rpms/openssl/FC-3 openssl-0.9.7a-can-2005-0109.patch, NONE, 1.1 openssl.spec, 1.42, 1.43
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Fri May 20 15:11:01 UTC 2005
Author: tmraz
Update of /cvs/dist/rpms/openssl/FC-3
In directory cvs.devel.redhat.com:/tmp/cvs-serv5552
Modified Files:
openssl.spec
Added Files:
openssl-0.9.7a-can-2005-0109.patch
Log Message:
* Fri May 20 2005 Tomas Mraz <tmraz at redhat.com> 0.9.7a-42.1
- fix CAN-2005-0109 - use constant time/memory access mod_exp
so bits of private key aren't leaked by cache eviction (#157631)
openssl-0.9.7a-can-2005-0109.patch:
apps/speed.c | 4
crypto/bn/bn.h | 17 +++
crypto/bn/bn_err.c | 4
crypto/bn/bn_exp.c | 244 +++++++++++++++++++++++++++++++++++++++++++++++++-
crypto/bn/bn_lcl.h | 39 +++++++
crypto/bn/bntest.c | 56 +++++++++++
crypto/bn/expspeed.c | 2
crypto/bn/exptest.c | 18 +++
crypto/dh/dh.h | 9 +
crypto/dh/dh_key.c | 28 ++++-
crypto/dh/dhtest.c | 4
crypto/dsa/dsa.h | 7 +
crypto/dsa/dsa_key.c | 15 ++-
crypto/dsa/dsa_ossl.c | 4
crypto/dsa/dsatest.c | 9 +
crypto/rsa/rsa.h | 7 +
crypto/rsa/rsa_eay.c | 120 +++++++++++++++++++++++-
crypto/rsa/rsa_test.c | 5 -
util/libeay.num | 1
19 files changed, 571 insertions(+), 22 deletions(-)
--- NEW FILE openssl-0.9.7a-can-2005-0109.patch ---
*) Make a new fixed-window mod_exp implementation the default for
RSA, DSA, and DH private-key operations so that the sequence of
squares and multiplies and the memory access pattern are
independent of the particular secret key. This will mitigate
cache-timing and potential related attacks.
BN_mod_exp_mont_consttime() is the new exponentiation implementation,
and this is automatically used by BN_mod_exp_mont() if the new flag
BN_FLG_EXP_CONSTTIME is set for the exponent. RSA, DSA, and DH
will use this BN flag for private exponents unless the flag
RSA_FLAG_NO_EXP_CONSTTIME, DSA_FLAG_NO_EXP_CONSTTIME, or
DH_FLAG_NO_EXP_CONSTTIME, respectively, is set.
[Matthew D Wood (Intel Corp), with some changes by Bodo Moeller]
--- openssl-0.9.7a/apps/speed.c.modexp-consttime 2003-02-14 02:03:04.000000000 +0100
+++ openssl-0.9.7a/apps/speed.c 2005-05-18 09:50:19.491810953 +0200
@@ -1698,7 +1698,7 @@
k,rsa_bits[k],rsa_results[k][0],
rsa_results[k][1]);
else
- fprintf(stdout,"rsa %4u bits %8.4fs %8.4fs %8.1f %8.1f\n",
+ fprintf(stdout,"rsa %4u bits %8.6fs %8.6fs %8.1f %8.1f\n",
rsa_bits[k],rsa_results[k][0],rsa_results[k][1],
1.0/rsa_results[k][0],1.0/rsa_results[k][1]);
}
@@ -1717,7 +1717,7 @@
fprintf(stdout,"+F3:%u:%u:%f:%f\n",
k,dsa_bits[k],dsa_results[k][0],dsa_results[k][1]);
else
- fprintf(stdout,"dsa %4u bits %8.4fs %8.4fs %8.1f %8.1f\n",
+ fprintf(stdout,"dsa %4u bits %8.6fs %8.6fs %8.1f %8.1f\n",
dsa_bits[k],dsa_results[k][0],dsa_results[k][1],
1.0/dsa_results[k][0],1.0/dsa_results[k][1]);
}
--- openssl-0.9.7a/util/libeay.num.modexp-consttime 2003-01-30 18:58:24.000000000 +0100
+++ openssl-0.9.7a/util/libeay.num 2005-05-18 10:03:38.608570603 +0200
@@ -2801,3 +2801,4 @@
BUF_strlcpy 3243 EXIST::FUNCTION:
OpenSSLDie 3244 EXIST::FUNCTION:
OPENSSL_cleanse 3245 EXIST::FUNCTION:
+BN_mod_exp_mont_consttime 3246 EXIST::FUNCTION:
--- openssl-0.9.7a/crypto/bn/bn_lcl.h.modexp-consttime 2005-05-18 09:49:48.691697491 +0200
+++ openssl-0.9.7a/crypto/bn/bn_lcl.h 2005-05-18 09:50:19.501809366 +0200
@@ -177,6 +177,45 @@
+/* BN_mod_exp_mont_conttime is based on the assumption that the
+ * L1 data cache line width of the target processor is at least
+ * the following value.
+ */
+#define MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH ( 64 )
+#define MOD_EXP_CTIME_MIN_CACHE_LINE_MASK (MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH - 1)
+
+/* Window sizes optimized for fixed window size modular exponentiation
+ * algorithm (BN_mod_exp_mont_consttime).
+ *
+ * To achieve the security goals of BN_mode_exp_mont_consttime, the
+ * maximum size of the window must not exceed
+ * log_2(MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH).
