|
 |
ad56ed |
diff -up openssl-1.0.2k/crypto/rsa/rsa_gen.c.gen-timing openssl-1.0.2k/crypto/rsa/rsa_gen.c
|
|
|
ad56ed |
--- openssl-1.0.2k/crypto/rsa/rsa_gen.c.gen-timing 2018-06-18 13:46:24.323138691 +0200
|
|
|
ad56ed |
+++ openssl-1.0.2k/crypto/rsa/rsa_gen.c 2018-06-18 14:53:26.361975922 +0200
|
|
|
ad56ed |
@@ -1,6 +1,6 @@
|
|
|
ad56ed |
/* crypto/rsa/rsa_gen.c */
|
|
|
ad56ed |
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
|
|
|
ad56ed |
- * Copyright (C) 2013 Red Hat, Inc.
|
|
|
ad56ed |
+ * Copyright (C) 2013, 2018 Red Hat, Inc.
|
|
|
ad56ed |
* All rights reserved.
|
|
|
ad56ed |
*
|
|
|
ad56ed |
* This package is an SSL implementation written
|
|
|
ad56ed |
@@ -175,14 +175,13 @@ static int FIPS_rsa_builtin_keygen(RSA *
|
|
|
ad56ed |
BN_GENCB *cb)
|
|
|
ad56ed |
{
|
|
|
ad56ed |
BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp;
|
|
|
ad56ed |
- BIGNUM local_r0, local_d, local_p;
|
|
|
ad56ed |
- BIGNUM *pr0, *d, *p;
|
|
|
ad56ed |
BN_CTX *ctx = NULL;
|
|
|
ad56ed |
int ok = -1;
|
|
|
ad56ed |
int i;
|
|
|
ad56ed |
int n = 0;
|
|
|
ad56ed |
int test = 0;
|
|
|
ad56ed |
int pbits = bits / 2;
|
|
|
ad56ed |
+ unsigned long error = 0;
|
|
|
ad56ed |
|
|
|
ad56ed |
if (FIPS_selftest_failed()) {
|
|
|
ad56ed |
FIPSerr(FIPS_F_RSA_BUILTIN_KEYGEN, FIPS_R_FIPS_SELFTEST_FAILED);
|
|
|
ad56ed |
@@ -251,6 +250,12 @@ static int FIPS_rsa_builtin_keygen(RSA *
|
|
|
ad56ed |
if (!BN_is_zero(rsa->p) && !BN_is_zero(rsa->q))
|
|
|
ad56ed |
test = 1;
|
|
|
ad56ed |
|
|
|
ad56ed |
+ BN_set_flags(r0, BN_FLG_CONSTTIME);
|
|
|
ad56ed |
+ BN_set_flags(r1, BN_FLG_CONSTTIME);
|
|
|
ad56ed |
+ BN_set_flags(r2, BN_FLG_CONSTTIME);
|
|
|
ad56ed |
+ BN_set_flags(rsa->p, BN_FLG_CONSTTIME);
|
|
|
ad56ed |
+ BN_set_flags(rsa->q, BN_FLG_CONSTTIME);
|
|
|
ad56ed |
+
|
|
|
ad56ed |
retry:
|
|
|
ad56ed |
/* generate p and q */
|
|
|
ad56ed |
for (i = 0; i < 5 * pbits; i++) {
|
|
|
ad56ed |
@@ -266,9 +271,9 @@ static int FIPS_rsa_builtin_keygen(RSA *
|
|
|
ad56ed |
|
|
|
ad56ed |
if (!BN_sub(r2, rsa->p, BN_value_one()))
|
|
|
ad56ed |
goto err;
|
|
|
ad56ed |
- if (!BN_gcd(r1, r2, rsa->e, ctx))
|
|
|
ad56ed |
- goto err;
|
|
|
ad56ed |
- if (BN_is_one(r1)) {
|
|
|
ad56ed |
+ ERR_set_mark();
|
|
|
ad56ed |
+ if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) {
|
|
|
ad56ed |
+ /* GCD == 1 since inverse exists */
|
|
|
ad56ed |
int r;
|
|
|
ad56ed |
r = BN_is_prime_fasttest_ex(rsa->p, pbits > 1024 ? 4 : 5, ctx, 0,
|
|
|
ad56ed |
cb);
|
|
|
ad56ed |
@@ -276,8 +281,16 @@ static int FIPS_rsa_builtin_keygen(RSA *
|
|
|
ad56ed |
goto err;
|
|
|
ad56ed |
if (r > 0)
|
|
|
ad56ed |
break;
|
|
|
ad56ed |
+ } else {
|
