mirrors/openssl
0
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2025-01-23 18:33:37 +08:00
Code Issues Packages Projects Releases Wiki Activity

Deprecate the flags that switch off constant time

Browse Source 
The flags RSA_FLAG_NO_CONSTTIME, DSA_FLAG_NO_EXP_CONSTTIME and
DH_FLAG_NO_EXP_CONSTTIME which previously provided the ability to switch
off the constant time implementation for RSA, DSA and DH have been made
no-ops and deprecated.

Reviewed-by: Richard Levitte <levitte@openssl.org>
This commit is contained in:
Matt Caswell 2016-05-26 10:55:11 +01:00
parent f943e640ef
commit 5584f65a10
13 changed files with 163 additions and 267 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
CHANGES
View File

@ -4,6 +4,12 @@
Changes between 1.0.2h and 1.1.0 [xx XXX 2016]
*) The flags RSA_FLAG_NO_CONSTTIME, DSA_FLAG_NO_EXP_CONSTTIME and
DH_FLAG_NO_EXP_CONSTTIME which previously provided the ability to switch
off the constant time implementation for RSA, DSA and DH have been made
no-ops and deprecated.
[Matt Caswell]
*) Windows RAND implementation was simplified to only get entropy by
calling CryptGenRandom(). Various other RAND-related tickets
were also closed.

35
crypto/dh/dh_key.c
View File

@ -113,24 +113,18 @@ static int generate_key(DH *dh)
}
{
BIGNUM *local_prk = NULL;
BIGNUM *prk;
BIGNUM *prk = BN_new();
if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) {
local_prk = prk = BN_new();
if (local_prk == NULL)
goto err;
BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
} else {
prk = priv_key;
}
if (prk == NULL)
goto err;
BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, prk, dh->p, ctx, mont)) {
BN_free(local_prk);
BN_free(prk);
goto err;
}
/* We MUST free local_prk before any further use of priv_key */
BN_free(local_prk);
/* We MUST free prk before any further use of priv_key */
BN_free(prk);
}
dh->pub_key = pub_key;
@ -175,10 +169,7 @@ static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
if (dh->flags & DH_FLAG_CACHE_MONT_P) {
mont = BN_MONT_CTX_set_locked(&dh->method_mont_p,
dh->lock, dh->p, ctx);
if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) {
/* XXX */
BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
}
BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
if (!mont)
goto err;
}
@ -207,15 +198,7 @@ static int dh_bn_mod_exp(const DH *dh, BIGNUM *r,
const BIGNUM *a, const BIGNUM *p,
const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
{
/*
* If a is only one word long and constant time is false, use the faster
* exponentiation function.
*/
if (bn_get_top(a) == 1 && ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) != 0)) {
BN_ULONG A = bn_get_words(a)[0];
return BN_mod_exp_mont_word(r, A, p, m, ctx, m_ctx);
} else
return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
}
static int dh_init(DH *dh)

20
crypto/dsa/dsa_key.c
View File

@ -50,24 +50,18 @@ static int dsa_builtin_keygen(DSA *dsa)
pub_key = dsa->pub_key;
{
BIGNUM *local_prk = NULL;
BIGNUM *prk;
BIGNUM *prk = BN_new();
if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
local_prk = prk = BN_new();
if (local_prk == NULL)
goto err;
BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
} else {
prk = priv_key;
}
if (prk == NULL)
goto err;
BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
if (!BN_mod_exp(pub_key, dsa->g, prk, dsa->p, ctx)) {
BN_free(local_prk);
BN_free(prk);
goto err;
}
/* We MUST free local_prk before any further use of priv_key */
BN_free(local_prk);
/* We MUST free prk before any further use of priv_key */
BN_free(prk);
}
dsa->priv_key = priv_key;