+ *
+ * Window size thresholds are defined for cache line sizes of 32 and 64,
+ * cache line sizes where log_2(32)=5 and log_2(64)=6 respectively. A
+ * window size of 7 should only be used on processors that have a 128
+ * byte or greater cache line size.
+ */
+#if MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH == 64
+
+# define BN_window_bits_for_ctime_exponent_size(b) \
+ ((b) > 937 ? 6 : \
+ (b) > 306 ? 5 : \
+ (b) > 89 ? 4 : \
+ (b) > 22 ? 3 : 1)
+# define BN_MAX_WINDOW_BITS_FOR_CTIME_EXPONENT_SIZE (6)
+
+#elif MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH == 32
+
+# define BN_window_bits_for_ctime_exponent_size(b) \
+ ((b) > 306 ? 5 : \
+ (b) > 89 ? 4 : \
+ (b) > 22 ? 3 : 1)
+# define BN_MAX_WINDOW_BITS_FOR_CTIME_EXPONENT_SIZE (5)
+
+#endif
+
+
/* Pentium pro 16,16,16,32,64 */
/* Alpha 16,16,16,16.64 */
#define BN_MULL_SIZE_NORMAL (16) /* 32 */
--- openssl-0.9.7a/crypto/bn/bn_exp.c.modexp-consttime 2000-12-07 23:06:09.000000000 +0100
+++ openssl-0.9.7a/crypto/bn/bn_exp.c 2005-05-18 09:50:19.504808890 +0200
@@ -56,7 +56,7 @@
* [including the GNU Public Licence.]
*/
/* ====================================================================
- * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -113,6 +113,7 @@
#include "cryptlib.h"
#include "bn_lcl.h"
+/* maximum precomputation table size for *variable* sliding windows */
#define TABLE_SIZE 32
/* this one works - simple but works */
@@ -121,6 +122,13 @@
int i,bits,ret=0;
BIGNUM *v,*rr;
+ if (BN_get_flags(p, BN_FLG_EXP_CONSTTIME) != 0)
+ {
+ /* BN_FLG_EXP_CONSTTIME only supported by BN_mod_exp_mont() */
+ BNerr(BN_F_BN_EXP,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+ return -1;
+ }
+
BN_CTX_start(ctx);
if ((r == a) || (r == p))
rr = BN_CTX_get(ctx);
@@ -204,7 +212,7 @@
if (BN_is_odd(m))
{
# ifdef MONT_EXP_WORD
- if (a->top == 1 && !a->neg)
+ if (a->top == 1 && !a->neg && (BN_get_flags(p, BN_FLG_EXP_CONSTTIME) == 0))
{
BN_ULONG A = a->d[0];
ret=BN_mod_exp_mont_word(r,A,p,m,ctx,NULL);
@@ -234,6 +242,13 @@
BIGNUM val[TABLE_SIZE];
BN_RECP_CTX recp;
+ if (BN_get_flags(p, BN_FLG_EXP_CONSTTIME) != 0)
+ {
+ /* BN_FLG_EXP_CONSTTIME only supported by BN_mod_exp_mont() */
+ BNerr(BN_F_BN_MOD_EXP_RECP,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+ return -1;
+ }
+
bits=BN_num_bits(p);
if (bits == 0)
@@ -361,6 +376,11 @@
BIGNUM val[TABLE_SIZE];
BN_MONT_CTX *mont=NULL;
+ if (BN_get_flags(p, BN_FLG_EXP_CONSTTIME) != 0)
+ {
+ return BN_mod_exp_mont_consttime(rr, a, p, m, ctx, in_mont);
+ }
+
bn_check_top(a);
bn_check_top(p);
bn_check_top(m);
@@ -493,6 +513,212 @@
return(ret);
}
+
+/* BN_mod_exp_mont_consttime() stores the precomputed powers in a specific layout
+ * so that accessing any of these table values shows the same access pattern as far
+ * as cache lines are concerned. The following functions are used to transfer a BIGNUM
+ * from/to that table. */
+
+static int MOD_EXP_CTIME_COPY_TO_PREBUF(BIGNUM *b, int top, unsigned char *buf, int idx, int width)
+ {
+ size_t i, j;
+
+ if (bn_wexpand(b, top) == NULL)
+ return 0;
+ while (b->top < top)
+ {
+ b->d[b->top++] = 0;
+ }
+
+ for (i = 0, j=idx; i < top * sizeof b->d[0]; i++, j+=width)
+ {
+ buf[j] = ((unsigned char*)b->d)[i];
+ }
+
+ bn_fix_top(b);
+ return 1;
+ }
+
+static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top, unsigned char *buf, int idx, int width)
+ {
+ size_t i, j;
+
+ if (bn_wexpand(b, top) == NULL)
+ return 0;
+
+ for (i=0, j=idx; i < top * sizeof b->d[0]; i++, j+=width)
+ {
+ ((unsigned char*)b->d)[i] = buf[j];
+ }
+
+ b->top = top;
+ bn_fix_top(b);
+ return 1;
+ }
+
+/* Given a pointer value, compute the next address that is a cache line multiple. */
+#define MOD_EXP_CTIME_ALIGN(x_) \
+ ((unsigned char*)(x_) + (MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH - (((BN_ULONG)(x_)) & (MOD_EXP_CTIME_MIN_CACHE_LINE_MASK))))
+
+/* This variant of BN_mod_exp_mont() uses fixed windows and the special
+ * precomputation memory layout to limit data-dependency to a minimum
+ * to protect secret exponents (cf. the hyper-threading timing attacks
+ * pointed out by Colin Percival,
+ * http://www.daemonology.net/hyperthreading-considered-harmful/)
+ */
+int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
+ const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont)
+ {
+ int i,bits,ret=0,idx,window,wvalue;
+ int top;
+ BIGNUM *r;
+ const BIGNUM *aa;
+ BN_MONT_CTX *mont=NULL;
+
+ int numPowers;
+ unsigned char *powerbufFree=NULL;
+ int powerbufLen = 0;
+ unsigned char *powerbuf=NULL;
+ BIGNUM *computeTemp=NULL, *am=NULL;
+
+ bn_check_top(a);
+ bn_check_top(p);
+ bn_check_top(m);
+
+ top = m->top;
+
+ if (!(m->d[0] & 1))
+ {
+ BNerr(BN_F_BN_MOD_EXP_MONT_CONSTTIME,BN_R_CALLED_WITH_EVEN_MODULUS);
+ return(0);
+ }
+ bits=BN_num_bits(p);
+ if (bits == 0)
+ {
+ ret = BN_one(rr);
+ return ret;
+ }
+
+ /* Initialize BIGNUM context and allocate intermediate result */
+ BN_CTX_start(ctx);
+ r = BN_CTX_get(ctx);
+ if (r == NULL) goto err;
+
+ /* Allocate a montgomery context if it was not supplied by the caller.
