Loading CHANGES +12 −1 Original line number Diff line number Diff line Loading @@ -469,8 +469,19 @@ in ssl3_get_client_key_exchange (ssl/s3_srvr.c). [Bodo Moeller] *) Turn on RSA blinding by default in the default implementation to avoid a timing attack. Applications that don't want it can call RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING. They would be ill-advised to do so in most cases. [Ben Laurie, Steve Henson, Geoff Thorpe] *) Change RSA blinding code so that it works when the PRNG is not seeded (in this case, the secret RSA exponent is abused as an unpredictable seed -- if it is not unpredictable, there is no point in blinding anyway). [Bodo Moeller] yet to be integrated into this CVS branch: - RSA blinding changes - Geoff's ENGINE_set_default() fix *) Target "mingw" now allows native Windows code to be generated in Loading crypto/rsa/rsa.h +7 −0 Original line number Diff line number Diff line Loading @@ -162,6 +162,11 @@ struct rsa_st #define RSA_FLAG_CACHE_PUBLIC 0x02 #define RSA_FLAG_CACHE_PRIVATE 0x04 #define RSA_FLAG_BLINDING 0x08 #define RSA_FLAG_NO_BLINDING 0x80 /* new with 0.9.6j and 0.9.7b; the built-in * RSA implementation now uses blinding by * default (ignoring RSA_FLAG_BLINDING), * but other engines might not need it */ #define RSA_FLAG_THREAD_SAFE 0x10 /* This flag means the private key operations will be handled by rsa_mod_exp * and that they do not depend on the private key components being present: Loading @@ -174,6 +179,8 @@ struct rsa_st */ #define RSA_FLAG_SIGN_VER 0x40 #define RSA_FLAG_NO_BLINDING 0x80 #define RSA_PKCS1_PADDING 1 #define RSA_SSLV23_PADDING 2 #define RSA_NO_PADDING 3 Loading crypto/rsa/rsa_eay.c +27 −8 Original line number Diff line number Diff line Loading @@ -211,6 +211,25 @@ err: return(r); } static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx) { int ret = 1; CRYPTO_w_lock(CRYPTO_LOCK_RSA); /* Check again inside the lock - the macro's check is racey */ if(rsa->blinding == NULL) ret = RSA_blinding_on(rsa, ctx); CRYPTO_w_unlock(CRYPTO_LOCK_RSA); return ret; } #define BLINDING_HELPER(rsa, ctx, err_instr) \ do { \ if((!((rsa)->flags & RSA_FLAG_NO_BLINDING)) && \ ((rsa)->blinding == NULL) && \ !rsa_eay_blinding(rsa, ctx)) \ err_instr \ } while(0) /* signing */ static int RSA_eay_private_encrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) Loading Loading @@ -255,9 +274,9 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from, goto err; } if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL)) RSA_blinding_on(rsa,ctx); if (rsa->flags & RSA_FLAG_BLINDING) BLINDING_HELPER(rsa, ctx, goto err;); if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err; if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || Loading @@ -274,7 +293,7 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from, rsa->_method_mod_n)) goto err; } if (rsa->flags & RSA_FLAG_BLINDING) if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err; /* put in leading 0 bytes if the number is less than the Loading Loading @@ -336,9 +355,9 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from, goto err; } if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL)) RSA_blinding_on(rsa,ctx); if (rsa->flags & RSA_FLAG_BLINDING) BLINDING_HELPER(rsa, ctx, goto err;); if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err; /* do the decrypt */ Loading @@ -357,7 +376,7 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from, goto err; } if (rsa->flags & RSA_FLAG_BLINDING) if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err; p=buf; Loading crypto/rsa/rsa_lib.c +17 −4 Original line number Diff line number Diff line Loading @@ -72,7 +72,9 @@ static const RSA_METHOD *default_RSA_meth=NULL; RSA *RSA_new(void) { return(RSA_new_method(NULL)); RSA *r=RSA_new_method(NULL); return r; } void RSA_set_default_method(const RSA_METHOD *meth) Loading Loading @@ -308,6 +310,7 @@ void RSA_blinding_off(RSA *rsa) rsa->blinding=NULL; } rsa->flags &= ~RSA_FLAG_BLINDING; rsa->flags |= RSA_FLAG_NO_BLINDING; } int RSA_blinding_on(RSA *rsa, BN_CTX *p_ctx) Loading @@ -328,13 +331,23 @@ int RSA_blinding_on(RSA *rsa, BN_CTX *p_ctx) BN_CTX_start(ctx); A = BN_CTX_get(ctx); if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL) { /* if PRNG is not properly seeded, resort to secret exponent as unpredictable seed */ RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0); if (!BN_pseudo_rand_range(A,rsa->n)) goto err; } else { if (!BN_rand_range(A,rsa->n)) goto err; } if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err; if (!rsa->meth->bn_mod_exp(A,A,rsa->e,rsa->n,ctx,rsa->_method_mod_n)) goto err; rsa->blinding=BN_BLINDING_new(A,Ai,rsa->n); rsa->flags |= RSA_FLAG_BLINDING; rsa->flags &= ~RSA_FLAG_NO_BLINDING; BN_free(Ai); ret=1; err: Loading Loading
CHANGES +12 −1 Original line number Diff line number Diff line Loading @@ -469,8 +469,19 @@ in ssl3_get_client_key_exchange (ssl/s3_srvr.c). [Bodo Moeller] *) Turn on RSA blinding by default in the default implementation to avoid a timing attack. Applications that don't want it can call RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING. They would be ill-advised to do so in most cases. [Ben Laurie, Steve Henson, Geoff Thorpe] *) Change RSA blinding code so that it works when the PRNG is not seeded (in this case, the secret RSA exponent is abused as an unpredictable seed -- if it is not unpredictable, there is no point in blinding anyway). [Bodo Moeller] yet to be integrated into this CVS branch: - RSA blinding changes - Geoff's ENGINE_set_default() fix *) Target "mingw" now allows native Windows code to be generated in Loading
crypto/rsa/rsa.h +7 −0 Original line number Diff line number Diff line Loading @@ -162,6 +162,11 @@ struct rsa_st #define RSA_FLAG_CACHE_PUBLIC 0x02 #define RSA_FLAG_CACHE_PRIVATE 0x04 #define RSA_FLAG_BLINDING 0x08 #define RSA_FLAG_NO_BLINDING 0x80 /* new with 0.9.6j and 0.9.7b; the built-in * RSA implementation now uses blinding by * default (ignoring RSA_FLAG_BLINDING), * but other engines might not need it */ #define RSA_FLAG_THREAD_SAFE 0x10 /* This flag means the private key operations will be handled by rsa_mod_exp * and that they do not depend on the private key components being present: Loading @@ -174,6 +179,8 @@ struct rsa_st */ #define RSA_FLAG_SIGN_VER 0x40 #define RSA_FLAG_NO_BLINDING 0x80 #define RSA_PKCS1_PADDING 1 #define RSA_SSLV23_PADDING 2 #define RSA_NO_PADDING 3 Loading
crypto/rsa/rsa_eay.c +27 −8 Original line number Diff line number Diff line Loading @@ -211,6 +211,25 @@ err: return(r); } static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx) { int ret = 1; CRYPTO_w_lock(CRYPTO_LOCK_RSA); /* Check again inside the lock - the macro's check is racey */ if(rsa->blinding == NULL) ret = RSA_blinding_on(rsa, ctx); CRYPTO_w_unlock(CRYPTO_LOCK_RSA); return ret; } #define BLINDING_HELPER(rsa, ctx, err_instr) \ do { \ if((!((rsa)->flags & RSA_FLAG_NO_BLINDING)) && \ ((rsa)->blinding == NULL) && \ !rsa_eay_blinding(rsa, ctx)) \ err_instr \ } while(0) /* signing */ static int RSA_eay_private_encrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) Loading Loading @@ -255,9 +274,9 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from, goto err; } if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL)) RSA_blinding_on(rsa,ctx); if (rsa->flags & RSA_FLAG_BLINDING) BLINDING_HELPER(rsa, ctx, goto err;); if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err; if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || Loading @@ -274,7 +293,7 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from, rsa->_method_mod_n)) goto err; } if (rsa->flags & RSA_FLAG_BLINDING) if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err; /* put in leading 0 bytes if the number is less than the Loading Loading @@ -336,9 +355,9 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from, goto err; } if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL)) RSA_blinding_on(rsa,ctx); if (rsa->flags & RSA_FLAG_BLINDING) BLINDING_HELPER(rsa, ctx, goto err;); if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err; /* do the decrypt */ Loading @@ -357,7 +376,7 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from, goto err; } if (rsa->flags & RSA_FLAG_BLINDING) if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err; p=buf; Loading
crypto/rsa/rsa_lib.c +17 −4 Original line number Diff line number Diff line Loading @@ -72,7 +72,9 @@ static const RSA_METHOD *default_RSA_meth=NULL; RSA *RSA_new(void) { return(RSA_new_method(NULL)); RSA *r=RSA_new_method(NULL); return r; } void RSA_set_default_method(const RSA_METHOD *meth) Loading Loading @@ -308,6 +310,7 @@ void RSA_blinding_off(RSA *rsa) rsa->blinding=NULL; } rsa->flags &= ~RSA_FLAG_BLINDING; rsa->flags |= RSA_FLAG_NO_BLINDING; } int RSA_blinding_on(RSA *rsa, BN_CTX *p_ctx) Loading @@ -328,13 +331,23 @@ int RSA_blinding_on(RSA *rsa, BN_CTX *p_ctx) BN_CTX_start(ctx); A = BN_CTX_get(ctx); if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL) { /* if PRNG is not properly seeded, resort to secret exponent as unpredictable seed */ RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0); if (!BN_pseudo_rand_range(A,rsa->n)) goto err; } else { if (!BN_rand_range(A,rsa->n)) goto err; } if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err; if (!rsa->meth->bn_mod_exp(A,A,rsa->e,rsa->n,ctx,rsa->_method_mod_n)) goto err; rsa->blinding=BN_BLINDING_new(A,Ai,rsa->n); rsa->flags |= RSA_FLAG_BLINDING; rsa->flags &= ~RSA_FLAG_NO_BLINDING; BN_free(Ai); ret=1; err: Loading