|
|
ad56ed |
+ error = ERR_peek_last_error();
|
|
|
ad56ed |
+ if (ERR_GET_LIB(error) == ERR_LIB_BN
|
|
|
ad56ed |
+ && ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
|
|
|
ad56ed |
+ /* GCD != 1 */
|
|
|
ad56ed |
+ ERR_pop_to_mark();
|
|
|
ad56ed |
+ } else {
|
|
|
ad56ed |
+ goto err;
|
|
|
ad56ed |
+ }
|
|
|
ad56ed |
}
|
|
|
ad56ed |
-
|
|
|
ad56ed |
if (!BN_GENCB_call(cb, 2, n++))
|
|
|
ad56ed |
goto err;
|
|
|
ad56ed |
}
|
|
|
ad56ed |
@@ -309,9 +322,9 @@ static int FIPS_rsa_builtin_keygen(RSA *
|
|
|
ad56ed |
|
|
|
ad56ed |
if (!BN_sub(r2, rsa->q, BN_value_one()))
|
|
|
ad56ed |
goto err;
|
|
|
ad56ed |
- if (!BN_gcd(r1, r2, rsa->e, ctx))
|
|
|
ad56ed |
- goto err;
|
|
|
ad56ed |
- if (BN_is_one(r1)) {
|
|
|
ad56ed |
+ ERR_set_mark();
|
|
|
ad56ed |
+ if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) {
|
|
|
ad56ed |
+ /* GCD == 1 since inverse exists */
|
|
|
ad56ed |
int r;
|
|
|
ad56ed |
r = BN_is_prime_fasttest_ex(rsa->q, pbits > 1024 ? 4 : 5, ctx, 0,
|
|
|
ad56ed |
cb);
|
|
|
ad56ed |
@@ -319,8 +332,16 @@ static int FIPS_rsa_builtin_keygen(RSA *
|
|
|
ad56ed |
goto err;
|
|
|
ad56ed |
if (r > 0)
|
|
|
ad56ed |
break;
|
|
|
ad56ed |
+ } else {
|
|
|
ad56ed |
+ error = ERR_peek_last_error();
|
|
|
ad56ed |
+ if (ERR_GET_LIB(error) == ERR_LIB_BN
|
|
|
ad56ed |
+ && ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
|
|
|
ad56ed |
+ /* GCD != 1 */
|
|
|
ad56ed |
+ ERR_pop_to_mark();
|
|
|
ad56ed |
+ } else {
|
|
|
ad56ed |
+ goto err;
|
|
|
ad56ed |
+ }
|
|
|
ad56ed |
}
|
|
|
ad56ed |
-
|
|
|
ad56ed |
if (!BN_GENCB_call(cb, 2, n++))
|
|
|
ad56ed |
goto err;
|
|
|
ad56ed |
}
|
|
|
ad56ed |
@@ -355,51 +376,44 @@ static int FIPS_rsa_builtin_keygen(RSA *
|
|
|
ad56ed |
if (!BN_sub(r2, rsa->q, BN_value_one()))
|
|
|
ad56ed |
goto err; /* q-1 */
|
|
|
ad56ed |
|
|
|
ad56ed |
+ /* note that computing gcd is not safe to timing attacks */
|
|
|
ad56ed |
if (!BN_gcd(r0, r1, r2, ctx))
|
|
|
ad56ed |
goto err;
|
|
|
ad56ed |
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
|
|
|
ad56ed |
- pr0 = &local_r0;
|
|
|
ad56ed |
- BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
|
|
|
ad56ed |
- } else
|
|
|
ad56ed |
- pr0 = r0;
|
|
|
ad56ed |
- if (!BN_div(r0, NULL, r1, pr0, ctx))
|
|
|
ad56ed |
- goto err;
|
|
|
ad56ed |
- if (!BN_mul(r0, r0, r2, ctx))
|
|
|
ad56ed |
- goto err; /* lcm(p-1, q-1) */
|
|
|
ad56ed |
-
|
|
|
ad56ed |
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
|
|
|
ad56ed |
- pr0 = &local_r0;
|
|
|
ad56ed |
- BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
|
|
|
ad56ed |
- } else
|
|
|
ad56ed |
- pr0 = r0;
|
|
|
ad56ed |
