diff options
| author |   beck <beck@openbsd.org> | 2017-01-21 09:38:58 +0000 |
|---|---|---|
| committer | beck <beck@openbsd.org> | 2017-01-21 09:38:58 +0000 |
| commit | 3a88f7af64c9d83ff2897421820b88bbc08b8c3c (patch) | |
| tree | 925330f9f107fcf6d76822e3c46c312356985e6e | |
| parent | whitespace (diff) | |
| download | wireguard-openbsd-3a88f7af64c9d83ff2897421820b88bbc08b8c3c.tar.xz wireguard-openbsd-3a88f7af64c9d83ff2897421820b88bbc08b8c3c.zip | |
Make explicit _ct and _nonct versions of bn_mod_exp funcitons that
matter for constant time, and make the public interface only used
external to the library.
This moves us to a model where the important things are constant time
versions unless you ask for them not to be, rather than the opposite.
I'll continue with this method by method.
Add regress tests for same.
ok jsing@
| -rw-r--r-- | lib/libcrypto/Makefile | 5 | ||||
| -rw-r--r-- | lib/libcrypto/bn/bn.h | 4 | ||||
| -rw-r--r-- | lib/libcrypto/bn/bn_blind.c | 4 | ||||
| -rw-r--r-- | lib/libcrypto/bn/bn_exp.c | 66 | ||||
| -rw-r--r-- | lib/libcrypto/bn/bn_lcl.h | 12 | ||||
| -rw-r--r-- | lib/libcrypto/bn/bn_prime.c | 4 | ||||
| -rw-r--r-- | lib/libcrypto/bn/bn_sqrt.c | 10 | ||||
| -rw-r--r-- | lib/libcrypto/dh/dh_key.c | 6 | ||||
| -rw-r--r-- | lib/libcrypto/dsa/dsa_ameth.c | 6 | ||||
| -rw-r--r-- | lib/libcrypto/dsa/dsa_gen.c | 5 | ||||
| -rw-r--r-- | lib/libcrypto/dsa/dsa_key.c | 5 | ||||
| -rw-r--r-- | lib/libcrypto/dsa/dsa_ossl.c | 6 | ||||
| -rw-r--r-- | lib/libcrypto/pem/pvkfmt.c | 6 | ||||
| -rw-r--r-- | lib/libcrypto/rsa/rsa_eay.c | 6 | ||||
| -rw-r--r-- | regress/lib/libcrypto/bn/general/Makefile | 4 | ||||
| -rw-r--r-- | regress/lib/libcrypto/bn/general/bntest.c | 81 | ||||
| -rw-r--r-- | regress/lib/libcrypto/bn/mont/Makefile | 4 | ||||
| -rw-r--r-- | regress/lib/libcrypto/exp/Makefile | 6 | ||||
| -rw-r--r-- | regress/lib/libcrypto/exp/exptest.c | 56 |
19 files changed, 249 insertions, 47 deletions
diff --git a/lib/libcrypto/Makefile b/lib/libcrypto/Makefile index 29b6669a12a..3fb904b470f 100644 --- a/lib/libcrypto/Makefile +++ b/lib/libcrypto/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.13 2016/12/21 15:49:29 jsing Exp $ +# $OpenBSD: Makefile,v 1.14 2017/01/21 09:38:58 beck Exp $ LIB= crypto @@ -24,7 +24,8 @@ CFLAGS+= -DLIBRESSL_INTERNAL CFLAGS+= -DOPENSSL_NO_HW_PADLOCK # XXX enable this? CFLAGS+= -I${LCRYPTO_SRC} -CFLAGS+= -I${LCRYPTO_SRC}/modes -I${LCRYPTO_SRC}/asn1 -I${LCRYPTO_SRC}/evp +CFLAGS+= -I${LCRYPTO_SRC}/asn1 -I${LCRYPTO_SRC}/bn -I${LCRYPTO_SRC}/evp +CFLAGS+= -I${LCRYPTO_SRC}/modes VERSION_SCRIPT= Symbols.map SYMBOL_LIST= ${.CURDIR}/Symbols.list diff --git a/lib/libcrypto/bn/bn.h b/lib/libcrypto/bn/bn.h index 5f8278faa8e..16ba8ae9810 100644 --- a/lib/libcrypto/bn/bn.h +++ b/lib/libcrypto/bn/bn.h @@ -1,4 +1,4 @@ -/* $OpenBSD: bn.h,v 1.32 2016/12/21 15:49:29 jsing Exp $ */ +/* $OpenBSD: bn.h,v 1.33 2017/01/21 09:38:58 beck Exp $ */ /* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -418,10 +418,12 @@ int BN_lshift(BIGNUM *r, const BIGNUM *a, int n); int BN_lshift1(BIGNUM *r, const BIGNUM *a); int BN_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx); +#ifndef LIBRESSL_INTERNAL int BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx); int BN_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); +#endif int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont); int BN_mod_exp_mont_word(BIGNUM *r, BN_ULONG a, const BIGNUM *p, diff --git a/lib/libcrypto/bn/bn_blind.c b/lib/libcrypto/bn/bn_blind.c index c842f76c6ff..01874f62080 100644 --- a/lib/libcrypto/bn/bn_blind.c +++ b/lib/libcrypto/bn/bn_blind.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bn_blind.c,v 1.14 2014/07/12 16:03:36 miod Exp $ */ +/* $OpenBSD: bn_blind.c,v 1.15 2017/01/21 09:38:58 beck Exp $ */ /* ==================================================================== * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. * @@ -372,7 +372,7 @@ BN_BLINDING_create_param(BN_BLINDING *b, const BIGNUM *e, BIGNUM *m, ctx, ret->m_ctx)) goto err; } else { - if (!BN_mod_exp(ret->A, ret->A, ret->e, ret->mod, ctx)) + if (!BN_mod_exp_ct(ret->A, ret->A, ret->e, ret->mod, ctx)) goto err; } diff --git a/lib/libcrypto/bn/bn_exp.c b/lib/libcrypto/bn/bn_exp.c index 83c62be25aa..ed4bc666bf2 100644 --- a/lib/libcrypto/bn/bn_exp.c +++ b/lib/libcrypto/bn/bn_exp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bn_exp.c,v 1.27 2017/01/21 04:34:16 beck Exp $ */ +/* $OpenBSD: bn_exp.c,v 1.28 2017/01/21 09:38:58 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -172,9 +172,9 @@ err: return (ret); } -int -BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, - BN_CTX *ctx) +static int +BN_mod_exp_internal(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, + BN_CTX *ctx, int ct) { int ret; @@ -213,12 +213,11 @@ BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, */ if (BN_is_odd(m)) { - if (a->top == 1 && !a->neg && - (BN_get_flags(p, BN_FLG_CONSTTIME) == 0)) { + if (a->top == 1 && !a->neg && !ct) { BN_ULONG A = a->d[0]; ret = BN_mod_exp_mont_word(r, A,p, m,ctx, NULL); } else - ret = BN_mod_exp_mont(r, a,p, m,ctx, NULL); + ret = BN_mod_exp_mont_ct(r, a,p, m,ctx, NULL); } else { ret = BN_mod_exp_recp(r, a,p, m, ctx); } @@ -228,6 +227,30 @@ BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, } int +BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, + BN_CTX *ctx) +{ + return BN_mod_exp_internal(r, a, p, m, ctx, + (BN_get_flags(p, BN_FLG_CONSTTIME) != 0)); +} + +int +BN_mod_exp_ct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, + BN_CTX *ctx) +{ + return BN_mod_exp_internal(r, a, p, m, ctx, 1); +} + + +int +BN_mod_exp_nonct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, + BN_CTX *ctx) +{ + return BN_mod_exp_internal(r, a, p, m, ctx, 0); +} + + +int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx) { @@ -361,9 +384,9 @@ err: return (ret); } -int -BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, - BN_CTX *ctx, BN_MONT_CTX *in_mont) +static int +BN_mod_exp_mont_internal(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, + BN_CTX *ctx, BN_MONT_CTX *in_mont, int ct) { int i, j, bits, ret = 0, wstart, wend, window, wvalue; int start = 1; @@ -373,7 +396,7 @@ BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BIGNUM *val[TABLE_SIZE]; BN_MONT_CTX *mont = NULL; - if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0) { + if (ct) { return BN_mod_exp_mont_consttime(rr, a, p, m, ctx, in_mont); } @@ -513,6 +536,27 @@ err: return (ret); } +int +BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, + BN_CTX *ctx, BN_MONT_CTX *in_mont) +{ + return BN_mod_exp_mont_internal(rr, a, p, m, ctx, in_mont, + (BN_get_flags(p, BN_FLG_CONSTTIME) != 0)); +} + +int +BN_mod_exp_mont_ct(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, + BN_CTX *ctx, BN_MONT_CTX *in_mont) +{ + return BN_mod_exp_mont_internal(rr, a, p, m, ctx, in_mont, 1); +} + +int +BN_mod_exp_mont_nonct(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, + BN_CTX *ctx, BN_MONT_CTX *in_mont) +{ + return BN_mod_exp_mont_internal(rr, a, p, m, ctx, in_mont, 0); +} /* BN_mod_exp_mont_consttime() stores the precomputed powers in a specific layout * so that accessing any of these table values shows the same access pattern as far diff --git a/lib/libcrypto/bn/bn_lcl.h b/lib/libcrypto/bn/bn_lcl.h index ca130a63cb2..f8ce4bdc513 100644 --- a/lib/libcrypto/bn/bn_lcl.h +++ b/lib/libcrypto/bn/bn_lcl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: bn_lcl.h,v 1.23 2016/12/21 15:49:29 jsing Exp $ */ +/* $OpenBSD: bn_lcl.h,v 1.24 2017/01/21 09:38:58 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -584,6 +584,16 @@ BN_ULONG bn_sub_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, int int BN_bntest_rand(BIGNUM *rnd, int bits, int top, int bottom); +/* Explicitly const time / non-const time versions for internal use */ +int BN_mod_exp_ct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, + const BIGNUM *m, BN_CTX *ctx); +int BN_mod_exp_nonct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, + const BIGNUM *m, BN_CTX *ctx); +int BN_mod_exp_mont_ct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, + const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); +int BN_mod_exp_mont_nonct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, + const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); + __END_HIDDEN_DECLS #endif diff --git a/lib/libcrypto/bn/bn_prime.c b/lib/libcrypto/bn/bn_prime.c index fb39756de24..b2f32684e4a 100644 --- a/lib/libcrypto/bn/bn_prime.c +++ b/lib/libcrypto/bn/bn_prime.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bn_prime.c,v 1.15 2016/07/05 02:54:35 bcook Exp $ */ +/* $OpenBSD: bn_prime.c,v 1.16 2017/01/21 09:38:58 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -369,7 +369,7 @@ static int witness(BIGNUM *w, const BIGNUM *a, const BIGNUM *a1, const BIGNUM *a1_odd, int k, BN_CTX *ctx, BN_MONT_CTX *mont) { - if (!BN_mod_exp_mont(w, w, a1_odd, a, ctx, mont)) + if (!BN_mod_exp_mont_ct(w, w, a1_odd, a, ctx, mont)) /* w := w^a1_odd mod