summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/bn/bn_blind.c
diff options
context:
space:
mode:
authorjsing <>2014-05-08 13:20:49 +0000
committerjsing <>2014-05-08 13:20:49 +0000
commit2e8879604fe3abbc2431ca79a4a923f1e87da75e (patch)
tree18398455223278c0cb2bd44f57e4499a4370f665 /src/lib/libcrypto/bn/bn_blind.c
parentf7d9a959949e5f3918c1cf2b27fb4cd7b62d07d5 (diff)
downloadopenbsd-2e8879604fe3abbc2431ca79a4a923f1e87da75e.tar.gz
openbsd-2e8879604fe3abbc2431ca79a4a923f1e87da75e.tar.bz2
openbsd-2e8879604fe3abbc2431ca79a4a923f1e87da75e.zip
Emergency knfectomie requested by tedu@.
Diffstat (limited to 'src/lib/libcrypto/bn/bn_blind.c')
-rw-r--r--src/lib/libcrypto/bn/bn_blind.c291
1 files changed, 148 insertions, 143 deletions
diff --git a/src/lib/libcrypto/bn/bn_blind.c b/src/lib/libcrypto/bn/bn_blind.c
index f424e479d3..7cced4f67f 100644
--- a/src/lib/libcrypto/bn/bn_blind.c
+++ b/src/lib/libcrypto/bn/bn_blind.c
@@ -7,7 +7,7 @@
7 * are met: 7 * are met:
8 * 8 *
9 * 1. Redistributions of source code must retain the above copyright 9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer. 10 * notice, this list of conditions and the following disclaimer.
11 * 11 *
12 * 2. Redistributions in binary form must reproduce the above copyright 12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in 13 * notice, this list of conditions and the following disclaimer in
@@ -58,21 +58,21 @@
58 * This package is an SSL implementation written 58 * This package is an SSL implementation written
59 * by Eric Young (eay@cryptsoft.com). 59 * by Eric Young (eay@cryptsoft.com).
60 * The implementation was written so as to conform with Netscapes SSL. 60 * The implementation was written so as to conform with Netscapes SSL.
61 * 61 *
62 * This library is free for commercial and non-commercial use as long as 62 * This library is free for commercial and non-commercial use as long as
63 * the following conditions are aheared to. The following conditions 63 * the following conditions are aheared to. The following conditions
64 * apply to all code found in this distribution, be it the RC4, RSA, 64 * apply to all code found in this distribution, be it the RC4, RSA,
65 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 65 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
66 * included with this distribution is covered by the same copyright terms 66 * included with this distribution is covered by the same copyright terms
67 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 67 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
68 * 68 *
69 * Copyright remains Eric Young's, and as such any Copyright notices in 69 * Copyright remains Eric Young's, and as such any Copyright notices in
70 * the code are not to be removed. 70 * the code are not to be removed.
71 * If this package is used in a product, Eric Young should be given attribution 71 * If this package is used in a product, Eric Young should be given attribution
72 * as the author of the parts of the library used. 72 * as the author of the parts of the library used.
73 * This can be in the form of a textual message at program startup or 73 * This can be in the form of a textual message at program startup or
74 * in documentation (online or textual) provided with the package. 74 * in documentation (online or textual) provided with the package.
75 * 75 *
76 * Redistribution and use in source and binary forms, with or without 76 * Redistribution and use in source and binary forms, with or without
77 * modification, are permitted provided that the following conditions 77 * modification, are permitted provided that the following conditions
78 * are met: 78 * are met:
@@ -87,10 +87,10 @@
87 * Eric Young (eay@cryptsoft.com)" 87 * Eric Young (eay@cryptsoft.com)"
88 * The word 'cryptographic' can be left out if the rouines from the library 88 * The word 'cryptographic' can be left out if the rouines from the library
89 * being used are not cryptographic related :-). 89 * being used are not cryptographic related :-).
90 * 4. If you include any Windows specific code (or a derivative thereof) from 90 * 4. If you include any Windows specific code (or a derivative thereof) from
91 * the apps directory (application code) you must include an acknowledgement: 91 * the apps directory (application code) you must include an acknowledgement:
92 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 92 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
93 * 93 *
94 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 94 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
95 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 95 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
96 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 96 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -102,7 +102,7 @@
102 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 102 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
103 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 103 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
104 * SUCH DAMAGE. 104 * SUCH DAMAGE.