+ * If this is not done, things will break in the montgomery part.
+ */
+ if (in_mont != NULL)
+ mont=in_mont;
+ else
+ {
+ if ((mont=BN_MONT_CTX_new()) == NULL) goto err;
+ if (!BN_MONT_CTX_set(mont,m,ctx)) goto err;
+ }
+
+ /* Get the window size to use with size of p. */
+ window = BN_window_bits_for_ctime_exponent_size(bits);
+
+ /* Allocate a buffer large enough to hold all of the pre-computed
+ * powers of a.
+ */
+ numPowers = 1 << window;
+ powerbufLen = sizeof(m->d[0])*top*numPowers;
+ if ((powerbufFree=(unsigned char*)OPENSSL_malloc(powerbufLen+MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH)) == NULL)
+ goto err;
+
+ powerbuf = MOD_EXP_CTIME_ALIGN(powerbufFree);
+ memset(powerbuf, 0, powerbufLen);
+
+ /* Initialize the intermediate result. Do this early to save double conversion,
+ * once each for a^0 and intermediate result.
+ */
+ if (!BN_to_montgomery(r,BN_value_one(),mont,ctx)) goto err;
+ if (!MOD_EXP_CTIME_COPY_TO_PREBUF(r, top, powerbuf, 0, numPowers)) goto err;
+
+ /* Initialize computeTemp as a^1 with montgomery precalcs */
+ computeTemp = BN_CTX_get(ctx);
+ am = BN_CTX_get(ctx);
+ if (computeTemp==NULL || am==NULL) goto err;
+
+ if (a->neg || BN_ucmp(a,m) >= 0)
+ {
+ if (!BN_mod(am,a,m,ctx))
+ goto err;
+ aa= am;
+ }
+ else
+ aa=a;
+ if (!BN_to_montgomery(am,aa,mont,ctx)) goto err;
+ if (!BN_copy(computeTemp, am)) goto err;
+ if (!MOD_EXP_CTIME_COPY_TO_PREBUF(am, top, powerbuf, 1, numPowers)) goto err;
+
+ /* If the window size is greater than 1, then calculate
+ * val[i=2..2^winsize-1]. Powers are computed as a*a^(i-1)
+ * (even powers could instead be computed as (a^(i/2))^2
+ * to use the slight performance advantage of sqr over mul).
+ */
+ if (window > 1)
+ {
+ for (i=2; i<numPowers; i++)
+ {
+ /* Calculate a^i = a^(i-1) * a */
+ if (!BN_mod_mul_montgomery(computeTemp,am,computeTemp,mont,ctx))
+ goto err;
+ if (!MOD_EXP_CTIME_COPY_TO_PREBUF(computeTemp, top, powerbuf, i, numPowers)) goto err;
+ }
+ }
+
+ /* Adjust the number of bits up to a multiple of the window size.
+ * If the exponent length is not a multiple of the window size, then
+ * this pads the most significant bits with zeros to normalize the
+ * scanning loop to there's no special cases.
+ *
+ * * NOTE: Making the window size a power of two less than the native
+ * * word size ensures that the padded bits won't go past the last
+ * * word in the internal BIGNUM structure. Going past the end will
+ * * still produce the correct result, but causes a different branch
+ * * to be taken in the BN_is_bit_set function.
+ */
+ bits = ((bits+window-1)/window)*window;
+ idx=bits-1; /* The top bit of the window */
+
+ /* Scan the exponent one window at a time starting from the most
+ * significant bits.
