Rework BN_exp() a bit

This mostly only cleans up the mess that it was - which doesn't stand out because of the horror that lurks in the rest of this file. It avoids copying the partial calculation out on error and does away with some other weirdness. with/ok jsing
author: tb <> 2023-03-30 14:21:10 +0000
committer: tb <> 2023-03-30 14:21:10 +0000
commit: 442c5fe3daa0d9f181641db965afd2bf416fb83f (patch)
tree: 249491021e280cbe0602487f4b991e83e5282f3b /src
parent: 96037c9aac6865829a4f6bfd58737e272909ed64 (diff)
download: openbsd-442c5fe3daa0d9f181641db965afd2bf416fb83f.tar.gz
openbsd-442c5fe3daa0d9f181641db965afd2bf416fb83f.tar.bz2
openbsd-442c5fe3daa0d9f181641db965afd2bf416fb83f.zip
1 files changed, 28 insertions, 27 deletions
diff --git a/src/lib/libcrypto/bn/bn_exp.c b/src/lib/libcrypto/bn/bn_exp.c
index 4e90d5d871..ff9933578c 100644
--- a/src/lib/libcrypto/bn/bn_exp.c
+++ b/src/lib/libcrypto/bn/bn_exp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_exp.c,v 1.44 2023/03/27 10:25:02 tb Exp $ */
+/* $OpenBSD: bn_exp.c,v 1.45 2023/03/30 14:21:10 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -120,57 +120,58 @@
 /* maximum precomputation table size for *variable* sliding windows */
 #define TABLE_SIZE      32
-/* this one works - simple but works */
+/* Calculates r = a^p by successive squaring of a. Not constant time. */
 int
 BN_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
 {
-        int i, bits, ret = 0;
+        BIGNUM *rr, *v;
-        BIGNUM *v, *rr;
+        int i;
+        int ret = 0;
        if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0) {
-                /* BN_FLG_CONSTTIME only supported by BN_mod_exp_mont() */
                BNerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
                return -1;
        }
        BN_CTX_start(ctx);
-        if ((r == a) || (r == p))
-                rr = BN_CTX_get(ctx);
+        if ((v = BN_CTX_get(ctx)) == NULL)
-        else
-                rr = r;
-        v = BN_CTX_get(ctx);
-        if (rr == NULL || v == NULL)
                goto err;
-        if (!bn_copy(v, a))
+        rr = r;
+        if (r == a || r == p)
+                rr = BN_CTX_get(ctx);
+        if (rr == NULL)
                goto err;
-        bits = BN_num_bits(p);
+        if (!BN_one(rr))
+                goto err;
        if (BN_is_odd(p)) {
                if (!bn_copy(rr, a))
                        goto err;
-        } else {
-                if (!BN_one(rr))
-                        goto err;
        }
-        for (i = 1; i < bits; i++) {
+        if (!bn_copy(v, a))
+                goto err;
+        for (i = 1; i < BN_num_bits(p); i++) {
                if (!BN_sqr(v, v, ctx))
                        goto err;
-                if (BN_is_bit_set(p, i)) {
+                if (!BN_is_bit_set(p, i))
-                        if (!BN_mul(rr, rr, v, ctx))
+                        continue;
-                                goto err;
+                if (!BN_mul(rr, rr, v, ctx))
-                }
+                        goto err;
        }
+        if (!bn_copy(r, rr))
+                goto err;
        ret = 1;
-err:
+ err:
-        if (r != rr && rr != NULL) {
-                if (!bn_copy(r, rr))
-                        ret = 0;
-        }
        BN_CTX_end(ctx);
-        return (ret);