105 * 105 *
106 * The licence and distribution terms for any publically available version or 106 * The licence and distribution terms for any publically available version or
107 * derivative of this code cannot be changed. i.e. this code cannot simply be 107 * derivative of this code cannot be changed. i.e. this code cannot simply be
108 * copied and put under another distribution licence 108 * copied and put under another distribution licence
@@ -115,8 +115,7 @@
115 115
116#define BN_BLINDING_COUNTER 32 116#define BN_BLINDING_COUNTER 32
117 117
118struct bn_blinding_st 118struct bn_blinding_st {
119 {
120 BIGNUM *A; 119 BIGNUM *A;
121 BIGNUM *Ai; 120 BIGNUM *Ai;
122 BIGNUM *e; 121 BIGNUM *e;
@@ -130,33 +129,33 @@ struct bn_blinding_st
130 unsigned long flags; 129 unsigned long flags;
131 BN_MONT_CTX *m_ctx; 130 BN_MONT_CTX *m_ctx;
132 int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, 131 int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
133 const BIGNUM *m, BN_CTX *ctx, 132 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
134 BN_MONT_CTX *m_ctx); 133};
135 };
136 134
137BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod) 135BN_BLINDING *
138 { 136BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod)
139 BN_BLINDING *ret=NULL; 137{
138 BN_BLINDING *ret = NULL;
140 139
141 bn_check_top(mod); 140 bn_check_top(mod);
142 141
143 if ((ret=(BN_BLINDING *)malloc(sizeof(BN_BLINDING))) == NULL) 142 if ((ret = (BN_BLINDING *)malloc(sizeof(BN_BLINDING))) == NULL) {
144 { 143 BNerr(BN_F_BN_BLINDING_NEW, ERR_R_MALLOC_FAILURE);
145 BNerr(BN_F_BN_BLINDING_NEW,ERR_R_MALLOC_FAILURE); 144 return (NULL);
146 return(NULL); 145 }
147 } 146 memset(ret, 0, sizeof(BN_BLINDING));
148 memset(ret,0,sizeof(BN_BLINDING)); 147 if (A != NULL) {
149 if (A != NULL) 148 if ((ret->A = BN_dup(A)) == NULL)
150 { 149 goto err;
151 if ((ret->A = BN_dup(A)) == NULL) goto err; 150 }
152 } 151 if (Ai != NULL) {
153 if (Ai != NULL) 152 if ((ret->Ai = BN_dup(Ai)) == NULL)
154 { 153 goto err;
155 if ((ret->Ai = BN_dup(Ai)) == NULL) goto err; 154 }
156 }
157 155
158 /* save a copy of mod in the BN_BLINDING structure */ 156 /* save a copy of mod in the BN_BLINDING structure */
159 if ((ret->mod = BN_dup(mod)) == NULL) goto err; 157 if ((ret->mod = BN_dup(mod)) == NULL)
158 goto err;
160 if (BN_get_flags(mod, BN_FLG_CONSTTIME) != 0) 159 if (BN_get_flags(mod, BN_FLG_CONSTTIME) != 0)
161 BN_set_flags(ret->mod, BN_FLG_CONSTTIME); 160 BN_set_flags(ret->mod, BN_FLG_CONSTTIME);
162 161
@@ -165,149 +164,162 @@ BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod)
165 * that does not need updating before first use. */ 164 * that does not need updating before first use. */
166 ret->counter = -1; 165 ret->counter = -1;
167 CRYPTO_THREADID_current(&ret->tid); 166 CRYPTO_THREADID_current(&ret->tid);
168 return(ret); 167 return (ret);
169err:
170 if (ret != NULL) BN_BLINDING_free(ret);
171 return(NULL);
172 }
173 168
174void BN_BLINDING_free(BN_BLINDING *r) 169err:
175 { 170 if (ret != NULL)
176 if(r == NULL) 171 BN_BLINDING_free(ret);