- if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx))
|
|
|
ad56ed |
- goto err; /* d */
|
|
|
ad56ed |
+
|
|
|
ad56ed |
+ {
|
|
|
ad56ed |
+ if (!BN_div(r0, NULL, r1, r0, ctx))
|
|
|
ad56ed |
+ goto err;
|
|
|
ad56ed |
+
|
|
|
ad56ed |
+ if (!BN_mul(r0, r0, r2, ctx)) /* lcm(p-1, q-1) */
|
|
|
ad56ed |
+ goto err;
|
|
|
ad56ed |
+
|
|
|
ad56ed |
+ if (!BN_mod_inverse(rsa->d, rsa->e, r0, ctx)) /* d */
|
|
|
ad56ed |
+ goto err;
|
|
|
ad56ed |
+ }
|
|
|
ad56ed |
|
|
|
ad56ed |
if (BN_num_bits(rsa->d) < pbits)
|
|
|
ad56ed |
goto retry; /* d is too small */
|
|
|
ad56ed |
|
|
|
ad56ed |
- /* set up d for correct BN_FLG_CONSTTIME flag */
|
|
|
ad56ed |
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
|
|
|
ad56ed |
- d = &local_d;
|
|
|
ad56ed |
- BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
|
|
|
ad56ed |
- } else
|
|
|
ad56ed |
- d = rsa->d;
|
|
|
ad56ed |
+ {
|
|
|
ad56ed |
+ BIGNUM *d = BN_new();
|
|
|
ad56ed |
|
|
|
ad56ed |
- /* calculate d mod (p-1) */
|
|
|
ad56ed |
- if (!BN_mod(rsa->dmp1, d, r1, ctx))
|
|
|
ad56ed |
- goto err;
|
|
|
ad56ed |
+ if (d == NULL)
|
|
|
ad56ed |
+ goto err;
|
|
|
ad56ed |
+ BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
|
|
|
ad56ed |
|
|
|
ad56ed |
- /* calculate d mod (q-1) */
|
|
|
ad56ed |
- if (!BN_mod(rsa->dmq1, d, r2, ctx))
|
|
|
ad56ed |
- goto err;
|
|
|
ad56ed |
+ if (/* calculate d mod (p-1) */
|
|
|
ad56ed |
+ !BN_mod(rsa->dmp1, d, r1, ctx)
|
|
|
ad56ed |
+ /* calculate d mod (q-1) */
|
|
|
ad56ed |
+ || !BN_mod(rsa->dmq1, d, r2, ctx)) {
|
|
|
ad56ed |
+ BN_free(d);
|
|
|
ad56ed |
+ goto err;
|
|
|
ad56ed |
+ }
|
|
|
ad56ed |
+ /* We MUST free d before any further use of rsa->d */
|
|
|
ad56ed |
+ BN_free(d);
|
|
|
ad56ed |
+ }
|
|
|
ad56ed |
|
|
|
ad56ed |
/* calculate inverse of q mod p */
|
|
|
ad56ed |
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
|
|
|
ad56ed |
- p = &local_p;
|
|
|
ad56ed |
- BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
|
|
|
ad56ed |
- } else
|
|
|
ad56ed |
- p = rsa->p;
|
|
|
ad56ed |
- if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx))
|
|
|
ad56ed |
+ if (!BN_mod_inverse(rsa->iqmp, rsa->q, rsa->p, ctx))
|
|
|
ad56ed |
goto err;
|
|
|
ad56ed |
|
|
|
ad56ed |
if (fips_rsa_pairwise_fail)
|
|
|
ad56ed |
@@ -431,6 +445,17 @@ static int rsa_builtin_keygen(RSA *rsa,
|
|
|
ad56ed |
BIGNUM *pr0, *d, *p;
|
|
|
ad56ed |
int bitsp, bitsq, ok = -1, n = 0;
|
|
|
ad56ed |
BN_CTX *ctx = NULL;
|
|
|
ad56ed |
+ unsigned long error = 0;
|
|
|
ad56ed |
+
|
|
|
ad56ed |
+ /*
|
|
|
ad56ed |
+ * When generating ridiculously small keys, we can get stuck
|
|
|
ad56ed |
+ * continually regenerating the same prime values.
