authormarkus <>2003-05-12 02:18:40 +0000
committermarkus <>2003-05-12 02:18:40 +0000
commitd4fcd82bb7f6d603bd61e19a81ba97337b89dfca (patch)
treed52e3a0f1f08f65ad283027e560e17ed0d720462 /src/lib/libcrypto/rsa/rsa_eay.c
parent582bbd139cd2afd58d10dc051c5b0b989b441074 (diff)
merge 0.9.7b with local changes; crank majors for libssl/libcrypto
Diffstat (limited to 'src/lib/libcrypto/rsa/rsa_eay.c')
-rw-r--r--src/lib/libcrypto/rsa/rsa_eay.c131
1 files changed, 114 insertions, 17 deletions
diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c
index a3f549d8e6..027b4dc754 100644
--- a/src/lib/libcrypto/rsa/rsa_eay.c
+++ b/src/lib/libcrypto/rsa/rsa_eay.c
@@ -61,7 +61,6 @@
61#include <openssl/bn.h> 61#include <openssl/bn.h>
62#include <openssl/rsa.h> 62#include <openssl/rsa.h>
63#include <openssl/rand.h> 63#include <openssl/rand.h>
64#include <openssl/engine.h>
65 64
66#ifndef RSA_NULL 65#ifndef RSA_NULL
67 66
@@ -187,7 +186,7 @@ err:
187 BN_clear_free(&ret); 186 BN_clear_free(&ret);
188 if (buf != NULL) 187 if (buf != NULL)
189 { 188 {
190 memset(buf,0,num); 189 OPENSSL_cleanse(buf,num);
191 OPENSSL_free(buf); 190 OPENSSL_free(buf);
192 } 191 }
193 return(r); 192 return(r);
@@ -206,12 +205,46 @@ static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx)
206 205
207#define BLINDING_HELPER(rsa, ctx, err_instr) \ 206#define BLINDING_HELPER(rsa, ctx, err_instr) \
208 do { \ 207 do { \
209 if(((rsa)->flags & RSA_FLAG_BLINDING) && \ 208 if((!((rsa)->flags & RSA_FLAG_NO_BLINDING)) && \
210 ((rsa)->blinding == NULL) && \ 209 ((rsa)->blinding == NULL) && \
211 !rsa_eay_blinding(rsa, ctx)) \ 210 !rsa_eay_blinding(rsa, ctx)) \
212 err_instr \ 211 err_instr \
213 } while(0) 212 } while(0)
214 213
214static BN_BLINDING *setup_blinding(RSA *rsa, BN_CTX *ctx)
215 {
216 BIGNUM *A, *Ai;
217 BN_BLINDING *ret = NULL;
218
219 /* added in OpenSSL 0.9.6j and 0.9.7b */
220
221 /* NB: similar code appears in RSA_blinding_on (rsa_lib.c);
222 * this should be placed in a new function of its own, but for reasons
223 * of binary compatibility can't */
224
225 BN_CTX_start(ctx);
226 A = BN_CTX_get(ctx);
227 if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL)
228 {
229 /* if PRNG is not properly seeded, resort to secret exponent as unpredictable seed */
230 RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0);
231 if (!BN_pseudo_rand_range(A,rsa->n)) goto err;
232 }
233 else
234 {
235 if (!BN_rand_range(A,rsa->n)) goto err;
236 }
237 if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err;
238
239 if (!rsa->meth->bn_mod_exp(A,A,rsa->e,rsa->n,ctx,rsa->_method_mod_n))
240 goto err;
241 ret = BN_BLINDING_new(A,Ai,rsa->n);
242 BN_free(Ai);
243err:
244 BN_CTX_end(ctx);
245 return ret;
246 }
247
215/* signing */ 248/* signing */
216static int RSA_eay_private_encrypt(int flen, const unsigned char *from, 249static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
217 unsigned char *to, RSA *rsa, int padding) 250 unsigned char *to, RSA *rsa, int padding)
@@ -220,6 +253,8 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
220 int i,j,k,num=0,r= -1; 253 int i,j,k,num=0,r= -1;
221 unsigned char *buf=NULL; 254 unsigned char *buf=NULL;
222 BN_CTX *ctx=NULL; 255 BN_CTX *ctx=NULL;
256 int local_blinding = 0;
257 BN_BLINDING *blinding = NULL;
223 258
224 BN_init(&f); 259 BN_init(&f);
225 BN_init(&ret); 260 BN_init(&ret);
@@ -257,9 +292,38 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
257 } 292 }
258 293
259 BLINDING_HELPER(rsa, ctx, goto err;); 294 BLINDING_HELPER(rsa, ctx, goto err;);
295 blinding = rsa->blinding;
296
297 /* Now unless blinding is disabled, 'blinding' is non-NULL.
298 * But the BN_BLINDING object may be owned by some other thread
299 * (we don't want to keep it constant and we don't want to use
300 * lots of locking to avoid race conditions, so only a single
301 * thread can use it; other threads have to use local blinding
302 * factors) */
303 if (!(rsa->flags & RSA_FLAG_NO_BLINDING))
304 {
305 if (blinding == NULL)
306 {
307 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR);
308 goto err;
309 }
310 }
311
312 if (blinding != NULL)
313 {
314 if (blinding->thread_id != CRYPTO_thread_id())
315 {
316 /* we need a local one-time blinding factor */
317
318 blinding = setup_blinding(rsa, ctx);
319 if (blinding == NULL)
320 goto err;
321 local_blinding = 1;
322 }
323 }
260 324
261 if (rsa->flags & RSA_FLAG_BLINDING) 325 if (blinding)
262 if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err; 326 if (!BN_BLINDING_convert(&f, blinding, ctx)) goto err;
263 327
264 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || 328 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
265 ((rsa->p != NULL) && 329 ((rsa->p != NULL) &&
@@ -273,8 +337,8 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
273 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err; 337 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err;
274 } 338 }
275 339
276 if (rsa->flags & RSA_FLAG_BLINDING) 340 if (blinding)
277 if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err; 341 if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err;
278 342
279 /* put in leading 0 bytes if the number is less than the 343 /* put in leading 0 bytes if the number is less than the
280 * length of the modulus */ 344 * length of the modulus */
@@ -288,9 +352,11 @@ err:
288 if (ctx != NULL) BN_CTX_free(ctx); 352 if (ctx != NULL) BN_CTX_free(ctx);
289 BN_clear_free(&ret); 353 BN_clear_free(&ret);
290 BN_clear_free(&f); 354 BN_clear_free(&f);
355 if (local_blinding)
356 BN_BLINDING_free(blinding);
291 if (buf != NULL) 357 if (buf != NULL)
292 { 358 {
293 memset(buf,0,num); 359 OPENSSL_cleanse(buf,num);
294 OPENSSL_free(buf); 360 OPENSSL_free(buf);
295 } 361 }
296 return(r); 362 return(r);
@@ -304,6 +370,8 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
304 unsigned char *p; 370 unsigned char *p;
305 unsigned char *buf=NULL; 371 unsigned char *buf=NULL;
306 BN_CTX *ctx=NULL; 372 BN_CTX *ctx=NULL;
373 int local_blinding = 0;
374 BN_BLINDING *blinding = NULL;
307 375
308 BN_init(&f); 376 BN_init(&f);
309 BN_init(&ret); 377 BN_init(&ret);
@@ -336,9 +404,38 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
336 } 404 }
337 405
338 BLINDING_HELPER(rsa, ctx, goto err;); 406 BLINDING_HELPER(rsa, ctx, goto err;);
407 blinding = rsa->blinding;
408
409 /* Now unless blinding is disabled, 'blinding' is non-NULL.
410 * But the BN_BLINDING object may be owned by some other thread
411 * (we don't want to keep it constant and we don't want to use
412 * lots of locking to avoid race conditions, so only a single
413 * thread can use it; other threads have to use local blinding
414 * factors) */
415 if (!(rsa->flags & RSA_FLAG_NO_BLINDING))
416 {
417 if (blinding == NULL)
418 {
419 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR);
420 goto err;
421 }
422 }
423
424 if (blinding != NULL)
425 {
426 if (blinding->thread_id != CRYPTO_thread_id())
427 {
428 /* we need a local one-time blinding factor */
429
430 blinding = setup_blinding(rsa, ctx);
431 if (blinding == NULL)
432 goto err;
433 local_blinding = 1;
434 }
435 }
339 436
340 if (rsa->flags & RSA_FLAG_BLINDING) 437 if (blinding)
341 if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err; 438 if (!BN_BLINDING_convert(&f, blinding, ctx)) goto err;
342 439
343 /* do the decrypt */ 440 /* do the decrypt */
344 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || 441 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
@@ -354,8 +451,8 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
354 goto err; 451 goto err;
355 } 452 }
356 453
357 if (rsa->flags & RSA_FLAG_BLINDING) 454 if (blinding)
358 if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err; 455 if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err;
359 456
360 p=buf; 457 p=buf;
361 j=BN_bn2bin(&ret,p); /* j is only used with no-padding mode */ 458 j=BN_bn2bin(&ret,p); /* j is only used with no-padding mode */
@@ -389,7 +486,7 @@ err:
389 BN_clear_free(&ret); 486 BN_clear_free(&ret);
390 if (buf != NULL) 487 if (buf != NULL)
391 { 488 {
392 memset(buf,0,num); 489 OPENSSL_cleanse(buf,num);
393 OPENSSL_free(buf); 490 OPENSSL_free(buf);
394 } 491 }
395 return(r); 492 return(r);
@@ -486,7 +583,7 @@ err:
486 BN_clear_free(&ret); 583 BN_clear_free(&ret);
487 if (buf != NULL) 584 if (buf != NULL)
488 { 585 {
489 memset(buf,0,num); 586 OPENSSL_cleanse(buf,num);
490 OPENSSL_free(buf); 587 OPENSSL_free(buf);
491 } 588 }
492 return(r); 589 return(r);
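Review bot: In the new setup_blinding (hunk at -206,+205) the inverse `Ai` is leaked on the failure path of `rsa->meth->bn_mod_exp`, because that `goto err` jumps past the `BN_free(Ai)` that sits after `BN_BLINDING_new`, and the preceding `A = BN_CTX_get(ctx)` result is passed to BN_rand_range/BN_pseudo_rand_range without a NULL check. `Ai` is the inverse of the blinding factor, i.e. key-dependent secret material, so it should also be cleared rather than plainly freed. I would declare `BIGNUM *A, *Ai = NULL;`, add `if (A == NULL) goto err;` right after the BN_CTX_get call, and move the release to `err:` as `BN_clear_free(Ai);` so that every exit path frees it (BN_clear_free tolerates NULL). The comment notes that similar code lives in RSA_blinding_on in rsa_lib.c, which is outside this diff and presumably deserves the same review.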