import of openssl-0.9.7j

author: djm <> 2006-06-27 05:05:42 +0000
committer: djm <> 2006-06-27 05:05:42 +0000
commit: f6198d4d0ab97685dc56be2d48715ed39fcc74b9 (patch)
tree: 6e28360095ed5ba5ef1760a419c43eef4ef6946b /src/lib/libcrypto/dh
parent: 0ff0f9d99c40072de315264b0f602bd639e7f662 (diff)
download: openbsd-f6198d4d0ab97685dc56be2d48715ed39fcc74b9.tar.gz
openbsd-f6198d4d0ab97685dc56be2d48715ed39fcc74b9.tar.bz2
openbsd-f6198d4d0ab97685dc56be2d48715ed39fcc74b9.zip
3 files changed, 69 insertions, 29 deletions
diff --git a/src/lib/libcrypto/dh/dh.h b/src/lib/libcrypto/dh/dh.h
index 05851f8429..92c7481e10 100644
--- a/src/lib/libcrypto/dh/dh.h
+++ b/src/lib/libcrypto/dh/dh.h
@@ -70,7 +70,14 @@
 #include <openssl/crypto.h>
 #include <openssl/ossl_typ.h>
        
-#define DH_FLAG_CACHE_MONT_P    0x01
+#define DH_FLAG_CACHE_MONT_P     0x01
+#define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH
+                                       * implementation now uses constant time
+                                       * modular exponentiation for secret exponents
+                                       * by default. This flag causes the
+                                       * faster variable sliding window method to
+                                       * be used for all exponents.
+                                       */
 #ifdef  __cplusplus
 extern "C" {
diff --git a/src/lib/libcrypto/dh/dh_err.c b/src/lib/libcrypto/dh/dh_err.c
index c2715044c9..83ccb41221 100644
--- a/src/lib/libcrypto/dh/dh_err.c
+++ b/src/lib/libcrypto/dh/dh_err.c
@@ -1,6 +1,6 @@
 /* crypto/dh/dh_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2003 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -64,21 +64,25 @@
 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_DH,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_DH,0,reason)
 static ERR_STRING_DATA DH_str_functs[]=
        {
-{ERR_PACK(0,DH_F_DHPARAMS_PRINT,0),     "DHparams_print"},
+{ERR_FUNC(DH_F_DHPARAMS_PRINT), "DHparams_print"},
-{ERR_PACK(0,DH_F_DHPARAMS_PRINT_FP,0),  "DHparams_print_fp"},
+{ERR_FUNC(DH_F_DHPARAMS_PRINT_FP),      "DHparams_print_fp"},
-{ERR_PACK(0,DH_F_DH_COMPUTE_KEY,0),     "DH_compute_key"},
+{ERR_FUNC(DH_F_DH_COMPUTE_KEY), "DH_compute_key"},
-{ERR_PACK(0,DH_F_DH_GENERATE_KEY,0),    "DH_generate_key"},
+{ERR_FUNC(DH_F_DH_GENERATE_KEY),        "DH_generate_key"},
-{ERR_PACK(0,DH_F_DH_GENERATE_PARAMETERS,0),     "DH_generate_parameters"},
+{ERR_FUNC(DH_F_DH_GENERATE_PARAMETERS), "DH_generate_parameters"},
-{ERR_PACK(0,DH_F_DH_NEW_METHOD,0),      "DH_new_method"},
+{ERR_FUNC(DH_F_DH_NEW_METHOD),  "DH_new_method"},
 {0,NULL}
        };
 static ERR_STRING_DATA DH_str_reasons[]=
        {
-{DH_R_BAD_GENERATOR                      ,"bad generator"},
+{ERR_REASON(DH_R_BAD_GENERATOR)          ,"bad generator"},
-{DH_R_NO_PRIVATE_VALUE                   ,"no private value"},
+{ERR_REASON(DH_R_NO_PRIVATE_VALUE)       ,"no private value"},
 {0,NULL}
        };
@@ -92,8 +96,8 @@ void ERR_load_DH_strings(void)
                {
                init=0;
 #ifndef OPENSSL_NO_ERR
-                ERR_load_strings(ERR_LIB_DH,DH_str_functs);
+                ERR_load_strings(0,DH_str_functs);
-                ERR_load_strings(ERR_LIB_DH,DH_str_reasons);
+                ERR_load_strings(0,DH_str_reasons);
 #endif
                }
diff --git a/src/lib/libcrypto/dh/dh_key.c b/src/lib/libcrypto/dh/dh_key.c
index ff125c2296..3a39f7c8ca 100644
--- a/src/lib/libcrypto/dh/dh_key.c
+++ b/src/lib/libcrypto/dh/dh_key.c
@@ -105,7 +105,7 @@ static int generate_key(DH *dh)
        int generate_new_key=0;
        unsigned l;
        BN_CTX *ctx;
-        BN_MONT_CTX *mont;
+        BN_MONT_CTX *mont=NULL;
        BIGNUM *pub_key=NULL,*priv_key=NULL;
        ctx = BN_CTX_new();
@@ -128,21 +128,37 @@ static int generate_key(DH *dh)
