author | tb <> | 2023-07-28 10:05:16 +0000 |
---|---|---|
committer | tb <> | 2023-07-28 10:05:16 +0000 |
commit | 6cc5955271563c498eb75bea6798690a380d43cf (patch) | |
tree | 9d9e5e88058fce53bb18a48739125946a2639657 /src/lib/libcrypto/bn | |
parent | 8d8ca2c8c440c1df72455fe4055627e4110c3973 (diff) | |
Make BN_BLINDING internal
RSA is pretty bad. In my most optimistic moments I dream of a world that
stopped using it. That won't happen during my lifetime, unfortunately.
Blinding is one way of making it a little less leaky. Unfortunately this
side-channel leak mitigation leaked out of the library for no good reason.
Let's at least fix that aspect of it.
ok jsing
Diffstat (limited to 'src/lib/libcrypto/bn')
-rw-r--r-- | src/lib/libcrypto/bn/bn.h | 23 | ||||
-rw-r--r-- | src/lib/libcrypto/bn/bn_blind.c | 13 | ||||
-rw-r--r-- | src/lib/libcrypto/bn/bn_local.h | 23 |
3 files changed, 24 insertions, 35 deletions
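--- a/src/lib/libcrypto/bn/bn.h
+++ b/src/lib/libcrypto/bn/bn.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn.h,v 1.72 2023/06/13 09:12:22 tb Exp $ */
+/* $OpenBSD: bn.h,v 1.73 2023/07/28 10:05:16 tb Exp $ */
 /* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -449,27 +449,6 @@ BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to, BN_MONT_CTX *from);
 BN_MONT_CTX *BN_MONT_CTX_set_locked(BN_MONT_CTX **pmont, int lock,
 const BIGNUM *mod, BN_CTX *ctx);
 
-/* BN_BLINDING flags */
-#define BN_BLINDING_NO_UPDATE 0x00000001
-#define BN_BLINDING_NO_RECREATE 0x00000002
-
-BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod);
-void BN_BLINDING_free(BN_BLINDING *b);
-int BN_BLINDING_update(BN_BLINDING *b, BN_CTX *ctx);
-int BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx);
-int BN_BLINDING_invert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx);
-int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b, BN_CTX *);
-int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b, BN_CTX *);
-
-CRYPTO_THREADID *BN_BLINDING_thread_id(BN_BLINDING *);
-unsigned long BN_BLINDING_get_flags(const BN_BLINDING *);
-void BN_BLINDING_set_flags(BN_BLINDING *, unsigned long);
-BN_BLINDING *BN_BLINDING_create_param(BN_BLINDING *b,
-const BIGNUM *e, BIGNUM *m, BN_CTX *ctx,
-int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
-const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx),
-BN_MONT_CTX *m_ctx);
-
 /* Primes from RFC 2409 */
 BIGNUM *get_rfc2409_prime_768(BIGNUM *bn);
 BIGNUM *get_rfc2409_prime_1024(BIGNUM *bn);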
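--- a/src/lib/libcrypto/bn/bn_blind.c
+++ b/src/lib/libcrypto/bn/bn_blind.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_blind.c,v 1.23 2023/07/08 12:21:58 beck Exp $ */
+/* $OpenBSD: bn_blind.c,v 1.24 2023/07/28 10:05:16 tb Exp $ */
 /* ====================================================================
 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
 *
@@ -169,7 +169,6 @@ err:
 BN_BLINDING_free(ret);
 return (NULL);
 }
-LCRYPTO_ALIAS(BN_BLINDING_new);
 
 void
 BN_BLINDING_free(BN_BLINDING *r)
@@ -183,7 +182,6 @@ BN_BLINDING_free(BN_BLINDING *r)
 BN_free(r->mod);
 free(r);
 }
-LCRYPTO_ALIAS(BN_BLINDING_free);
 
 int
 BN_BLINDING_update(BN_BLINDING *b, BN_CTX *ctx)
@@ -217,14 +215,12 @@ err:
 b->counter = 0;
 return (ret);
 }
-LCRYPTO_ALIAS(BN_BLINDING_update);
 
 int
 BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx)
 {
 return BN_BLINDING_convert_ex(n, NULL, b, ctx);
 }
-LCRYPTO_ALIAS(BN_BLINDING_convert);
 
 int
 BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b, BN_CTX *ctx)
@@ -253,14 +249,12 @@ BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b, BN_CTX *ctx)
 
 return ret;
 }
-LCRYPTO_ALIAS(BN_BLINDING_convert_ex);
 
 int
 BN_BLINDING_invert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx)
 {
 return BN_BLINDING_invert_ex(n, NULL, b, ctx);
 }
-LCRYPTO_ALIAS(BN_BLINDING_invert);
 
 int
 BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b, BN_CTX *ctx)
@@ -280,28 +274,24 @@ BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b, BN_CTX *ctx)
 
 return (ret);
 }
-LCRYPTO_ALIAS(BN_BLINDING_invert_ex);
 
 CRYPTO_THREADID *
 BN_BLINDING_thread_id(BN_BLINDING *b)
 {
 return &b->tid;
 }
-LCRYPTO_ALIAS(BN_BLINDING_thread_id);
 
 unsigned long
 BN_BLINDING_get_flags(const BN_BLINDING *b)
 {
 return b->flags;
 }
-LCRYPTO_ALIAS(BN_BLINDING_get_flags);
 
 void
 BN_BLINDING_set_flags(BN_BLINDING *b, unsigned long flags)
 {
 b->flags = flags;
 }
-LCRYPTO_ALIAS(BN_BLINDING_set_flags);
 
 BN_BLINDING *
 BN_BLINDING_create_param(BN_BLINDING *b, const BIGNUM *e, BIGNUM *m,
@@ -373,4 +363,3 @@ err:
 
 return ret;
 }
-LCRYPTO_ALIAS(BN_BLINDING_create_param);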
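--- a/src/lib/libcrypto/bn/bn_local.h
+++ b/src/lib/libcrypto/bn/bn_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_local.h,v 1.26 2023/07/09 18:27:22 tb Exp $ */
+/* $OpenBSD: bn_local.h,v 1.27 2023/07/28 10:05:16 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -291,6 +291,27 @@ int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
 int BN_div_recp(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m,
 BN_RECP_CTX *recp, BN_CTX *ctx);
 
+/* BN_BLINDING flags */
+#define BN_BLINDING_NO_UPDATE 0x00000001
+#define BN_BLINDING_NO_RECREATE 0x00000002
+
+BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod);
+void BN_BLINDING_free(BN_BLINDING *b);
+int BN_BLINDING_update(BN_BLINDING *b, BN_CTX *ctx);
+int BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx);
+int BN_BLINDING_invert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx);
+int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b, BN_CTX *);
+int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b, BN_CTX *);
+
+CRYPTO_THREADID *BN_BLINDING_thread_id(BN_BLINDING *);
+unsigned long BN_BLINDING_get_flags(const BN_BLINDING *);
+void BN_BLINDING_set_flags(BN_BLINDING *, unsigned long);
+BN_BLINDING *BN_BLINDING_create_param(BN_BLINDING *b,
+const BIGNUM *e, BIGNUM *m, BN_CTX *ctx,
+int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx),
+BN_MONT_CTX *m_ctx);
+
 /* Explicitly const time / non-const time versions for internal use */
 int BN_mod_exp_ct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
 const BIGNUM *m, BN_CTX *ctx);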
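Review bot: The flag macros `BN_BLINDING_NO_UPDATE` and `BN_BLINDING_NO_RECREATE` land in bn_local.h under the bare heading `/* BN_BLINDING flags */`, so nothing at the declaration says how each one changes the refresh of the blinding factor, which is the property the side-channel mitigation relies on. Now that the only callers are inside the library, a one-line comment per flag would help, for example `/* skip the per-use update of A and Ai */` and `/* do not regenerate the blinding parameters when the counter expires */`; that wording is inferred from the names and from the counter reset visible in BN_BLINDING_update, so it should be confirmed against bn_blind.c. The moved prototypes also keep unnamed parameters (`BN_CTX *` in the `_ex` pair, and the arguments of `BN_BLINDING_thread_id`, `_get_flags` and `_set_flags`), while the definitions in bn_blind.c name them `ctx`, `b` and `flags`; naming them here too would match the other prototypes in the same block.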