BN_mod(r0,pr1,rsa->p,ctx)) goto err;
|
||||
|
||||
/* If p < q it is occasionally possible for the correction of
|
||||
* adding 'p' if r0 is negative above to leave the result still
|
||||
* negative. This can break the private key operations: the following
|
||||
@@ -790,10 +847,10 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
|
||||
BIGNUM local_d;
|
||||
BIGNUM *d = NULL;
|
||||
|
||||
if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME))
|
||||
if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
|
||||
{
|
||||
d = &local_d;
|
||||
BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME);
|
||||
BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
|
||||
}
|
||||
else
|
||||
d = rsa->d;
|
||||
|
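Review bot: In the RSA_eay_mod_exp hunk (@@ -724,26 +725,72 @@) the restore `rsa->p->flags = bn_flags;` that follows `MONT_HELPER(rsa, ctx, p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);` is skipped when the helper takes its `goto err`, so on that path the caller's key object keeps BN_FLG_CONSTTIME set on `p` (the `q` block a few lines below has the same gap), and because the single `bn_flags` local is reused for both primes a restore placed at `err:` cannot tell which one was modified. Setting a bit in `rsa->p->flags` also writes to an object the caller owns and may share between threads, unlike the private `BN_with_flags` shadow copies the same hunk uses for `d`, `c`, `dmq1`, `dmp1` and `pr1`; if MONT_HELPER (not visible here) can operate on a shadow BIGNUM rather than the field name, passing such a copy would avoid mutating the key entirely, and if its last argument is a statement executed on failure, the minimal fix is to restore before jumping, e.g. `MONT_HELPER(rsa, ctx, p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, { rsa->p->flags = bn_flags; goto err; });` (and likewise for `q`), otherwise keep separate `p_flags`/`q_flags` locals and restore both at `err:`. The p and q blocks are otherwise identical copy-pastes, including the comment, which should read `/* Make sure mod_inverse in Montgomery initialization uses the correct BN_FLG_CONSTTIME flag. */`; a small static helper taking the prime and its flag word would remove the duplication. The body of RSA_eay_mod_exp, including the `err:` label, lies outside this hunk.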