diff options
author | Bodo Möller <bodo@openssl.org> | 2005-05-16 01:43:31 +0000 |
---|---|---|
committer | Bodo Möller <bodo@openssl.org> | 2005-05-16 01:43:31 +0000 |
commit | 46a643763de6d8e39ecf6f76fa79b4d04885aa59 (patch) | |
tree | e1f3cfc98bddba797b5300977dbf3223f008fc4a /crypto/dh | |
parent | 92c44685724c0d993ea8920577680f3c0a1d79c8 (diff) | |
download | openssl-46a643763de6d8e39ecf6f76fa79b4d04885aa59.zip openssl-46a643763de6d8e39ecf6f76fa79b4d04885aa59.tar.gz openssl-46a643763de6d8e39ecf6f76fa79b4d04885aa59.tar.bz2 |
Implement fixed-window exponentiation to mitigate hyper-threading
timing attacks.
BN_FLG_EXP_CONSTTIME requests this algorithm, and this done by default for
RSA/DSA/DH private key computations unless
RSA_FLAG_NO_EXP_CONSTTIME/DSA_FLAG_NO_EXP_CONSTTIME/
DH_FLAG_NO_EXP_CONSTTIME is set.
Submitted by: Matthew D Wood
Reviewed by: Bodo Moeller
Diffstat (limited to 'crypto/dh')
-rw-r--r-- | crypto/dh/dh.h | 9 | ||||
-rw-r--r-- | crypto/dh/dh_key.c | 27 | ||||
-rw-r--r-- | crypto/dh/dhtest.c | 4 |
3 files changed, 36 insertions, 4 deletions
diff --git a/crypto/dh/dh.h b/crypto/dh/dh.h index da44778..d1559fd 100644 --- a/crypto/dh/dh.h +++ b/crypto/dh/dh.h @@ -73,7 +73,14 @@ #include <openssl/bn.h> #endif -#define DH_FLAG_CACHE_MONT_P 0x01 +#define DH_FLAG_CACHE_MONT_P 0x01 +#define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH + * implementation now uses constant time + * modular exponentiation for secret exponents + * by default. This flag causes the + * faster variable sliding window method to + * be used for all exponents. + */ #ifdef __cplusplus extern "C" { diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c index 9148f17..e384286 100644 --- a/crypto/dh/dh_key.c +++ b/crypto/dh/dh_key.c @@ -141,8 +141,21 @@ static int generate_key(DH *dh) l = dh->length ? dh->length : BN_num_bits(dh->p)-1; /* secret exponent length */ if (!BN_rand(priv_key, l, 0, 0)) goto err; } - if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, priv_key,dh->p,ctx,mont)) - goto err; + + { + BIGNUM local_prk; + BIGNUM *prk; + + if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) + { + prk = &local_prk; + BN_with_flags(prk, priv_key, BN_FLG_EXP_CONSTTIME); + } + else + prk = priv_key; + + if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, prk, dh->p, ctx, mont)) goto err; + } dh->pub_key=pub_key; dh->priv_key=priv_key; @@ -179,6 +192,11 @@ static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) { mont = BN_MONT_CTX_set_locked(&dh->method_mont_p, CRYPTO_LOCK_DH, dh->p, ctx); + if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) + { + /* XXX */ + BN_set_flags(dh->priv_key, BN_FLG_EXP_CONSTTIME); + } if (!mont) goto err; } @@ -201,7 +219,10 @@ static int dh_bn_mod_exp(const DH *dh, BIGNUM *r, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx) { - if (a->top == 1) + /* If a is only one word long and constant time is false, use the faster + * exponenentiation function. + */ + if (a->top == 1 && ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) != 0)) { BN_ULONG A = a->d[0]; return BN_mod_exp_mont_word(r,A,p,m,ctx,m_ctx); diff --git a/crypto/dh/dhtest.c b/crypto/dh/dhtest.c index 1b19364..882f5c3 100644 --- a/crypto/dh/dhtest.c +++ b/crypto/dh/dhtest.c @@ -145,6 +145,10 @@ int main(int argc, char *argv[]) b->g=BN_dup(a->g); if ((b->p == NULL) || (b->g == NULL)) goto err; + /* Set a to run with normal modexp and b to use constant time */ + a->flags &= ~DH_FLAG_NO_EXP_CONSTTIME; + b->flags |= DH_FLAG_NO_EXP_CONSTTIME; + if (!DH_generate_key(a)) goto err; BIO_puts(out,"pri 1="); BN_print(out,a->priv_key); |