177 return; 172 return (NULL);
173}
178 174
179 if (r->A != NULL) BN_clear_free(r->A ); 175void
180 if (r->Ai != NULL) BN_clear_free(r->Ai); 176BN_BLINDING_free(BN_BLINDING *r)
181 if (r->e != NULL) BN_clear_free(r->e ); 177{
182 if (r->mod != NULL) BN_clear_free(r->mod); 178 if (r == NULL)
179 return;
180
181 if (r->A != NULL)
182 BN_clear_free(r->A );
183 if (r->Ai != NULL)
184 BN_clear_free(r->Ai);
185 if (r->e != NULL)
186 BN_clear_free(r->e );
187 if (r->mod != NULL)
188 BN_clear_free(r->mod);
183 free(r); 189 free(r);
184 } 190}
185 191
186int BN_BLINDING_update(BN_BLINDING *b, BN_CTX *ctx) 192int
187 { 193BN_BLINDING_update(BN_BLINDING *b, BN_CTX *ctx)
188 int ret=0; 194{
195 int ret = 0;
189 196
190 if ((b->A == NULL) || (b->Ai == NULL)) 197 if ((b->A == NULL) || (b->Ai == NULL)) {
191 { 198 BNerr(BN_F_BN_BLINDING_UPDATE, BN_R_NOT_INITIALIZED);
192 BNerr(BN_F_BN_BLINDING_UPDATE,BN_R_NOT_INITIALIZED);
193 goto err; 199 goto err;
194 } 200 }
195 201
196 if (b->counter == -1) 202 if (b->counter == -1)
197 b->counter = 0; 203 b->counter = 0;
198 204
199 if (++b->counter == BN_BLINDING_COUNTER && b->e != NULL && 205 if (++b->counter == BN_BLINDING_COUNTER && b->e != NULL &&
200 !(b->flags & BN_BLINDING_NO_RECREATE)) 206 !(b->flags & BN_BLINDING_NO_RECREATE)) {
201 {
202 /* re-create blinding parameters */ 207 /* re-create blinding parameters */
203 if (!BN_BLINDING_create_param(b, NULL, NULL, ctx, NULL, NULL)) 208 if (!BN_BLINDING_create_param(b, NULL, NULL, ctx, NULL, NULL))
204 goto err; 209 goto err;
205 } 210 } else if (!(b->flags & BN_BLINDING_NO_UPDATE)) {
206 else if (!(b->flags & BN_BLINDING_NO_UPDATE)) 211 if (!BN_mod_mul(b->A, b->A, b->A, b->mod, ctx))
207 { 212 goto err;
208 if (!BN_mod_mul(b->A,b->A,b->A,b->mod,ctx)) goto err; 213 if (!BN_mod_mul(b->Ai, b->Ai, b->Ai, b->mod, ctx))
209 if (!BN_mod_mul(b->Ai,b->Ai,b->Ai,b->mod,ctx)) goto err; 214 goto err;
210 } 215 }
216
217 ret = 1;
211 218
212 ret=1;
213err: 219err:
214 if (b->counter == BN_BLINDING_COUNTER) 220 if (b->counter == BN_BLINDING_COUNTER)
215 b->counter = 0; 221 b->counter = 0;
216 return(ret); 222 return (ret);
217 } 223}
218 224
219int BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx) 225int
220 { 226BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx)
227{
221 return BN_BLINDING_convert_ex(n, NULL, b, ctx); 228 return BN_BLINDING_convert_ex(n, NULL, b, ctx);
222 } 229}
223 230
224int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b, BN_CTX *ctx) 231int
225 { 232BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b, BN_CTX *ctx)
233{
226 int ret = 1; 234 int ret = 1;
227 235
228 bn_check_top(n); 236 bn_check_top(n);
229 237
230 if ((b->A == NULL) || (b->Ai == NULL)) 238 if ((b->A == NULL) || (b->Ai == NULL)) {
231 { 239 BNerr(BN_F_BN_BLINDING_CONVERT_EX, BN_R_NOT_INITIALIZED);
232 BNerr(BN_F_BN_BLINDING_CONVERT_EX,BN_R_NOT_INITIALIZED); 240 return (0);
233 return(0); 241 }
234 }
235 242
236 if (b->counter == -1) 243 if (b->counter == -1)
237 /* Fresh blinding, doesn't need updating. */ 244 /* Fresh blinding, doesn't need updating. */
