Commit 3c97136e authored by Nicola Tuveri's avatar Nicola Tuveri
Browse files

Test for constant-time flag leakage in BN_CTX 



This commit adds a simple unit test to make sure that the constant-time
flag does not "leak" among BN_CTX frames:

- test_ctx_consttime_flag() initializes (and later frees before
  returning) a BN_CTX object, then it calls in sequence
  test_ctx_set_ct_flag() and test_ctx_check_ct_flag() using the same
  BN_CTX object. The process is run twice, once with a "normal"
  BN_CTX_new() object, then with a BN_CTX_secure_new() one.
- test_ctx_set_ct_flag() starts a frame in the given BN_CTX and sets the
  BN_FLG_CONSTTIME flag on some of the BIGNUMs obtained from the frame
  before ending it.
- test_ctx_check_ct_flag() then starts a new frame and gets a number of
  BIGNUMs from it. In absence of leaks, none of the BIGNUMs in the new
  frame should have BN_FLG_CONSTTIME set.

In actual BN_CTX usage inside libcrypto the leak could happen at any
depth level in the BN_CTX stack, with varying results depending on the
patterns of sibling trees of nested function calls sharing the same
BN_CTX object, and the effect of unintended BN_FLG_CONSTTIME on the
called BN_* functions.

This simple unit test abstracts away this complexity and verifies that
the leak does not happen between two sibling functions sharing the same
BN_CTX object at the same level of nesting.

(cherry picked from commit fe16ae5f)

Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8253)
parent d11e4bcd

test/bntest.c

+122 −39
Original line number Diff line number Diff line 
/*

 * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.

 * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.

 *

 * Licensed under the OpenSSL license (the "License").  You may not use

 * this file except in compliance with the License.  You can obtain a copy
@@ -138,7 +138,6 @@ static int equalBN(const char *op, const BIGNUM *expected, const BIGNUM *actual) 
    return 0;

}





/*

 * Return a "random" flag for if a BN should be negated.

 */
@@ -150,7 +149,6 @@ static int rand_neg(void) 
    return sign[(neg++) % 8];

}





static int test_swap(void)

{

    BIGNUM *a = NULL, *b = NULL, *c = NULL, *d = NULL;
@@ -259,7 +257,6 @@ err: 
    return st;

}





static int test_div_recip(void)

{

    BIGNUM *a = NULL, *b = NULL, *c = NULL, *d = NULL, *e = NULL;
@@ -303,7 +300,6 @@ err: 
    return st;

}





static int test_mod(void)

{

    BIGNUM *a = NULL, *b = NULL, *c = NULL, *d = NULL, *e = NULL;
@@ -2200,6 +2196,92 @@ err: 
    return ret;

}



static int test_ctx_set_ct_flag(BN_CTX *c)

{

    int st = 0;

    size_t i;

    BIGNUM *b[15];



    BN_CTX_start(c);

    for (i = 0; i < OSSL_NELEM(b); i++) {

        if (!TEST_ptr(b[i] = BN_CTX_get(c)))

            goto err;

        if (i % 2 == 1)

            BN_set_flags(b[i], BN_FLG_CONSTTIME);

    }



    st = 1;

 err:

    BN_CTX_end(c);

    return st;

}



static int test_ctx_check_ct_flag(BN_CTX *c)

{

    int st = 0;

    size_t i;

    BIGNUM *b[30];



    BN_CTX_start(c);

    for (i = 0; i < OSSL_NELEM(b); i++) {

        if (!TEST_ptr(b[i] = BN_CTX_get(c)))

            goto err;

        if (!TEST_false(BN_get_flags(b[i], BN_FLG_CONSTTIME)))

            goto err;

    }



    st = 1;

 err:

    BN_CTX_end(c);

    return st;

}



static int test_ctx_consttime_flag(void)

{

    /*-

     * The constant-time flag should not "leak" among BN_CTX frames:

     *

     * - test_ctx_set_ct_flag() starts a frame in the given BN_CTX and

     *   sets the BN_FLG_CONSTTIME flag on some of the BIGNUMs obtained

     *   from the frame before ending it.

     * - test_ctx_check_ct_flag() then starts a new frame and gets a

     *   number of BIGNUMs from it. In absence of leaks, none of the

     *   BIGNUMs in the new frame should have BN_FLG_CONSTTIME set.

     *

     * In actual BN_CTX usage inside libcrypto the leak could happen at

     * any depth level in the BN_CTX stack, with varying results

     * depending on the patterns of sibling trees of nested function

     * calls sharing the same BN_CTX object, and the effect of

     * unintended BN_FLG_CONSTTIME on the called BN_* functions.

     *

     * This simple unit test abstracts away this complexity and verifies

     * that the leak does not happen between two sibling functions

     * sharing the same BN_CTX object at the same level of nesting.

     *

     */

    BN_CTX *nctx = NULL;

    BN_CTX *sctx = NULL;

    size_t i = 0;

    int st = 0;



    if (!TEST_ptr(nctx = BN_CTX_new())

            || !TEST_ptr(sctx = BN_CTX_secure_new()))

        goto err;



    for (i = 0; i < 2; i++) {

        BN_CTX *c = i == 0 ? nctx : sctx;

        if (!TEST_true(test_ctx_set_ct_flag(c))

                || !TEST_true(test_ctx_check_ct_flag(c)))

            goto err;

    }



    st = 1;

 err:

    BN_CTX_free(nctx);

    BN_CTX_free(sctx);

    return st;

}



static int file_test_run(STANZA *s)

{

    static const FILETEST filetests[] = {
@@ -2287,6 +2369,7 @@ int setup_tests(void) 
        ADD_TEST(test_expmodone);

        ADD_TEST(test_smallprime);

        ADD_TEST(test_swap);

        ADD_TEST(test_ctx_consttime_flag);

#ifndef OPENSSL_NO_EC2M

        ADD_TEST(test_gf2m_add);

        ADD_TEST(test_gf2m_mod);