+ */
+ while (idx >= 0)
+ {
+ wvalue=0; /* The 'value' of the window */
+
+ /* Scan the window, squaring the result as we go */
+ for (i=0; i<window; i++,idx--)
+ {
+ if (!BN_mod_mul_montgomery(r,r,r,mont,ctx)) goto err;
+ wvalue = (wvalue<<1)+BN_is_bit_set(p,idx);
+ }
+
+ /* Fetch the appropriate pre-computed value from the pre-buf */
+ if (!MOD_EXP_CTIME_COPY_FROM_PREBUF(computeTemp, top, powerbuf, wvalue, numPowers)) goto err;
+
+ /* Multiply the result into the intermediate result */
+ if (!BN_mod_mul_montgomery(r,r,computeTemp,mont,ctx)) goto err;
+ }
+
+ /* Convert the final result from montgomery to standard format */
+ if (!BN_from_montgomery(rr,r,mont,ctx)) goto err;
+ ret=1;
+err:
+ if ((in_mont == NULL) && (mont != NULL)) BN_MONT_CTX_free(mont);
+ if (powerbuf!=NULL)
+ {
+ OPENSSL_cleanse(powerbuf,powerbufLen);
+ OPENSSL_free(powerbufFree);
+ }
+ if (am!=NULL) BN_clear(am);
+ if (computeTemp!=NULL) BN_clear(computeTemp);
+ BN_CTX_end(ctx);
+ return(ret);
+ }
+
int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p,
const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont)
{
@@ -517,6 +743,13 @@
#define BN_TO_MONTGOMERY_WORD(r, w, mont) \
(BN_set_word(r, (w)) && BN_to_montgomery(r, r, (mont), ctx))
+ if (BN_get_flags(p, BN_FLG_EXP_CONSTTIME) != 0)
+ {
+ /* BN_FLG_EXP_CONSTTIME only supported by BN_mod_exp_mont() */
+ BNerr(BN_F_BN_MOD_EXP_MONT_WORD,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+ return -1;
+ }
+
bn_check_top(p);
bn_check_top(m);
@@ -644,6 +877,13 @@
BIGNUM *d;
BIGNUM val[TABLE_SIZE];
+ if (BN_get_flags(p, BN_FLG_EXP_CONSTTIME) != 0)
+ {
+ /* BN_FLG_EXP_CONSTTIME only supported by BN_mod_exp_mont() */
+ BNerr(BN_F_BN_MOD_EXP_SIMPLE,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+ return -1;
+ }
+
bits=BN_num_bits(p);
if (bits == 0)
--- openssl-0.9.7a/crypto/bn/exptest.c.modexp-consttime 2002-11-28 19:56:43.000000000 +0100
+++ openssl-0.9.7a/crypto/bn/exptest.c 2005-05-18 09:50:19.507808414 +0200
@@ -80,7 +80,7 @@
BIO *out=NULL;
int i,ret;
unsigned char c;
- BIGNUM *r_mont,*r_recp,*r_simple,*a,*b,*m;
+ BIGNUM *r_mont,*r_mont_const,*r_recp,*r_simple,*a,*b,*m;
RAND_seed(rnd_seed, sizeof rnd_seed); /* or BN_rand may fail, and we don't
* even check its return value
@@ -91,6 +91,7 @@
ctx=BN_CTX_new();
if (ctx == NULL) EXIT(1);
r_mont=BN_new();
+ r_mont_const=BN_new();
r_recp=BN_new();
r_simple=BN_new();
a=BN_new();
@@ -146,8 +147,17 @@
EXIT(1);
}
+ ret=BN_mod_exp_mont_consttime(r_mont_const,a,b,m,ctx,NULL);
+ if (ret <= 0)
+ {
+ printf("BN_mod_exp_mont_consttime() problems\n");
+ ERR_print_errors(out);
+ EXIT(1);
+ }
+
if (BN_cmp(r_simple, r_mont) == 0
- && BN_cmp(r_simple,r_recp) == 0)
+ && BN_cmp(r_simple,r_recp) == 0
+ && BN_cmp(r_simple,r_mont_const) == 0)
{
printf(".");
fflush(stdout);
@@ -156,6 +166,8 @@
{
if (BN_cmp(r_simple,r_mont) != 0)
printf("\nsimple and mont results differ\n");
+ if (BN_cmp(r_simple,r_mont) != 0)
+ printf("\nsimple and mont const time results differ\n");
if (BN_cmp(r_simple,r_recp) != 0)
printf("\nsimple and recp results differ\n");
@@ -165,11 +177,13 @@
printf("\nsimple ="); BN_print(out,r_simple);
printf("\nrecp ="); BN_print(out,r_recp);
printf("\nmont ="); BN_print(out,r_mont);
+ printf("\nmont_ct ="); BN_print(out,r_mont_const);
printf("\n");
EXIT(1);
}
}
BN_free(r_mont);
+ BN_free(r_mont_const);
BN_free(r_recp);
BN_free(r_simple);
BN_free(a);
--- openssl-0.9.7a/crypto/bn/bn_err.c.modexp-consttime 2001-02-19 17:05:06.000000000 +0100
+++ openssl-0.9.7a/crypto/bn/bn_err.c 2005-05-18 09:50:19.508808256 +0200
@@ -75,11 +75,15 @@
