From 66e1081a1567d40bd50a5cea47d546eac292cbc2 Mon Sep 17 00:00:00 2001
From: Ben Laurie
Date: Thu, 20 Mar 2003 16:00:18 +0000
Subject: [PATCH] Blinding fix.
---
 CHANGES | 6 ++++++
 crypto/rsa/rsa_eay.c | 27 +++++++++++++++++++++++----
 crypto/rsa/rsa_lib.c | 8 +++++++-
 3 files changed, 36 insertions(+), 5 deletions(-)
diff --git a/CHANGES b/CHANGES
index 46916103b9..ab440fc46d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -10,6 +10,12 @@ in ssl3_get_client_key_exchange (ssl/s3_srvr.c). [Bodo Moeller]
+ *) Turn on RSA blinding by default, to avoid a timing attack. Applications
+ that don't want it can call RSA_blinding_off(). They would be ill-advised
+ to do so in most cases. The automatic enabling can also be turned off
+ by defining OPENSSL_FORCE_NO_RSA_BLINDING at compile-time.
+ [Ben Laurie, Steve Henson, Geoff Thorpe] + Changes between 0.9.6h and 0.9.6i [19 Feb 2003] *) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
diff --git a/crypto/rsa/rsa_eay.c b/crypto/rsa/rsa_eay.c
index c49abe6e3e..444111fc39 100644
--- a/crypto/rsa/rsa_eay.c
+++ b/crypto/rsa/rsa_eay.c
@@ -190,6 +190,25 @@ err: return(r); }
+static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx)
+ {
+ int ret = 1;
+ CRYPTO_w_lock(CRYPTO_LOCK_RSA);
+ /* Check again inside the lock - the macro's check is racey */
+ if(rsa->blinding == NULL)
+ ret = RSA_blinding_on(rsa, ctx);
+ CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
+ return ret;
+ }
+
+#define BLINDING_HELPER(rsa, ctx, err_instr) \
+ do { \
+ if(((rsa)->flags & RSA_FLAG_BLINDING) && \
+ ((rsa)->blinding == NULL) && \
+ !rsa_eay_blinding(rsa, ctx)) \
+ err_instr \
+ } while(0) + /* signing */ static int RSA_eay_private_encrypt(int flen, unsigned char *from, unsigned char *to, RSA *rsa, int padding)
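Review bot: The BN_BLINDING that rsa_eay_blinding creates under CRYPTO_LOCK_RSA is handed to BN_BLINDING_convert at the call sites after CRYPTO_w_unlock has run, so two threads doing private-key operations on one RSA object share a single rsa->blinding with no synchronisation; if BN_BLINDING_convert/invert update the blinding factors in place (not visible in this hunk), concurrent use can corrupt them and produce wrong signatures or decryptions, so the lock needs to cover use of the blinding and not only its creation, or the blinding needs to be per thread. The macro is also heavier than the job needs: it evaluates `rsa` three times and injects a `goto` through `err_instr`, whereas letting the function absorb the flag and NULL tests would make every call site read `if (!rsa_eay_blinding(rsa, ctx)) goto err;` with ordinary type checking. The helper has no header comment; I would add `/* Create rsa->blinding lazily under CRYPTO_LOCK_RSA; returns 0 if RSA_blinding_on() fails. */` above it.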
@@ -234,8 +253,8 @@ static int RSA_eay_private_encrypt(int flen, unsigned char *from, goto err; }
- if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
- RSA_blinding_on(rsa,ctx);
+ BLINDING_HELPER(rsa, ctx, goto err;); + if (rsa->flags & RSA_FLAG_BLINDING) if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
@@ -313,8 +332,8 @@ static int RSA_eay_private_decrypt(int flen, unsigned char *from, goto err; }
- if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
- RSA_blinding_on(rsa,ctx);
+ BLINDING_HELPER(rsa, ctx, goto err;); + if (rsa->flags & RSA_FLAG_BLINDING) if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
diff --git a/crypto/rsa/rsa_lib.c b/crypto/rsa/rsa_lib.c
index 422643e9f2..0aeefae7db 100644
--- a/crypto/rsa/rsa_lib.c
+++ b/crypto/rsa/rsa_lib.c
@@ -71,7 +71,13 @@ static STACK_OF(CRYPTO_EX_DATA_FUNCS) *rsa_meth=NULL; RSA *RSA_new(void) {
- return(RSA_new_method(NULL));
+ RSA *r=RSA_new_method(NULL);
+
+#ifndef OPENSSL_NO_FORCE_RSA_BLINDING
+ r->flags|=RSA_FLAG_BLINDING;
+#endif
+
+ return r; } void RSA_set_default_method(RSA_METHOD *meth)
-- 2.25.1
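Review bot: Between BLINDING_HELPER and the BN_BLINDING_convert that follows it, rsa->blinding is read again without CRYPTO_LOCK_RSA, so a concurrent RSA_blinding_off() — the opt-out the CHANGES entry advertises — can, if it frees and clears the pointer, leave this path dereferencing NULL or a freed BN_BLINDING; the second `rsa->flags & RSA_FLAG_BLINDING` test is also redundant with the one inside the macro. Reading the pointer once under the lock, or having the helper return the BN_BLINDING to use, would close that window and remove the duplicate test. The same pattern appears in the RSA_eay_private_decrypt hunk at @@ -313; both enclosing functions start and end outside their hunks.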
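Review bot: `r->flags|=RSA_FLAG_BLINDING;` dereferences the result of RSA_new_method(NULL) without a NULL check, so an allocation failure that RSA_new used to pass back to the caller now becomes a crash; guard it with `if (r != NULL) r->flags|=RSA_FLAG_BLINDING;`. The compile-time opt-out is also named inconsistently: the CHANGES entry says OPENSSL_FORCE_NO_RSA_BLINDING while the code tests `OPENSSL_NO_FORCE_RSA_BLINDING`, so defining the documented symbol has no effect (blinding stays on, which is the safe direction, but the switch is dead); use one name in both places. Since the flag is set only here, an RSA object obtained from RSA_new_method() directly will not get blinding by default unless that function is changed too, which is worth stating in a one-line comment on RSA_new.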