From cb6fdc3a4938aa5e0bafd3fb3b4cefbe55830760 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson"
Date: Wed, 28 Mar 2007 22:00:48 +0000
Subject: [PATCH] Update from stable branch.
---
 CHANGES | 37 +++++++++++++++++++++++++++++++++++++
 crypto/bn/bn_div.c | 2 +-
 crypto/bn/bn_gcd.c | 2 +-
 3 files changed, 39 insertions(+), 2 deletions(-)
diff --git a/CHANGES b/CHANGES
index a4421e421a..68895177b9 100644
--- a/CHANGES
+++ b/CHANGES
@@ -98,6 +98,43 @@
 [Matthew D Wood (Intel Corp)]
+ *) Mitigate branch prediction attacks, which can be practical if a
+ single processor is shared, allowing a spy process to extract
+ information. For detailed background information, see
+ http://eprint.iacr.org/2007/039 (O. Aciicmez, S. Gueron,
+ J.-P. Seifert, "New Branch Prediction Vulnerabilities in OpenSSL
+ and Necessary Software Countermeasures"). The core of the change
+ are new versions BN_div_no_branch() and
+ BN_mod_inverse_no_branch() of BN_div() and BN_mod_inverse(),
+ respectively, which are slower, but avoid the security-relevant
+ conditional branches. These are automatically called by BN_div()
+ and BN_mod_inverse() if the flag BN_FLG_CONSTTIME is set for one
+ of the input BIGNUMs. Also, BN_is_bit_set() has been changed to
+ remove a conditional branch.
+
+ BN_FLG_CONSTTIME is the new name for the previous
+ BN_FLG_EXP_CONSTTIME flag, since it now affects more than just
+ modular exponentiation. (Since OpenSSL 0.9.7h, setting this flag
+ in the exponent causes BN_mod_exp_mont() to use the alternative
+ implementation in BN_mod_exp_mont_consttime().) The old name
+ remains as a deprecated alias.
+
+ Similary, RSA_FLAG_NO_EXP_CONSTTIME is replaced by a more general
+ RSA_FLAG_NO_CONSTTIME flag since the RSA implementation now uses
+ constant-time implementations for more than just exponentiation.
+ Here too the old name is kept as a deprecated alias.
+
+ BN_BLINDING_new() will now use BN_dup() for the modulus so that
+ the BN_BLINDING structure gets an independent copy of the
+ modulus. This means that the previous "BIGNUM *m" argument to
+ BN_BLINDING_new() and to BN_BLINDING_create_param() now
+ essentially becomes "const BIGNUM *m", although we can't actually
+ change this in the header file before 0.9.9. It allows
+ RSA_setup_blinding() to use BN_with_flags() on the modulus to
+ enable BN_FLG_CONSTTIME.
+
+ [Matthew D Wood (Intel Corp)]
+
 *) In the SSL/TLS server implementation, be strict about session ID context matching (which matters if an application uses a single external cache for different purposes). Previously,
diff --git a/crypto/bn/bn_div.c b/crypto/bn/bn_div.c
index 1fd0206e1d..9addaf158f 100644
--- a/crypto/bn/bn_div.c
+++ b/crypto/bn/bn_div.c
@@ -185,7 +185,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
 BN_ULONG d0,d1;
 int num_n,div_n;
- if (BN_get_flags(num, BN_FLG_CONSTTIME) != 0)
+ if ((BN_get_flags(num, BN_FLG_CONSTTIME) != 0) || (BN_get_flags(divisor, BN_FLG_CONSTTIME) != 0))
 {
 return BN_div_no_branch(dv, rm, num, divisor, ctx);
 }
diff --git a/crypto/bn/bn_gcd.c b/crypto/bn/bn_gcd.c
index 9787a65f94..5fb8090c52 100644
--- a/crypto/bn/bn_gcd.c
+++ b/crypto/bn/bn_gcd.c
@@ -210,7 +210,7 @@ BIGNUM *BN_mod_inverse(BIGNUM *in,
 BIGNUM *ret=NULL;
 int sign;
- if (BN_get_flags(n, BN_FLG_CONSTTIME) != 0)
+ if ((BN_get_flags(a, BN_FLG_CONSTTIME) != 0) || (BN_get_flags(n, BN_FLG_CONSTTIME) != 0))
 {
 return BN_mod_inverse_no_branch(in, a, n, ctx);
 }
-- 2.25.1
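Review bot: The new condition in bn_div.c now tests the divisor's BN_FLG_CONSTTIME as well as num's but carries no comment, and the reason is not visible from BN_div itself; the CHANGES entry in this same patch states the contract as "if the flag BN_FLG_CONSTTIME is set for one of the input BIGNUMs", i.e. the caller may have marked either operand as the sensitive one. A one-line comment above the `if`, e.g. `/* Either input may be secret: take the branch-free path if the caller marked num or divisor BN_FLG_CONSTTIME. */`, would pin that contract to the code. It is also worth saying there that the flag is a property of the BIGNUM object, so a sensitive value that reaches BN_div through a copy rather than via BN_with_flags() is only covered if the copy carries the flag — I believe BN_copy()/BN_dup() do not propagate it, but that is not verifiable from this page and should be confirmed. The bn_gcd.c hunk below makes the same widening for `a` and `n` and needs the same comment. BN_div's body starts and ends outside the hunk.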
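Review bot: The new `if` in bn_gcd.c is a single line of roughly 95 characters plus indent, which hides the fact that two independent operands are now being tested; breaking it at the `||` reads better and keeps future additions to a one-line diff, e.g. `if ((BN_get_flags(a, BN_FLG_CONSTTIME) != 0)` followed by `    || (BN_get_flags(n, BN_FLG_CONSTTIME) != 0))`. The bn_div.c hunk above has the same shape and should be wrapped the same way. The early return sits before anything is allocated (`ret` is still NULL on the context line above it), so no cleanup is skipped by returning here. BN_mod_inverse's body starts and ends outside the hunk.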