a */ return -1; if (BN_is_one(w)) diff --git a/lib/libcrypto/bn/bn_sqrt.c b/lib/libcrypto/bn/bn_sqrt.c index e5231d2a952..5928dfc79de 100644 --- a/lib/libcrypto/bn/bn_sqrt.c +++ b/lib/libcrypto/bn/bn_sqrt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bn_sqrt.c,v 1.7 2016/11/08 01:40:22 guenther Exp $ */ +/* $OpenBSD: bn_sqrt.c,v 1.8 2017/01/21 09:38:58 beck Exp $ */ /* Written by Lenka Fibikova <fibikova@exp-math.uni-essen.de> * and Bodo Moeller for the OpenSSL project. */ /* ==================================================================== @@ -149,7 +149,7 @@ BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) q->neg = 0; if (!BN_add_word(q, 1)) goto end; - if (!BN_mod_exp(ret, A, q, p, ctx)) + if (!BN_mod_exp_ct(ret, A, q, p, ctx)) goto end; err = 0; goto vrfy; @@ -190,7 +190,7 @@ BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) if (!BN_rshift(q, p, 3)) goto end; q->neg = 0; - if (!BN_mod_exp(b, t, q, p, ctx)) + if (!BN_mod_exp_ct(b, t, q, p, ctx)) goto end; /* y := b^2 */ @@ -272,7 +272,7 @@ BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) /* Now that we have some non-square, we can find an element * of order 2^e by computing its q'th power. */ - if (!BN_mod_exp(y, y, q, p, ctx)) + if (!BN_mod_exp_ct(y, y, q, p, ctx)) goto end; if (BN_is_one(y)) { BNerr(BN_F_BN_MOD_SQRT, BN_R_P_IS_NOT_PRIME); @@ -314,7 +314,7 @@ BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) } else if (!BN_one(x)) goto end; } else { - if (!BN_mod_exp(x, A, t, p, ctx)) + if (!BN_mod_exp_ct(x, A, t, p, ctx)) goto end; if (BN_is_zero(x)) { /* special case: a == 0 (mod p) */ diff --git a/lib/libcrypto/dh/dh_key.c b/lib/libcrypto/dh/dh_key.c index 6eb1365bf64..5b365cdd06b 100644 --- a/lib/libcrypto/dh/dh_key.c +++ b/lib/libcrypto/dh/dh_key.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dh_key.c,v 1.25 2016/07/07 11:53:12 bcook Exp $ */ +/* $OpenBSD: dh_key.c,v 1.26 2017/01/21 09:38:58 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -62,6 +62,8 @@ #include <openssl/dh.h> #include <openssl/err.h> +#include "bn_lcl.h" + static int generate_key(DH *dh); static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh); static int dh_bn_mod_exp(const DH *dh, BIGNUM *r, const BIGNUM *a, @@ -233,7 +235,7 @@ static int dh_bn_mod_exp(const DH *dh, BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx) { - return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx); + return BN_mod_exp_mont_ct(r, a, p, m, ctx, m_ctx); } static int diff --git a/lib/libcrypto/dsa/dsa_ameth.c b/lib/libcrypto/dsa/dsa_ameth.c index 3e434701aaf..92ad02e1872 100644 --- a/lib/libcrypto/dsa/dsa_ameth.c +++ b/lib/libcrypto/dsa/dsa_ameth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dsa_ameth.c,v 1.20 2016/10/19 16:49:11 jsing Exp $ */ +/* $OpenBSD: dsa_ameth.c,v 1.21 2017/01/21 09:38:59 beck Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2006. */ @@ -66,8 +66,8 @@ #include <openssl/err.h> #include <openssl/x509.h> - #include "asn1_locl.h" +#include "bn_lcl.h" static int dsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey) @@ -224,7 +224,7 @@ dsa_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8) goto dsaerr; } - if (!BN_mod_exp(dsa->pub_key, dsa->g, dsa->priv_key, dsa->p, ctx)) { + if (!BN_mod_exp_ct(dsa->pub_key, dsa->g, dsa->priv_key, dsa->p, ctx)) { DSAerr(DSA_F_DSA_PRIV_DECODE,DSA_R_BN_ERROR); goto dsaerr; } diff --git a/lib/libcrypto/dsa/dsa_gen.c b/lib/libcrypto/dsa/dsa_gen.c index 7ddb7fec5e4..d627e5ae9ca 100644 --- a/lib/libcrypto/dsa/dsa_gen.c +++ b/lib/libcrypto/dsa/dsa_gen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dsa_gen.c,v 1.22 2015/07/15 18:34:37 miod Exp $ */ +/* $OpenBSD: dsa_gen.c,v 1.23 2017/01/21 09:38:59 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -68,6 +68,7 @@ #include <openssl/evp.h> #include <openssl/sha.h> +#include "bn_lcl.h" #include "dsa_locl.h" int @@ -315,7 +316,7 @@ end: for (;;) { /* g=test^r0%p */ - if (!BN_mod_exp_mont(g, test, r0, p, ctx, mont)) + if (!BN_mod_exp_mont_ct(g, test, r0, p, ctx, mont)) goto err; if (!BN_is_one(g)) break; diff --git a/lib/libcrypto/dsa/dsa_key.c b/lib/libcrypto/dsa/dsa_key.c index fc4eb9c4331..cb95e1369cb 100644 --- a/lib/libcrypto/dsa/dsa_key.c +++ b/lib/libcrypto/dsa/dsa_key.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dsa_key.c,v 1.22 2016/06/30 02:02:06 bcook Exp $ */ +/* $OpenBSD: dsa_key.c,v 1.23 2017/01/21 09:38:59 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -65,6 +65,7 @@ #include <openssl/bn.h> #include <openssl/dsa.h> +#include "bn_lcl.h" static int dsa_builtin_keygen(DSA *dsa); @@ -108,7 +109,7 @@ dsa_builtin_keygen(DSA *dsa) BN_with_flags(&prk, priv_key, BN_FLG_CONSTTIME); - if (!BN_mod_exp(pub_key, dsa->g, &prk, dsa->p, ctx)) + if (!BN_mod_exp_ct(pub_key, dsa->g, &prk, dsa->p, ctx)) goto err; } diff --git a/lib/libcrypto/dsa/dsa_ossl.c b/lib/libcrypto/dsa/dsa_ossl.c index a28d3e9d1a4..3f01a83a446 100644 --- a/lib/libcrypto/dsa/dsa_ossl.c +++ b/lib/libcrypto/dsa/dsa_ossl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dsa_ossl.c,v 1.26 2016/06/21 04:16:53 bcook Exp $ */ +/* $OpenBSD: dsa_ossl.c,v 1.27 2017/01/21 09:38:59 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -66,6 +66,8 @@ #include <openssl/err.h> #include <openssl/sha.h> +#include "bn_lcl.h" + static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa); static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp); @@ -238,7 +240,7 @@ dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) dsa->method_mont_p)) goto err; } else { - if (!BN_mod_exp_mont(r, dsa->g, &k, dsa->p, ctx, dsa->method_mont_p)) + if (!BN_mod_exp_mont_ct(r, dsa->g, &k, dsa->p, ctx, dsa->method_mont_p)) goto err; } diff --git a/lib/libcrypto/pem/pvkfmt.c b/lib/libcrypto/pem/pvkfmt.c index 7a9045396c5..0a33a24b9f7 100644 --- a/lib/libcrypto/pem/pvkfmt.c +++ b/lib/libcrypto/pem/pvkfmt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pvkfmt.c,v 1.16 2016/03/02 14:28:14 beck Exp $ */ +/* $OpenBSD: pvkfmt.c,v 1.17 2017/01/21 09:38:59 beck Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2005. */ @@ -73,6 +73,8 @@ #include <openssl/dsa.h> #include <openssl/rsa.h> +#include "bn_lcl.h" + /* Utility function: read a DWORD (4 byte unsigned integer) in little endian * format */ @@ -340,7 +342,7 @@ b2i_dss(const unsigned char **in, unsigned int length, unsigned int bitlen, goto memerr; if (!