38
crypto/dsa/dsa_ossl.c
View File

@ -135,7 +135,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
const unsigned char *dgst, int dlen)
{
BN_CTX *ctx = NULL;
BIGNUM *k, *kq, *K, *kinv = NULL, *r = *rp;
BIGNUM *k, *kq, *kinv = NULL, *r = *rp;
int ret = 0;
if (!dsa->p || !dsa->q || !dsa->g) {
@ -176,39 +176,31 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
/* Compute r = (g^k mod p) mod q */
if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
if (!BN_copy(kq, k))
goto err;
if (!BN_copy(kq, k))
goto err;
/*
* We do not want timing information to leak the length of k, so we
* compute g^k using an equivalent exponent of fixed length. (This
* is a kludge that we need because the BN_mod_exp_mont() does not
* let us specify the desired timing behaviour.)
*/
/*
* We do not want timing information to leak the length of k, so we
* compute g^k using an equivalent exponent of fixed length. (This
* is a kludge that we need because the BN_mod_exp_mont() does not
* let us specify the desired timing behaviour.)
*/
if (!BN_add(kq, kq, dsa->q))
goto err;
if (BN_num_bits(kq) <= BN_num_bits(dsa->q)) {
if (!BN_add(kq, kq, dsa->q))
goto err;
if (BN_num_bits(kq) <= BN_num_bits(dsa->q)) {
if (!BN_add(kq, kq, dsa->q))
goto err;
}
K = kq;
} else {
K = k;
}
if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
BN_set_flags(K, BN_FLG_CONSTTIME);
}
BN_set_flags(kq, BN_FLG_CONSTTIME);
if ((dsa)->meth->bn_mod_exp != NULL) {
if (!dsa->meth->bn_mod_exp(dsa, r, dsa->g, K, dsa->p, ctx,
if (!dsa->meth->bn_mod_exp(dsa, r, dsa->g, kq, dsa->p, ctx,
dsa->method_mont_p))
goto err;
} else {
if (!BN_mod_exp_mont(r, dsa->g, K, dsa->p, ctx, dsa->method_mont_p))
if (!BN_mod_exp_mont(r, dsa->g, kq, dsa->p, ctx, dsa->method_mont_p))
goto err;
}

21
crypto/rsa/rsa_crpt.c
View File

@ -147,23 +147,18 @@ BN_BLINDING *RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx)
}
{
BIGNUM *local_n = NULL, *n;
if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
/* Set BN_FLG_CONSTTIME flag */
local_n = n = BN_new();
if (local_n == NULL) {
RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_MALLOC_FAILURE);
goto err;
}
BN_with_flags(n, rsa->n, BN_FLG_CONSTTIME);
} else {
n = rsa->n;
BIGNUM *n = BN_new();
if (n == NULL) {
RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_MALLOC_FAILURE);
goto err;
}
BN_with_flags(n, rsa->n, BN_FLG_CONSTTIME);
ret = BN_BLINDING_create_param(NULL, e, n, ctx, rsa->meth->bn_mod_exp,
rsa->_method_mod_n);
/* We MUST free local_n before any further use of rsa->n */
BN_free(local_n);
/* We MUST free n before any further use of rsa->n */
BN_free(n);
}
if (ret == NULL) {
RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_BN_LIB);

61
crypto/rsa/rsa_gen.c
View File

@ -137,64 +137,51 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
if (!BN_mul(r0, r1, r2, ctx))
goto err; /* (p-1)(q-1) */
{
BIGNUM *local_r0 = NULL, *pr0;
if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
pr0 = local_r0 = BN_new();
if (local_r0 == NULL)
goto err;
BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
} else {
pr0 = r0;
}
BIGNUM *pr0 = BN_new();
if (pr0 == NULL)
goto err;
BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx)) {
BN_free(local_r0);
BN_free(pr0);
goto err; /* d */
}
/* We MUST free local_r0 before any further use of r0 */
BN_free(local_r0);
/* We MUST free pr0 before any further use of r0 */
BN_free(pr0);
}
{
BIGNUM *local_d = NULL, *d;
/* set up d for correct BN_FLG_CONSTTIME flag */
if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
d = local_d = BN_new();
if (local_d == NULL)
goto err;
BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
} else {
d = rsa->d;
}
BIGNUM *d = BN_new();
if (d == NULL)
goto err;
BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
if ( /* calculate d mod (p-1) */
!BN_mod(rsa->dmp1, d, r1, ctx)
/* calculate d mod (q-1) */
|| !BN_mod(rsa->dmq1, d, r2, ctx)) {
BN_free(local_d);
BN_free(d);
goto err;
}
/* We MUST free local_d before any further use of rsa->d */
BN_free(local_d);
/* We MUST free d before any further use of rsa->d */
BN_free(d);
}
{
BIGNUM *local_p = NULL, *p;
BIGNUM *p = BN_new();
if (p == NULL)
goto err;
BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
/* calculate inverse of q mod p */
if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
p = local_p = BN_new();
if (local_p == NULL)
goto err;
BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
} else {
p = rsa->p;
}
if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx)) {
BN_free(local_p);
BN_free(p);
goto err;
}
/* We MUST free local_p before any further use of rsa->p */
BN_free(local_p);
/* We MUST free p before any further use of rsa->p */
BN_free(p);
}
ok = 1;