|
|
|
ad56ed |
+ */
|
|
|
ad56ed |
+ if (bits < 16) {
|
|
|
ad56ed |
+ ok = 0; /* we set our own err */
|
|
|
ad56ed |
+ RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_SIZE_TOO_SMALL);
|
|
|
ad56ed |
+ goto err;
|
|
|
ad56ed |
+ }
|
|
|
ad56ed |
|
|
|
ad56ed |
#ifdef OPENSSL_FIPS
|
|
|
ad56ed |
if (FIPS_module_mode()) {
|
|
|
ad56ed |
@@ -483,45 +508,55 @@ static int rsa_builtin_keygen(RSA *rsa,
|
|
|
ad56ed |
if (BN_copy(rsa->e, e_value) == NULL)
|
|
|
ad56ed |
goto err;
|
|
|
ad56ed |
|
|
|
ad56ed |
+ BN_set_flags(rsa->p, BN_FLG_CONSTTIME);
|
|
|
ad56ed |
+ BN_set_flags(rsa->q, BN_FLG_CONSTTIME);
|
|
|
ad56ed |
+ BN_set_flags(r2, BN_FLG_CONSTTIME);
|
|
|
ad56ed |
/* generate p and q */
|
|
|
ad56ed |
for (;;) {
|
|
|
ad56ed |
if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb))
|
|
|
ad56ed |
goto err;
|
|
|
ad56ed |
if (!BN_sub(r2, rsa->p, BN_value_one()))
|
|
|
ad56ed |
goto err;
|
|
|
ad56ed |
- if (!BN_gcd(r1, r2, rsa->e, ctx))
|
|
|
ad56ed |
- goto err;
|
|
|
ad56ed |
- if (BN_is_one(r1))
|
|
|
ad56ed |
+ ERR_set_mark();
|
|
|
ad56ed |
+ if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) {
|
|
|
ad56ed |
+ /* GCD == 1 since inverse exists */
|
|
|
ad56ed |
break;
|
|
|
ad56ed |
+ }
|
|
|
ad56ed |
+ error = ERR_peek_last_error();
|
|
|
ad56ed |
+ if (ERR_GET_LIB(error) == ERR_LIB_BN
|
|
|
ad56ed |
+ && ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
|
|
|
ad56ed |
+ /* GCD != 1 */
|
|
|
ad56ed |
+ ERR_pop_to_mark();
|
|
|
ad56ed |
+ } else {
|
|
|
ad56ed |
+ goto err;
|
|
|
ad56ed |
+ }
|
|
|
ad56ed |
if (!BN_GENCB_call(cb, 2, n++))
|
|
|
ad56ed |
goto err;
|
|
|
ad56ed |
}
|
|
|
ad56ed |
if (!BN_GENCB_call(cb, 3, 0))
|
|
|
ad56ed |
goto err;
|
|
|
ad56ed |
for (;;) {
|
|
|
ad56ed |
- /*
|
|
|
ad56ed |
- * When generating ridiculously small keys, we can get stuck
|
|
|
ad56ed |
- * continually regenerating the same prime values. Check for this and
|
|
|
ad56ed |
- * bail if it happens 3 times.
|
|
|
ad56ed |
- */
|
|
|
ad56ed |
- unsigned int degenerate = 0;
|
|
|
ad56ed |
do {
|
|
|
ad56ed |
if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb))
|
|
|
ad56ed |
goto err;
|
|
|
ad56ed |
if (!BN_sub(r2, rsa->q, rsa->p))
|
|
|
ad56ed |
goto err;
|
|
|
ad56ed |
- } while ((BN_ucmp(r2, r3) <= 0) && (++degenerate < 3));
|
|
|
ad56ed |
- if (degenerate == 3) {
|
|
|
ad56ed |
- ok = 0; /* we set our own err */
|
|
|
ad56ed |
- RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_SIZE_TOO_SMALL);
|
|
|
ad56ed |
- goto err;
|
|
|
ad56ed |
- }
|
|
|
ad56ed |
+ } while (BN_ucmp(r2, r3) <= 0);
|
|
|
ad56ed |
if (!BN_sub(r2, rsa->q, BN_value_one()))
|
|
|
ad56ed |
goto err;
|
|
|
ad56ed |
- if (!BN_gcd(r1, r2, rsa->e, ctx))
|
|
|
ad56ed |
- goto err;
|
|
|
ad56ed |
- if (BN_is_one(r1))
|
|
|
ad56ed |
+ ERR_set_mark();
|
|
|
ad56ed |
+ if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) {
|
|
|
ad56ed |
+ /* GCD == 1 since inverse exists */
|
|
|
ad56ed |
break;
|
|
|
ad56ed |
+ }
|
|
|
ad56ed |
+ error = ERR_peek_last_error();
|
|
|
ad56ed |
+ if (ERR_GET_LIB(error) == ERR_LIB_BN
|
|
|
ad56ed |
+ && ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
|
|
|
ad56ed |
+ /* GCD != 1 */
|
|
|
ad56ed |
+ ERR_pop_to_mark();
|
|
|
ad56ed |
+ } else {
|
|
|
ad56ed |
+ goto err;
|
|
|
ad56ed |
+ }
|
|
|
ad56ed |
if (!BN_GENCB_call(cb, 2, n++))
|
|
|
ad56ed |
goto err;
|
|
|
ad56ed |
}
|