git.ipfire.org Git - thirdparty/openssl.git/commit

author	Nicola Tuveri <nic.tuv@gmail.com>
	Mon, 11 Feb 2019 22:37:25 +0000 (00:37 +0200)
committer	Nicola Tuveri <nic.tuv@gmail.com>
	Wed, 20 Feb 2019 20:57:19 +0000 (22:57 +0200)
commit	d769ce09b690237c35c32032edbaf0339c480e85
tree	ef088a7d1d31d4eb700634918eade65237ad2460	tree \| snapshot
parent	e30dfbebe7fa3af40fd840fc89b004376fc2b21f	commit \| diff

Test for constant-time flag leakage in BN_CTX

This commit adds a simple unit test to make sure that the constant-time
flag does not "leak" among BN_CTX frames:

- test_ctx_consttime_flag() initializes (and later frees before
  returning) a BN_CTX object, then it calls in sequence
  test_ctx_set_ct_flag() and test_ctx_check_ct_flag() using the same
  BN_CTX object.
- test_ctx_set_ct_flag() starts a frame in the given BN_CTX and sets the
  BN_FLG_CONSTTIME flag on some of the BIGNUMs obtained from the frame
  before ending it.
- test_ctx_check_ct_flag() then starts a new frame and gets a number of
  BIGNUMs from it. In absence of leaks, none of the BIGNUMs in the new
  frame should have BN_FLG_CONSTTIME set.

In actual BN_CTX usage inside libcrypto the leak could happen at any
depth level in the BN_CTX stack, with varying results depending on the
patterns of sibling trees of nested function calls sharing the same
BN_CTX object, and the effect of unintended BN_FLG_CONSTTIME on the
called BN_* functions.

This simple unit test abstracts away this complexity and verifies that
the leak does not happen between two sibling functions sharing the same
BN_CTX object at the same level of nesting.

(manually cherry picked from commit fe16ae5f95fa86ddb049a8d1e2caee0b80b32282)

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8295)