202
crypto/rsa/rsa_ossl.c
View File

@ -300,33 +300,27 @@ static int rsa_ossl_private_encrypt(int flen, const unsigned char *from,
if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
goto err;
} else {
BIGNUM *d = NULL, *local_d = NULL;
if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
local_d = d = BN_new();
if (d == NULL) {
RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE);
goto err;
}
BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
} else {
d = rsa->d;
BIGNUM *d = BN_new();
if (d == NULL) {
RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE);
goto err;
}
BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
if (!BN_MONT_CTX_set_locked
(&rsa->_method_mod_n, rsa->lock, rsa->n, ctx)) {
BN_free(local_d);
BN_free(d);
goto err;
}
if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
rsa->_method_mod_n)) {
BN_free(local_d);
BN_free(d);
goto err;
}
/* We MUST free local_d before any further use of rsa->d */
BN_free(local_d);
/* We MUST free d before any further use of rsa->d */
BN_free(d);
}
if (blinding)
@ -434,32 +428,26 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
goto err;
} else {
BIGNUM *d = NULL, *local_d = NULL;
if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
local_d = d = BN_new();
if (d == NULL) {
RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE);
goto err;
}
BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
} else {
d = rsa->d;
BIGNUM *d = BN_new();
if (d == NULL) {
RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE);
goto err;
}
BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
if (!BN_MONT_CTX_set_locked
(&rsa->_method_mod_n, rsa->lock, rsa->n, ctx)) {
BN_free(local_d);
BN_free(d);
goto err;
}
if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
rsa->_method_mod_n)) {
BN_free(local_d);
BN_free(d);
goto err;
}
/* We MUST free local_d before any further use of rsa->d */
BN_free(local_d);
/* We MUST free d before any further use of rsa->d */
BN_free(d);
}
if (blinding)
@ -608,46 +596,35 @@ static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
vrfy = BN_CTX_get(ctx);
{
BIGNUM *local_p = NULL, *local_q = NULL;
BIGNUM *p = NULL, *q = NULL;
BIGNUM *p = BN_new(), *q = BN_new();
/*
* Make sure BN_mod_inverse in Montgomery initialization uses the
* BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set)
* BN_FLG_CONSTTIME flag
*/
if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
local_p = p = BN_new();
if (p == NULL)
goto err;
BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
local_q = q = BN_new();
if (q == NULL) {
BN_free(local_p);
goto err;
}
BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
} else {
p = rsa->p;
q = rsa->q;
if (p == NULL || q == NULL) {
BN_free(p);
BN_free(q);
goto err;
}
BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) {
if (!BN_MONT_CTX_set_locked
(&rsa->_method_mod_p, rsa->lock, p, ctx)
|| !BN_MONT_CTX_set_locked(&rsa->_method_mod_q,
rsa->lock, q, ctx)) {
BN_free(local_p);
BN_free(local_q);
BN_free(p);
BN_free(q);
goto err;
}
}
/*
* We MUST free local_p and local_q before any further use of rsa->p and
* rsa->q
* We MUST free p and q before any further use of rsa->p and rsa->q
*/
BN_free(local_p);
BN_free(local_q);
BN_free(p);
BN_free(q);
}
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
@ -657,72 +634,58 @@ static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
/* compute I mod q */
{
BIGNUM *local_c = NULL;
const BIGNUM *c;
if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
