authortb <>2021-12-26 15:16:50 +0000
committertb <>2021-12-26 15:16:50 +0000
commitc8d92e7494cde45554fdc18c66728a2adbe1bb71 (patch)
tree6a671dbeeec853ee17f157f9b538e98cd605b1c5
parent9656351e09b56a51fb7279fc55f9ec06f3459223 (diff)
Consistently call BN_init() before BN_with_flags()
BN_with_flags() preserves the BN_FLG_MALLOCED flag of the destination, which results in a potential use of an uninitialized bit. In practice this doesn't matter since we don't free the cloned BIGNUMs anyway. As jsing points out, these are mostly pointless noise and should be garbage collected. I'll leave that for another rainy day. Coverity flagged one instance in BN_gcd_no_branch(); the rest was found by the ever so helpful grep(1). CID 345122 ok jsing
-rw-r--r--src/lib/libcrypto/bn/bn_gcd.c40
-rw-r--r--src/lib/libcrypto/rsa/rsa_eay.c3
-rw-r--r--src/lib/libcrypto/rsa/rsa_gen.c5
3 files changed, 33 insertions, 15 deletions
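--- a/src/lib/libcrypto/bn/bn_gcd.c
+++ b/src/lib/libcrypto/bn/bn_gcd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_gcd.c,v 1.15 2017/01/29 17:49:22 beck Exp $ */
+/* $OpenBSD: bn_gcd.c,v 1.16 2021/12/26 15:16:50 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -576,6 +576,9 @@ BN_mod_inverse_no_branch(BIGNUM *in, const BIGNUM *a, const BIGNUM *n,
 bn_check_top(a);
 bn_check_top(n);
 
+BN_init(&local_A);
+BN_init(&local_B);
+
 BN_CTX_start(ctx);
 if ((A = BN_CTX_get(ctx)) == NULL)
 goto err;
@@ -608,10 +611,12 @@ BN_mod_inverse_no_branch(BIGNUM *in, const BIGNUM *a, const BIGNUM *n,
 A->neg = 0;
 
 if (B->neg || (BN_ucmp(B, A) >= 0)) {
-/* Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked,
- * BN_div_no_branch will be called eventually.
- */
+/*
+ * Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked,
+ * BN_div_no_branch will be called eventually.
+ */
 pB = &local_B;
+/* BN_init() done at the top of the function. */
 BN_with_flags(pB, B, BN_FLG_CONSTTIME);
 if (!BN_nnmod(B, pB, A, ctx))
 goto err;
@@ -633,10 +638,12 @@ BN_mod_inverse_no_branch(BIGNUM *in, const BIGNUM *a, const BIGNUM *n,
  * sign*Y*a == A (mod |n|)
  */
 
-/* Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked,
- * BN_div_no_branch will be called eventually.
- */
+/*
+ * Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked,
+ * BN_div_no_branch will be called eventually.
+ */
 pA = &local_A;
+/* BN_init() done at the top of the function. */
 BN_with_flags(pA, A, BN_FLG_CONSTTIME);
 
 /* (D, M) := (A/B, A%B) ... */
@@ -740,6 +747,9 @@ BN_gcd_no_branch(BIGNUM *in, const BIGNUM *a, const BIGNUM *n,
 goto err;
 R = in;
 
+BN_init(&local_A);
+BN_init(&local_B);
+
 bn_check_top(a);
 bn_check_top(n);
 
@@ -768,10 +778,12 @@ BN_gcd_no_branch(BIGNUM *in, const BIGNUM *a, const BIGNUM *n,
 A->neg = 0;
 
 if (B->neg || (BN_ucmp(B, A) >= 0)) {
-/* Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked,
- * BN_div_no_branch will be called eventually.
- */
+/*
+ * Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked,
+ * BN_div_no_branch will be called eventually.
+ */
 pB = &local_B;
+/* BN_init() done at the top of the function. */
 BN_with_flags(pB, B, BN_FLG_CONSTTIME);
 if (!BN_nnmod(B, pB, A, ctx))
 goto err;
@@ -793,10 +805,12 @@ BN_gcd_no_branch(BIGNUM *in, const BIGNUM *a, const BIGNUM *n,
  * sign*Y*a == A (mod |n|)
  */
 
-/* Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked,
- * BN_div_no_branch will be called eventually.
- */
+/*
+ * Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked,
+ * BN_div_no_branch will be called eventually.
+ */
 pA = &local_A;
+/* BN_init() done at the top of the function. */
 BN_with_flags(pA, A, BN_FLG_CONSTTIME);
 
 /* (D, M) := (A/B, A%B) ... */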
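Review bot: The new `BN_init(&local_A); BN_init(&local_B);` in BN_gcd_no_branch (new lines 750-751) are placed after the `goto err` at line 747, and in BN_mod_inverse_no_branch they come after the bn_check_top() calls, so the comment `/* BN_init() done at the top of the function. */` is only approximately true in both places. Moving the two calls to be the first statements after the declarations, ahead of any `goto err`, would make the comment literal and keep the locals in a defined state on every path through `err:` should cleanup of them ever be added there. The same ordering concern applies to `BN_init(&d)` and `BN_init(&p)` in rsa_gen.c, which follow earlier `goto err` lines in that function. Both functions here start and end outside the hunks, so I cannot see whether an earlier early-exit exists in BN_mod_inverse_no_branch.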
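--- a/src/lib/libcrypto/rsa/rsa_eay.c
+++ b/src/lib/libcrypto/rsa/rsa_eay.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_eay.c,v 1.51 2019/11/02 13:52:31 jsing Exp $ */
+/* $OpenBSD: rsa_eay.c,v 1.52 2021/12/26 15:16:50 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -753,6 +753,7 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
 goto err;
 
 /* compute I mod p */
+BN_init(&c);
 BN_with_flags(&c, I, BN_FLG_CONSTTIME);
 
 if (!BN_mod_ct(r1, &c, rsa->p, ctx))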
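Review bot: The inserted `BN_init(&c);` (new line 756) fixes the flag inheritance, but nothing near it says that `c` is a flag-only clone whose limbs appear to belong to `I` (BN_with_flags shares the source's data) and that it must therefore never be passed to BN_free() or BN_clear_free(). The commit message states the clones are not freed, yet the function's `err:` path is outside this hunk, so a reader cannot confirm that invariant here. A one-line comment above the call, e.g. `/* c is a flag-only clone of I; it shares I's limbs and is never freed. */`, would pin it down for the next maintainer. RSA_eay_mod_exp starts and ends outside the hunk.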
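--- a/src/lib/libcrypto/rsa/rsa_gen.c
+++ b/src/lib/libcrypto/rsa/rsa_gen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_gen.c,v 1.22 2017/01/29 17:49:23 beck Exp $ */
+/* $OpenBSD: rsa_gen.c,v 1.23 2021/12/26 15:16:50 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -194,12 +194,14 @@ rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
 if (!BN_mul(r0, r1, r2, ctx)) /* (p-1)(q-1) */
 goto err;
 
+BN_init(&pr0);
 BN_with_flags(&pr0, r0, BN_FLG_CONSTTIME);
 
 if (!BN_mod_inverse_ct(rsa->d, rsa->e, &pr0, ctx)) /* d */
 goto err;
 
 /* set up d for correct BN_FLG_CONSTTIME flag */
+BN_init(&d);
 BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME);
 
 /* calculate d mod (p-1) */
@@ -211,6 +213,7 @@ rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
 goto err;
 
 /* calculate inverse of q mod p */
+BN_init(&p);
 BN_with_flags(&p, rsa->p, BN_FLG_CONSTTIME);
 if (!BN_mod_inverse_ct(rsa->iqmp, rsa->q, &p, ctx))
 goto err;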