authortb <>2023-08-08 13:59:04 +0000
committertb <>2023-08-08 13:59:04 +0000
commitee52c24f5bd67428aaba2f1ca699029a1a069cf6 (patch)
treece74387dc64e380226cba28bf0c6d521d287c673
parent83b348b817ac67aa3c0b138f7ed9ad3367a997fd (diff)
Make BN_BLINDING respect some invariants
Pass e and mod into BN_BLINDING_new() for now and unconditionally allocate A and Ai. This way non-NULL blindings always have these four members set. This allows removing several unnecessary checks in the update, convert and parameter creation code paths. Fix the exit path of BN_BLINDING_create_param() so that it signals errors to the caller even if a non-NULL blinding was passed. This fixes a long standing bug. ok jsing
-rw-r--r--src/lib/libcrypto/bn/bn_blind.c65
1 files changed, 17 insertions, 48 deletions
diff --git a/src/lib/libcrypto/bn/bn_blind.c b/src/lib/libcrypto/bn/bn_blind.c
index cd2f7c8ebe..e530bdfb27 100644
--- a/src/lib/libcrypto/bn/bn_blind.c
+++ b/src/lib/libcrypto/bn/bn_blind.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: bn_blind.c,v 1.32 2023/08/02 09:25:36 tb Exp $ */ 1/* $OpenBSD: bn_blind.c,v 1.33 2023/08/08 13:59:04 tb Exp $ */
2/* ==================================================================== 2/* ====================================================================
3 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. 3 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
4 * 4 *
@@ -132,24 +132,20 @@ struct bn_blinding_st {
132}; 132};
133 133
134static BN_BLINDING * 134static BN_BLINDING *
135BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod) 135BN_BLINDING_new(const BIGNUM *e, const BIGNUM *mod)
136{ 136{
137 BN_BLINDING *ret = NULL; 137 BN_BLINDING *ret = NULL;
138 138
139 if ((ret = calloc(1, sizeof(BN_BLINDING))) == NULL) { 139 if ((ret = calloc(1, sizeof(BN_BLINDING))) == NULL) {
140 BNerror(ERR_R_MALLOC_FAILURE); 140 BNerror(ERR_R_MALLOC_FAILURE);
141 return NULL; 141 goto err;
142 }
143 if (A != NULL) {
144 if ((ret->A = BN_dup(A)) == NULL)
145 goto err;
146 }
147 if (Ai != NULL) {
148 if ((ret->Ai = BN_dup(Ai)) == NULL)
149 goto err;
150 } 142 }
151 143 if ((ret->A = BN_new()) == NULL)
152 /* save a copy of mod in the BN_BLINDING structure */ 144 goto err;
145 if ((ret->Ai = BN_new()) == NULL)
146 goto err;
147 if ((ret->e = BN_dup(e)) == NULL)
148 goto err;
153 if ((ret->mod = BN_dup(mod)) == NULL) 149 if ((ret->mod = BN_dup(mod)) == NULL)
154 goto err; 150 goto err;
155 if (BN_get_flags(mod, BN_FLG_CONSTTIME) != 0) 151 if (BN_get_flags(mod, BN_FLG_CONSTTIME) != 0)
@@ -160,11 +156,11 @@ BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod)
160 * that does not need updating before first use. */ 156 * that does not need updating before first use. */
161 ret->counter = -1; 157 ret->counter = -1;
162 CRYPTO_THREADID_current(&ret->tid); 158 CRYPTO_THREADID_current(&ret->tid);
163 return (ret); 159
160 return ret;
164 161
165 err: 162 err:
166 if (ret != NULL) 163 BN_BLINDING_free(ret);
167 BN_BLINDING_free(ret);
168 164
169 return NULL; 165 return NULL;
170} 166}
@@ -187,15 +183,10 @@ BN_BLINDING_update(BN_BLINDING *b, BN_CTX *ctx)
187{ 183{
188 int ret = 0; 184 int ret = 0;
189 185
190 if (b->A == NULL || b->Ai == NULL) {
191 BNerror(BN_R_NOT_INITIALIZED);
192 goto err;
193 }
194
195 if (b->counter == -1) 186 if (b->counter == -1)
196 b->counter = 0; 187 b->counter = 0;
197 188
198 if (++b->counter == BN_BLINDING_COUNTER && b->e != NULL) { 189 if (++b->counter == BN_BLINDING_COUNTER) {
199 /* re-create blinding parameters */ 190 /* re-create blinding parameters */
200 if (!BN_BLINDING_create_param(b, NULL, NULL, ctx, NULL, NULL)) 191 if (!BN_BLINDING_create_param(b, NULL, NULL, ctx, NULL, NULL))
201 goto err; 192 goto err;
@@ -220,11 +211,6 @@ BN_BLINDING_convert(BIGNUM *n, BIGNUM *r, BN_BLINDING *b, BN_CTX *ctx)
220{ 211{
221 int ret = 1; 212 int ret = 1;
222 213
223 if (b->A == NULL || b->Ai == NULL) {
224 BNerror(BN_R_NOT_INITIALIZED);
225 return 0;
226 }
227
228 if (b->counter == -1) 214 if (b->counter == -1)
229 /* Fresh blinding, doesn't need updating. */ 215 /* Fresh blinding, doesn't need updating. */
230 b->counter = 0; 216 b->counter = 0;
@@ -274,26 +260,11 @@ BN_BLINDING_create_param(BN_BLINDING *b, const BIGNUM *e, BIGNUM *m, BN_CTX *ctx
274 BN_BLINDING *ret = NULL; 260 BN_BLINDING *ret = NULL;
275 int retry_counter = 32; 261 int retry_counter = 32;
276 262
277 if (b == NULL) 263 if ((ret = b) == NULL)
278 ret = BN_BLINDING_new(NULL, NULL, m); 264 ret = BN_BLINDING_new(e, m);
279 else
280 ret = b;
281
282 if (ret == NULL) 265 if (ret == NULL)
283 goto err; 266 goto err;
284 267
285 if (ret->A == NULL && (ret->A = BN_new()) == NULL)
286 goto err;
287 if (ret->Ai == NULL && (ret->Ai = BN_new()) == NULL)
288 goto err;
289
290 if (e != NULL) {
291 BN_free(ret->e);
292 ret->e = BN_dup(e);
293 }
294 if (ret->e == NULL)
295 goto err;
296
297 if (bn_mod_exp != NULL) 268 if (bn_mod_exp != NULL)
298 ret->bn_mod_exp = bn_mod_exp; 269 ret->bn_mod_exp = bn_mod_exp;
299 if (m_ctx != NULL) 270 if (m_ctx != NULL)
@@ -329,10 +300,8 @@ BN_BLINDING_create_param(BN_BLINDING *b, const BIGNUM *e, BIGNUM *m, BN_CTX *ctx
329 return ret; 300 return ret;
330 301
331 err: 302 err:
332 if (b == NULL && ret != NULL) { 303 if (ret != b)
333 BN_BLINDING_free(ret); 304 BN_BLINDING_free(ret);
334 ret = NULL;
335 }
336 305
337 return ret; 306 return NULL;
338} 307}
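Review bot: In the BN_BLINDING_create_param() hunk, the `e` and `m` arguments are now consulted only on the `BN_BLINDING_new(e, m)` call for the `b == NULL` case (new lines 263-264), whereas the removed lines 290-293 used to replace `ret->e` whenever a caller passed a non-NULL `e` with an existing blinding; a caller that relied on that to re-key a blinding now has its `e` silently ignored, so the public prototype deserves a comment such as `/* e and m are only used when b == NULL; an existing blinding keeps its own e and mod. */`. Also, when `b == NULL` and `e == NULL`, `BN_dup(e)` in BN_BLINDING_new() presumably returns NULL without queuing an error, so the caller gets a bare failure; an explicit `if (e == NULL || mod == NULL) { BNerror(ERR_R_PASSED_NULL_PARAMETER); goto err; }` before the allocations in BN_BLINDING_new() would make the new invariant visible and diagnosable. The signature of BN_BLINDING_create_param() and the parameter-generation code between the two hunks lie outside this hunk, so whether a failure after `ret->A` has been regenerated leaves a non-NULL `b` with a stale `Ai` cannot be confirmed from here; if so, the now-correct NULL return should be accompanied by callers discarding the blinding rather than reusing it.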