From d320e803d97fe9cef872a3eafa3359886b42a7da Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Mon, 15 Jan 2018 11:23:07 +0000 Subject: [PATCH] Revert BN_copy() flag copy semantics change Commit 9f9442918a changed the semantics of BN_copy() to additionally copy the BN_FLG_CONSTTIME flag if it is set. This turns out to be ill advised as it has unintended consequences. For example calling BN_mod_inverse_no_branch() can sometimes return a result with the flag set and sometimes not as a result. This can lead to later failures if we go down code branches that do not support constant time, but check for the presence of the flag. The original commit was made due to an issue in BN_MOD_CTX_set(). The original PR fixed the problem in that function, but it was changed in review to fix it in BN_copy() instead. The solution seems to be to revert the BN_copy() change and go back to the originally proposed way. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/5080) (cherry picked from commit 7d461736f7bd3af3c2f266f8541034ecf6f41ed9) --- crypto/bn/bn_lib.c | 3 --- crypto/bn/bn_mont.c | 2 ++ 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c index d7c5fc3c97..b8d44683c1 100644 --- a/crypto/bn/bn_lib.c +++ b/crypto/bn/bn_lib.c @@ -406,9 +406,6 @@ BIGNUM *BN_copy(BIGNUM *a, const BIGNUM *b) memcpy(a->d, b->d, sizeof(b->d[0]) * b->top); #endif - if (BN_get_flags(b, BN_FLG_CONSTTIME) != 0) - BN_set_flags(a, BN_FLG_CONSTTIME); - a->top = b->top; a->neg = b->neg; bn_check_top(a); diff --git a/crypto/bn/bn_mont.c b/crypto/bn/bn_mont.c index faea4684fa..90e1ba296e 100644 --- a/crypto/bn/bn_mont.c +++ b/crypto/bn/bn_mont.c @@ -258,6 +258,8 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx) R = &(mont->RR); /* grab RR as a temp */ if (!BN_copy(&(mont->N), mod)) goto err; /* Set N */ + if (BN_get_flags(mod, BN_FLG_CONSTTIME) != 0) + BN_set_flags(&(mont->N), BN_FLG_CONSTTIME); mont->N.neg = 0; #ifdef MONT_WORD -- 2.25.1