{ERR_PACK(0,BN_F_BN_CTX_GET,0), "BN_CTX_get"},
{ERR_PACK(0,BN_F_BN_CTX_NEW,0), "BN_CTX_new"},
{ERR_PACK(0,BN_F_BN_DIV,0), "BN_div"},
+{ERR_PACK(0,BN_F_BN_EXP,0), "BN_exp"},
{ERR_PACK(0,BN_F_BN_EXPAND2,0), "bn_expand2"},
{ERR_PACK(0,BN_F_BN_EXPAND_INTERNAL,0), "BN_EXPAND_INTERNAL"},
{ERR_PACK(0,BN_F_BN_MOD_EXP2_MONT,0), "BN_mod_exp2_mont"},
{ERR_PACK(0,BN_F_BN_MOD_EXP_MONT,0), "BN_mod_exp_mont"},
+{ERR_PACK(0,BN_F_BN_MOD_EXP_MONT_CONSTTIME,0), "BN_mod_exp_mont_consttime"},
{ERR_PACK(0,BN_F_BN_MOD_EXP_MONT_WORD,0), "BN_mod_exp_mont_word"},
+{ERR_PACK(0,BN_F_BN_MOD_EXP_RECP,0), "BN_mod_exp_recp"},
+{ERR_PACK(0,BN_F_BN_MOD_EXP_SIMPLE,0), "BN_mod_exp_simple"},
{ERR_PACK(0,BN_F_BN_MOD_INVERSE,0), "BN_mod_inverse"},
{ERR_PACK(0,BN_F_BN_MOD_LSHIFT_QUICK,0), "BN_mod_lshift_quick"},
{ERR_PACK(0,BN_F_BN_MOD_MUL_RECIPROCAL,0), "BN_mod_mul_reciprocal"},
--- openssl-0.9.7a/crypto/bn/expspeed.c.modexp-consttime 2001-03-07 11:03:54.000000000 +0100
+++ openssl-0.9.7a/crypto/bn/expspeed.c 2005-05-18 09:50:19.509808097 +0200
@@ -321,7 +321,7 @@
#else /* TEST_SQRT */
"2*sqrt [prime == %d (mod 64)] %4d %4d mod %4d"
#endif
- " -> %8.3fms %5.1f (%ld)\n",
+ " -> %8.6fms %5.1f (%ld)\n",
#ifdef TEST_SQRT
P_MOD_64,
#endif
--- openssl-0.9.7a/crypto/bn/bn.h.modexp-consttime 2005-05-18 09:49:48.052798844 +0200
+++ openssl-0.9.7a/crypto/bn/bn.h 2005-05-18 09:50:19.512807621 +0200
@@ -225,10 +225,21 @@
#define BN_FLG_MALLOCED 0x01
#define BN_FLG_STATIC_DATA 0x02
+#define BN_FLG_EXP_CONSTTIME 0x04 /* avoid leaking exponent information through timings
+ * (BN_mod_exp_mont() will call BN_mod_exp_mont_consttime) */
#define BN_FLG_FREE 0x8000 /* used for debuging */
#define BN_set_flags(b,n) ((b)->flags|=(n))
#define BN_get_flags(b,n) ((b)->flags&(n))
+#define BN_with_flags(dest,b,n) ((dest)->d=(b)->d, \
+ (dest)->top=(b)->top, \
+ (dest)->dmax=(b)->dmax, \
+ (dest)->neg=(b)->neg, \
+ (dest)->flags=(((dest)->flags & BN_FLG_MALLOCED) \
+ | ((b)->flags & ~BN_FLG_MALLOCED) \
+ | BN_FLG_STATIC_DATA \
+ | (n)))
+
typedef struct bignum_st
{
BN_ULONG *d; /* Pointer to an array of 'BN_BITS2' bit chunks. */
@@ -376,6 +387,8 @@
const BIGNUM *m,BN_CTX *ctx);
int BN_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
+ const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont);
int BN_mod_exp_mont_word(BIGNUM *r, BN_ULONG a, const BIGNUM *p,
const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
int BN_mod_exp2_mont(BIGNUM *r, const BIGNUM *a1, const BIGNUM *p1,
@@ -508,11 +521,15 @@
#define BN_F_BN_CTX_GET 116
#define BN_F_BN_CTX_NEW 106
#define BN_F_BN_DIV 107
+#define BN_F_BN_EXP 123
#define BN_F_BN_EXPAND2 108
#define BN_F_BN_EXPAND_INTERNAL 120
#define BN_F_BN_MOD_EXP2_MONT 118
#define BN_F_BN_MOD_EXP_MONT 109
+#define BN_F_BN_MOD_EXP_MONT_CONSTTIME 124
#define BN_F_BN_MOD_EXP_MONT_WORD 117
+#define BN_F_BN_MOD_EXP_RECP 125
+#define BN_F_BN_MOD_EXP_SIMPLE 126
#define BN_F_BN_MOD_INVERSE 110
#define BN_F_BN_MOD_LSHIFT_QUICK 119
#define BN_F_BN_MOD_MUL_RECIPROCAL 111
--- openssl-0.9.7a/crypto/bn/bntest.c.modexp-consttime 2002-11-28 19:56:43.000000000 +0100
+++ openssl-0.9.7a/crypto/bn/bntest.c 2005-05-18 09:50:19.515807145 +0200
@@ -90,6 +90,7 @@
int test_mod(BIO *bp,BN_CTX *ctx);
int test_mod_mul(BIO *bp,BN_CTX *ctx);
int test_mod_exp(BIO *bp,BN_CTX *ctx);
+int test_mod_exp_mont_consttime(BIO *bp,BN_CTX *ctx);
int test_exp(BIO *bp,BN_CTX *ctx);
int test_kron(BIO *bp,BN_CTX *ctx);
int test_sqrt(BIO *bp,BN_CTX *ctx);
@@ -222,6 +223,10 @@
if (!test_mod_exp(out,ctx)) goto err;
BIO_flush(out);
+ message(out,"BN_mod_exp_mont_consttime");
+ if (!test_mod_exp_mont_consttime(out,ctx)) goto err;
