authorbcook <>2016-06-30 02:02:06 +0000
committerbcook <>2016-06-30 02:02:06 +0000
commitf38e0f193e7bb5faea955cd4afea248b830afa18 (patch)
tree0ceecace65c38593a01c1d41cce469bd98529f43 /src/lib
parentaa239d08d6dc87fdd121f62e3130aa5d5357cfff (diff)
Remove flags for disabling constant-time operations.
This removes support for DSA_FLAG_NO_EXP_CONSTTIME, DH_FLAG_NO_EXP_CONSTTIME, and RSA_FLAG_NO_CONSTTIME flags, making all of these operations unconditionally constant-time. Based on the original patch by César Pereid. ok beck@
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/libcrypto/dh/dh.h9
-rw-r--r--src/lib/libcrypto/dh/dh_key.c37
-rw-r--r--src/lib/libcrypto/dsa/dsa.h5
-rw-r--r--src/lib/libcrypto/dsa/dsa_key.c14
-rw-r--r--src/lib/libcrypto/rsa/rsa.h12
-rw-r--r--src/lib/libcrypto/rsa/rsa_crpt.c16
-rw-r--r--src/lib/libcrypto/rsa/rsa_eay.c138
-rw-r--r--src/lib/libcrypto/rsa/rsa_gen.c33
-rw-r--r--src/lib/libssl/src/crypto/dh/dh.h9
-rw-r--r--src/lib/libssl/src/crypto/dh/dh_key.c37
-rw-r--r--src/lib/libssl/src/crypto/dsa/dsa.h5
-rw-r--r--src/lib/libssl/src/crypto/dsa/dsa_key.c14
-rw-r--r--src/lib/libssl/src/crypto/rsa/rsa.h12
-rw-r--r--src/lib/libssl/src/crypto/rsa/rsa_crpt.c16
-rw-r--r--src/lib/libssl/src/crypto/rsa/rsa_eay.c138
-rw-r--r--src/lib/libssl/src/crypto/rsa/rsa_gen.c33
16 files changed, 174 insertions, 354 deletions
diff --git a/src/lib/libcrypto/dh/dh.h b/src/lib/libcrypto/dh/dh.h
index a20467c9d0..631cd5c685 100644
--- a/src/lib/libcrypto/dh/dh.h
+++ b/src/lib/libcrypto/dh/dh.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: dh.h,v 1.16 2014/06/12 15:49:28 deraadt Exp $ */ 1/* $OpenBSD: dh.h,v 1.17 2016/06/30 02:02:06 bcook Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -78,13 +78,6 @@
78#endif 78#endif
79 79
80#define DH_FLAG_CACHE_MONT_P 0x01 80#define DH_FLAG_CACHE_MONT_P 0x01
81#define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH
82 * implementation now uses constant time
83 * modular exponentiation for secret exponents
84 * by default. This flag causes the
85 * faster variable sliding window method to
86 * be used for all exponents.
87 */
88 81
89/* If this flag is set the DH method is FIPS compliant and can be used 82/* If this flag is set the DH method is FIPS compliant and can be used
90 * in FIPS mode. This is set in the validated module method. If an 83 * in FIPS mode. This is set in the validated module method. If an
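Review bot: Dropping `DH_FLAG_NO_EXP_CONSTTIME` from the public header turns any out-of-tree source that still references the name into a compile error, whereas the dsa.h hunk of this same commit shows the earlier DSA approach was to keep `DSA_FLAG_NO_EXP_CONSTTIME` defined as `0x00` with a "Does nothing" comment. If source compatibility matters for this release, the same treatment works here and in rsa.h: `#define DH_FLAG_NO_EXP_CONSTTIME 0x00 /* Ignored; exponentiation is always constant-time. */`. Either way, a short comment recording that bit 0x02 (0x0100 in rsa.h) was previously assigned and may still be passed by older callers would help the next person who adds a flag avoid giving that bit a new meaning. The same applies to the libssl/src/crypto copies of dh.h, dsa.h and rsa.h.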
diff --git a/src/lib/libcrypto/dh/dh_key.c b/src/lib/libcrypto/dh/dh_key.c
index 31bc7b3dfd..25e8968ef5 100644
--- a/src/lib/libcrypto/dh/dh_key.c
+++ b/src/lib/libcrypto/dh/dh_key.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: dh_key.c,v 1.23 2015/02/09 15:49:22 jsing Exp $ */ 1/* $OpenBSD: dh_key.c,v 1.24 2016/06/30 02:02:06 bcook Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -147,21 +147,16 @@ generate_key(DH *dh)
147 } 147 }
148 148
149 { 149 {
150 BIGNUM local_prk; 150 BIGNUM prk;
151 BIGNUM *prk;
152 151
153 if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) { 152 BN_with_flags(&prk, priv_key, BN_FLG_CONSTTIME);
154 BN_init(&local_prk);
155 prk = &local_prk;
156 BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
157 } else
158 prk = priv_key;
159 153
160 if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, prk, dh->p, ctx, 154 if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, &prk, dh->p, ctx,
161 mont)) 155 mont)) {
162 goto err; 156 goto err;
157 }
163 } 158 }
164 159
165 dh->pub_key = pub_key; 160 dh->pub_key = pub_key;
166 dh->priv_key = priv_key; 161 dh->priv_key = priv_key;
167 ok = 1; 162 ok = 1;
@@ -206,10 +201,9 @@ compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
206 if (dh->flags & DH_FLAG_CACHE_MONT_P) { 201 if (dh->flags & DH_FLAG_CACHE_MONT_P) {
207 mont = BN_MONT_CTX_set_locked(&dh->method_mont_p, 202 mont = BN_MONT_CTX_set_locked(&dh->method_mont_p,
208 CRYPTO_LOCK_DH, dh->p, ctx); 203 CRYPTO_LOCK_DH, dh->p, ctx);
209 if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) { 204
210 /* XXX */ 205 BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
211 BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME); 206
212 }
213 if (!mont) 207 if (!mont)
214 goto err; 208 goto err;
215 } 209 }
@@ -238,16 +232,7 @@ static int
238dh_bn_mod_exp(const DH *dh, BIGNUM *r, const BIGNUM *a, const BIGNUM *p, 232dh_bn_mod_exp(const DH *dh, BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
239 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx) 233 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
240{ 234{
241 /* 235 return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
242 * If a is only one word long and constant time is false, use the faster
243 * exponenentiation function.
244 */
245 if (a->top == 1 && (dh->flags & DH_FLAG_NO_EXP_CONSTTIME) != 0) {
246 BN_ULONG A = a->d[0];
247
248 return BN_mod_exp_mont_word(r, A, p, m, ctx, m_ctx);
249 } else
250 return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
251} 236}
252 237
253static int 238static int
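Review bot: The generate_key hunk drops the `BN_init(&local_prk)` that preceded `BN_with_flags` in the old code, so `prk` is an uninitialised stack BIGNUM when `BN_with_flags(&prk, priv_key, BN_FLG_CONSTTIME)` runs; if `BN_with_flags` in this tree is the usual macro that reads `dest->flags` to preserve `BN_FLG_MALLOCED`, that is a read of indeterminate memory (confirm against bn.h). Keeping `BN_init(&prk);` immediately before the `BN_with_flags` call closes it at no cost. The same pattern appears in the dsa_key.c, rsa_crpt.c, rsa_eay.c and rsa_gen.c hunks of this commit (and their libssl/src/crypto copies), several of which already lacked the init before this change. Separately, in the compute_key hunk `BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME)` remains inside the `if (dh->flags & DH_FLAG_CACHE_MONT_P)` block, so the constant-time marking of the private exponent is still conditional on the caching flag rather than unconditional as the commit message states; the mod_exp that consumes priv_key is outside the hunk, so whether another path sets the flag cannot be seen here.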
diff --git a/src/lib/libcrypto/dsa/dsa.h b/src/lib/libcrypto/dsa/dsa.h
index f7f81cfa94..b4d7c1ff0f 100644
--- a/src/lib/libcrypto/dsa/dsa.h
+++ b/src/lib/libcrypto/dsa/dsa.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: dsa.h,v 1.20 2016/06/21 04:16:53 bcook Exp $ */ 1/* $OpenBSD: dsa.h,v 1.21 2016/06/30 02:02:06 bcook Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -89,9 +89,6 @@
89#endif 89#endif
90 90
91#define DSA_FLAG_CACHE_MONT_P 0x01 91#define DSA_FLAG_CACHE_MONT_P 0x01
92#define DSA_FLAG_NO_EXP_CONSTTIME 0x00 /* Does nothing. Previously this switched off
93 * constant time behaviour.
94 */
95 92
96/* If this flag is set the DSA method is FIPS compliant and can be used 93/* If this flag is set the DSA method is FIPS compliant and can be used
97 * in FIPS mode. This is set in the validated module method. If an 94 * in FIPS mode. This is set in the validated module method. If an
diff --git a/src/lib/libcrypto/dsa/dsa_key.c b/src/lib/libcrypto/dsa/dsa_key.c
index 4732c471ed..fc4eb9c433 100644
--- a/src/lib/libcrypto/dsa/dsa_key.c
+++ b/src/lib/libcrypto/dsa/dsa_key.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: dsa_key.c,v 1.21 2016/06/21 04:16:53 bcook Exp $ */ 1/* $OpenBSD: dsa_key.c,v 1.22 2016/06/30 02:02:06 bcook Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -104,18 +104,12 @@ dsa_builtin_keygen(DSA *dsa)
104 pub_key=dsa->pub_key; 104 pub_key=dsa->pub_key;
105 105
106 { 106 {
107 BIGNUM *prk = BN_new(); 107 BIGNUM prk;
108 108
109 if (prk == NULL) 109 BN_with_flags(&prk, priv_key, BN_FLG_CONSTTIME);
110 goto err;
111
112 BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
113 110
114 if (!BN_mod_exp(pub_key, dsa->g, prk, dsa->p, ctx)) { 111 if (!BN_mod_exp(pub_key, dsa->g, &prk, dsa->p, ctx))
115 BN_free(prk);
116 goto err; 112 goto err;
117 }
118 BN_free(prk);
119 } 113 }
120 114
121 dsa->priv_key = priv_key; 115 dsa->priv_key = priv_key;
diff --git a/src/lib/libcrypto/rsa/rsa.h b/src/lib/libcrypto/rsa/rsa.h
index 4045a6cbf3..d240294809 100644
--- a/src/lib/libcrypto/rsa/rsa.h
+++ b/src/lib/libcrypto/rsa/rsa.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: rsa.h,v 1.27 2015/02/14 15:10:39 miod Exp $ */ 1/* $OpenBSD: rsa.h,v 1.28 2016/06/30 02:02:06 bcook Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -194,16 +194,6 @@ struct rsa_st {
194 */ 194 */
195#define RSA_FLAG_NO_BLINDING 0x0080 195#define RSA_FLAG_NO_BLINDING 0x0080
196 196
197/*
198 * The built-in RSA implementation uses constant time operations by default
199 * in private key operations, e.g., constant time modular exponentiation,
200 * modular inverse without leaking branches, division without leaking branches.
201 * This flag disables these constant time operations and results in faster RSA
202 * private key operations.
203 */
204#define RSA_FLAG_NO_CONSTTIME 0x0100
205
206
207#define EVP_PKEY_CTX_set_rsa_padding(ctx, pad) \ 197#define EVP_PKEY_CTX_set_rsa_padding(ctx, pad) \
208 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, -1, EVP_PKEY_CTRL_RSA_PADDING, \ 198 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, -1, EVP_PKEY_CTRL_RSA_PADDING, \
209 pad, NULL) 199 pad, NULL)
diff --git a/src/lib/libcrypto/rsa/rsa_crpt.c b/src/lib/libcrypto/rsa/rsa_crpt.c
index 809dd14c92..b50e4a4a6f 100644
--- a/src/lib/libcrypto/rsa/rsa_crpt.c
+++ b/src/lib/libcrypto/rsa/rsa_crpt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: rsa_crpt.c,v 1.14 2015/02/11 03:19:37 doug Exp $ */ 1/* $OpenBSD: rsa_crpt.c,v 1.15 2016/06/30 02:02:06 bcook Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -169,8 +169,8 @@ err:
169BN_BLINDING * 169BN_BLINDING *
170RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx) 170RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx)
171{ 171{
172 BIGNUM local_n; 172 BIGNUM *e;
173 BIGNUM *e, *n; 173 BIGNUM n;
174 BN_CTX *ctx; 174 BN_CTX *ctx;
175 BN_BLINDING *ret = NULL; 175 BN_BLINDING *ret = NULL;
176 176
@@ -192,15 +192,11 @@ RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx)
192 } else 192 } else
193 e = rsa->e; 193 e = rsa->e;
194 194
195 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 195 BN_with_flags(&n, rsa->n, BN_FLG_CONSTTIME);
196 /* Set BN_FLG_CONSTTIME flag */
197 n = &local_n;
198 BN_with_flags(n, rsa->n, BN_FLG_CONSTTIME);
199 } else
200 n = rsa->n;
201 196
202 ret = BN_BLINDING_create_param(NULL, e, n, ctx, rsa->meth->bn_mod_exp, 197 ret = BN_BLINDING_create_param(NULL, e, &n, ctx, rsa->meth->bn_mod_exp,
203 rsa->_method_mod_n); 198 rsa->_method_mod_n);
199
204 if (ret == NULL) { 200 if (ret == NULL) {
205 RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_BN_LIB); 201 RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_BN_LIB);
206 goto err; 202 goto err;
diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c
index 76863e7220..6edfd7e5fd 100644
--- a/src/lib/libcrypto/rsa/rsa_eay.c
+++ b/src/lib/libcrypto/rsa/rsa_eay.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: rsa_eay.c,v 1.40 2015/09/10 15:56:25 jsing Exp $ */ 1/* $OpenBSD: rsa_eay.c,v 1.41 2016/06/30 02:02:06 bcook Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -177,11 +177,13 @@ RSA_eay_public_encrypt(int flen, const unsigned char *from, unsigned char *to,
177 177
178 if ((ctx = BN_CTX_new()) == NULL) 178 if ((ctx = BN_CTX_new()) == NULL)
179 goto err; 179 goto err;
180
180 BN_CTX_start(ctx); 181 BN_CTX_start(ctx);
181 f = BN_CTX_get(ctx); 182 f = BN_CTX_get(ctx);
182 ret = BN_CTX_get(ctx); 183 ret = BN_CTX_get(ctx);
183 num = BN_num_bytes(rsa->n); 184 num = BN_num_bytes(rsa->n);
184 buf = malloc(num); 185 buf = malloc(num);
186
185 if (f == NULL || ret == NULL || buf == NULL) { 187 if (f == NULL || ret == NULL || buf == NULL) {
186 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, ERR_R_MALLOC_FAILURE); 188 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, ERR_R_MALLOC_FAILURE);
187 goto err; 189 goto err;
@@ -362,11 +364,13 @@ RSA_eay_private_encrypt(int flen, const unsigned char *from, unsigned char *to,
362 364
363 if ((ctx = BN_CTX_new()) == NULL) 365 if ((ctx = BN_CTX_new()) == NULL)
364 goto err; 366 goto err;
367
365 BN_CTX_start(ctx); 368 BN_CTX_start(ctx);
366 f = BN_CTX_get(ctx); 369 f = BN_CTX_get(ctx);
367 ret = BN_CTX_get(ctx); 370 ret = BN_CTX_get(ctx);
368 num = BN_num_bytes(rsa->n); 371 num = BN_num_bytes(rsa->n);
369 buf = malloc(num); 372 buf = malloc(num);
373
370 if (f == NULL || ret == NULL || buf == NULL) { 374 if (f == NULL || ret == NULL || buf == NULL) {
371 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE); 375 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE);
372 goto err; 376 goto err;
@@ -426,24 +430,19 @@ RSA_eay_private_encrypt(int flen, const unsigned char *from, unsigned char *to,
426 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) 430 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
427 goto err; 431 goto err;
428 } else { 432 } else {
429 BIGNUM local_d; 433 BIGNUM d;
430 BIGNUM *d = NULL;
431 434
432 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 435 BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME);
433 BN_init(&local_d);
434 d = &local_d;
435 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
436 } else
437 d = rsa->d;
438 436
439 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 437 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
440 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, 438 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
441 CRYPTO_LOCK_RSA, rsa->n, ctx)) 439 CRYPTO_LOCK_RSA, rsa->n, ctx))
442 goto err; 440 goto err;
443 441
444 if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx, 442 if (!rsa->meth->bn_mod_exp(ret, f, &d, rsa->n, ctx,
445 rsa->_method_mod_n)) 443 rsa->_method_mod_n)) {
446 goto err; 444 goto err;
445 }
447 } 446 }
448 447
449 if (blinding) 448 if (blinding)
@@ -499,11 +498,13 @@ RSA_eay_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
499 498
500 if ((ctx = BN_CTX_new()) == NULL) 499 if ((ctx = BN_CTX_new()) == NULL)
501 goto err; 500 goto err;
501
502 BN_CTX_start(ctx); 502 BN_CTX_start(ctx);
503 f = BN_CTX_get(ctx); 503 f = BN_CTX_get(ctx);
504 ret = BN_CTX_get(ctx); 504 ret = BN_CTX_get(ctx);
505 num = BN_num_bytes(rsa->n); 505 num = BN_num_bytes(rsa->n);
506 buf = malloc(num); 506 buf = malloc(num);
507
507 if (!f || !ret || !buf) { 508 if (!f || !ret || !buf) {
508 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE); 509 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE);
509 goto err; 510 goto err;
@@ -553,22 +554,19 @@ RSA_eay_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
553 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) 554 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
554 goto err; 555 goto err;
555 } else { 556 } else {
556 BIGNUM local_d; 557 BIGNUM d;
557 BIGNUM *d = NULL;
558 558
559 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 559 BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME);
560 d = &local_d;
561 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
562 } else
563 d = rsa->d;
564 560
565 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 561 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
566 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, 562 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
567 CRYPTO_LOCK_RSA, rsa->n, ctx)) 563 CRYPTO_LOCK_RSA, rsa->n, ctx))
568 goto err; 564 goto err;
569 if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx, 565
570 rsa->_method_mod_n)) 566 if (!rsa->meth->bn_mod_exp(ret, f, &d, rsa->n, ctx,
567 rsa->_method_mod_n)) {
571 goto err; 568 goto err;
569 }
572 } 570 }
573 571
574 if (blinding) 572 if (blinding)
@@ -645,11 +643,13 @@ RSA_eay_public_decrypt(int flen, const unsigned char *from, unsigned char *to,
645 643
646 if ((ctx = BN_CTX_new()) == NULL) 644 if ((ctx = BN_CTX_new()) == NULL)
647 goto err; 645 goto err;
646
648 BN_CTX_start(ctx); 647 BN_CTX_start(ctx);
649 f = BN_CTX_get(ctx); 648 f = BN_CTX_get(ctx);
650 ret = BN_CTX_get(ctx); 649 ret = BN_CTX_get(ctx);
651 num = BN_num_bytes(rsa->n); 650 num = BN_num_bytes(rsa->n);
652 buf = malloc(num); 651 buf = malloc(num);
652
653 if (!f || !ret || !buf) { 653 if (!f || !ret || !buf) {
654 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, ERR_R_MALLOC_FAILURE); 654 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, ERR_R_MALLOC_FAILURE);
655 goto err; 655 goto err;
@@ -723,8 +723,7 @@ static int
723RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) 723RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
724{ 724{
725 BIGNUM *r1, *m1, *vrfy; 725 BIGNUM *r1, *m1, *vrfy;
726 BIGNUM local_dmp1, local_dmq1, local_c, local_r1; 726 BIGNUM dmp1, dmq1, c, pr1;
727 BIGNUM *dmp1, *dmq1, *c, *pr1;
728 int ret = 0; 727 int ret = 0;
729 728
730 BN_CTX_start(ctx); 729 BN_CTX_start(ctx);
@@ -737,33 +736,22 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
737 } 736 }
738 737
739 { 738 {
740 BIGNUM local_p, local_q; 739 BIGNUM p, q;
741 BIGNUM *p = NULL, *q = NULL;
742 740
743 /* 741 /*
744 * Make sure BN_mod_inverse in Montgomery intialization uses the 742 * Make sure BN_mod_inverse in Montgomery intialization uses the
745 * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set) 743 * BN_FLG_CONSTTIME flag
746 */ 744 */
747 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 745 BN_with_flags(&p, rsa->p, BN_FLG_CONSTTIME);
748 BN_init(&local_p); 746 BN_with_flags(&q, rsa->q, BN_FLG_CONSTTIME);
749 p = &local_p;
750 BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
751
752 BN_init(&local_q);
753 q = &local_q;
754 BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
755 } else {
756 p = rsa->p;
757 q = rsa->q;
758 }
759 747
760 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) { 748 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) {
761 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, 749 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p,
762 CRYPTO_LOCK_RSA, p, ctx)) 750 CRYPTO_LOCK_RSA, &p, ctx) ||
763 goto err; 751 !BN_MONT_CTX_set_locked(&rsa->_method_mod_q,
764 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q, 752 CRYPTO_LOCK_RSA, &q, ctx)) {
765 CRYPTO_LOCK_RSA, q, ctx))
766 goto err; 753 goto err;
754 }
767 } 755 }
768 } 756 }
769 757
@@ -773,49 +761,34 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
773 goto err; 761 goto err;
774 762
775 /* compute I mod q */ 763 /* compute I mod q */
776 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 764 BN_with_flags(&c, I, BN_FLG_CONSTTIME);
777 c = &local_c; 765
778 BN_with_flags(c, I, BN_FLG_CONSTTIME); 766 if (!BN_mod(r1, &c, rsa->q, ctx))
779 if (!BN_mod(r1, c, rsa->q, ctx)) 767 goto err;
780 goto err;
781 } else {
782 if (!BN_mod(r1, I, rsa->q, ctx))
783 goto err;
784 }
785 768
786 /* compute r1^dmq1 mod q */ 769 /* compute r1^dmq1 mod q */
787 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 770 BN_with_flags(&dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
788 dmq1 = &local_dmq1; 771
789 BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME); 772 if (!rsa->meth->bn_mod_exp(m1, r1, &dmq1, rsa->q, ctx,
790 } else
791 dmq1 = rsa->dmq1;
792 if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx,
793 rsa->_method_mod_q)) 773 rsa->_method_mod_q))
794 goto err; 774 goto err;
795 775
796 /* compute I mod p */ 776 /* compute I mod p */
797 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 777 BN_with_flags(&c, I, BN_FLG_CONSTTIME);
798 c = &local_c; 778
799 BN_with_flags(c, I, BN_FLG_CONSTTIME); 779 if (!BN_mod(r1, &c, rsa->p, ctx))
800 if (!BN_mod(r1, c, rsa->p, ctx)) 780 goto err;
801 goto err;
802 } else {
803 if (!BN_mod(r1, I, rsa->p, ctx))
804 goto err;
805 }
806 781
807 /* compute r1^dmp1 mod p */ 782 /* compute r1^dmp1 mod p */
808 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 783 BN_with_flags(&dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
809 dmp1 = &local_dmp1; 784
810 BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME); 785 if (!rsa->meth->bn_mod_exp(r0, r1, &dmp1, rsa->p, ctx,
811 } else
812 dmp1 = rsa->dmp1;
813 if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p, ctx,
814 rsa->_method_mod_p)) 786 rsa->_method_mod_p))
815 goto err; 787 goto err;
816 788
817 if (!BN_sub(r0, r0, m1)) 789 if (!BN_sub(r0, r0, m1))
818 goto err; 790 goto err;
791
819 /* 792 /*
820 * This will help stop the size of r0 increasing, which does 793 * This will help stop the size of r0 increasing, which does
821 * affect the multiply if it optimised for a power of 2 size 794 * affect the multiply if it optimised for a power of 2 size
@@ -828,12 +801,9 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
828 goto err; 801 goto err;
829 802
830 /* Turn BN_FLG_CONSTTIME flag on before division operation */ 803 /* Turn BN_FLG_CONSTTIME flag on before division operation */
831 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 804 BN_with_flags(&pr1, r1, BN_FLG_CONSTTIME);
832 pr1 = &local_r1; 805
833 BN_with_flags(pr1, r1, BN_FLG_CONSTTIME); 806 if (!BN_mod(r0, &pr1, rsa->p, ctx))
834 } else
835 pr1 = r1;
836 if (!BN_mod(r0, pr1, rsa->p, ctx))
837 goto err; 807 goto err;
838 808
839 /* 809 /*
@@ -875,18 +845,14 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
875 * miscalculated CRT output, just do a raw (slower) 845 * miscalculated CRT output, just do a raw (slower)
876 * mod_exp and return that instead. 846 * mod_exp and return that instead.
877 */ 847 */
848 BIGNUM d;
878 849
879 BIGNUM local_d; 850 BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME);
880 BIGNUM *d = NULL;
881 851
882 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 852 if (!rsa->meth->bn_mod_exp(r0, I, &d, rsa->n, ctx,
883 d = &local_d; 853 rsa->_method_mod_n)) {
884 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
885 } else
886 d = rsa->d;
887 if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx,
888 rsa->_method_mod_n))
889 goto err; 854 goto err;
855 }
890 } 856 }
891 } 857 }
892 ret = 1; 858 ret = 1;
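Review bot: In the RSA_eay_mod_exp hunk the new code calls `BN_with_flags(&c, I, BN_FLG_CONSTTIME)` twice on the same `c` (before the mod-q reduction and again before the mod-p one); the second call is a no-op repeat of the first, since neither `c` nor the const `I` is modified in between, and can be dropped. The bare `BIGNUM dmp1, dmq1, c, pr1;` and `BIGNUM d;` declarations that replace the `local_*`/pointer pairs would benefit from a one-line comment at the declaration such as `/* shallow BN_with_flags() aliases of the key material: carry BN_FLG_CONSTTIME, never BN_free()d */`, because nothing in the function now explains why these are stack structs rather than BN_CTX temporaries. These stack BIGNUMs are also passed uninitialised to BN_with_flags, as noted on dh_key.c. The same applies to the libssl/src/crypto copy of this file.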
diff --git a/src/lib/libcrypto/rsa/rsa_gen.c b/src/lib/libcrypto/rsa/rsa_gen.c
index f6f051c442..d46f4f2478 100644
--- a/src/lib/libcrypto/rsa/rsa_gen.c
+++ b/src/lib/libcrypto/rsa/rsa_gen.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: rsa_gen.c,v 1.17 2015/02/09 15:49:22 jsing Exp $ */ 1/* $OpenBSD: rsa_gen.c,v 1.18 2016/06/30 02:02:06 bcook Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -90,8 +90,7 @@ static int
90rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) 90rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
91{ 91{
92 BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp; 92 BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp;
93 BIGNUM local_r0, local_d, local_p; 93 BIGNUM pr0, d, p;
94 BIGNUM *pr0, *d, *p;
95 int bitsp, bitsq, ok = -1, n = 0; 94 int bitsp, bitsq, ok = -1, n = 0;
96 BN_CTX *ctx = NULL; 95 BN_CTX *ctx = NULL;
97 96
@@ -193,36 +192,26 @@ rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
193 goto err; 192 goto err;
194 if (!BN_mul(r0, r1, r2, ctx)) /* (p-1)(q-1) */ 193 if (!BN_mul(r0, r1, r2, ctx)) /* (p-1)(q-1) */
195 goto err; 194 goto err;
196 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 195
197 pr0 = &local_r0; 196 BN_with_flags(&pr0, r0, BN_FLG_CONSTTIME);
198 BN_with_flags(pr0, r0, BN_FLG_CONSTTIME); 197
199 } else 198 if (!BN_mod_inverse(rsa->d, rsa->e, &pr0, ctx)) /* d */
200 pr0 = r0;
201 if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx)) /* d */
202 goto err; 199 goto err;
203 200
204 /* set up d for correct BN_FLG_CONSTTIME flag */ 201 /* set up d for correct BN_FLG_CONSTTIME flag */
205 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 202 BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME);
206 d = &local_d;
207 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
208 } else
209 d = rsa->d;
210 203
211 /* calculate d mod (p-1) */ 204 /* calculate d mod (p-1) */
212 if (!BN_mod(rsa->dmp1, d, r1, ctx)) 205 if (!BN_mod(rsa->dmp1, &d, r1, ctx))
213 goto err; 206 goto err;
214 207
215 /* calculate d mod (q-1) */ 208 /* calculate d mod (q-1) */
216 if (!BN_mod(rsa->dmq1, d, r2, ctx)) 209 if (!BN_mod(rsa->dmq1, &d, r2, ctx))
217 goto err; 210 goto err;
218 211
219 /* calculate inverse of q mod p */ 212 /* calculate inverse of q mod p */
220 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 213 BN_with_flags(&p, rsa->p, BN_FLG_CONSTTIME);
221 p = &local_p; 214 if (!BN_mod_inverse(rsa->iqmp, rsa->q, &p, ctx))
222 BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
223 } else
224 p = rsa->p;
225 if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx))
226 goto err; 215 goto err;
227 216
228 ok = 1; 217 ok = 1;
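Review bot: Style: the `BN_with_flags(&p, rsa->p, BN_FLG_CONSTTIME);` that precedes the `BN_mod_inverse(rsa->iqmp, ...)` call is the only alias site in this hunk not separated from its use by a blank line, while the `pr0` and `d` sites above it are; adding the blank line after `BN_with_flags(&p, ...)` keeps the hunk self-consistent. The `pr0`, `d` and `p` stack BIGNUMs are also handed uninitialised to BN_with_flags, as already noted on dh_key.c. The same applies to the libssl/src/crypto copy of this file.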
diff --git a/src/lib/libssl/src/crypto/dh/dh.h b/src/lib/libssl/src/crypto/dh/dh.h
index a20467c9d0..631cd5c685 100644
--- a/src/lib/libssl/src/crypto/dh/dh.h
+++ b/src/lib/libssl/src/crypto/dh/dh.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: dh.h,v 1.16 2014/06/12 15:49:28 deraadt Exp $ */ 1/* $OpenBSD: dh.h,v 1.17 2016/06/30 02:02:06 bcook Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -78,13 +78,6 @@
78#endif 78#endif
79 79
80#define DH_FLAG_CACHE_MONT_P 0x01 80#define DH_FLAG_CACHE_MONT_P 0x01
81#define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH
82 * implementation now uses constant time
83 * modular exponentiation for secret exponents
84 * by default. This flag causes the
85 * faster variable sliding window method to
86 * be used for all exponents.
87 */
88 81
89/* If this flag is set the DH method is FIPS compliant and can be used 82/* If this flag is set the DH method is FIPS compliant and can be used
90 * in FIPS mode. This is set in the validated module method. If an 83 * in FIPS mode. This is set in the validated module method. If an
diff --git a/src/lib/libssl/src/crypto/dh/dh_key.c b/src/lib/libssl/src/crypto/dh/dh_key.c
index 31bc7b3dfd..25e8968ef5 100644
--- a/src/lib/libssl/src/crypto/dh/dh_key.c
+++ b/src/lib/libssl/src/crypto/dh/dh_key.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: dh_key.c,v 1.23 2015/02/09 15:49:22 jsing Exp $ */ 1/* $OpenBSD: dh_key.c,v 1.24 2016/06/30 02:02:06 bcook Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -147,21 +147,16 @@ generate_key(DH *dh)
147 } 147 }
148 148
149 { 149 {
150 BIGNUM local_prk; 150 BIGNUM prk;
151 BIGNUM *prk;
152 151
153 if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) { 152 BN_with_flags(&prk, priv_key, BN_FLG_CONSTTIME);
154 BN_init(&local_prk);
155 prk = &local_prk;
156 BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
157 } else
158 prk = priv_key;
159 153
160 if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, prk, dh->p, ctx, 154 if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, &prk, dh->p, ctx,
161 mont)) 155 mont)) {
162 goto err; 156 goto err;
157 }
163 } 158 }
164 159
165 dh->pub_key = pub_key; 160 dh->pub_key = pub_key;
166 dh->priv_key = priv_key; 161 dh->priv_key = priv_key;
167 ok = 1; 162 ok = 1;
@@ -206,10 +201,9 @@ compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
206 if (dh->flags & DH_FLAG_CACHE_MONT_P) { 201 if (dh->flags & DH_FLAG_CACHE_MONT_P) {
207 mont = BN_MONT_CTX_set_locked(&dh->method_mont_p, 202 mont = BN_MONT_CTX_set_locked(&dh->method_mont_p,
208 CRYPTO_LOCK_DH, dh->p, ctx); 203 CRYPTO_LOCK_DH, dh->p, ctx);
209 if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) { 204
210 /* XXX */ 205 BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
211 BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME); 206
212 }
213 if (!mont) 207 if (!mont)
214 goto err; 208 goto err;
215 } 209 }
@@ -238,16 +232,7 @@ static int
238dh_bn_mod_exp(const DH *dh, BIGNUM *r, const BIGNUM *a, const BIGNUM *p, 232dh_bn_mod_exp(const DH *dh, BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
239 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx) 233 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
240{ 234{
241 /* 235 return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
242 * If a is only one word long and constant time is false, use the faster
243 * exponenentiation function.
244 */
245 if (a->top == 1 && (dh->flags & DH_FLAG_NO_EXP_CONSTTIME) != 0) {
246 BN_ULONG A = a->d[0];
247
248 return BN_mod_exp_mont_word(r, A, p, m, ctx, m_ctx);
249 } else
250 return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
251} 236}
252 237
253static int 238static int
diff --git a/src/lib/libssl/src/crypto/dsa/dsa.h b/src/lib/libssl/src/crypto/dsa/dsa.h
index f7f81cfa94..b4d7c1ff0f 100644
--- a/src/lib/libssl/src/crypto/dsa/dsa.h
+++ b/src/lib/libssl/src/crypto/dsa/dsa.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: dsa.h,v 1.20 2016/06/21 04:16:53 bcook Exp $ */ 1/* $OpenBSD: dsa.h,v 1.21 2016/06/30 02:02:06 bcook Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -89,9 +89,6 @@
89#endif 89#endif
90 90
91#define DSA_FLAG_CACHE_MONT_P 0x01 91#define DSA_FLAG_CACHE_MONT_P 0x01
92#define DSA_FLAG_NO_EXP_CONSTTIME 0x00 /* Does nothing. Previously this switched off
93 * constant time behaviour.
94 */
95 92
96/* If this flag is set the DSA method is FIPS compliant and can be used 93/* If this flag is set the DSA method is FIPS compliant and can be used
97 * in FIPS mode. This is set in the validated module method. If an 94 * in FIPS mode. This is set in the validated module method. If an
diff --git a/src/lib/libssl/src/crypto/dsa/dsa_key.c b/src/lib/libssl/src/crypto/dsa/dsa_key.c
index 4732c471ed..fc4eb9c433 100644
--- a/src/lib/libssl/src/crypto/dsa/dsa_key.c
+++ b/src/lib/libssl/src/crypto/dsa/dsa_key.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: dsa_key.c,v 1.21 2016/06/21 04:16:53 bcook Exp $ */ 1/* $OpenBSD: dsa_key.c,v 1.22 2016/06/30 02:02:06 bcook Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -104,18 +104,12 @@ dsa_builtin_keygen(DSA *dsa)
104 pub_key=dsa->pub_key; 104 pub_key=dsa->pub_key;
105 105
106 { 106 {
107 BIGNUM *prk = BN_new(); 107 BIGNUM prk;
108 108
109 if (prk == NULL) 109 BN_with_flags(&prk, priv_key, BN_FLG_CONSTTIME);
110 goto err;
111
112 BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
113 110
114 if (!BN_mod_exp(pub_key, dsa->g, prk, dsa->p, ctx)) { 111 if (!BN_mod_exp(pub_key, dsa->g, &prk, dsa->p, ctx))
115 BN_free(prk);
116 goto err; 112 goto err;
117 }
118 BN_free(prk);
119 } 113 }
120 114
121 dsa->priv_key = priv_key; 115 dsa->priv_key = priv_key;
diff --git a/src/lib/libssl/src/crypto/rsa/rsa.h b/src/lib/libssl/src/crypto/rsa/rsa.h
index 4045a6cbf3..d240294809 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa.h
+++ b/src/lib/libssl/src/crypto/rsa/rsa.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: rsa.h,v 1.27 2015/02/14 15:10:39 miod Exp $ */ 1/* $OpenBSD: rsa.h,v 1.28 2016/06/30 02:02:06 bcook Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -194,16 +194,6 @@ struct rsa_st {
194 */ 194 */
195#define RSA_FLAG_NO_BLINDING 0x0080 195#define RSA_FLAG_NO_BLINDING 0x0080
196 196
197/*
198 * The built-in RSA implementation uses constant time operations by default
199 * in private key operations, e.g., constant time modular exponentiation,
200 * modular inverse without leaking branches, division without leaking branches.
201 * This flag disables these constant time operations and results in faster RSA
202 * private key operations.
203 */
204#define RSA_FLAG_NO_CONSTTIME 0x0100
205
206
207#define EVP_PKEY_CTX_set_rsa_padding(ctx, pad) \ 197#define EVP_PKEY_CTX_set_rsa_padding(ctx, pad) \
208 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, -1, EVP_PKEY_CTRL_RSA_PADDING, \ 198 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, -1, EVP_PKEY_CTRL_RSA_PADDING, \
209 pad, NULL) 199 pad, NULL)
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_crpt.c b/src/lib/libssl/src/crypto/rsa/rsa_crpt.c
index 809dd14c92..b50e4a4a6f 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa_crpt.c
+++ b/src/lib/libssl/src/crypto/rsa/rsa_crpt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: rsa_crpt.c,v 1.14 2015/02/11 03:19:37 doug Exp $ */ 1/* $OpenBSD: rsa_crpt.c,v 1.15 2016/06/30 02:02:06 bcook Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -169,8 +169,8 @@ err:
169BN_BLINDING * 169BN_BLINDING *
170RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx) 170RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx)
171{ 171{
172 BIGNUM local_n; 172 BIGNUM *e;
173 BIGNUM *e, *n; 173 BIGNUM n;
174 BN_CTX *ctx; 174 BN_CTX *ctx;
175 BN_BLINDING *ret = NULL; 175 BN_BLINDING *ret = NULL;
176 176
@@ -192,15 +192,11 @@ RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx)
192 } else 192 } else
193 e = rsa->e; 193 e = rsa->e;
194 194
195 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 195 BN_with_flags(&n, rsa->n, BN_FLG_CONSTTIME);
196 /* Set BN_FLG_CONSTTIME flag */
197 n = &local_n;
198 BN_with_flags(n, rsa->n, BN_FLG_CONSTTIME);
199 } else
200 n = rsa->n;
201 196
202 ret = BN_BLINDING_create_param(NULL, e, n, ctx, rsa->meth->bn_mod_exp, 197 ret = BN_BLINDING_create_param(NULL, e, &n, ctx, rsa->meth->bn_mod_exp,
203 rsa->_method_mod_n); 198 rsa->_method_mod_n);
199
204 if (ret == NULL) { 200 if (ret == NULL) {
205 RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_BN_LIB); 201 RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_BN_LIB);
206 goto err; 202 goto err;
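Review bot: `n` is declared at new line 173 as an uninitialised automatic `BIGNUM` and handed straight to `BN_with_flags(&n, rsa->n, BN_FLG_CONSTTIME)` at new line 195; if BN_with_flags is still the bn.h macro that masks `dest->flags & BN_FLG_MALLOCED` before overwriting it, that is a read of an indeterminate field. The removed `BN_init(&local_d);` in RSA_eay_private_encrypt (rsa_eay.c) shows the old code guarded exactly this at one site, so an explicit `BN_init(&n);` before the BN_with_flags call keeps it well defined here, and the same applies to every stack BIGNUM this commit now passes to BN_with_flags in rsa_eay.c (d, p, q, c, dmp1, dmq1, pr1) and rsa_gen.c (pr0, d, p). Dropping the `/* Set BN_FLG_CONSTTIME flag */` comment also leaves the local copy unexplained; a line such as `/* n: shallow const-time view of rsa->n -- owns no memory, never BN_free() it */` would say why a local exists at all. RSA_setup_blinding's body starts and ends outside the hunk.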
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_eay.c b/src/lib/libssl/src/crypto/rsa/rsa_eay.c
index 76863e7220..6edfd7e5fd 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa_eay.c
+++ b/src/lib/libssl/src/crypto/rsa/rsa_eay.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: rsa_eay.c,v 1.40 2015/09/10 15:56:25 jsing Exp $ */ 1/* $OpenBSD: rsa_eay.c,v 1.41 2016/06/30 02:02:06 bcook Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -177,11 +177,13 @@ RSA_eay_public_encrypt(int flen, const unsigned char *from, unsigned char *to,
177 177
178 if ((ctx = BN_CTX_new()) == NULL) 178 if ((ctx = BN_CTX_new()) == NULL)
179 goto err; 179 goto err;
180
180 BN_CTX_start(ctx); 181 BN_CTX_start(ctx);
181 f = BN_CTX_get(ctx); 182 f = BN_CTX_get(ctx);
182 ret = BN_CTX_get(ctx); 183 ret = BN_CTX_get(ctx);
183 num = BN_num_bytes(rsa->n); 184 num = BN_num_bytes(rsa->n);
184 buf = malloc(num); 185 buf = malloc(num);
186
185 if (f == NULL || ret == NULL || buf == NULL) { 187 if (f == NULL || ret == NULL || buf == NULL) {
186 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, ERR_R_MALLOC_FAILURE); 188 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, ERR_R_MALLOC_FAILURE);
187 goto err; 189 goto err;
@@ -362,11 +364,13 @@ RSA_eay_private_encrypt(int flen, const unsigned char *from, unsigned char *to,
362 364
363 if ((ctx = BN_CTX_new()) == NULL) 365 if ((ctx = BN_CTX_new()) == NULL)
364 goto err; 366 goto err;
367
365 BN_CTX_start(ctx); 368 BN_CTX_start(ctx);
366 f = BN_CTX_get(ctx); 369 f = BN_CTX_get(ctx);
367 ret = BN_CTX_get(ctx); 370 ret = BN_CTX_get(ctx);
368 num = BN_num_bytes(rsa->n); 371 num = BN_num_bytes(rsa->n);
369 buf = malloc(num); 372 buf = malloc(num);
373
370 if (f == NULL || ret == NULL || buf == NULL) { 374 if (f == NULL || ret == NULL || buf == NULL) {
371 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE); 375 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE);
372 goto err; 376 goto err;
@@ -426,24 +430,19 @@ RSA_eay_private_encrypt(int flen, const unsigned char *from, unsigned char *to,
426 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) 430 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
427 goto err; 431 goto err;
428 } else { 432 } else {
429 BIGNUM local_d; 433 BIGNUM d;
430 BIGNUM *d = NULL;
431 434
432 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 435 BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME);
433 BN_init(&local_d);
434 d = &local_d;
435 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
436 } else
437 d = rsa->d;
438 436
439 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 437 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
440 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, 438 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
441 CRYPTO_LOCK_RSA, rsa->n, ctx)) 439 CRYPTO_LOCK_RSA, rsa->n, ctx))
442 goto err; 440 goto err;
443 441
444 if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx, 442 if (!rsa->meth->bn_mod_exp(ret, f, &d, rsa->n, ctx,
445 rsa->_method_mod_n)) 443 rsa->_method_mod_n)) {
446 goto err; 444 goto err;
445 }
447 } 446 }
448 447
449 if (blinding) 448 if (blinding)
@@ -499,11 +498,13 @@ RSA_eay_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
499 498
500 if ((ctx = BN_CTX_new()) == NULL) 499 if ((ctx = BN_CTX_new()) == NULL)
501 goto err; 500 goto err;
501
502 BN_CTX_start(ctx); 502 BN_CTX_start(ctx);
503 f = BN_CTX_get(ctx); 503 f = BN_CTX_get(ctx);
504 ret = BN_CTX_get(ctx); 504 ret = BN_CTX_get(ctx);
505 num = BN_num_bytes(rsa->n); 505 num = BN_num_bytes(rsa->n);
506 buf = malloc(num); 506 buf = malloc(num);
507
507 if (!f || !ret || !buf) { 508 if (!f || !ret || !buf) {
508 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE); 509 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE);
509 goto err; 510 goto err;
@@ -553,22 +554,19 @@ RSA_eay_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
553 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) 554 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
554 goto err; 555 goto err;
555 } else { 556 } else {
556 BIGNUM local_d; 557 BIGNUM d;
557 BIGNUM *d = NULL;
558 558
559 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 559 BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME);
560 d = &local_d;
561 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
562 } else
563 d = rsa->d;
564 560
565 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) 561 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
566 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, 562 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
567 CRYPTO_LOCK_RSA, rsa->n, ctx)) 563 CRYPTO_LOCK_RSA, rsa->n, ctx))
568 goto err; 564 goto err;
569 if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx, 565
570 rsa->_method_mod_n)) 566 if (!rsa->meth->bn_mod_exp(ret, f, &d, rsa->n, ctx,
567 rsa->_method_mod_n)) {
571 goto err; 568 goto err;
569 }
572 } 570 }
573 571
574 if (blinding) 572 if (blinding)
@@ -645,11 +643,13 @@ RSA_eay_public_decrypt(int flen, const unsigned char *from, unsigned char *to,
645 643
646 if ((ctx = BN_CTX_new()) == NULL) 644 if ((ctx = BN_CTX_new()) == NULL)
647 goto err; 645 goto err;
646
648 BN_CTX_start(ctx); 647 BN_CTX_start(ctx);
649 f = BN_CTX_get(ctx); 648 f = BN_CTX_get(ctx);
650 ret = BN_CTX_get(ctx); 649 ret = BN_CTX_get(ctx);
651 num = BN_num_bytes(rsa->n); 650 num = BN_num_bytes(rsa->n);
652 buf = malloc(num); 651 buf = malloc(num);
652
653 if (!f || !ret || !buf) { 653 if (!f || !ret || !buf) {
654 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, ERR_R_MALLOC_FAILURE); 654 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, ERR_R_MALLOC_FAILURE);
655 goto err; 655 goto err;
@@ -723,8 +723,7 @@ static int
723RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) 723RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
724{ 724{
725 BIGNUM *r1, *m1, *vrfy; 725 BIGNUM *r1, *m1, *vrfy;
726 BIGNUM local_dmp1, local_dmq1, local_c, local_r1; 726 BIGNUM dmp1, dmq1, c, pr1;
727 BIGNUM *dmp1, *dmq1, *c, *pr1;
728 int ret = 0; 727 int ret = 0;
729 728
730 BN_CTX_start(ctx); 729 BN_CTX_start(ctx);
@@ -737,33 +736,22 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
737 } 736 }
738 737
739 { 738 {
740 BIGNUM local_p, local_q; 739 BIGNUM p, q;
741 BIGNUM *p = NULL, *q = NULL;
742 740
743 /* 741 /*
744 * Make sure BN_mod_inverse in Montgomery intialization uses the 742 * Make sure BN_mod_inverse in Montgomery intialization uses the
745 * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set) 743 * BN_FLG_CONSTTIME flag
746 */ 744 */
747 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 745 BN_with_flags(&p, rsa->p, BN_FLG_CONSTTIME);
748 BN_init(&local_p); 746 BN_with_flags(&q, rsa->q, BN_FLG_CONSTTIME);
749 p = &local_p;
750 BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
751
752 BN_init(&local_q);
753 q = &local_q;
754 BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
755 } else {
756 p = rsa->p;
757 q = rsa->q;
758 }
759 747
760 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) { 748 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) {
761 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, 749 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p,
762 CRYPTO_LOCK_RSA, p, ctx)) 750 CRYPTO_LOCK_RSA, &p, ctx) ||
763 goto err; 751 !BN_MONT_CTX_set_locked(&rsa->_method_mod_q,
764 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q, 752 CRYPTO_LOCK_RSA, &q, ctx)) {
765 CRYPTO_LOCK_RSA, q, ctx))
766 goto err; 753 goto err;
754 }
767 } 755 }
768 } 756 }
769 757
@@ -773,49 +761,34 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
773 goto err; 761 goto err;
774 762
775 /* compute I mod q */ 763 /* compute I mod q */
776 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 764 BN_with_flags(&c, I, BN_FLG_CONSTTIME);
777 c = &local_c; 765
778 BN_with_flags(c, I, BN_FLG_CONSTTIME); 766 if (!BN_mod(r1, &c, rsa->q, ctx))
779 if (!BN_mod(r1, c, rsa->q, ctx)) 767 goto err;
780 goto err;
781 } else {
782 if (!BN_mod(r1, I, rsa->q, ctx))
783 goto err;
784 }
785 768
786 /* compute r1^dmq1 mod q */ 769 /* compute r1^dmq1 mod q */
787 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 770 BN_with_flags(&dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
788 dmq1 = &local_dmq1; 771
789 BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME); 772 if (!rsa->meth->bn_mod_exp(m1, r1, &dmq1, rsa->q, ctx,
790 } else
791 dmq1 = rsa->dmq1;
792 if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx,
793 rsa->_method_mod_q)) 773 rsa->_method_mod_q))
794 goto err; 774 goto err;
795 775
796 /* compute I mod p */ 776 /* compute I mod p */
797 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 777 BN_with_flags(&c, I, BN_FLG_CONSTTIME);
798 c = &local_c; 778
799 BN_with_flags(c, I, BN_FLG_CONSTTIME); 779 if (!BN_mod(r1, &c, rsa->p, ctx))
800 if (!BN_mod(r1, c, rsa->p, ctx)) 780 goto err;
801 goto err;
802 } else {
803 if (!BN_mod(r1, I, rsa->p, ctx))
804 goto err;
805 }
806 781
807 /* compute r1^dmp1 mod p */ 782 /* compute r1^dmp1 mod p */
808 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 783 BN_with_flags(&dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
809 dmp1 = &local_dmp1; 784
810 BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME); 785 if (!rsa->meth->bn_mod_exp(r0, r1, &dmp1, rsa->p, ctx,
811 } else
812 dmp1 = rsa->dmp1;
813 if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p, ctx,
814 rsa->_method_mod_p)) 786 rsa->_method_mod_p))
815 goto err; 787 goto err;
816 788
817 if (!BN_sub(r0, r0, m1)) 789 if (!BN_sub(r0, r0, m1))
818 goto err; 790 goto err;
791
819 /* 792 /*
820 * This will help stop the size of r0 increasing, which does 793 * This will help stop the size of r0 increasing, which does
821 * affect the multiply if it optimised for a power of 2 size 794 * affect the multiply if it optimised for a power of 2 size
@@ -828,12 +801,9 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
828 goto err; 801 goto err;
829 802
830 /* Turn BN_FLG_CONSTTIME flag on before division operation */ 803 /* Turn BN_FLG_CONSTTIME flag on before division operation */
831 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 804 BN_with_flags(&pr1, r1, BN_FLG_CONSTTIME);
832 pr1 = &local_r1; 805
833 BN_with_flags(pr1, r1, BN_FLG_CONSTTIME); 806 if (!BN_mod(r0, &pr1, rsa->p, ctx))
834 } else
835 pr1 = r1;
836 if (!BN_mod(r0, pr1, rsa->p, ctx))
837 goto err; 807 goto err;
838 808
839 /* 809 /*
@@ -875,18 +845,14 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
875 * miscalculated CRT output, just do a raw (slower) 845 * miscalculated CRT output, just do a raw (slower)
876 * mod_exp and return that instead. 846 * mod_exp and return that instead.
877 */ 847 */
848 BIGNUM d;
878 849
879 BIGNUM local_d; 850 BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME);
880 BIGNUM *d = NULL;
881 851
882 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 852 if (!rsa->meth->bn_mod_exp(r0, I, &d, rsa->n, ctx,
883 d = &local_d; 853 rsa->_method_mod_n)) {
884 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
885 } else
886 d = rsa->d;
887 if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx,
888 rsa->_method_mod_n))
889 goto err; 854 goto err;
855 }
890 } 856 }
891 } 857 }
892 ret = 1; 858 ret = 1;
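Review bot: In RSA_eay_mod_exp the second `BN_with_flags(&c, I, BN_FLG_CONSTTIME);` at new line 777 repeats the one at new line 764 with `c` untouched in between — `BN_mod` and `bn_mod_exp` take their inputs as const and `I` itself is `const BIGNUM *` — so one view suffices and the repeat can go. The same shallow-view idiom is now used without any comment in RSA_eay_private_encrypt, RSA_eay_private_decrypt and the CRT fallback; a one-liner at the first declaration, e.g. `/* d: shallow const-time view of rsa->d; owns nothing, must not be freed */`, would stop a later maintainer from "fixing" the missing BN_free. The retained comment at new line 742 still reads "intialization". RSA_eay_mod_exp and the three encrypt/decrypt functions all start and end outside their hunks.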
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_gen.c b/src/lib/libssl/src/crypto/rsa/rsa_gen.c
index f6f051c442..d46f4f2478 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa_gen.c
+++ b/src/lib/libssl/src/crypto/rsa/rsa_gen.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: rsa_gen.c,v 1.17 2015/02/09 15:49:22 jsing Exp $ */ 1/* $OpenBSD: rsa_gen.c,v 1.18 2016/06/30 02:02:06 bcook Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -90,8 +90,7 @@ static int
90rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) 90rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
91{ 91{
92 BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp; 92 BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp;
93 BIGNUM local_r0, local_d, local_p; 93 BIGNUM pr0, d, p;
94 BIGNUM *pr0, *d, *p;
95 int bitsp, bitsq, ok = -1, n = 0; 94 int bitsp, bitsq, ok = -1, n = 0;
96 BN_CTX *ctx = NULL; 95 BN_CTX *ctx = NULL;
97 96
@@ -193,36 +192,26 @@ rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
193 goto err; 192 goto err;
194 if (!BN_mul(r0, r1, r2, ctx)) /* (p-1)(q-1) */ 193 if (!BN_mul(r0, r1, r2, ctx)) /* (p-1)(q-1) */
195 goto err; 194 goto err;
196 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 195
197 pr0 = &local_r0; 196 BN_with_flags(&pr0, r0, BN_FLG_CONSTTIME);
198 BN_with_flags(pr0, r0, BN_FLG_CONSTTIME); 197
199 } else 198 if (!BN_mod_inverse(rsa->d, rsa->e, &pr0, ctx)) /* d */
200 pr0 = r0;
201 if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx)) /* d */
202 goto err; 199 goto err;
203 200
204 /* set up d for correct BN_FLG_CONSTTIME flag */ 201 /* set up d for correct BN_FLG_CONSTTIME flag */
205 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 202 BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME);
206 d = &local_d;
207 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
208 } else
209 d = rsa->d;
210 203
211 /* calculate d mod (p-1) */ 204 /* calculate d mod (p-1) */
212 if (!BN_mod(rsa->dmp1, d, r1, ctx)) 205 if (!BN_mod(rsa->dmp1, &d, r1, ctx))
213 goto err; 206 goto err;
214 207
215 /* calculate d mod (q-1) */ 208 /* calculate d mod (q-1) */
216 if (!BN_mod(rsa->dmq1, d, r2, ctx)) 209 if (!BN_mod(rsa->dmq1, &d, r2, ctx))
217 goto err; 210 goto err;
218 211
219 /* calculate inverse of q mod p */ 212 /* calculate inverse of q mod p */
220 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { 213 BN_with_flags(&p, rsa->p, BN_FLG_CONSTTIME);
221 p = &local_p; 214 if (!BN_mod_inverse(rsa->iqmp, rsa->q, &p, ctx))
222 BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
223 } else
224 p = rsa->p;
225 if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx))
226 goto err; 215 goto err;
227 216
228 ok = 1; 217 ok = 1;
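Review bot: The `p` view at new line 213 runs straight into the `BN_mod_inverse` call without the blank line that separates every other `BN_with_flags` from its use in this commit, and `pr0` and `p` get no comment while `d` keeps `/* set up d for correct BN_FLG_CONSTTIME flag */`. A matching line such as `/* pr0, p: const-time views so BN_mod_inverse takes its constant-time path */` at the first view would keep the three sites uniform. `pr0` aliases the BN_CTX temporary `r0`, so it is only valid until the enclosing BN_CTX_end; rsa_builtin_keygen's body starts and ends outside the hunk.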