From: Samuel Weiser
Date: Fri, 15 Sep 2017 20:12:53 +0000 (+0200)
Subject: Fixed error in propagating BN_FLG_CONSTTIME flag through BN_MONT_CTX_set, which could...
X-Git-Tag: OpenSSL_1_1_1-pre1~619
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=3de81a5912041a70884cf4e52e7213f3b5dfa747;p=oweals%2Fopenssl.git
Fixed error in propagating BN_FLG_CONSTTIME flag through BN_MONT_CTX_set, which could lead to information disclosure on RSA primes p and q.
Reviewed-by: Paul Dale
Reviewed-by: Matt Caswell
(Merged from https://github.com/openssl/openssl/pull/4377)
---
diff --git a/crypto/bn/bn_mont.c b/crypto/bn/bn_mont.c
index 9dad113d02..0985de2d82 100644
--- a/crypto/bn/bn_mont.c
+++ b/crypto/bn/bn_mont.c
@@ -258,6 +258,8 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
 R = &(mont->RR); /* grab RR as a temp */
 if (!BN_copy(&(mont->N), mod))
 goto err; /* Set N */
+ if (BN_get_flags(mod, BN_FLG_CONSTTIME) != 0)
+ BN_set_flags(&(mont->N), BN_FLG_CONSTTIME);
 mont->N.neg = 0;
 #ifdef MONT_WORD
@@ -270,6 +272,9 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
 tmod.dmax = 2;
 tmod.neg = 0;
+ if (BN_get_flags(mod, BN_FLG_CONSTTIME) != 0)
+ BN_set_flags(&tmod, BN_FLG_CONSTTIME);
+
 mont->ri = (BN_num_bits(mod) + (BN_BITS2 - 1)) / BN_BITS2 * BN_BITS2;
 # if defined(OPENSSL_BN_ASM_MONT) && (BN_BITS2<=32)
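Review bot: The constant-time flag is now copied onto mont->N right after the BN_copy() and onto tmod in the second hunk, but neither site says why a plain copy is not enough, so a later cleanup could fold these lines away; a comment at the first added `if` would pin it: `/* BN_copy() does not carry BN_FLG_CONSTTIME; the flag on the modulus is what the later inverse/mod steps use to pick the constant-time path */`, and the tmod site can refer to the same reason for the word-sized temporary modulus. BN_set_flags() only ORs the flag in, so a reused mont whose previous modulus was constant-time keeps the flag for a later unflagged modulus; that errs toward the constant-time path and looks harmless, but if BN_MONT_CTX_set is meant to fully reset mont it is worth stating in the comment. BN_MONT_CTX_set's body begins before the first hunk and continues after the second, so whether every later use of mont->N and tmod honours the flag cannot be confirmed from these lines alone.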