File openssl-add-computationally-constant-time-bn_bn2binpad.patch of Package compat-openssl098.29129
From 6412738be390dd9bf680cef89f22e4c810ab065f Mon Sep 17 00:00:00 2001
From: Andy Polyakov <appro@openssl.org>
Date: Sun, 4 Feb 2018 15:20:29 +0100
Subject: [PATCH] bn/bn_lib.c: add computationally constant-time bn_bn2binpad.
"Computationally constant-time" means that it might still leak
information about input's length, but only in cases when input
is missing complete BN_ULONG limbs. But even then leak is possible
only if attacker can observe memory access pattern with limb
granularity.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6889)
(cherry picked from commit 89d8aade5f4011ddeea7827f08ec544c914f275a)
Resolved conflicts:
crypto/bn/bn_lib.c
---
crypto/bn/bn_lib.c | 36 ++++++++++++++++++++++++++++++++++++
crypto/bn_int.h | 2 ++
2 files changed, 38 insertions(+)
Index: openssl-1.0.1i/crypto/bn/bn_lib.c
===================================================================
--- openssl-1.0.1i.orig/crypto/bn/bn_lib.c
+++ openssl-1.0.1i/crypto/bn/bn_lib.c
@@ -628,6 +628,42 @@ BIGNUM *BN_bin2bn(const unsigned char *s
}
/* ignore negative */
+static int bn2binpad(const BIGNUM *a, unsigned char *to, int tolen)
+{
+ int i, j, top;
+ BN_ULONG l;
+
+ i = BN_num_bytes(a);
+ if (tolen == -1)
+ tolen = i;
+ else if (tolen < i)
+ return -1;
+
+ if (i == 0) {
+ OPENSSL_cleanse(to, tolen);
+ return tolen;
+ }
+
+ top = a->top * BN_BYTES;
+ for (i = 0, j = tolen; j > 0; i++) {
+ unsigned int mask;
+
+ mask = constant_time_lt(i, top);
+ i -= 1 & ~mask; /* stay on top limb */
+ l = a->d[i / BN_BYTES];
+ to[--j] = (unsigned char)(l >> (8 * (i % BN_BYTES)) & mask);
+ }
+
+ return tolen;
+}
+
+int bn_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen)
+{
+ if (tolen < 0)
+ return -1;
+ return bn2binpad(a, to, tolen);
+}
+
int BN_bn2bin(const BIGNUM *a, unsigned char *to)
{
int n,i;
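Review bot: The zero-value branch (`if (i == 0)`) fills the output with `OPENSSL_cleanse(to, tolen)`, which is only correct if cleanse actually writes zeros. As far as I recall, the portable C implementation of OPENSSL_cleanse in OpenSSL releases of this era overwrites the buffer with a counter-derived pattern rather than zeros (the assembly versions do zero), so on builds using the C fallback a zero BIGNUM could be serialized as non-zero bytes; this should be confirmed against this tree's mem_clr.c. The intent here is zero padding, not scrubbing, so `memset(to, 0, tolen);` states it directly and does not depend on which cleanse is linked. Separately, the hunk adds no include for `constant_time_lt`, so check that bn_lib.c in this tree already sees its declaration. The `tolen == -1` path in `bn2binpad` is also unreachable through `bn_bn2binpad`, which rejects negative lengths, and deserves a comment naming its intended caller.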
Index: openssl-1.0.1i/crypto/bn/bn.h
===================================================================
--- openssl-1.0.1i.orig/crypto/bn/bn.h
+++ openssl-1.0.1i/crypto/bn/bn.h
@@ -580,6 +580,7 @@ int BN_mod_mul_montgomery(BIGNUM *r,cons
(r),(a),&((mont)->RR),(mont),(ctx))
int BN_from_montgomery(BIGNUM *r,const BIGNUM *a,
BN_MONT_CTX *mont, BN_CTX *ctx);
+int bn_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen);
void BN_MONT_CTX_free(BN_MONT_CTX *mont);
int BN_MONT_CTX_set(BN_MONT_CTX *mont,const BIGNUM *mod,BN_CTX *ctx);
BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to,BN_MONT_CTX *from);
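Review bot: `bn_bn2binpad` is declared here in crypto/bn/bn.h, the installed public header, although the commit's diffstat lists crypto/bn_int.h, so this backport turns an internal helper into an exported, undocumented symbol. If this tree has no internal BN header to hold it, the declaration should at least carry a comment marking it as internal and stating the contract, e.g. `/* internal use only: writes a as big-endian, left-padded with zeros to exactly tolen bytes; returns tolen, or -1 if tolen is negative or too small */`. It also sits in the middle of the Montgomery declarations; placing it next to `BN_bn2bin` would make it easier to find.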