Commit
Expose BN_set_flags as a no-op (aws#2021)
We're currently leaning towards continuing to not support
`BN_FLG_CONSTTIME`. It's a problematic flag that's poorly documented and
could lead to constant time violations if we aren't careful.
We can expose `BN_set_flags` as a no-op however. Ruby has logic to get
around the `BN_FLG_CONSTTIME` flag, but not around `BN_set/get_flags`.
Exposing the set symbol would allow for a cleaner patch/build.

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.
samuel40791765 authored Dec 2, 2024
1 parent beb8846 commit b3f452d
Showing 3 changed files with 8 additions and 6 deletions.
2 changes: 2 additions & 0 deletions crypto/fipsmodule/bn/bn.c
Expand Up @@ -445,3 +445,5 @@ void bn_set_minimal_width(BIGNUM *bn) {
int BN_get_flags(const BIGNUM *bn, int flags) {
return bn->flags & flags;
}

void BN_set_flags(BIGNUM *b, int n) { }
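Review bot: the new BN_set_flags definition discards both arguments, while BN_get_flags directly above it still returns bn->flags & flags, so a caller that sets a flag and then queries it will see the flag as unset. If that asymmetry is intended, put a short comment on the definition saying so, since the body gives no hint that it is deliberate. Naming the parameters bn and flags, as BN_get_flags does, would also read better than b and n.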
10 changes: 5 additions & 5 deletions include/openssl/bn.h
Expand Up @@ -1021,6 +1021,11 @@ OPENSSL_EXPORT int BN_mod_exp_mont_consttime_x2(BIGNUM *rr1, const BIGNUM *a1, c
const BIGNUM *m2, const BN_MONT_CTX *in_mont2,
BN_CTX *ctx);

// BN_set_flags does nothing. See comments regarding |BN_FLG_CONSTTIME| being
// intentionally omitted for more details.
OPENSSL_DEPRECATED OPENSSL_EXPORT void BN_set_flags(BIGNUM *b, int n);


// Private functions

struct bignum_st {
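Review bot: the comment on the new BN_set_flags declaration refers to "comments regarding |BN_FLG_CONSTTIME|" without saying where they are or what the consequence is for a caller. State it directly in this comment: every flag passed in is ignored, so requesting BN_FLG_CONSTTIME through this function changes nothing about how the BIGNUM is handled. The declaration is also followed by two blank lines before "// Private functions"; one would do.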
Expand Down Expand Up @@ -1065,11 +1070,6 @@ OPENSSL_EXPORT unsigned BN_num_bits_word(BN_ULONG l);
#define BN_FLG_MALLOCED 0x01
#define BN_FLG_STATIC_DATA 0x02

#ifdef AWS_LC_INTERNAL_IGNORE_BN_SET_FLAGS
#define BN_set_flags(x, y) /* Ignored */
#define BN_FLG_CONSTTIME 0x04
#endif /* AWS_LC_INTERNAL_IGNORE_BN_SET_FLAGS */

// |BN_FLG_CONSTTIME| has been removed and intentionally omitted so code relying
// on it will not compile unless the flag above is set. Consumers should use the
// higher-level cryptographic algorithms exposed by other modules. Consumers
2 changes: 1 addition & 1 deletion tests/ci/integration/run_openssh_integration.sh
Expand Up @@ -52,7 +52,7 @@ function openssh_build() {
# The RSA_meth_XXX functions are not implemented by AWS-LC, and the implementation provided by OpenSSH also doesn't compile for us.
# Fortunately, these functions are only needed for pkcs11 support, which is disabled for our build.
# See: https://github.com/openssh/openssh-portable/pull/385
export CFLAGS="-DAWS_LC_INTERNAL_IGNORE_BN_SET_FLAGS=1 -DHAVE_RSA_METH_FREE=1 -DHAVE_RSA_METH_DUP=1 -DHAVE_RSA_METH_SET1_NAME=1 -DHAVE_RSA_METH_GET_FINISH=1 -DHAVE_RSA_METH_SET_PRIV_ENC=1 -DHAVE_RSA_METH_SET_PRIV_DEC=1 -DHAVE_RSA_METH_SET_FINISH=1 "
export CFLAGS="-DBN_FLG_CONSTTIME=0x04 -DHAVE_RSA_METH_FREE=1 -DHAVE_RSA_METH_DUP=1 -DHAVE_RSA_METH_SET1_NAME=1 -DHAVE_RSA_METH_GET_FINISH=1 -DHAVE_RSA_METH_SET_PRIV_ENC=1 -DHAVE_RSA_METH_SET_PRIV_DEC=1 -DHAVE_RSA_METH_SET_FINISH=1 "
./configure --with-ssl-dir="${AWS_LC_INSTALL_FOLDER}" --prefix="${OPENSSH_INSTALL_FOLDER}" --disable-pkcs11
make -j "$NUM_CPU_THREADS"
make install
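Review bot: the replacement CFLAGS line defines BN_FLG_CONSTTIME=0x04 on the command line, yet the comment above the export only explains the RSA_meth_XXX defines. Add a line explaining that the macro is supplied here solely so the OpenSSH sources compile, and that the value reaches BN_set_flags, which ignores it. The literal 0x04 also duplicates the value that was in the header block this commit deletes, so a note on where it comes from would help whoever touches this script next.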
