Implement fixed-window exponentiation to mitigate hyper-threading

timing attacks. BN_FLG_EXP_CONSTTIME requests this algorithm, and this done by default for RSA/DSA/DH private key computations unless RSA_FLAG_NO_EXP_CONSTTIME/DSA_FLAG_NO_EXP_CONSTTIME/ DH_FLAG_NO_EXP_CONSTTIME is set. Submitted by: Matthew D Wood Reviewed by: Bodo Moeller
2005-05-16 01:26:08 +00:00
parent 64c32bf9eb
commit ecb1445ce2
20 changed files with 598 additions and 33 deletions
--- a/crypto/dsa/dsa.h
+++ b/crypto/dsa/dsa.h
@@ -80,6 +80,13 @@
 #endif

 #define DSA_FLAG_CACHE_MONT_P	0x01
+#define DSA_FLAG_NO_EXP_CONSTTIME       0x02 /* new with 0.9.7h; the built-in DSA
+                                              * implementation now uses constant time
+                                              * modular exponentiation for secret exponents
+                                              * by default. This flag causes the
+                                              * faster variable sliding window method to
+                                              * be used for all exponents.
+                                              */

 #if defined(OPENSSL_FIPS)
 #define FIPS_DSA_SIZE_T	int