author | Bodo Möller <bodo@openssl.org> | 2005-05-16 01:43:31 +0000 |
---|---|---|
committer | Bodo Möller <bodo@openssl.org> | 2005-05-16 01:43:31 +0000 |
commit | 46a643763de6d8e39ecf6f76fa79b4d04885aa59 (patch) | |
tree | e1f3cfc98bddba797b5300977dbf3223f008fc4a /crypto/dsa | |
parent | 92c44685724c0d993ea8920577680f3c0a1d79c8 (diff) | |
download | openssl-46a643763de6d8e39ecf6f76fa79b4d04885aa59.tar.gz |
Implement fixed-window exponentiation to mitigate hyper-threading
timing attacks.
BN_FLG_EXP_CONSTTIME requests this algorithm, and this is done by default for
RSA/DSA/DH private key computations unless
RSA_FLAG_NO_EXP_CONSTTIME/DSA_FLAG_NO_EXP_CONSTTIME/
DH_FLAG_NO_EXP_CONSTTIME is set.
Submitted by: Matthew D Wood
Reviewed by: Bodo Moeller
Diffstat (limited to 'crypto/dsa')
-rw-r--r-- | crypto/dsa/dsa.h | 7 | ||||
-rw-r--r-- | crypto/dsa/dsa_key.c | 15 | ||||
-rw-r--r-- | crypto/dsa/dsa_ossl.c | 4 | ||||
-rw-r--r-- | crypto/dsa/dsatest.c | 9 |
4 files changed, 34 insertions, 1 deletions
diff --git a/crypto/dsa/dsa.h b/crypto/dsa/dsa.h
index c7ba059f25..b12db98b13 100644
--- a/crypto/dsa/dsa.h
+++ b/crypto/dsa/dsa.h
@@ -85,6 +85,13 @@
 #endif
 #define DSA_FLAG_CACHE_MONT_P 0x01
+#define DSA_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DSA
+ * implementation now uses constant time
+ * modular exponentiation for secret exponents
+ * by default. This flag causes the
+ * faster variable sliding window method to
+ * be used for all exponents.
+ */
 #ifdef __cplusplus
 extern "C" {
diff --git a/crypto/dsa/dsa_key.c b/crypto/dsa/dsa_key.c
index 8427b77970..5ba885e1e2 100644
--- a/crypto/dsa/dsa_key.c
+++ b/crypto/dsa/dsa_key.c
@@ -98,8 +98,21 @@ static int dsa_builtin_keygen(DSA *dsa)
 }
 else
 pub_key=dsa->pub_key;
+
+ {
+ BIGNUM local_prk;
+ BIGNUM *prk;
+
+ if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0)
+ {
+ prk = &local_prk;
+ BN_with_flags(prk, priv_key, BN_FLG_EXP_CONSTTIME);
+ }
+ else
+ prk = priv_key;
- if (!BN_mod_exp(pub_key,dsa->g,priv_key,dsa->p,ctx)) goto err;
+ if (!BN_mod_exp(pub_key,dsa->g,prk,dsa->p,ctx)) goto err;
+ }
 dsa->priv_key=priv_key;
 dsa->pub_key=pub_key;
diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
index 25cd8484aa..2e5ede7826 100644
--- a/crypto/dsa/dsa_ossl.c
+++ b/crypto/dsa/dsa_ossl.c
@@ -227,6 +227,10 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
 do
 if (!BN_rand_range(&k, dsa->q)) goto err;
 while (BN_is_zero(&k));
+ if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0)
+ {
+ BN_set_flags(&k, BN_FLG_EXP_CONSTTIME);
+ }
 if (dsa->flags & DSA_FLAG_CACHE_MONT_P)
 {
diff --git a/crypto/dsa/dsatest.c b/crypto/dsa/dsatest.c
index ccc456eab7..66ff417398 100644
--- a/crypto/dsa/dsatest.c
+++ b/crypto/dsa/dsatest.c
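Review bot: The new comment on DSA_FLAG_NO_EXP_CONSTTIME in dsa.h says which exponentiation method the flag selects but not what a caller gives up by setting it, and since this is a security opt-out that is the part a reader of the header needs. I would end the comment with `Setting this flag re-enables exponent-dependent timing for private-key operations (the side channel the default avoids); use it only where the exponent is not secret.` The value 0x02 is disjoint from DSA_FLAG_CACHE_MONT_P (0x01), so the `dsa->flags` tests in the other hunks cannot collide with the existing flag.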
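Review bot: In dsa_key.c the stack `local_prk` is handed to `BN_with_flags(prk, priv_key, BN_FLG_EXP_CONSTTIME)` and then used in `BN_mod_exp` without ever being initialised or freed, which reads like an uninitialised BIGNUM to anyone who does not already know what BN_with_flags does; a comment should say that it is a non-owning alias of priv_key that only adds the flag. I would put `/* local_prk aliases priv_key's value with BN_FLG_EXP_CONSTTIME added so BN_mod_exp takes the constant-time path; it owns nothing and is never freed. */` above the declaration. Whether the flag actually changes the algorithm depends on BN_mod_exp honouring BN_FLG_EXP_CONSTTIME, which lives outside crypto/dsa and is not shown in this diffstat, so that is an assumption this hunk relies on rather than proves. The enclosing dsa_builtin_keygen starts and ends outside the hunk.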
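Review bot: In dsa_ossl.c the `BN_set_flags(&k, BN_FLG_EXP_CONSTTIME)` covers only the g^k mod p exponentiation, yet the per-signature nonce k is also consumed by the k^-1 mod q inversion later in dsa_sign_setup, outside this hunk, and a flag named EXP_CONSTTIME gives no reason to expect that inverse to become constant-time; the residual exposure should be stated where the flag is set. I would add `/* Constant-time exponentiation only: the k^-1 mod q computed below remains variable-time in k. */` above the new `if`, or, if BN_mod_inverse does consult this flag in this tree, say that instead. Setting the flag in place on the local k rather than via a BN_with_flags alias as dsa_key.c does is fine here because k is private to this function. dsa_sign_setup begins and ends outside the hunk.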
@@ -204,10 +204,19 @@ int main(int argc, char **argv)
 BIO_printf(bio_err,"g value is wrong\n");
 goto end;
 }
+
+ dsa->flags |= DSA_FLAG_NO_EXP_CONSTTIME;
 DSA_generate_key(dsa);
 DSA_sign(0, str1, 20, sig, &siglen, dsa);
 if (DSA_verify(0, str1, 20, sig, siglen, dsa) == 1)
 ret=1;
+
+ dsa->flags &= ~DSA_FLAG_NO_EXP_CONSTTIME;
+ DSA_generate_key(dsa);
+ DSA_sign(0, str1, 20, sig, &siglen, dsa);
+ if (DSA_verify(0, str1, 20, sig, siglen, dsa) == 1)
+ ret=1;
+
 end:
 if (!ret) ERR_print_errors(bio_err);
|
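Review bot: The second, constant-time round in dsatest.c cannot fail the test: the first round already sets `ret=1` on a good verify, and the new round only sets `ret=1` again, so a wrong signature from the new default path leaves ret at 1 and the test passes. Change the first check to `if (DSA_verify(0, str1, 20, sig, siglen, dsa) != 1) goto end;` so that ret becomes 1 only when both the sliding-window and the constant-time paths verify. The unchecked return values of DSA_generate_key and DSA_sign are pre-existing in the first round but are now duplicated in the new one; checking them would turn a silent failure into a reported one. main() continues past the hunk.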