238 b->counter = 0; 245 b->counter = 0;
239 else if (!BN_BLINDING_update(b,ctx)) 246 else if (!BN_BLINDING_update(b, ctx))
240 return(0); 247 return (0);
241 248
242 if (r != NULL) 249 if (r != NULL) {
243 { 250 if (!BN_copy(r, b->Ai))
244 if (!BN_copy(r, b->Ai)) ret=0; 251 ret = 0;
245 } 252 }
253
254 if (!BN_mod_mul(n, n,b->A, b->mod, ctx))
255 ret = 0;
246 256
247 if (!BN_mod_mul(n,n,b->A,b->mod,ctx)) ret=0;
248
249 return ret; 257 return ret;
250 } 258}
251 259
252int BN_BLINDING_invert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx) 260int
253 { 261BN_BLINDING_invert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx)
262{
254 return BN_BLINDING_invert_ex(n, NULL, b, ctx); 263 return BN_BLINDING_invert_ex(n, NULL, b, ctx);
255 } 264}
256 265
257int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b, BN_CTX *ctx) 266int
258 { 267BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b, BN_CTX *ctx)
268{
259 int ret; 269 int ret;
260 270
261 bn_check_top(n); 271 bn_check_top(n);
262 272
263 if (r != NULL) 273 if (r != NULL)
264 ret = BN_mod_mul(n, n, r, b->mod, ctx); 274 ret = BN_mod_mul(n, n, r, b->mod, ctx);
265 else 275 else {
266 { 276 if (b->Ai == NULL) {
267 if (b->Ai == NULL) 277 BNerr(BN_F_BN_BLINDING_INVERT_EX, BN_R_NOT_INITIALIZED);
268 { 278 return (0);
269 BNerr(BN_F_BN_BLINDING_INVERT_EX,BN_R_NOT_INITIALIZED);
270 return(0);
271 }
272 ret = BN_mod_mul(n, n, b->Ai, b->mod, ctx);
273 } 279 }
280 ret = BN_mod_mul(n, n, b->Ai, b->mod, ctx);
281 }
274 282
275 bn_check_top(n); 283 bn_check_top(n);
276 return(ret); 284 return (ret);
277 } 285}
278 286
279#ifndef OPENSSL_NO_DEPRECATED 287#ifndef OPENSSL_NO_DEPRECATED
280unsigned long BN_BLINDING_get_thread_id(const BN_BLINDING *b) 288unsigned long
281 { 289BN_BLINDING_get_thread_id(const BN_BLINDING *b)
290{
282 return b->thread_id; 291 return b->thread_id;
283 } 292}
284 293
285void BN_BLINDING_set_thread_id(BN_BLINDING *b, unsigned long n) 294void
286 { 295BN_BLINDING_set_thread_id(BN_BLINDING *b, unsigned long n)
296{
287 b->thread_id = n; 297 b->thread_id = n;
288 } 298}
289#endif 299#endif
290 300
291CRYPTO_THREADID *BN_BLINDING_thread_id(BN_BLINDING *b) 301CRYPTO_THREADID *
292 { 302BN_BLINDING_thread_id(BN_BLINDING *b)
303{
293 return &b->tid; 304 return &b->tid;
294 } 305}
295 306
296unsigned long BN_BLINDING_get_flags(const BN_BLINDING *b) 307unsigned long
297 { 308BN_BLINDING_get_flags(const BN_BLINDING *b)
309{
298 return b->flags; 310 return b->flags;
299 } 311}
300 312
301void BN_BLINDING_set_flags(BN_BLINDING *b, unsigned long flags) 313void
302 { 314BN_BLINDING_set_flags(BN_BLINDING *b, unsigned long flags)
315{
303 b->flags = flags; 316 b->flags = flags;
304 } 317}
305 318
306BN_BLINDING *BN_BLINDING_create_param(BN_BLINDING *b, 319BN_BLINDING *
307 const BIGNUM *e, BIGNUM *m, BN_CTX *ctx, 320BN_BLINDING_create_param(BN_BLINDING *b, const BIGNUM *e, BIGNUM *m,
308 int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, 321 BN_CTX *ctx, int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