+        return ret;
 }
 /* The old fallback, simple version :-) */
author	tb <>	2023-03-30 14:21:10 +0000
committer	tb <>	2023-03-30 14:21:10 +0000
commit	442c5fe3daa0d9f181641db965afd2bf416fb83f (patch)
tree	249491021e280cbe0602487f4b991e83e5282f3b /src
parent	96037c9aac6865829a4f6bfd58737e272909ed64 (diff)
download	openbsd-442c5fe3daa0d9f181641db965afd2bf416fb83f.tar.gz openbsd-442c5fe3daa0d9f181641db965afd2bf416fb83f.tar.bz2 openbsd-442c5fe3daa0d9f181641db965afd2bf416fb83f.zip

diff --git a/src/lib/libcrypto/bn/bn_exp.c b/src/lib/libcrypto/bn/bn_exp.c index 4e90d5d871..ff9933578c 100644 --- a/src/lib/libcrypto/bn/bn_exp.c +++ b/src/lib/libcrypto/bn/bn_exp.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: bn_exp.c,v 1.44 2023/03/27 10:25:02 tb Exp $ */	1	/* $OpenBSD: bn_exp.c,v 1.45 2023/03/30 14:21:10 tb Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -120,57 +120,58 @@
120	/* maximum precomputation table size for variable sliding windows */	120	/* maximum precomputation table size for variable sliding windows */
121	#define TABLE_SIZE 32	121	#define TABLE_SIZE 32
122		122
123	/* this one works - simple but works */	123	/* Calculates r = a^p by successive squaring of a. Not constant time. */
124	int	124	int
125	BN_exp(BIGNUM r, const BIGNUM a, const BIGNUM p, BN_CTX ctx)	125	BN_exp(BIGNUM r, const BIGNUM a, const BIGNUM p, BN_CTX ctx)
126	{	126	{
127	int i, bits, ret = 0;	127	BIGNUM rr, v;
128	BIGNUM v, rr;	128	int i;
		129	int ret = 0;
129		130
130	if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0) {	131	if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0) {
131	/* BN_FLG_CONSTTIME only supported by BN_mod_exp_mont() */
132	BNerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);	132	BNerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
133	return -1;	133	return -1;
134	}	134	}
135		135
136	BN_CTX_start(ctx);	136	BN_CTX_start(ctx);
137	if ((r == a) \|\| (r == p))	137
138	rr = BN_CTX_get(ctx);	138	if ((v = BN_CTX_get(ctx)) == NULL)
139	else
140	rr = r;
141	v = BN_CTX_get(ctx);
142	if (rr == NULL \|\| v == NULL)
143	goto err;	139	goto err;
144		140
145	if (!bn_copy(v, a))	141	rr = r;
		142	if (r == a \|\| r == p)
		143	rr = BN_CTX_get(ctx);
		144	if (rr == NULL)
146	goto err;	145	goto err;
147	bits = BN_num_bits(p);
148		146
		147	if (!BN_one(rr))
		148	goto err;
149	if (BN_is_odd(p)) {	149	if (BN_is_odd(p)) {
150	if (!bn_copy(rr, a))	150	if (!bn_copy(rr, a))
151	goto err;	151	goto err;
152	} else {
153	if (!BN_one(rr))
154	goto err;
155	}	152	}
156		153
157	for (i = 1; i < bits; i++) {	154	if (!bn_copy(v, a))
		155	goto err;
		156
		157	for (i = 1; i < BN_num_bits(p); i++) {
158	if (!BN_sqr(v, v, ctx))	158	if (!BN_sqr(v, v, ctx))
159	goto err;	159	goto err;
160	if (BN_is_bit_set(p, i)) {	160	if (!BN_is_bit_set(p, i))
161	if (!BN_mul(rr, rr, v, ctx))	161	continue;
162	goto err;	162	if (!BN_mul(rr, rr, v, ctx))
163	}	163	goto err;
164	}	164	}
		165
		166	if (!bn_copy(r, rr))
		167	goto err;
		168
165	ret = 1;	169	ret = 1;
166		170
167	err:	171	err:
168	if (r != rr && rr != NULL) {
169	if (!bn_copy(r, rr))
170	ret = 0;
171	}
172	BN_CTX_end(ctx);	172	BN_CTX_end(ctx);
173	return (ret);	173
		174	return ret;
174	}	175	}
175		176
176	/* The old fallback, simple version :-) */	177	/* The old fallback, simple version :-) */