        else
                pub_key=dh->pub_key;
-        if ((dh->method_mont_p == NULL) && (dh->flags & DH_FLAG_CACHE_MONT_P))
+        if (dh->flags & DH_FLAG_CACHE_MONT_P)
                {
-                if ((dh->method_mont_p=(char *)BN_MONT_CTX_new()) != NULL)
+                mont = BN_MONT_CTX_set_locked(
-                        if (!BN_MONT_CTX_set((BN_MONT_CTX *)dh->method_mont_p,
+                                (BN_MONT_CTX **)&dh->method_mont_p,
-                                dh->p,ctx)) goto err;
+                                CRYPTO_LOCK_DH, dh->p, ctx);
+                if (!mont)
+                        goto err;
                }
-        mont=(BN_MONT_CTX *)dh->method_mont_p;
        if (generate_new_key)
                {
                l = dh->length ? dh->length : BN_num_bits(dh->p)-1; /* secret exponent length */
                if (!BN_rand(priv_key, l, 0, 0)) goto err;
                }
-        if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, priv_key,dh->p,ctx,mont))
-                goto err;
+        {
+                BIGNUM local_prk;
+                BIGNUM *prk;
+                if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0)
+                        {
+                        BN_init(&local_prk);
+                        prk = &local_prk;
+                        BN_with_flags(prk, priv_key, BN_FLG_EXP_CONSTTIME);
+                        }
+                else
+                        prk = priv_key;
+                if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, prk, dh->p, ctx, mont)) goto err;
+        }
                
        dh->pub_key=pub_key;
        dh->priv_key=priv_key;
@@ -160,7 +176,7 @@ err:
 static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
        {
        BN_CTX *ctx;
-        BN_MONT_CTX *mont;
+        BN_MONT_CTX *mont=NULL;
        BIGNUM *tmp;
        int ret= -1;
@@ -174,14 +190,21 @@ static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
                DHerr(DH_F_DH_COMPUTE_KEY,DH_R_NO_PRIVATE_VALUE);
                goto err;
                }
-        if ((dh->method_mont_p == NULL) && (dh->flags & DH_FLAG_CACHE_MONT_P))
+        if (dh->flags & DH_FLAG_CACHE_MONT_P)
                {
-                if ((dh->method_mont_p=(char *)BN_MONT_CTX_new()) != NULL)
+                mont = BN_MONT_CTX_set_locked(
-                        if (!BN_MONT_CTX_set((BN_MONT_CTX *)dh->method_mont_p,
+                                (BN_MONT_CTX **)&dh->method_mont_p,
-                                dh->p,ctx)) goto err;
+                                CRYPTO_LOCK_DH, dh->p, ctx);
+                if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0)
+                        {
+                        /* XXX */
+                        BN_set_flags(dh->priv_key, BN_FLG_EXP_CONSTTIME);
+                        }
+                if (!mont)
+                        goto err;
                }
-        mont=(BN_MONT_CTX *)dh->method_mont_p;
        if (!dh->meth->bn_mod_exp(dh, tmp, pub_key, dh->priv_key,dh->p,ctx,mont))
                {
                DHerr(DH_F_DH_COMPUTE_KEY,ERR_R_BN_LIB);
@@ -190,8 +213,11 @@ static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
        ret=BN_bn2bin(tmp,key);
 err:
-        BN_CTX_end(ctx);
+        if (ctx != NULL)
-        BN_CTX_free(ctx);
+                {
+                BN_CTX_end(ctx);
+                BN_CTX_free(ctx);
+                }
        return(ret);
        }
@@ -200,7 +226,10 @@ static int dh_bn_mod_exp(const DH *dh, BIGNUM *r,
                        const BIGNUM *m, BN_CTX *ctx,
                        BN_MONT_CTX *m_ctx)
        {
-        if (a->top == 1)
+        /* If a is only one word long and constant time is false, use the faster
+         * exponenentiation function.