309 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx), 322 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx), BN_MONT_CTX *m_ctx)
310 BN_MONT_CTX *m_ctx)
311{ 323{
312 int retry_counter = 32; 324 int retry_counter = 32;
313 BN_BLINDING *ret = NULL; 325 BN_BLINDING *ret = NULL;
@@ -320,17 +332,16 @@ BN_BLINDING *BN_BLINDING_create_param(BN_BLINDING *b,
320 if (ret == NULL) 332 if (ret == NULL)
321 goto err; 333 goto err;
322 334
323 if (ret->A == NULL && (ret->A = BN_new()) == NULL) 335 if (ret->A == NULL && (ret->A = BN_new()) == NULL)
324 goto err; 336 goto err;
325 if (ret->Ai == NULL && (ret->Ai = BN_new()) == NULL) 337 if (ret->Ai == NULL && (ret->Ai = BN_new()) == NULL)
326 goto err; 338 goto err;
327 339
328 if (e != NULL) 340 if (e != NULL) {
329 {
330 if (ret->e != NULL) 341 if (ret->e != NULL)
331 BN_free(ret->e); 342 BN_free(ret->e);
332 ret->e = BN_dup(e); 343 ret->e = BN_dup(e);
333 } 344 }
334 if (ret->e == NULL) 345 if (ret->e == NULL)
335 goto err; 346 goto err;
336 347
@@ -340,46 +351,40 @@ BN_BLINDING *BN_BLINDING_create_param(BN_BLINDING *b,
340 ret->m_ctx = m_ctx; 351 ret->m_ctx = m_ctx;
341 352
342 do { 353 do {
343 if (!BN_rand_range(ret->A, ret->mod)) goto err; 354 if (!BN_rand_range(ret->A, ret->mod))
344 if (BN_mod_inverse(ret->Ai, ret->A, ret->mod, ctx) == NULL) 355 goto err;
345 { 356 if (BN_mod_inverse(ret->Ai, ret->A, ret->mod, ctx) == NULL) {
346 /* this should almost never happen for good RSA keys */ 357 /* this should almost never happen for good RSA keys */
347 unsigned long error = ERR_peek_last_error(); 358 unsigned long error = ERR_peek_last_error();
348 if (ERR_GET_REASON(error) == BN_R_NO_INVERSE) 359 if (ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
349 { 360 if (retry_counter-- == 0) {
350 if (retry_counter-- == 0)
351 {
352 BNerr(BN_F_BN_BLINDING_CREATE_PARAM, 361 BNerr(BN_F_BN_BLINDING_CREATE_PARAM,
353 BN_R_TOO_MANY_ITERATIONS); 362 BN_R_TOO_MANY_ITERATIONS);
354 goto err; 363 goto err;
355 } 364 }
356 ERR_clear_error(); 365 ERR_clear_error();
357 } 366 } else
358 else
359 goto err; 367 goto err;
360 } 368 } else
361 else
362 break; 369 break;
363 } while (1); 370 } while (1);
364 371
365 if (ret->bn_mod_exp != NULL && ret->m_ctx != NULL) 372 if (ret->bn_mod_exp != NULL && ret->m_ctx != NULL) {
366 { 373 if (!ret->bn_mod_exp(ret->A, ret->A, ret->e, ret->mod,
367 if (!ret->bn_mod_exp(ret->A, ret->A, ret->e, ret->mod, ctx, ret->m_ctx)) 374 ctx, ret->m_ctx))
368 goto err; 375 goto err;
369 } 376 } else {
370 else
371 {
372 if (!BN_mod_exp(ret->A, ret->A, ret->e, ret->mod, ctx)) 377 if (!BN_mod_exp(ret->A, ret->A, ret->e, ret->mod, ctx))
373 goto err; 378 goto err;
374 } 379 }
375 380
376 return ret; 381 return ret;
382
377err: 383err:
378 if (b == NULL && ret != NULL) 384 if (b == NULL && ret != NULL) {
379 {
380 BN_BLINDING_free(ret); 385 BN_BLINDING_free(ret);
381 ret = NULL; 386 ret = NULL;
382 } 387 }
383 388
384 return ret; 389 return ret;
385} 390}
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-29 08:07:51 +0000