local_c = BN_new();
if (local_c == NULL)
goto err;
BN_with_flags(local_c, I, BN_FLG_CONSTTIME);
c = local_c;
} else {
c = I;
}
BIGNUM *c = BN_new();
if (c == NULL)
goto err;
BN_with_flags(c, I, BN_FLG_CONSTTIME);
if (!BN_mod(r1, c, rsa->q, ctx)) {
BN_free(local_c);
BN_free(c);
goto err;
}
{
BIGNUM *local_dmq1 = NULL, *dmq1;
/* compute r1^dmq1 mod q */
if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
dmq1 = local_dmq1 = BN_new();
if (local_dmq1 == NULL) {
BN_free(local_c);
goto err;
}
BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
} else {
dmq1 = rsa->dmq1;
}
if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx,
rsa->_method_mod_q)) {
BN_free(local_c);
BN_free(local_dmq1);
BIGNUM *dmq1 = BN_new();
if (dmq1 == NULL) {
BN_free(c);
goto err;
}
/* We MUST free local_dmq1 before any further use of rsa->dmq1 */
BN_free(local_dmq1);
BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
/* compute r1^dmq1 mod q */
if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx,
rsa->_method_mod_q)) {
BN_free(c);
BN_free(dmq1);
goto err;
}
/* We MUST free dmq1 before any further use of rsa->dmq1 */
BN_free(dmq1);
}
/* compute I mod p */
if (!BN_mod(r1, c, rsa->p, ctx)) {
BN_free(local_c);
BN_free(c);
goto err;
}
/* We MUST free local_c before any further use of I */
BN_free(local_c);
/* We MUST free c before any further use of I */
BN_free(c);
}
{
BIGNUM *local_dmp1 = NULL, *dmp1;
BIGNUM *dmp1 = BN_new();
if (dmp1 == NULL)
goto err;
BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
/* compute r1^dmp1 mod p */
if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
dmp1 = local_dmp1 = BN_new();
if (local_dmp1 == NULL)
goto err;
BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
} else {
dmp1 = rsa->dmp1;
}
if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p, ctx,
rsa->_method_mod_p)) {
BN_free(local_dmp1);
BN_free(dmp1);
goto err;
}
/* We MUST free local_dmp1 before any further use of rsa->dmp1 */
BN_free(local_dmp1);
/* We MUST free dmp1 before any further use of rsa->dmp1 */
BN_free(dmp1);
}
if (!BN_sub(r0, r0, m1))
@ -739,22 +702,17 @@ static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
goto err;
{
BIGNUM *local_r1 = NULL, *pr1;
/* Turn BN_FLG_CONSTTIME flag on before division operation */
if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
pr1 = local_r1 = BN_new();
if (local_r1 == NULL)
goto err;
BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
} else {
pr1 = r1;
}
BIGNUM *pr1 = BN_new();
if (pr1 == NULL)
goto err;
BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
if (!BN_mod(r0, pr1, rsa->p, ctx)) {
BN_free(local_r1);
BN_free(pr1);
goto err;
}
/* We MUST free local_r1 before any further use of r1 */
BN_free(local_r1);
/* We MUST free pr1 before any further use of r1 */
BN_free(pr1);
}
/*
@ -796,24 +754,18 @@ static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
* return that instead.
*/
BIGNUM *local_d = NULL;
BIGNUM *d = NULL;
BIGNUM *d = BN_new();
if (d == NULL)
goto err;
BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
local_d = d = BN_new();
if (d == NULL)
goto err;
BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
} else {
d = rsa->d;
}
if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx,
rsa->_method_mod_n)) {
BN_free(local_d);
BN_free(d);
goto err;
}
/* We MUST free local_d before any further use of rsa->d */
BN_free(local_d);
/* We MUST free d before any further use of rsa->d */
BN_free(d);
}
}
ret = 1;