+ BIO_flush(out);
+
message(out,"BN_exp");
if (!test_exp(out,ctx)) goto err;
BIO_flush(out);
@@ -822,6 +827,57 @@
return(1);
}
+int test_mod_exp_mont_consttime(BIO *bp, BN_CTX *ctx)
+ {
+ BIGNUM *a,*b,*c,*d,*e;
+ int i;
+
+ a=BN_new();
+ b=BN_new();
+ c=BN_new();
+ d=BN_new();
+ e=BN_new();
+
+ BN_bntest_rand(c,30,0,1); /* must be odd for montgomery */
+ for (i=0; i<num2; i++)
+ {
+ BN_bntest_rand(a,20+i*5,0,0); /**/
+ BN_bntest_rand(b,2+i,0,0); /**/
+
+ if (!BN_mod_exp_mont_consttime(d,a,b,c,ctx,NULL))
+ return(00);
+
+ if (bp != NULL)
+ {
+ if (!results)
+ {
+ BN_print(bp,a);
+ BIO_puts(bp," ^ ");
+ BN_print(bp,b);
+ BIO_puts(bp," % ");
+ BN_print(bp,c);
+ BIO_puts(bp," - ");
+ }
+ BN_print(bp,d);
+ BIO_puts(bp,"\n");
+ }
+ BN_exp(e,a,b,ctx);
+ BN_sub(e,e,d);
+ BN_div(a,b,e,c,ctx);
+ if(!BN_is_zero(b))
+ {
+ fprintf(stderr,"Modulo exponentiation test failed!\n");
+ return 0;
+ }
+ }
+ BN_free(a);
+ BN_free(b);
+ BN_free(c);
+ BN_free(d);
+ BN_free(e);
+ return(1);
+ }
+
int test_exp(BIO *bp, BN_CTX *ctx)
{
BIGNUM *a,*b,*d,*e,*one;
--- openssl-0.9.7a/crypto/dh/dhtest.c.modexp-consttime 2002-11-28 19:56:48.000000000 +0100
+++ openssl-0.9.7a/crypto/dh/dhtest.c 2005-05-18 09:50:19.517806828 +0200
@@ -143,6 +143,10 @@
b->g=BN_dup(a->g);
if ((b->p == NULL) || (b->g == NULL)) goto err;
+ /* Set a to run with normal modexp and b to use constant time */
+ a->flags &= ~DH_FLAG_NO_EXP_CONSTTIME;
+ b->flags |= DH_FLAG_NO_EXP_CONSTTIME;
+
if (!DH_generate_key(a)) goto err;
BIO_puts(out,"pri 1=");
BN_print(out,a->priv_key);
--- openssl-0.9.7a/crypto/dh/dh_key.c.modexp-consttime 2003-01-30 18:37:40.000000000 +0100
+++ openssl-0.9.7a/crypto/dh/dh_key.c 2005-05-18 09:50:19.519806510 +0200
@@ -142,8 +142,21 @@
l = dh->length ? dh->length : BN_num_bits(dh->p)-1; /* secret exponent length */
if (!BN_rand(priv_key, l, 0, 0)) goto err;
}
- if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, priv_key,dh->p,ctx,mont))
- goto err;
+
+ {
+ BIGNUM local_prk;
+ BIGNUM *prk;
+
+ if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0)
+ {
+ prk = &local_prk;
+ BN_with_flags(prk, priv_key, BN_FLG_EXP_CONSTTIME);
+ }
+ else
+ prk = priv_key;
+
+ if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, prk, dh->p, ctx, mont)) goto err;
+ }
dh->pub_key=pub_key;
dh->priv_key=priv_key;
@@ -181,7 +194,11 @@
if (!BN_MONT_CTX_set((BN_MONT_CTX *)dh->method_mont_p,
dh->p,ctx)) goto err;
}
-
+ if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0)
+ {
+ /* XXX */
+ BN_set_flags(dh->priv_key, BN_FLG_EXP_CONSTTIME);
+ }
mont=(BN_MONT_CTX *)dh->method_mont_p;
if (!dh->meth->bn_mod_exp(dh, tmp, pub_key, dh->priv_key,dh->p,ctx,mont))
{
@@ -201,7 +218,10 @@
const BIGNUM *m, BN_CTX *ctx,
BN_MONT_CTX *m_ctx)
{
- if (a->top == 1)
+ /* If a is only one word long and constant time is false, use the faster
+ * exponenentiation function.
+ */
+ if (a->top == 1 && ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) != 0))
{
BN_ULONG A = a->d[0];
return BN_mod_exp_mont_word(r,A,p,m,ctx,m_ctx);
--- openssl-0.9.7a/crypto/dh/dh.h.modexp-consttime 2005-05-18 09:49:48.066796623 +0200
+++ openssl-0.9.7a/crypto/dh/dh.h 2005-05-18 09:50:19.520806352 +0200
@@ -70,7 +70,14 @@
#include <openssl/crypto.h>
#include <openssl/ossl_typ.h>
-#define DH_FLAG_CACHE_MONT_P 0x01
+#define DH_FLAG_CACHE_MONT_P 0x01
+#define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH
+ * implementation now uses constant time
+ * modular exponentiation for secret exponents
+ * by default. This flag causes the
+ * faster variable sliding window method to
+ * be used for all exponents.
