From: Bodo Möller Date: Wed, 19 Mar 2003 18:58:55 +0000 (+0000) Subject: make sure RSA blinding works when the PRNG is not properly seeded; X-Git-Tag: OpenSSL_0_9_7b~46 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=84b1e84af13ac935c554eb9466c0b299f675ab8a;p=openssl make sure RSA blinding works when the PRNG is not properly seeded; enable it automatically only for the built-in engine --- diff --git a/CHANGES b/CHANGES index 6ab49d23a1..73ca1e18a5 100644 --- a/CHANGES +++ b/CHANGES @@ -4,12 +4,18 @@ Changes between 0.9.7a and 0.9.7b [xx XXX 2003] - *) Turn on RSA blinding by default, to avoid a timing attack. Applications - that don't want it can call RSA_blinding_off(). They would be ill-advised - to do so in most cases. The automatic enabling can also be turned off - by defining OPENSSL_FORCE_NO_RSA_BLINDING at compile-time. + *) Turn on RSA blinding by default in the default implementation + to avoid a timing attack. Applications that don't want it can call + RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING. + They would be ill-advised to do so in most cases. [Ben Laurie, Steve Henson, Geoff Thorpe] + *) Change RSA blinding code so that it works when the PRNG is not + seeded (in this case, the secret RSA exponent is abused as + an unpredictable seed -- if it is not unpredictable, there + is no point in blinding anyway). + [Bodo Moeller] + *) Fixed a typo bug that would cause ENGINE_set_default() to set an ENGINE as defaults for all supported algorithms irrespective of the 'flags' parameter. 'flags' is now honoured, so applications diff --git a/crypto/rsa/rsa.h b/crypto/rsa/rsa.h index b2e25e4e7c..264d929fcd 100644 --- a/crypto/rsa/rsa.h +++ b/crypto/rsa/rsa.h @@ -158,6 +158,11 @@ struct rsa_st #define RSA_FLAG_CACHE_PUBLIC 0x02 #define RSA_FLAG_CACHE_PRIVATE 0x04 #define RSA_FLAG_BLINDING 0x08 +#define RSA_FLAG_NO_BLINDING 0x80 /* new with 0.9.7b; the built-in RSA + * implementation now uses blinding by + * default (ignoring RSA_FLAG_BLINDING), + * but other engines might not need it + */ #define RSA_FLAG_THREAD_SAFE 0x10 /* This flag means the private key operations will be handled by rsa_mod_exp * and that they do not depend on the private key components being present: @@ -170,6 +175,8 @@ struct rsa_st */ #define RSA_FLAG_SIGN_VER 0x40 +#define RSA_FLAG_NO_BLINDING 0x80 + #define RSA_PKCS1_PADDING 1 #define RSA_SSLV23_PADDING 2 #define RSA_NO_PADDING 3 diff --git a/crypto/rsa/rsa_eay.c b/crypto/rsa/rsa_eay.c index e4bcf499d0..d9b2925b1b 100644 --- a/crypto/rsa/rsa_eay.c +++ b/crypto/rsa/rsa_eay.c @@ -208,10 +208,10 @@ static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx) #define BLINDING_HELPER(rsa, ctx, err_instr) \ do { \ - if(((rsa)->flags & RSA_FLAG_BLINDING) && \ - ((rsa)->blinding == NULL) && \ - !rsa_eay_blinding(rsa, ctx)) \ - err_instr \ + if((!((rsa)->flags & RSA_FLAG_NO_BLINDING)) && \ + ((rsa)->blinding == NULL) && \ + !rsa_eay_blinding(rsa, ctx)) \ + err_instr \ } while(0) /* signing */ @@ -260,7 +260,7 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from, BLINDING_HELPER(rsa, ctx, goto err;); - if (rsa->flags & RSA_FLAG_BLINDING) + if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err; if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || @@ -275,7 +275,7 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from, if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err; } - if (rsa->flags & RSA_FLAG_BLINDING) + if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err; /* put in leading 0 bytes if the number is less than the @@ -339,7 +339,7 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from, BLINDING_HELPER(rsa, ctx, goto err;); - if (rsa->flags & RSA_FLAG_BLINDING) + if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err; /* do the decrypt */ @@ -356,7 +356,7 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from, goto err; } - if (rsa->flags & RSA_FLAG_BLINDING) + if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err; p=buf; diff --git a/crypto/rsa/rsa_lib.c b/crypto/rsa/rsa_lib.c index f234ae0748..33ca8330c9 100644 --- a/crypto/rsa/rsa_lib.c +++ b/crypto/rsa/rsa_lib.c @@ -74,10 +74,6 @@ RSA *RSA_new(void) { RSA *r=RSA_new_method(NULL); -#ifndef OPENSSL_NO_FORCE_RSA_BLINDING - r->flags|=RSA_FLAG_BLINDING; -#endif - return r; } @@ -313,7 +309,8 @@ void RSA_blinding_off(RSA *rsa) BN_BLINDING_free(rsa->blinding); rsa->blinding=NULL; } - rsa->flags&= ~RSA_FLAG_BLINDING; + rsa->flags &= ~RSA_FLAG_BLINDING; + rsa->flags |= RSA_FLAG_NO_BLINDING; } int RSA_blinding_on(RSA *rsa, BN_CTX *p_ctx) @@ -334,13 +331,23 @@ int RSA_blinding_on(RSA *rsa, BN_CTX *p_ctx) BN_CTX_start(ctx); A = BN_CTX_get(ctx); - if (!BN_rand_range(A,rsa->n)) goto err; + if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL) + { + /* if PRNG is not properly seeded, resort to secret exponent as unpredictable seed */ + RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0); + if (!BN_pseudo_rand_range(A,rsa->n)) goto err; + } + else + { + if (!BN_rand_range(A,rsa->n)) goto err; + } if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err; if (!rsa->meth->bn_mod_exp(A,A,rsa->e,rsa->n,ctx,rsa->_method_mod_n)) goto err; rsa->blinding=BN_BLINDING_new(A,Ai,rsa->n); - rsa->flags|=RSA_FLAG_BLINDING; + rsa->flags |= RSA_FLAG_BLINDING; + rsa->flags &= ~RSA_FLAG_NO_BLINDING; BN_free(Ai); ret=1; err: