File openssl-add-computationally-constant-time-bn_bn2binpad.patch of Package openssl1
From 6412738be390dd9bf680cef89f22e4c810ab065f Mon Sep 17 00:00:00 2001 From: Andy Polyakov <appro@openssl.org> Date: Sun, 4 Feb 2018 15:20:29 +0100 Subject: [PATCH] bn/bn_lib.c: add computationally constant-time bn_bn2binpad. "Computationally constant-time" means that it might still leak information about input's length, but only in cases when input is missing complete BN_ULONG limbs. But even then leak is possible only if attacker can observe memory access pattern with limb granularity. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6889) (cherry picked from commit 89d8aade5f4011ddeea7827f08ec544c914f275a) Resolved conflicts: crypto/bn/bn_lib.c --- crypto/bn/bn_lib.c | 36 ++++++++++++++++++++++++++++++++++++ crypto/bn_int.h | 2 ++ 2 files changed, 38 insertions(+) Index: openssl-1.0.1i/crypto/bn/bn_lib.c =================================================================== --- openssl-1.0.1i.orig/crypto/bn/bn_lib.c +++ openssl-1.0.1i/crypto/bn/bn_lib.c 
@@ -628,6 +628,42 @@ BIGNUM *BN_bin2bn(const unsigned char *s } /* ignore negative */ +static int bn2binpad(const BIGNUM *a, unsigned char *to, int tolen) +{ + int i, j, top; + BN_ULONG l; + + i = BN_num_bytes(a); + if (tolen == -1) + tolen = i; + else if (tolen < i) + return -1; + + if (i == 0) { + OPENSSL_cleanse(to, tolen); + return tolen; + } + + top = a->top * BN_BYTES; + for (i = 0, j = tolen; j > 0; i++) { + unsigned int mask; + + mask = constant_time_lt(i, top); + i -= 1 & ~mask; /* stay on top limb */ + l = a->d[i / BN_BYTES]; + to[--j] = (unsigned char)(l >> (8 * (i % BN_BYTES)) & mask); + } + + return tolen; +} + +int bn_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen) +{ + if (tolen < 0) + return -1; + return bn2binpad(a, to, tolen); +} + int BN_bn2bin(const BIGNUM *a, unsigned char *to) { int n,i; Index: openssl-1.0.1i/crypto/bn/bn.h =================================================================== --- openssl-1.0.1i.orig/crypto/bn/bn.h +++ openssl-1.0.1i/crypto/bn/bn.h @@ -580,6 +580,7 @@ int BN_mod_mul_montgomery(BIGNUM *r,cons (r),(a),&((mont)->RR),(mont),(ctx)) int BN_from_montgomery(BIGNUM *r,const BIGNUM *a, BN_MONT_CTX *mont, BN_CTX *ctx); +int bn_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen); void BN_MONT_CTX_free(BN_MONT_CTX *mont); int BN_MONT_CTX_set(BN_MONT_CTX *mont,const BIGNUM *mod,BN_CTX *ctx); BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to,BN_MONT_CTX *from);
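Review bot: in the bn_lib.c hunk, the loop in bn2binpad calls constant_time_lt(i, top), but the patch carries no hunk that adds an include for its declaration to bn_lib.c. Confirm that the openssl-1.0.1i tree already provides and includes the constant-time header in this file, otherwise add the include here so the call does not build against an implicit declaration. Separately, the "if (tolen == -1) tolen = i;" branch in the static helper cannot be reached from the only caller this patch adds, because bn_bn2binpad returns -1 for any tolen < 0; either drop the branch from this backport or add a comment naming the caller that is expected to pass -1. The context comment /* ignore negative */ also ends up above bn2binpad instead of BN_bn2bin, so it should move back next to BN_bn2bin.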
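Review bot: in the bn.h hunk, the bn_bn2binpad prototype is placed in crypto/bn/bn.h between BN_from_montgomery and BN_MONT_CTX_free, while the diffstat in the commit message lists crypto/bn_int.h with two insertions, so the header and the summary disagree after conflict resolution. If the function is meant to stay internal, as the bn_int.h entry suggests, move the declaration to a header that is not installed, or at least add a comment above it stating that it is not part of the public API and documenting the return value (tolen on success, -1 when tolen is negative or too small). Updating the diffstat or noting the relocation next to "Resolved conflicts" would also keep the message consistent with what is applied.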