Remove retry loop in BN_BLINDING_setup()

If we generate a non-invertible blinding, we have accidentally factored the modulus. This won't happen, so get rid of this ugly complication. ok jsing
author: tb <> 2023-08-09 08:35:59 +0000
committer: tb <> 2023-08-09 08:35:59 +0000
commit: fe61ca1a9898f7a0aac80b732c2fd7e1099ec53d (patch)
tree: f76b1c3f8010c02b61d3f3257cd3ecbe3637310f /src/lib/libc
parent: ea3f8524120c837fea811a9e0ad28a41387fab92 (diff)
download: openbsd-fe61ca1a9898f7a0aac80b732c2fd7e1099ec53d.tar.gz
openbsd-fe61ca1a9898f7a0aac80b732c2fd7e1099ec53d.tar.bz2
openbsd-fe61ca1a9898f7a0aac80b732c2fd7e1099ec53d.zip
1 files changed, 5 insertions, 24 deletions
diff --git a/src/lib/libcrypto/bn/bn_blind.c b/src/lib/libcrypto/bn/bn_blind.c
index 1cf2a4b1f4..cca211fb4f 100644
--- a/src/lib/libcrypto/bn/bn_blind.c
+++ b/src/lib/libcrypto/bn/bn_blind.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_blind.c,v 1.39 2023/08/09 08:31:13 tb Exp $ */
+/* $OpenBSD: bn_blind.c,v 1.40 2023/08/09 08:35:59 tb Exp $ */
 /* ====================================================================
 * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
 *
@@ -181,29 +181,10 @@ BN_BLINDING_free(BN_BLINDING *r)
 static int
 BN_BLINDING_setup(BN_BLINDING *b, BN_CTX *ctx)
 {
-        int retry_counter = 32;
+        if (!bn_rand_interval(b->A, 1, b->mod))
+                return 0;
-        /*
+        if (BN_mod_inverse_ct(b->Ai, b->A, b->mod, ctx) == NULL)
-         * XXX - remove this loop. If we happen to find a non-invertible A,
+                return 0;
-         * we have basically factored mod = (p-1)(q-1)...
-         */
-        do {
-                if (!BN_rand_range(b->A, b->mod))
-                        return 0;
-                if (BN_mod_inverse_ct(b->Ai, b->A, b->mod, ctx) == NULL) {
-                        /* this should almost never happen for good RSA keys */
-                        unsigned long error = ERR_peek_last_error();
-                        if (ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
-                                if (retry_counter-- == 0) {
-                                        BNerror(BN_R_TOO_MANY_ITERATIONS);
-                                        return 0;
-                                }
-                                ERR_clear_error();
-                        } else
-                                return 0;
-                } else
-                        break;
-        } while (1);
        if (b->bn_mod_exp != NULL && b->m_ctx != NULL) {
                if (!b->bn_mod_exp(b->A, b->A, b->e, b->mod, ctx, b->m_ctx))
author	tb <>	2023-08-09 08:35:59 +0000
committer	tb <>	2023-08-09 08:35:59 +0000
commit	fe61ca1a9898f7a0aac80b732c2fd7e1099ec53d (patch)
tree	f76b1c3f8010c02b61d3f3257cd3ecbe3637310f /src/lib/libc
parent	ea3f8524120c837fea811a9e0ad28a41387fab92 (diff)
download	openbsd-fe61ca1a9898f7a0aac80b732c2fd7e1099ec53d.tar.gz openbsd-fe61ca1a9898f7a0aac80b732c2fd7e1099ec53d.tar.bz2 openbsd-fe61ca1a9898f7a0aac80b732c2fd7e1099ec53d.zip

diff --git a/src/lib/libcrypto/bn/bn_blind.c b/src/lib/libcrypto/bn/bn_blind.c index 1cf2a4b1f4..cca211fb4f 100644 --- a/src/lib/libcrypto/bn/bn_blind.c +++ b/src/lib/libcrypto/bn/bn_blind.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: bn_blind.c,v 1.39 2023/08/09 08:31:13 tb Exp $ */	1	/* $OpenBSD: bn_blind.c,v 1.40 2023/08/09 08:35:59 tb Exp $ */
2	/* ====================================================================	2	/* ====================================================================
3	* Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.	3	* Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
4	*	4	*
@@ -181,29 +181,10 @@ BN_BLINDING_free(BN_BLINDING *r)
181	static int	181	static int
182	BN_BLINDING_setup(BN_BLINDING b, BN_CTX ctx)	182	BN_BLINDING_setup(BN_BLINDING b, BN_CTX ctx)
183	{	183	{
184	int retry_counter = 32;	184	if (!bn_rand_interval(b->A, 1, b->mod))
185		185	return 0;
186	/*	186	if (BN_mod_inverse_ct(b->Ai, b->A, b->mod, ctx) == NULL)
187	* XXX - remove this loop. If we happen to find a non-invertible A,	187	return 0;
188	* we have basically factored mod = (p-1)(q-1)...
189	*/
190	do {
191	if (!BN_rand_range(b->A, b->mod))
192	return 0;
193	if (BN_mod_inverse_ct(b->Ai, b->A, b->mod, ctx) == NULL) {
194	/* this should almost never happen for good RSA keys */
195	unsigned long error = ERR_peek_last_error();
196	if (ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
197	if (retry_counter-- == 0) {
198	BNerror(BN_R_TOO_MANY_ITERATIONS);
199	return 0;
200	}
201	ERR_clear_error();
202	} else
203	return 0;
204	} else
205	break;
206	} while (1);
207		188
208	if (b->bn_mod_exp != NULL && b->m_ctx != NULL) {	189	if (b->bn_mod_exp != NULL && b->m_ctx != NULL) {
209	if (!b->bn_mod_exp(b->A, b->A, b->e, b->mod, ctx, b->m_ctx))	190	if (!b->bn_mod_exp(b->A, b->A, b->e, b->mod, ctx, b->m_ctx))