Commit 8db7946e authored by Samuel Weiser, committed by Matt Caswell

Replaced variable-time GCD with consttime inversion to avoid side-channel...


Replaced variable-time GCD with consttime inversion to avoid side-channel attacks on RSA key generation

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/5161)
parent ee763495
+14 −3
@@ -71,6 +71,7 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, int primes, BIGNUM *e_value,
    STACK_OF(RSA_PRIME_INFO) *prime_infos = NULL;
    BN_CTX *ctx = NULL;
    BN_ULONG bitst = 0;
    unsigned long error = 0;

    if (bits < RSA_MIN_MODULUS_BITS) {
        ok = 0;             /* we set our own err */
@@ -186,10 +187,20 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, int primes, BIGNUM *e_value,
            }
            if (!BN_sub(r2, prime, BN_value_one()))
                goto err;
            if (!BN_gcd(r1, r2, rsa->e, ctx))
                goto err;
            if (BN_is_one(r1))
            ERR_set_mark();
            BN_set_flags(r2, BN_FLG_CONSTTIME);
            if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) {
               /* GCD == 1 since inverse exists */
                break;
            }
            error = ERR_peek_last_error();
            if (ERR_GET_LIB(error) == ERR_LIB_BN
                && ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
                /* GCD != 1 */
                ERR_pop_to_mark();
            } else {
                goto err;
            }
            if (!BN_GENCB_call(cb, 2, n++))
                goto err;
        }
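Review bot: The mark pushed by `ERR_set_mark()` at the top of each iteration is only removed on the BN_R_NO_INVERSE path; when `BN_mod_inverse()` succeeds the loop breaks with the mark still in place, and the `goto err` path leaves it too, so a caller's later `ERR_pop_to_mark()` can stop at this stale mark and leave unrelated earlier entries on the queue (this only matters when the error queue was non-empty on entry, since a mark attaches to the current top entry). Since a successful inverse queues no errors, the cheapest fix is to clear the mark before leaving the loop: `ERR_pop_to_mark();` immediately before `break;`. Note also that `BN_FLG_CONSTTIME` set on the BN_CTX-owned `r2` presumably stays on that BIGNUM for the rest of the function, which looks intentional (p-1 is secret) but is worth a comment such as `/* keep r2 constant-time for the remainder of keygen */`. The `/* GCD == 1 since inverse exists */` comment is indented one column short of the `break;` it describes. The enclosing function rsa_builtin_keygen starts and ends outside this hunk.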