+         */
+        if (a->top == 1 && ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) != 0))
                {
                BN_ULONG A = a->d[0];
                return BN_mod_exp_mont_word(r,A,p,m,ctx,m_ctx);
author	djm <>	2006-06-27 05:05:42 +0000
committer	djm <>	2006-06-27 05:05:42 +0000
commit	f6198d4d0ab97685dc56be2d48715ed39fcc74b9 (patch)
tree	6e28360095ed5ba5ef1760a419c43eef4ef6946b /src/lib/libcrypto/dh
parent	0ff0f9d99c40072de315264b0f602bd639e7f662 (diff)
download	openbsd-f6198d4d0ab97685dc56be2d48715ed39fcc74b9.tar.gz openbsd-f6198d4d0ab97685dc56be2d48715ed39fcc74b9.tar.bz2 openbsd-f6198d4d0ab97685dc56be2d48715ed39fcc74b9.zip

diff --git a/src/lib/libcrypto/dh/dh.h b/src/lib/libcrypto/dh/dh.h index 05851f8429..92c7481e10 100644 --- a/src/lib/libcrypto/dh/dh.h +++ b/src/lib/libcrypto/dh/dh.h
@@ -70,7 +70,14 @@
70	#include <openssl/crypto.h>	70	#include <openssl/crypto.h>
71	#include <openssl/ossl_typ.h>	71	#include <openssl/ossl_typ.h>
72		72
73	#define DH_FLAG_CACHE_MONT_P 0x01	73	#define DH_FLAG_CACHE_MONT_P 0x01
		74	#define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH
		75	* implementation now uses constant time
		76	* modular exponentiation for secret exponents
		77	* by default. This flag causes the
		78	* faster variable sliding window method to
		79	* be used for all exponents.
		80	*/
74		81
75	#ifdef __cplusplus	82	#ifdef __cplusplus
76	extern "C" {	83	extern "C" {


diff --git a/src/lib/libcrypto/dh/dh_err.c b/src/lib/libcrypto/dh/dh_err.c index c2715044c9..83ccb41221 100644 --- a/src/lib/libcrypto/dh/dh_err.c +++ b/src/lib/libcrypto/dh/dh_err.c
@@ -1,6 +1,6 @@
1	/* crypto/dh/dh_err.c */	1	/* crypto/dh/dh_err.c */
2	/* ====================================================================	2	/* ====================================================================
3	* Copyright (c) 1999-2003 The OpenSSL Project. All rights reserved.	3	* Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved.
4	*	4	*
5	* Redistribution and use in source and binary forms, with or without	5	* Redistribution and use in source and binary forms, with or without
6	* modification, are permitted provided that the following conditions	6	* modification, are permitted provided that the following conditions
@@ -64,21 +64,25 @@
64		64
65	/* BEGIN ERROR CODES */	65	/* BEGIN ERROR CODES */
66	#ifndef OPENSSL_NO_ERR	66	#ifndef OPENSSL_NO_ERR
		67
		68	#define ERR_FUNC(func) ERR_PACK(ERR_LIB_DH,func,0)
		69	#define ERR_REASON(reason) ERR_PACK(ERR_LIB_DH,0,reason)
		70
67	static ERR_STRING_DATA DH_str_functs[]=	71	static ERR_STRING_DATA DH_str_functs[]=
68	{	72	{
69	{ERR_PACK(0,DH_F_DHPARAMS_PRINT,0), "DHparams_print"},	73	{ERR_FUNC(DH_F_DHPARAMS_PRINT), "DHparams_print"},
70	{ERR_PACK(0,DH_F_DHPARAMS_PRINT_FP,0), "DHparams_print_fp"},	74	{ERR_FUNC(DH_F_DHPARAMS_PRINT_FP), "DHparams_print_fp"},
