Fixed error in propagating BN_FLG_CONSTTIME flag through BN_MONT_CTX_set, which could lead to information disclosure on RSA primes p and q.

Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4377)
2025-03-19 19:50:42 +08:00 · 2017-09-15 22:12:53 +02:00 · 2017-09-15 22:12:53 +02:00 · 3de81a5912
commit 3de81a5912
parent 7966101e20
1 changed files with 5 additions and 0 deletions
--- a/crypto/bn/bn_mont.c
+++ b/crypto/bn/bn_mont.c
@ -258,6 +258,8 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
    R = &(mont->RR);            /* grab RR as a temp */
    if (!BN_copy(&(mont->N), mod))
        goto err;               /* Set N */
+    if (BN_get_flags(mod, BN_FLG_CONSTTIME) != 0)
+        BN_set_flags(&(mont->N), BN_FLG_CONSTTIME);
    mont->N.neg = 0;

 #ifdef MONT_WORD
@ -270,6 +272,9 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
        tmod.dmax = 2;
        tmod.neg = 0;

+        if (BN_get_flags(mod, BN_FLG_CONSTTIME) != 0)
+            BN_set_flags(&tmod, BN_FLG_CONSTTIME);
+
        mont->ri = (BN_num_bits(mod) + (BN_BITS2 - 1)) / BN_BITS2 * BN_BITS2;

 # if defined(OPENSSL_BN_ASM_MONT) && (BN_BITS2<=32)