(ctx = BN_CTX_new())) goto memerr; - if (!BN_mod_exp(dsa->pub_key, dsa->g, + if (!BN_mod_exp_ct(dsa->pub_key, dsa->g, dsa->priv_key, dsa->p, ctx)) goto memerr; BN_CTX_free(ctx); diff --git a/lib/libcrypto/rsa/rsa_eay.c b/lib/libcrypto/rsa/rsa_eay.c index af76541c28f..640ed9a0d6a 100644 --- a/lib/libcrypto/rsa/rsa_eay.c +++ b/lib/libcrypto/rsa/rsa_eay.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rsa_eay.c,v 1.43 2016/09/09 11:39:11 tb Exp $ */ +/* $OpenBSD: rsa_eay.c,v 1.44 2017/01/21 09:38:59 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -118,6 +118,8 @@ #include <openssl/err.h> #include <openssl/rsa.h> +#include "bn_lcl.h" + static int RSA_eay_public_encrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding); static int RSA_eay_private_encrypt(int flen, const unsigned char *from, @@ -137,7 +139,7 @@ static RSA_METHOD rsa_pkcs1_eay_meth = { .rsa_priv_enc = RSA_eay_private_encrypt, /* signing */ .rsa_priv_dec = RSA_eay_private_decrypt, .rsa_mod_exp = RSA_eay_mod_exp, - .bn_mod_exp = BN_mod_exp_mont, /* XXX probably we should not use Montgomery if e == 3 */ + .bn_mod_exp = BN_mod_exp_mont_ct, /* XXX probably we should not use Montgomery if e == 3 */ .init = RSA_eay_init, .finish = RSA_eay_finish, }; diff --git a/regress/lib/libcrypto/bn/general/Makefile b/regress/lib/libcrypto/bn/general/Makefile index 18207ffb01f..d578d0fe120 100644 --- a/regress/lib/libcrypto/bn/general/Makefile +++ b/regress/lib/libcrypto/bn/general/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.3 2016/12/21 15:51:05 jsing Exp $ +# $OpenBSD: Makefile,v 1.4 2017/01/21 09:38:58 beck Exp $ .include "../../Makefile.inc" @@ -6,6 +6,6 @@ PROG= bntest LDADD= ${CRYPTO_INT} DPADD= ${LIBCRYPTO} WARNINGS= Yes -CFLAGS+= -DLIBRESSL_INTERNAL -Werror +CFLAGS+= -Werror .include <bsd.regress.mk> diff --git a/regress/lib/libcrypto/bn/general/bntest.c b/regress/lib/libcrypto/bn/general/bntest.c index 0247dacaa49..7e5e6ed81b9 100644 --- a/regress/lib/libcrypto/bn/general/bntest.c +++ b/regress/lib/libcrypto/bn/general/bntest.c @@ -84,6 +84,15 @@ #include <openssl/x509.h> #include <openssl/err.h> +int BN_mod_exp_ct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, + const BIGNUM *m, BN_CTX *ctx); +int BN_mod_exp_nonct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, + const BIGNUM *m, BN_CTX *ctx); +int BN_mod_exp_mont_ct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, + const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); +int BN_mod_exp_mont_nonct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, + const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); + int BN_bntest_rand(BIGNUM *rnd, int bits, int top, int bottom); const int num0 = 100; /* number of tests */ @@ -1037,6 +1046,14 @@ test_mod_exp(BIO *bp, BN_CTX *ctx) fprintf(stderr, "BN_mod_exp with zero modulus succeeded!