+ */
#ifdef __cplusplus
extern "C" {
--- openssl-0.9.7a/crypto/dsa/dsatest.c.modexp-consttime 2003-01-30 18:37:41.000000000 +0100
+++ openssl-0.9.7a/crypto/dsa/dsatest.c 2005-05-18 09:50:19.522806035 +0200
@@ -200,10 +200,19 @@
BIO_printf(bio_err,"g value is wrong\n");
goto end;
}
+
+ dsa->flags |= DSA_FLAG_NO_EXP_CONSTTIME;
DSA_generate_key(dsa);
DSA_sign(0, str1, 20, sig, &siglen, dsa);
if (DSA_verify(0, str1, 20, sig, siglen, dsa) == 1)
ret=1;
+
+ dsa->flags &= ~DSA_FLAG_NO_EXP_CONSTTIME;
+ DSA_generate_key(dsa);
+ DSA_sign(0, str1, 20, sig, &siglen, dsa);
+ if (DSA_verify(0, str1, 20, sig, siglen, dsa) == 1)
+ ret=1;
+
end:
if (!ret)
ERR_print_errors(bio_err);
--- openssl-0.9.7a/crypto/dsa/dsa.h.modexp-consttime 2005-05-18 09:49:48.132786155 +0200
+++ openssl-0.9.7a/crypto/dsa/dsa.h 2005-05-18 09:50:19.524805717 +0200
@@ -80,6 +80,13 @@
#endif
#define DSA_FLAG_CACHE_MONT_P 0x01
+#define DSA_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DSA
+ * implementation now uses constant time
+ * modular exponentiation for secret exponents
+ * by default. This flag causes the
+ * faster variable sliding window method to
+ * be used for all exponents.
+ */
#ifdef __cplusplus
extern "C" {
--- openssl-0.9.7a/crypto/dsa/dsa_key.c.modexp-consttime 2001-06-20 00:30:11.000000000 +0200
+++ openssl-0.9.7a/crypto/dsa/dsa_key.c 2005-05-18 09:50:19.526805400 +0200
@@ -89,8 +89,21 @@
}
else
pub_key=dsa->pub_key;
+
+ {
+ BIGNUM local_prk;
+ BIGNUM *prk;
- if (!BN_mod_exp(pub_key,dsa->g,priv_key,dsa->p,ctx)) goto err;
+ if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0)
+ {
+ prk = &local_prk;
+ BN_with_flags(prk, priv_key, BN_FLG_EXP_CONSTTIME);
+ }
+ else
+ prk = priv_key;
+
+ if (!BN_mod_exp(pub_key,dsa->g,prk,dsa->p,ctx)) goto err;
+ }
dsa->priv_key=priv_key;
dsa->pub_key=pub_key;
--- openssl-0.9.7a/crypto/dsa/dsa_ossl.c.modexp-consttime 2003-01-30 18:37:41.000000000 +0100
+++ openssl-0.9.7a/crypto/dsa/dsa_ossl.c 2005-05-18 09:50:19.527805241 +0200
@@ -199,6 +199,10 @@
do
if (!BN_rand_range(&k, dsa->q)) goto err;
while (BN_is_zero(&k));
+ if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0)
+ {
+ BN_set_flags(&k, BN_FLG_EXP_CONSTTIME);
+ }
if ((dsa->method_mont_p == NULL) && (dsa->flags & DSA_FLAG_CACHE_MONT_P))
{
--- openssl-0.9.7a/crypto/rsa/rsa_eay.c.modexp-consttime 2005-05-18 09:49:48.742689402 +0200
+++ openssl-0.9.7a/crypto/rsa/rsa_eay.c 2005-05-18 09:50:19.563799530 +0200
@@ -55,6 +55,59 @@
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
+/* ====================================================================
+ * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core at openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay at cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh at cryptsoft.com).
+ *
+ */
#include <stdio.h>
#include "cryptlib.h"
@@ -313,10 +366,22 @@
(rsa->dmp1 != NULL) &&
(rsa->dmq1 != NULL) &&
(rsa->iqmp != NULL)) )
- { if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
+ {
+ if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err;
+ }
else
{
- if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err;
+ BIGNUM local_d;
+ BIGNUM *d = NULL;
+
+ if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME))
+ {
+ d = &local_d;
+ BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME);
+ }
+ else
+ d = rsa->d;
+ if (!rsa->meth->bn_mod_exp(&ret,&f,d,rsa->n,ctx,NULL)) goto err;
}
if (rsa->flags & RSA_FLAG_BLINDING)
@@ -404,10 +469,22 @@
(rsa->dmp1 != NULL) &&
(rsa->dmq1 != NULL) &&
(rsa->iqmp != NULL)) )
- { if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
+ {
+ if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err;
+ }
else
{
- if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL))
+ BIGNUM local_d;
+ BIGNUM *d = NULL;
+
+ if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME))
+ {
+ d = &local_d;
+ BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME);
+ }
+ else
+ d = rsa->d;
+ if (!rsa->meth->bn_mod_exp(&ret,&f,d,rsa->n,ctx,NULL))
goto err;
}
@@ -555,6 +632,8 @@
static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