71	{ERR_PACK(0,DH_F_DH_COMPUTE_KEY,0), "DH_compute_key"},	75	{ERR_FUNC(DH_F_DH_COMPUTE_KEY), "DH_compute_key"},
72	{ERR_PACK(0,DH_F_DH_GENERATE_KEY,0), "DH_generate_key"},	76	{ERR_FUNC(DH_F_DH_GENERATE_KEY), "DH_generate_key"},
73	{ERR_PACK(0,DH_F_DH_GENERATE_PARAMETERS,0), "DH_generate_parameters"},	77	{ERR_FUNC(DH_F_DH_GENERATE_PARAMETERS), "DH_generate_parameters"},
74	{ERR_PACK(0,DH_F_DH_NEW_METHOD,0), "DH_new_method"},	78	{ERR_FUNC(DH_F_DH_NEW_METHOD), "DH_new_method"},
75	{0,NULL}	79	{0,NULL}
76	};	80	};
77		81
78	static ERR_STRING_DATA DH_str_reasons[]=	82	static ERR_STRING_DATA DH_str_reasons[]=
79	{	83	{
80	{DH_R_BAD_GENERATOR ,"bad generator"},	84	{ERR_REASON(DH_R_BAD_GENERATOR) ,"bad generator"},
81	{DH_R_NO_PRIVATE_VALUE ,"no private value"},	85	{ERR_REASON(DH_R_NO_PRIVATE_VALUE) ,"no private value"},
82	{0,NULL}	86	{0,NULL}
83	};	87	};
84		88
@@ -92,8 +96,8 @@ void ERR_load_DH_strings(void)
92	{	96	{
93	init=0;	97	init=0;
94	#ifndef OPENSSL_NO_ERR	98	#ifndef OPENSSL_NO_ERR
95	ERR_load_strings(ERR_LIB_DH,DH_str_functs);	99	ERR_load_strings(0,DH_str_functs);
96	ERR_load_strings(ERR_LIB_DH,DH_str_reasons);	100	ERR_load_strings(0,DH_str_reasons);
97	#endif	101	#endif
98		102
99	}	103	}


diff --git a/src/lib/libcrypto/dh/dh_key.c b/src/lib/libcrypto/dh/dh_key.c index ff125c2296..3a39f7c8ca 100644 --- a/src/lib/libcrypto/dh/dh_key.c +++ b/src/lib/libcrypto/dh/dh_key.c
@@ -105,7 +105,7 @@ static int generate_key(DH *dh)
105	int generate_new_key=0;	105	int generate_new_key=0;
106	unsigned l;	106	unsigned l;
107	BN_CTX *ctx;	107	BN_CTX *ctx;
108	BN_MONT_CTX *mont;	108	BN_MONT_CTX *mont=NULL;
109	BIGNUM pub_key=NULL,priv_key=NULL;	109	BIGNUM pub_key=NULL,priv_key=NULL;
110		110
111	ctx = BN_CTX_new();	111	ctx = BN_CTX_new();
@@ -128,21 +128,37 @@ static int generate_key(DH *dh)
128	else	128	else
129	pub_key=dh->pub_key;	129	pub_key=dh->pub_key;
130		130
131	if ((dh->method_mont_p == NULL) && (dh->flags & DH_FLAG_CACHE_MONT_P))	131
		132	if (dh->flags & DH_FLAG_CACHE_MONT_P)
132	{	133	{
133	if ((dh->method_mont_p=(char *)BN_MONT_CTX_new()) != NULL)	134	mont = BN_MONT_CTX_set_locked(
134	if (!BN_MONT_CTX_set((BN_MONT_CTX *)dh->method_mont_p,	135	(BN_MONT_CTX **)&dh->method_mont_p,
135	dh->p,ctx)) goto err;	136	CRYPTO_LOCK_DH, dh->p, ctx);
		137	if (!mont)
		138	goto err;
136	}	139	}
137	mont=(BN_MONT_CTX *)dh->method_mont_p;
138		140
139	if (generate_new_key)	141	if (generate_new_key)
140	{	142	{
141	l = dh->length ? dh->length : BN_num_bits(dh->p)-1; /* secret exponent length */	143	l = dh->length ? dh->length : BN_num_bits(dh->p)-1; /* secret exponent length */
142	if (!BN_rand(priv_key, l, 0, 0)) goto err;	144	if (!BN_rand(priv_key, l, 0, 0)) goto err;
143	}	145	}
144	if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, priv_key,dh->p,ctx,mont))	146
145	goto err;	147	{
		148	BIGNUM local_prk;
		149	BIGNUM *prk;
		150
