git.librecmc.org Git - oweals/openssl.git/commit

author	Nicola Tuveri <nic.tuv@gmail.com>
	Tue, 16 Jun 2020 17:12:13 +0000 (20:12 +0300)
committer	Nicola Tuveri <nic.tuv@gmail.com>
	Sun, 21 Jun 2020 10:45:27 +0000 (13:45 +0300)
commit	d4bf0d57a84a9bcdeba839b66138949be8221e17
tree	7a9eeb03f3a029c76bd055f00bed8c6898d30058	tree \| snapshot
parent	200ae2ee8e1cec5c9af2ea36298bf6583bcd415d	commit \| diff

Flag RSA secret BNs as consttime on keygen and checks

<https://github.com/openssl/openssl/pull/11765> switched the default
code path for keygen.

External testing through TriggerFlow highlighted that in several places
we failed (once more!) to set the `BN_FLG_CONSTTIME` flag on critical
secret values (either long term or temporary values).

This commit tries to make sure that the secret BN values inside the
`rsa struct` are always flagged on creation, and that temporary values
derived from these secrets are flagged when allocated from a BN_CTX.

Acknowledgments
---------------

Thanks to @Voker57, @bbbrumley, @sohhas, @cpereida for the
[OpenSSL Triggerflow CI] ([paper]) through which this defect was detected and
tested, and for providing early feedback to fix the issue!

[OpenSSL Triggerflow CI]: https://gitlab.com/nisec/openssl-triggerflow-ci
[paper]: https://eprint.iacr.org/2019/366

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12167)

crypto/bn/bn_rsa_fips186_4.c		diff \| blob \| history
crypto/rsa/rsa_gen.c		diff \| blob \| history
crypto/rsa/rsa_sp800_56b_check.c		diff \| blob \| history
crypto/rsa/rsa_sp800_56b_gen.c		diff \| blob \| history