{
BIGNUM r1,m1,vrfy;
+ BIGNUM local_dmp1, local_dmq1;
+ BIGNUM *dmp1, *dmq1;
int ret=0;
BN_CTX *ctx;
@@ -615,11 +694,25 @@
}
if (!BN_mod(&r1,I,rsa->q,ctx)) goto err;
- if (!rsa->meth->bn_mod_exp(&m1,&r1,rsa->dmq1,rsa->q,ctx,
+ if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME))
+ {
+ dmq1 = &local_dmq1;
+ BN_with_flags(dmq1, rsa->dmq1, BN_FLG_EXP_CONSTTIME);
+ }
+ else
+ dmq1 = rsa->dmq1;
+ if (!rsa->meth->bn_mod_exp(&m1,&r1,dmq1,rsa->q,ctx,
rsa->_method_mod_q)) goto err;
if (!BN_mod(&r1,I,rsa->p,ctx)) goto err;
- if (!rsa->meth->bn_mod_exp(r0,&r1,rsa->dmp1,rsa->p,ctx,
+ if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME))
+ {
+ dmp1 = &local_dmp1;
+ BN_with_flags(dmp1, rsa->dmp1, BN_FLG_EXP_CONSTTIME);
+ }
+ else
+ dmp1 = rsa->dmp1;
+ if (!rsa->meth->bn_mod_exp(r0,&r1,dmp1,rsa->p,ctx,
rsa->_method_mod_p)) goto err;
if (!BN_sub(r0,r0,&m1)) goto err;
@@ -654,10 +747,23 @@
if (vrfy.neg)
if (!BN_add(&vrfy, &vrfy, rsa->n)) goto err;
if (!BN_is_zero(&vrfy))
+ {
/* 'I' and 'vrfy' aren't congruent mod n. Don't leak
* miscalculated CRT output, just do a raw (slower)
* mod_exp and return that instead. */
- if (!rsa->meth->bn_mod_exp(r0,I,rsa->d,rsa->n,ctx,NULL)) goto err;
+
+ BIGNUM local_d;
+ BIGNUM *d = NULL;
+
+ if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME))
+ {
+ d = &local_d;
+ BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME);
+ }
+ else
+ d = rsa->d;
+ if (!rsa->meth->bn_mod_exp(r0,I,d,rsa->n,ctx,NULL)) goto err;
+ }
}
ret=1;
err:
--- openssl-0.9.7a/crypto/rsa/rsa_test.c.modexp-consttime 2003-01-30 18:37:46.000000000 +0100
+++ openssl-0.9.7a/crypto/rsa/rsa_test.c 2005-05-18 09:50:19.565799213 +0200
@@ -230,10 +230,10 @@
plen = sizeof(ptext_ex) - 1;
- for (v = 0; v < 3; v++)
+ for (v = 0; v < 6; v++)
{
key = RSA_new();
- switch (v) {
+ switch (v%3) {
case 0:
clen = key1(key, ctext_ex);
break;
@@ -244,6 +244,7 @@
clen = key3(key, ctext_ex);
break;
}
+ if (v/3 > 1) key->flags |= RSA_FLAG_NO_EXP_CONSTTIME;
num = RSA_public_encrypt(plen, ptext_ex, ctext, key,
RSA_PKCS1_PADDING);
--- openssl-0.9.7a/crypto/rsa/rsa.h.modexp-consttime 2005-05-18 09:49:48.219772356 +0200
+++ openssl-0.9.7a/crypto/rsa/rsa.h 2005-05-18 09:55:19.573051827 +0200
@@ -169,6 +169,13 @@
/* This flag in the RSA_METHOD enables the new rsa_sign, rsa_verify functions.
*/
#define RSA_FLAG_SIGN_VER 0x40
+#define RSA_FLAG_NO_EXP_CONSTTIME 0x100 /* the built-in RSA
+ * implementation now uses constant time
+ * modular exponentiation for secret exponents
+ * by default. This flag causes the
+ * faster variable sliding window method to
+ * be used for all exponents.
+ */
#define RSA_PKCS1_PADDING 1
#define RSA_SSLV23_PADDING 2
Index: openssl.spec
===================================================================
RCS file: /cvs/dist/rpms/openssl/FC-3/openssl.spec,v
retrieving revision 1.42
retrieving revision 1.43
diff -u -r1.42 -r1.43
--- openssl.spec 19 Nov 2004 20:09:10 -0000 1.42
+++ openssl.spec 20 May 2005 15:10:58 -0000 1.43
@@ -21,7 +21,7 @@
Summary: The OpenSSL toolkit.
Name: openssl
Version: 0.9.7a
-Release: 42
+Release: 42.1
Source: openssl-%{version}-usa.tar.bz2
Source1: hobble-openssl
Source2: Makefile.certificate
@@ -60,6 +60,7 @@
Patch42: openssl-0.9.7a-krb5.patch
Patch43: openssl-0.9.7a-krb5-security.patch
Patch44: openssl-0.9.7a-dccs.patch
+Patch45: openssl-0.9.7a-can-2005-0109.patch
License: BSDish
Group: System Environment/Libraries
URL: http://www.openssl.org/
@@ -150,6 +151,7 @@
# Security fixes
%patch43 -p1 -b .krb5-security
%patch44 -p1 -b .dccs
+%patch45 -p1 -b .modexp-consttime
# Modify the various perl scripts to reference perl in the right location.
perl util/perlpath.pl `dirname %{__perl}`
@@ -406,6 +408,10 @@
%postun -p /sbin/ldconfig
%changelog
+* Fri May 20 2005 Tomas Mraz <tmraz at redhat.com> 0.9.7a-42.1
+- fix CAN-2005-0109 - use constant time/memory access mod_exp
+ so bits of private key aren't leaked by cache eviction (#157631)
+
* Fri Nov 19 2004 Nalin Dahyabhai <nalin at redhat.com> 0.9.7a-42
- rebuild
More information about the fedora-cvs-commits
mailing list