author | Samuel Weiser <samuel.weiser@iaik.tugraz.at> | 2018-02-21 12:56:01 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2018-02-21 12:56:44 +0100 |
commit | 8db7946ee879ce483f4c81141926e1357aa6b941 (patch) | |
tree | d140b78aa25a32d5ae7e0f8d8b52d85674090036 /crypto/rsa/rsa_gen.c | |
parent | Sanity check the ticket length before using key name/IV (diff) | |
Replaced variable-time GCD with consttime inversion to avoid side-channel attacks on RSA key generation
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/5161)
Diffstat (limited to '')
-rw-r--r-- | crypto/rsa/rsa_gen.c | 17 |
1 files changed, 14 insertions, 3 deletions
diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c
index 4b9296e46c..0539027504 100644
--- a/crypto/rsa/rsa_gen.c
+++ b/crypto/rsa/rsa_gen.c
@@ -71,6 +71,7 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, int primes, BIGNUM *e_value,
     STACK_OF(RSA_PRIME_INFO) *prime_infos = NULL;
     BN_CTX *ctx = NULL;
     BN_ULONG bitst = 0;
+    unsigned long error = 0;
 
     if (bits < RSA_MIN_MODULUS_BITS) {
         ok = 0; /* we set our own err */
@@ -186,10 +187,20 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, int primes, BIGNUM *e_value,
             }
             if (!BN_sub(r2, prime, BN_value_one()))
                 goto err;
-            if (!BN_gcd(r1, r2, rsa->e, ctx))
-                goto err;
-            if (BN_is_one(r1))
+            ERR_set_mark();
+            BN_set_flags(r2, BN_FLG_CONSTTIME);
+            if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) {
+                /* GCD == 1 since inverse exists */
                 break;
+            }
+            error = ERR_peek_last_error();
+            if (ERR_GET_LIB(error) == ERR_LIB_BN
+                && ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
+                /* GCD != 1 */
+                ERR_pop_to_mark();
+            } else {
+                goto err;
+            }
             if (!BN_GENCB_call(cb, 2, n++))
                 goto err;
         }
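Review bot: The new lines in the second hunk never say why a modular inverse is computed when only the gcd of p-1 and e is needed, so a later cleanup could put the variable-time BN_gcd back without noticing the regression; a comment above `ERR_set_mark();` such as `/* p-1 is secret: use the constant-time inverse (BN_FLG_CONSTTIME on r2) rather than variable-time BN_gcd; the inverse exists iff gcd(p-1, e) == 1 */` would pin the intent. The mark set by `ERR_set_mark()` is only popped on the BN_R_NO_INVERSE branch; on the `break` path it appears to stay on the error stack, which is a no-op when the stack is empty but could otherwise make a caller's later `ERR_pop_to_mark()` stop early — `ERR_clear_last_mark()` before `break`, if this tree already provides it, would tidy that. `ERR_peek_last_error()` reports whatever entry is on top, so if BN_mod_inverse ever returned NULL without raising, a stale BN_R_NO_INVERSE entry from earlier would be misread as "no inverse" and the loop would continue; presumably every failure path in BN_mod_inverse raises an error, so this is a hedge rather than a defect. rsa_builtin_keygen starts before and ends after the hunk.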