		151	if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0)
		152	{
		153	BN_init(&local_prk);
		154	prk = &local_prk;
		155	BN_with_flags(prk, priv_key, BN_FLG_EXP_CONSTTIME);
		156	}
		157	else
		158	prk = priv_key;
		159
		160	if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, prk, dh->p, ctx, mont)) goto err;
		161	}
146		162
147	dh->pub_key=pub_key;	163	dh->pub_key=pub_key;
148	dh->priv_key=priv_key;	164	dh->priv_key=priv_key;
@@ -160,7 +176,7 @@ err:
160	static int compute_key(unsigned char key, const BIGNUM pub_key, DH *dh)	176	static int compute_key(unsigned char key, const BIGNUM pub_key, DH *dh)
161	{	177	{
162	BN_CTX *ctx;	178	BN_CTX *ctx;
163	BN_MONT_CTX *mont;	179	BN_MONT_CTX *mont=NULL;
164	BIGNUM *tmp;	180	BIGNUM *tmp;
165	int ret= -1;	181	int ret= -1;
166		182
@@ -174,14 +190,21 @@ static int compute_key(unsigned char key, const BIGNUM pub_key, DH *dh)
174	DHerr(DH_F_DH_COMPUTE_KEY,DH_R_NO_PRIVATE_VALUE);	190	DHerr(DH_F_DH_COMPUTE_KEY,DH_R_NO_PRIVATE_VALUE);
175	goto err;	191	goto err;
176	}	192	}
177	if ((dh->method_mont_p == NULL) && (dh->flags & DH_FLAG_CACHE_MONT_P))	193
		194	if (dh->flags & DH_FLAG_CACHE_MONT_P)
178	{	195	{
179	if ((dh->method_mont_p=(char *)BN_MONT_CTX_new()) != NULL)	196	mont = BN_MONT_CTX_set_locked(
180	if (!BN_MONT_CTX_set((BN_MONT_CTX *)dh->method_mont_p,	197	(BN_MONT_CTX **)&dh->method_mont_p,
181	dh->p,ctx)) goto err;	198	CRYPTO_LOCK_DH, dh->p, ctx);
		199	if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0)
		200	{
		201	/* XXX */
		202	BN_set_flags(dh->priv_key, BN_FLG_EXP_CONSTTIME);
		203	}
		204	if (!mont)
		205	goto err;
182	}	206	}
183		207
184	mont=(BN_MONT_CTX *)dh->method_mont_p;
185	if (!dh->meth->bn_mod_exp(dh, tmp, pub_key, dh->priv_key,dh->p,ctx,mont))	208	if (!dh->meth->bn_mod_exp(dh, tmp, pub_key, dh->priv_key,dh->p,ctx,mont))
186	{	209	{
187	DHerr(DH_F_DH_COMPUTE_KEY,ERR_R_BN_LIB);	210	DHerr(DH_F_DH_COMPUTE_KEY,ERR_R_BN_LIB);
@@ -190,8 +213,11 @@ static int compute_key(unsigned char key, const BIGNUM pub_key, DH *dh)
190		213
191	ret=BN_bn2bin(tmp,key);	214	ret=BN_bn2bin(tmp,key);
192	err:	215	err:
193	BN_CTX_end(ctx);	216	if (ctx != NULL)
194	BN_CTX_free(ctx);	217	{
		218	BN_CTX_end(ctx);
		219	BN_CTX_free(ctx);
		220	}
195	return(ret);	221	return(ret);
196	}	222	}
197		223
@@ -200,7 +226,10 @@ static int dh_bn_mod_exp(const DH dh, BIGNUM r,
200	const BIGNUM m, BN_CTX ctx,	226	const BIGNUM m, BN_CTX ctx,
201	BN_MONT_CTX *m_ctx)	227	BN_MONT_CTX *m_ctx)
202	{	228	{
203	if (a->top == 1)	229	/* If a is only one word long and constant time is false, use the faster
		230	* exponenentiation function.
		231	*/
		232	if (a->top == 1 && ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) != 0))
204	{	233	{
205	BN_ULONG A = a->d[0];	234	BN_ULONG A = a->d[0];
206	return BN_mod_exp_mont_word(r,A,p,m,ctx,m_ctx);	235	return BN_mod_exp_mont_word(r,A,p,m,ctx,m_ctx);