\n"); return (0); } + if (BN_mod_exp_ct(d, a, b, c, ctx)) { + fprintf(stderr, "BN_mod_exp_ct with zero modulus succeeded!\n"); + return (0); + } + if (BN_mod_exp_nonct(d, a, b, c, ctx)) { + fprintf(stderr, "BN_mod_exp_nonct with zero modulus succeeded!\n"); + return (0); + } BN_bntest_rand(c, 30, 0, 1); /* must be odd for montgomery */ for (i = 0; i < num2; i++) { @@ -1069,6 +1086,70 @@ test_mod_exp(BIO *bp, BN_CTX *ctx) break; } } + + BN_bntest_rand(c, 30, 0, 1); /* must be odd for montgomery */ + for (i = 0; i < num2; i++) { + BN_bntest_rand(a, 20 + i * 5, 0, 0); + BN_bntest_rand(b, 2 + i, 0, 0); + + if (!BN_mod_exp_ct(d, a, b, c, ctx)) { + rc = 0; + break; + } + + if (bp != NULL) { + if (!results) { + BN_print(bp, a); + BIO_puts(bp, " ^ "); + BN_print(bp, b); + BIO_puts(bp, " % "); + BN_print(bp, c); + BIO_puts(bp, " - "); + } + BN_print(bp, d); + BIO_puts(bp, "\n"); + } + BN_exp(e, a, b, ctx); + BN_sub(e, e, d); + BN_div(a, b, e, c, ctx); + if (!BN_is_zero(b)) { + fprintf(stderr, "Modulo exponentiation test failed!\n"); + rc = 0; + break; + } + } + + BN_bntest_rand(c, 30, 0, 1); /* must be odd for montgomery */ + for (i = 0; i < num2; i++) { + BN_bntest_rand(a, 20 + i * 5, 0, 0); + BN_bntest_rand(b, 2 + i, 0, 0); + + if (!BN_mod_exp_nonct(d, a, b, c, ctx)) { + rc = 0; + break; + } + + if (bp != NULL) { + if (!results) { + BN_print(bp, a); + BIO_puts(bp, " ^ "); + BN_print(bp, b); + BIO_puts(bp, " % "); + BN_print(bp, c); + BIO_puts(bp, " - "); + } + BN_print(bp, d); + BIO_puts(bp, "\n"); + } + BN_exp(e, a, b, ctx); + BN_sub(e, e, d); + BN_div(a, b, e, c, ctx); + if (!BN_is_zero(b)) { + fprintf(stderr, "Modulo exponentiation test failed!\n"); + rc = 0; + break; + } + } BN_free(a); BN_free(b); BN_free(c); diff --git a/regress/lib/libcrypto/bn/mont/Makefile b/regress/lib/libcrypto/bn/mont/Makefile index eda36001a37..55c48220d44 100644 --- a/regress/lib/libcrypto/bn/mont/Makefile +++ b/regress/lib/libcrypto/bn/mont/Makefile @@ -1,9 +1,9 @@ -# $OpenBSD: Makefile,v 1.2 2014/07/08 15:53:52 jsing Exp $ +# $OpenBSD: Makefile,v 1.3 2017/01/21 09:38:58 beck Exp $ PROG= mont LDADD= -lcrypto DPADD= ${LIBCRYPTO} WARNINGS= Yes -CFLAGS+= -DLIBRESSL_INTERNAL -Werror +CFLAGS+= -Werror .include <bsd.regress.mk> diff --git a/regress/lib/libcrypto/exp/Makefile b/regress/lib/libcrypto/exp/Makefile index 39142014315..890b38e9fe9 100644 --- a/regress/lib/libcrypto/exp/Makefile +++ b/regress/lib/libcrypto/exp/Makefile @@ -1,9 +1,9 @@ -# $OpenBSD: Makefile,v 1.3 2014/07/08 15:53:52 jsing Exp $ +# $OpenBSD: Makefile,v 1.4 2017/01/21 09:38:58 beck Exp $ PROG= exptest -LDADD= -lcrypto +LDADD= ${CRYPTO_INT} DPADD= ${LIBCRYPTO} WARNINGS= Yes -CFLAGS+= -DLIBRESSL_INTERNAL -Werror +CFLAGS+= -Werror .include <bsd.regress.mk> diff --git a/regress/lib/libcrypto/exp/exptest.c b/regress/lib/libcrypto/exp/exptest.c index 45ca5ac5f57..375628cb251 100644 --- a/regress/lib/libcrypto/exp/exptest.c +++ b/regress/lib/libcrypto/exp/exptest.c @@ -64,6 +64,15 @@ #include <openssl/bn.h> #include <openssl/err.h> +int BN_mod_exp_ct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, + const BIGNUM *m, BN_CTX *ctx); +int BN_mod_exp_nonct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, + const BIGNUM *m, BN_CTX *ctx); +int BN_mod_exp_mont_ct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, + const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); +int BN_mod_exp_mont_nonct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, + const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); + #define NUM_BITS (BN_BITS*2) /* @@ -116,6 +125,18 @@ static int test_exp_mod_zero(void) if (!a_is_zero_mod_one("BN_mod_exp", &r, &a)) failed = 1; + if (!BN_mod_exp_ct(&r, &a, &p, &m, ctx)) + goto err; + + if (!a_is_zero_mod_one("BN_mod_exp_ct", &r, &a)) + failed = 1; + + if (!BN_mod_exp_nonct(&r, &a, &p, &m, ctx)) + goto err; + + if (!a_is_zero_mod_one("BN_mod_exp_nonct", &r, &a)) + failed = 1; + if (!BN_mod_exp_recp(&r, &a, &p, &m, ctx)) goto err; @@ -134,6 +155,18 @@ static int test_exp_mod_zero(void) if (!a_is_zero_mod_one("BN_mod_exp_mont", &r, &a)) failed = 1; + if (!BN_mod_exp_mont_ct(&r, &a, &p, &m, ctx, NULL)) + goto err; + + if (!a_is_zero_mod_one("BN_mod_exp_mont_ct", &r, &a)) + failed = 1; + + if (!BN_mod_exp_mont_nonct(&r, &a, &p, &m, ctx, NULL)) + goto err; + + if (!a_is_zero_mod_one("BN_mod_exp_mont_nonct", &r, &a)) + failed = 1; + if (!BN_mod_exp_mont_consttime(&r, &a, &p, &m, ctx, NULL)) { goto err; } @@ -175,7 +208,8 @@ int main(int argc, char *argv[]) BIO *out = NULL; int i, ret; unsigned char c; - BIGNUM *r_mont, *r_mont_const, *r_recp, *r_simple, *a, *b, *m; + BIGNUM *r_mont, *r_mont_const, *r_recp, *r_simple, + *r_mont_ct, *r_mont_nonct, *a, *b, *m; ERR_load_BN_strings(); @@ -184,6 +218,8 @@ int main(int argc, char *argv[]) exit(1); r_mont = BN_new(); r_mont_const = BN_new(); + r_mont_ct = BN_new(); + r_mont_nonct = BN_new(); r_recp = BN_new(); r_simple = BN_new(); a = BN_new(); @@ -221,6 +257,20 @@ int main(int argc, char *argv[]) exit(1); } + ret = BN_mod_exp_mont_ct(r_mont_ct, a, b, m, ctx, NULL); + if (ret <= 0) { + printf("BN_mod_exp_mont_ct() problems\n"); + ERR_print_errors(out); + exit(1); + } + + ret = BN_mod_exp_mont_nonct(r_mont_nonct, a, b, m, ctx, NULL); + if (ret <= 0) { + printf("BN_mod_exp_mont_nonct() problems\n"); + ERR_print_errors(out); + exit(1); + } + ret = BN_mod_exp_recp(r_recp, a, b, m, ctx); if (ret <= 0) { printf("BN_mod_exp_recp() problems\n"); @@ -254,6 +304,10 @@ int main(int argc, char *argv[]) printf("\nsimple and mont const time results differ\n"); if (BN_cmp(r_simple, r_recp) != 0) printf("\nsimple and recp results differ\n"); + if (BN_cmp(r_mont, r_mont_ct) != 0) + printf("\nmont_ct and mont results differ\n"); + if (BN_cmp(r_mont_ct, r_mont_nonct) != 0) + printf("\nmont_ct and mont_nonct results differ\n"); printf("a (%3d) = ", BN_num_bits(a)); BN_print(out, a); |