8
include/openssl/dh.h
View File

@ -32,7 +32,13 @@ extern "C" {
# define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024
# define DH_FLAG_CACHE_MONT_P 0x01
# define DH_FLAG_NO_EXP_CONSTTIME 0x02
# if OPENSSL_API_COMPAT < 0x10100000L
/*
* Does nothing. Previously this switched off constant time behaviour.
*/
# define DH_FLAG_NO_EXP_CONSTTIME 0x00
# endif
/*
* If this flag is set the DH method is FIPS compliant and can be used in

8
include/openssl/dsa.h
View File

@ -38,12 +38,12 @@ extern "C" {
# define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS 1024
# define DSA_FLAG_CACHE_MONT_P 0x01
# if OPENSSL_API_COMPAT < 0x10100000L
/*
* new with 0.9.7h; the built-in DSA implementation now uses constant time
* modular exponentiation for secret exponents by default. This flag causes
* the faster variable sliding window method to be used for all exponents.
* Does nothing. Previously this switched off constant time behaviour.
*/
# define DSA_FLAG_NO_EXP_CONSTTIME 0x02
# define DSA_FLAG_NO_EXP_CONSTTIME 0x00
# endif
/*
* If this flag is set the DSA method is FIPS compliant and can be used in

14
include/openssl/rsa.h
View File

@ -66,18 +66,12 @@ extern "C" {
* but other engines might not need it
*/
# define RSA_FLAG_NO_BLINDING 0x0080
# if OPENSSL_API_COMPAT < 0x10100000L
/*
* new with 0.9.8f; the built-in RSA
* implementation now uses constant time
* operations by default in private key operations,
* e.g., constant time modular exponentiation,
* modular inverse without leaking branches,
* division without leaking branches. This
* flag disables these constant time
* operations and results in faster RSA
* private key operations.
* Does nothing. Previously this switched off constant time behaviour.
*/
# define RSA_FLAG_NO_CONSTTIME 0x0100
# define RSA_FLAG_NO_CONSTTIME 0x0000
# endif
# if OPENSSL_API_COMPAT < 0x00908000L
/* deprecated name for the flag*/
/*

4
test/dhtest.c
View File

@ -95,10 +95,6 @@ int main(int argc, char *argv[])
goto err;
bp = bg = NULL;
/* Set a to run with normal modexp and b to use constant time */
DH_clear_flags(a, DH_FLAG_NO_EXP_CONSTTIME);
DH_set_flags(b, DH_FLAG_NO_EXP_CONSTTIME);
if (!DH_generate_key(a))
goto err;
DH_get0_key(a, &apub_key, &priv_key);

7
test/dsatest.c
View File

@ -147,13 +147,6 @@ int main(int argc, char **argv)
goto end;
}
DSA_set_flags(dsa, DSA_FLAG_NO_EXP_CONSTTIME);
DSA_generate_key(dsa);
DSA_sign(0, str1, 20, sig, &siglen, dsa);
if (DSA_verify(0, str1, 20, sig, siglen, dsa) == 1)
ret = 1;
DSA_clear_flags(dsa, DSA_FLAG_NO_EXP_CONSTTIME);
DSA_generate_key(dsa);
DSA_sign(0, str1, 20, sig, &siglen, dsa);
if (DSA_verify(0, str1, 20, sig, siglen, dsa) == 1)

6
test/rsa_test.c
View File

@ -241,9 +241,9 @@ int main(int argc, char *argv[])
plen = sizeof(ptext_ex) - 1;
for (v = 0; v < 6; v++) {
for (v = 0; v < 3; v++) {
key = RSA_new();
switch (v % 3) {
switch (v) {
case 0:
clen = key1(key, ctext_ex);
break;
@ -254,8 +254,6 @@ int main(int argc, char *argv[])
clen = key3(key, ctext_ex);
break;
}
if (v / 3 >= 1)
RSA_set_flags(key, RSA_FLAG_NO_CONSTTIME);
num = RSA_public_encrypt(plen, ptext_ex, ctext, key,
RSA_PKCS1_PADDING);