From aa88ce08dc8b367b254af7566f45c4db85f08d74 Mon Sep 17 00:00:00 2001 From: tb Date: Fri, 28 Jul 2023 10:05:16 +0000 Subject: [PATCH] Make BN_BLINDING internal RSA is pretty bad. In my most optimistic moments I dream of a world that stopped using it. That won't happen during my lifetime, unfortunately. Blinding is one way of making it a little less leaky. Unfortunately this side-channel leak mitigation leaked out of the library for no good reason. Let's at least fix that aspect of it. ok jsing --- lib/libcrypto/Symbols.list | 12 ------------ lib/libcrypto/Symbols.namespace | 12 ------------ lib/libcrypto/bn/bn.h | 23 +---------------------- lib/libcrypto/bn/bn_blind.c | 13 +------------ lib/libcrypto/bn/bn_local.h | 23 ++++++++++++++++++++++- lib/libcrypto/hidden/openssl/bn.h | 13 +------------ lib/libcrypto/hidden/openssl/rsa.h | 3 +-- lib/libcrypto/rsa/rsa.h | 3 +-- lib/libcrypto/rsa/rsa_crpt.c | 3 +-- lib/libcrypto/rsa/rsa_lib.c | 3 ++- lib/libcrypto/rsa/rsa_local.h | 4 +++- 11 files changed, 33 insertions(+), 79 deletions(-) diff --git a/lib/libcrypto/Symbols.list b/lib/libcrypto/Symbols.list index 80be9faeae6..cac15579b51 100644 --- a/lib/libcrypto/Symbols.list +++ b/lib/libcrypto/Symbols.list @@ -374,17 +374,6 @@ BIO_vfree BIO_vprintf BIO_vsnprintf BIO_write -BN_BLINDING_convert -BN_BLINDING_convert_ex -BN_BLINDING_create_param -BN_BLINDING_free -BN_BLINDING_get_flags -BN_BLINDING_invert -BN_BLINDING_invert_ex -BN_BLINDING_new -BN_BLINDING_set_flags -BN_BLINDING_thread_id -BN_BLINDING_update BN_CTX_end BN_CTX_free BN_CTX_get @@ -2377,7 +2366,6 @@ RSA_set_default_method RSA_set_ex_data RSA_set_flags RSA_set_method -RSA_setup_blinding RSA_sign RSA_sign_ASN1_OCTET_STRING RSA_size diff --git a/lib/libcrypto/Symbols.namespace b/lib/libcrypto/Symbols.namespace index 7a309ab4161..a58eb0b9a1f 100644 --- a/lib/libcrypto/Symbols.namespace +++ b/lib/libcrypto/Symbols.namespace 
@@ -2293,17 +2293,6 @@ _libre_BN_MONT_CTX_free _libre_BN_MONT_CTX_set _libre_BN_MONT_CTX_copy _libre_BN_MONT_CTX_set_locked -_libre_BN_BLINDING_new -_libre_BN_BLINDING_free -_libre_BN_BLINDING_update -_libre_BN_BLINDING_convert -_libre_BN_BLINDING_invert -_libre_BN_BLINDING_convert_ex -_libre_BN_BLINDING_invert_ex -_libre_BN_BLINDING_thread_id -_libre_BN_BLINDING_get_flags -_libre_BN_BLINDING_set_flags -_libre_BN_BLINDING_create_param _libre_get_rfc2409_prime_768 _libre_get_rfc2409_prime_1024 _libre_BN_get_rfc2409_prime_768 @@ -2385,7 +2374,6 @@ _libre_RSA_sign_ASN1_OCTET_STRING _libre_RSA_verify_ASN1_OCTET_STRING _libre_RSA_blinding_on _libre_RSA_blinding_off -_libre_RSA_setup_blinding _libre_RSA_padding_add_PKCS1_type_1 _libre_RSA_padding_check_PKCS1_type_1 _libre_RSA_padding_add_PKCS1_type_2 diff --git a/lib/libcrypto/bn/bn.h b/lib/libcrypto/bn/bn.h index 7dc138d1700..689196c911f 100644 --- a/lib/libcrypto/bn/bn.h +++ b/lib/libcrypto/bn/bn.h @@ -1,4 +1,4 @@ -/* $OpenBSD: bn.h,v 1.72 2023/06/13 09:12:22 tb Exp $ */ +/* $OpenBSD: bn.h,v 1.73 2023/07/28 10:05:16 tb Exp $ */ /* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -449,27 +449,6 @@ BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to, BN_MONT_CTX *from); BN_MONT_CTX *BN_MONT_CTX_set_locked(BN_MONT_CTX **pmont, int lock, const BIGNUM *mod, BN_CTX *ctx); -/* BN_BLINDING flags */ -#define BN_BLINDING_NO_UPDATE 0x00000001 -#define BN_BLINDING_NO_RECREATE 0x00000002 - -BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod); -void BN_BLINDING_free(BN_BLINDING *b); -int BN_BLINDING_update(BN_BLINDING *b, BN_CTX *ctx); -int BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx); -int BN_BLINDING_invert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx); -int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b, BN_CTX *); -int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b, BN_CTX *); - -CRYPTO_THREADID *BN_BLINDING_thread_id(BN_BLINDING *); -unsigned long BN_BLINDING_get_flags(const BN_BLINDING *); -void BN_BLINDING_set_flags(BN_BLINDING *, unsigned long); -BN_BLINDING *BN_BLINDING_create_param(BN_BLINDING *b, - const BIGNUM *e, BIGNUM *m, BN_CTX *ctx, - int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, - const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx), - BN_MONT_CTX *m_ctx); - /* Primes from RFC 2409 */ BIGNUM *get_rfc2409_prime_768(BIGNUM *bn); BIGNUM *get_rfc2409_prime_1024(BIGNUM *bn); diff --git a/lib/libcrypto/bn/bn_blind.c b/lib/libcrypto/bn/bn_blind.c index 07cd359e7e6..7332df2b567 100644 --- a/lib/libcrypto/bn/bn_blind.c +++ b/lib/libcrypto/bn/bn_blind.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bn_blind.c,v 1.23 2023/07/08 12:21:58 beck Exp $ */ +/* $OpenBSD: bn_blind.c,v 1.24 2023/07/28 10:05:16 tb Exp $ */ /* ==================================================================== * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. * @@ -169,7 +169,6 @@ err: BN_BLINDING_free(ret); return (NULL); } -LCRYPTO_ALIAS(BN_BLINDING_new); void BN_BLINDING_free(BN_BLINDING *r) 
@@ -183,7 +182,6 @@ BN_BLINDING_free(BN_BLINDING *r) BN_free(r->mod); free(r); } -LCRYPTO_ALIAS(BN_BLINDING_free); int BN_BLINDING_update(BN_BLINDING *b, BN_CTX *ctx) @@ -217,14 +215,12 @@ err: b->counter = 0; return (ret); } -LCRYPTO_ALIAS(BN_BLINDING_update); int BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx) { return BN_BLINDING_convert_ex(n, NULL, b, ctx); } -LCRYPTO_ALIAS(BN_BLINDING_convert); int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b, BN_CTX *ctx) @@ -253,14 +249,12 @@ BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b, BN_CTX *ctx) return ret; } -LCRYPTO_ALIAS(BN_BLINDING_convert_ex); int BN_BLINDING_invert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx) { return BN_BLINDING_invert_ex(n, NULL, b, ctx); } -LCRYPTO_ALIAS(BN_BLINDING_invert); int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b, BN_CTX *ctx) @@ -280,28 +274,24 @@ BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b, BN_CTX *ctx) return (ret); } -LCRYPTO_ALIAS(BN_BLINDING_invert_ex); CRYPTO_THREADID * BN_BLINDING_thread_id(BN_BLINDING *b) { return &b->tid; } -LCRYPTO_ALIAS(BN_BLINDING_thread_id); unsigned long BN_BLINDING_get_flags(const BN_BLINDING *b) { return b->flags; } -LCRYPTO_ALIAS(BN_BLINDING_get_flags); void BN_BLINDING_set_flags(BN_BLINDING *b, unsigned long flags) { b->flags = flags; } -LCRYPTO_ALIAS(BN_BLINDING_set_flags); BN_BLINDING * BN_BLINDING_create_param(BN_BLINDING *b, const BIGNUM *e, BIGNUM *m, @@ -373,4 +363,3 @@ err: return ret; } -LCRYPTO_ALIAS(BN_BLINDING_create_param); diff --git a/lib/libcrypto/bn/bn_local.h b/lib/libcrypto/bn/bn_local.h index a8d40fbcc8b..989770f2d63 100644 --- a/lib/libcrypto/bn/bn_local.h +++ b/lib/libcrypto/bn/bn_local.h @@ -1,4 +1,4 @@ -/* $OpenBSD: bn_local.h,v 1.26 2023/07/09 18:27:22 tb Exp $ */ +/* $OpenBSD: bn_local.h,v 1.27 2023/07/28 10:05:16 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -291,6 +291,27 @@ int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, int BN_div_recp(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, BN_RECP_CTX *recp, BN_CTX *ctx); +/* BN_BLINDING flags */ +#define BN_BLINDING_NO_UPDATE 0x00000001 +#define BN_BLINDING_NO_RECREATE 0x00000002 + +BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod); +void BN_BLINDING_free(BN_BLINDING *b); +int BN_BLINDING_update(BN_BLINDING *b, BN_CTX *ctx); +int BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx); +int BN_BLINDING_invert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx); +int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b, BN_CTX *); +int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b, BN_CTX *); + +CRYPTO_THREADID *BN_BLINDING_thread_id(BN_BLINDING *); +unsigned long BN_BLINDING_get_flags(const BN_BLINDING *); +void BN_BLINDING_set_flags(BN_BLINDING *, unsigned long); +BN_BLINDING *BN_BLINDING_create_param(BN_BLINDING *b, + const BIGNUM *e, BIGNUM *m, BN_CTX *ctx, + int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, + const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx), + BN_MONT_CTX *m_ctx); + /* Explicitly const time / non-const time versions for internal use */ int BN_mod_exp_ct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx); diff --git a/lib/libcrypto/hidden/openssl/bn.h b/lib/libcrypto/hidden/openssl/bn.h index 6c23a5c6d83..d58bd10672a 100644 --- a/lib/libcrypto/hidden/openssl/bn.h +++ b/lib/libcrypto/hidden/openssl/bn.h @@ -1,4 +1,4 @@ -/* $OpenBSD: bn.h,v 1.1 2023/07/08 12:21:58 beck Exp $ */ +/* $OpenBSD: bn.h,v 1.2 2023/07/28 10:05:16 tb Exp $ */ /* * Copyright (c) 2023 Bob Beck * 
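Review bot: The block added to bn_local.h carries `BN_BLINDING_NO_UPDATE`, `BN_BLINDING_NO_RECREATE` and the `BN_BLINDING_get_flags`/`BN_BLINDING_set_flags` accessors over unchanged, although after this commit only in-tree code can reach them. Judging by their names, the flags turn off refreshing of the blinding factors; if no internal caller sets them (callers are not visible in this diff), a follow-up could delete the flags and accessors so the mitigation cannot be weakened by accident. The same probably holds for `BN_BLINDING_convert` and `BN_BLINDING_invert`, which the bn_blind.c hunks show only forwarding to the `_ex` variants with `NULL`. A one-line comment above the block, such as `/* RSA blinding: internal side-channel mitigation, not public API. */`, would record why these prototypes live here.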
@@ -131,17 +131,6 @@ LCRYPTO_USED(BN_MONT_CTX_free); LCRYPTO_USED(BN_MONT_CTX_set); LCRYPTO_USED(BN_MONT_CTX_copy); LCRYPTO_USED(BN_MONT_CTX_set_locked); -LCRYPTO_USED(BN_BLINDING_new); -LCRYPTO_USED(BN_BLINDING_free); -LCRYPTO_USED(BN_BLINDING_update); -LCRYPTO_USED(BN_BLINDING_convert); -LCRYPTO_USED(BN_BLINDING_invert); -LCRYPTO_USED(BN_BLINDING_convert_ex); -LCRYPTO_USED(BN_BLINDING_invert_ex); -LCRYPTO_USED(BN_BLINDING_thread_id); -LCRYPTO_USED(BN_BLINDING_get_flags); -LCRYPTO_USED(BN_BLINDING_set_flags); -LCRYPTO_USED(BN_BLINDING_create_param); LCRYPTO_USED(get_rfc2409_prime_768); LCRYPTO_USED(get_rfc2409_prime_1024); LCRYPTO_USED(BN_get_rfc2409_prime_768); diff --git a/lib/libcrypto/hidden/openssl/rsa.h b/lib/libcrypto/hidden/openssl/rsa.h index f4342e21da0..ff47101a070 100644 --- a/lib/libcrypto/hidden/openssl/rsa.h +++ b/lib/libcrypto/hidden/openssl/rsa.h @@ -1,4 +1,4 @@ -/* $OpenBSD: rsa.h,v 1.1 2023/07/08 12:26:45 beck Exp $ */ +/* $OpenBSD: rsa.h,v 1.2 2023/07/28 10:05:16 tb Exp $ */ /* * Copyright (c) 2023 Bob Beck * @@ -66,7 +66,6 @@ LCRYPTO_USED(RSA_sign_ASN1_OCTET_STRING); LCRYPTO_USED(RSA_verify_ASN1_OCTET_STRING); LCRYPTO_USED(RSA_blinding_on); LCRYPTO_USED(RSA_blinding_off); -LCRYPTO_USED(RSA_setup_blinding); LCRYPTO_USED(RSA_padding_add_PKCS1_type_1); LCRYPTO_USED(RSA_padding_check_PKCS1_type_1); LCRYPTO_USED(RSA_padding_add_PKCS1_type_2); diff --git a/lib/libcrypto/rsa/rsa.h b/lib/libcrypto/rsa/rsa.h index ff88240f049..4fcef3a97c3 100644 --- a/lib/libcrypto/rsa/rsa.h +++ b/lib/libcrypto/rsa/rsa.h @@ -1,4 +1,4 @@ -/* $OpenBSD: rsa.h,v 1.64 2023/05/05 12:30:40 tb Exp $ */ +/* $OpenBSD: rsa.h,v 1.65 2023/07/28 10:05:16 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -321,7 +321,6 @@ int RSA_verify_ASN1_OCTET_STRING(int type, const unsigned char *m, int RSA_blinding_on(RSA *rsa, BN_CTX *ctx); void RSA_blinding_off(RSA *rsa); -BN_BLINDING *RSA_setup_blinding(RSA *rsa, BN_CTX *ctx); int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen, const unsigned char *f, int fl); diff --git a/lib/libcrypto/rsa/rsa_crpt.c b/lib/libcrypto/rsa/rsa_crpt.c index ea79280b15d..15108e24f06 100644 --- a/lib/libcrypto/rsa/rsa_crpt.c +++ b/lib/libcrypto/rsa/rsa_crpt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rsa_crpt.c,v 1.22 2023/07/08 12:26:45 beck Exp $ */ +/* $OpenBSD: rsa_crpt.c,v 1.23 2023/07/28 10:05:16 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -229,4 +229,3 @@ err: return ret; } -LCRYPTO_ALIAS(RSA_setup_blinding); diff --git a/lib/libcrypto/rsa/rsa_lib.c b/lib/libcrypto/rsa/rsa_lib.c index 8831253b9fe..fbd2c2274c3 100644 --- a/lib/libcrypto/rsa/rsa_lib.c +++ b/lib/libcrypto/rsa/rsa_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rsa_lib.c,v 1.47 2023/07/08 12:26:45 beck Exp $ */ +/* $OpenBSD: rsa_lib.c,v 1.48 2023/07/28 10:05:16 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -67,6 +67,7 @@ #include #include +#include "bn_local.h" #include "evp_local.h" #include "rsa_local.h" diff --git a/lib/libcrypto/rsa/rsa_local.h b/lib/libcrypto/rsa/rsa_local.h index b4e90abd947..e4c3040b6f1 100644 --- a/lib/libcrypto/rsa/rsa_local.h +++ b/lib/libcrypto/rsa/rsa_local.h @@ -1,4 +1,4 @@ -/* $OpenBSD: rsa_local.h,v 1.3 2023/07/21 15:26:51 tb Exp $ */ +/* $OpenBSD: rsa_local.h,v 1.4 2023/07/28 10:05:16 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -153,4 +153,6 @@ int RSA_padding_check_X931(unsigned char *to, int tlen, const unsigned char *f, int fl, int rsa_len); int RSA_X931_hash_id(int nid); +BN_BLINDING *RSA_setup_blinding(RSA *rsa, BN_CTX *ctx); + __END_HIDDEN_DECLS -- 2.20.1
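Review bot: Only rsa_lib.c gains `#include "bn_local.h"` in this commit, while the blinding prototypes disappear from the public bn.h for every file in the library. The rsa_crpt.c section, which holds the end of `RSA_setup_blinding`, adds no include, so it and any other in-tree caller of `BN_BLINDING_*` must already pull in bn_local.h. That is worth confirming with a search, because a missed file would call these functions without a prototype and the pointer-returning ones would be mis-declared. The include list itself begins and ends outside the hunk.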
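Review bot: The new internal prototype for `RSA_setup_blinding` in rsa_local.h has no comment saying who owns the returned `BN_BLINDING` or why it is no longer public. Since `RSA_blinding_on` and `RSA_blinding_off` stay exported (they are context lines in the rsa.h and Symbols.namespace hunks), a line such as `/* Internal: builds the blinding state for rsa; applications use RSA_blinding_on(). */` above it would make the split clear. Who frees the result is not visible in this diff, so any wording about ownership should be checked against rsa_crpt.c.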