authorBodo Möller <bodo@openssl.org>2005-05-16 01:43:31 +0000
committerBodo Möller <bodo@openssl.org>2005-05-16 01:43:31 +0000
commit46a643763de6d8e39ecf6f76fa79b4d04885aa59 (patch)
treee1f3cfc98bddba797b5300977dbf3223f008fc4a /crypto/dsa
parent92c44685724c0d993ea8920577680f3c0a1d79c8 (diff)
Implement fixed-window exponentiation to mitigate hyper-threading
timing attacks. BN_FLG_EXP_CONSTTIME requests this algorithm, and this is done by default for RSA/DSA/DH private key computations unless RSA_FLAG_NO_EXP_CONSTTIME/DSA_FLAG_NO_EXP_CONSTTIME/DH_FLAG_NO_EXP_CONSTTIME is set. Submitted by: Matthew D Wood Reviewed by: Bodo Moeller
Diffstat (limited to 'crypto/dsa')
-rw-r--r--crypto/dsa/dsa.h7
-rw-r--r--crypto/dsa/dsa_key.c15
-rw-r--r--crypto/dsa/dsa_ossl.c4
-rw-r--r--crypto/dsa/dsatest.c9
4 files changed, 34 insertions, 1 deletions
diff --git a/crypto/dsa/dsa.h b/crypto/dsa/dsa.h
index c7ba059f25..b12db98b13 100644
--- a/crypto/dsa/dsa.h
+++ b/crypto/dsa/dsa.h
@@ -85,6 +85,13 @@
#endif
#define DSA_FLAG_CACHE_MONT_P 0x01
+#define DSA_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DSA
+ * implementation now uses constant time
+ * modular exponentiation for secret exponents
+ * by default. This flag causes the
+ * faster variable sliding window method to
+ * be used for all exponents.
+ */
#ifdef __cplusplus
extern "C" {
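Review bot: The comment on `DSA_FLAG_NO_EXP_CONSTTIME` presents the flag only as selecting the "faster" method and omits the security consequence of setting it. Per the commit message, the fixed-window path exists to mitigate hyper-threading timing attacks, so opting out puts secret exponents back on the variable sliding-window code. I would add one sentence to the comment, e.g. `Setting this flag gives up the timing side-channel mitigation for private-key operations.`, so that a caller reading only dsa.h does not treat it as a pure performance switch.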
diff --git a/crypto/dsa/dsa_key.c b/crypto/dsa/dsa_key.c
index 8427b77970..5ba885e1e2 100644
--- a/crypto/dsa/dsa_key.c
+++ b/crypto/dsa/dsa_key.c
@@ -98,8 +98,21 @@ static int dsa_builtin_keygen(DSA *dsa)
}
else
pub_key=dsa->pub_key;
+
+ {
+ BIGNUM local_prk;
+ BIGNUM *prk;
+
+ if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0)
+ {
+ prk = &local_prk;
+ BN_with_flags(prk, priv_key, BN_FLG_EXP_CONSTTIME);
+ }
+ else
+ prk = priv_key;
- if (!BN_mod_exp(pub_key,dsa->g,priv_key,dsa->p,ctx)) goto err;
+ if (!BN_mod_exp(pub_key,dsa->g,prk,dsa->p,ctx)) goto err;
+ }
dsa->priv_key=priv_key;
dsa->pub_key=pub_key;
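Review bot: `local_prk` in the new block is a stack BIGNUM that is never initialised with BN_init or released, and nothing in the hunk says why that is correct. As far as I know, BN_with_flags fills the destination as a shallow view that borrows `priv_key`'s limb storage and marks it as static data, so it owns no memory and must not be freed or used once `priv_key` changes; that should be confirmed against bn.h. I would document this above the declaration: `/* local_prk is a shallow alias of priv_key carrying BN_FLG_EXP_CONSTTIME; it owns no memory and must not outlive this block */`. The body of dsa_builtin_keygen starts and ends outside the hunk.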
diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
index 25cd8484aa..2e5ede7826 100644
--- a/crypto/dsa/dsa_ossl.c
+++ b/crypto/dsa/dsa_ossl.c
@@ -227,6 +227,10 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
do
if (!BN_rand_range(&k, dsa->q)) goto err;
while (BN_is_zero(&k));
+ if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0)
+ {
+ BN_set_flags(&k, BN_FLG_EXP_CONSTTIME);
+ }
if (dsa->flags & DSA_FLAG_CACHE_MONT_P)
{
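Review bot: The flag is attached to the single BIGNUM `k`, and nothing in the added lines warns a later maintainer that the protection is lost if the nonce is copied or replaced by a derived value before the exponentiation. The exponentiation and the inversion of `k` happen outside this hunk, so I cannot confirm from here that both use the flagged object. The flag name covers exponentiation only, so the modular inverse of `k` presumably still runs in variable time. I would add a comment above the `if`: `/* k is the secret per-signature nonce: whichever BIGNUM is finally used as the exponent must carry BN_FLG_EXP_CONSTTIME */`.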
diff --git a/crypto/dsa/dsatest.c b/crypto/dsa/dsatest.c
index ccc456eab7..66ff417398 100644
--- a/crypto/dsa/dsatest.c
+++ b/crypto/dsa/dsatest.c
@@ -204,10 +204,19 @@ int main(int argc, char **argv)
BIO_printf(bio_err,"g value is wrong\n");
goto end;
}
+
+ dsa->flags |= DSA_FLAG_NO_EXP_CONSTTIME;
DSA_generate_key(dsa);
DSA_sign(0, str1, 20, sig, &siglen, dsa);
if (DSA_verify(0, str1, 20, sig, siglen, dsa) == 1)
ret=1;
+
+ dsa->flags &= ~DSA_FLAG_NO_EXP_CONSTTIME;
+ DSA_generate_key(dsa);
+ DSA_sign(0, str1, 20, sig, &siglen, dsa);
+ if (DSA_verify(0, str1, 20, sig, siglen, dsa) == 1)
+ ret=1;
+
end:
if (!ret)
ERR_print_errors(bio_err);
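Review bot: The second sign/verify round cannot fail the test, because `ret` is already 1 after the first round; a broken constant-time path (the default one) would still report success. The reverse also holds: a failure in the first round is masked if the second verification succeeds. I would change the first round to `if (DSA_verify(0, str1, 20, sig, siglen, dsa) != 1) goto end;` and keep `ret=1` only after the second verification. The return values of `DSA_generate_key` and `DSA_sign` are also ignored in both rounds, so a failed signing step is caught only indirectly by the verify call. The body of main starts outside the hunk.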