1 files changed, 28 insertions, 27 deletions
diff --git a/src/lib/libcrypto/bn/bn_exp.c b/src/lib/libcrypto/bn/bn_exp.c
index 4e90d5d871..ff9933578c 100644
--- a/src/lib/libcrypto/bn/bn_exp.c
+++ b/src/lib/libcrypto/bn/bn_exp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_exp.c,v 1.44 2023/03/27 10:25:02 tb Exp $ */
+/* $OpenBSD: bn_exp.c,v 1.45 2023/03/30 14:21:10 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -120,57 +120,58 @@
 /* maximum precomputation table size for *variable* sliding windows */
 #define TABLE_SIZE      32
-/* this one works - simple but works */
+/* Calculates r = a^p by successive squaring of a. Not constant time. */
 int
 BN_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
 {
-        int i, bits, ret = 0;
+        BIGNUM *rr, *v;
-        BIGNUM *v, *rr;
+        int i;
+        int ret = 0;
        if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0) {
-                /* BN_FLG_CONSTTIME only supported by BN_mod_exp_mont() */
                BNerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
                return -1;
        }
        BN_CTX_start(ctx);
-        if ((r == a) || (r == p))
-                rr = BN_CTX_get(ctx);
+        if ((v = BN_CTX_get(ctx)) == NULL)
-        else
-                rr = r;
-        v = BN_CTX_get(ctx);
-        if (rr == NULL || v == NULL)
                goto err;
-        if (!bn_copy(v, a))
+        rr = r;
+        if (r == a || r == p)
+                rr = BN_CTX_get(ctx);
+        if (rr == NULL)
                goto err;
-        bits = BN_num_bits(p);
+        if (!BN_one(rr))
+                goto err;
        if (BN_is_odd(p)) {
                if (!bn_copy(rr, a))
                        goto err;
-        } else {
-                if (!BN_one(rr))
-                        goto err;
        }
-        for (i = 1; i < bits; i++) {
+        if (!bn_copy(v, a))
+                goto err;
+        for (i = 1; i < BN_num_bits(p); i++) {
                if (!BN_sqr(v, v, ctx))
                        goto err;
-                if (BN_is_bit_set(p, i)) {
+                if (!BN_is_bit_set(p, i))
-                        if (!BN_mul(rr, rr, v, ctx))
+                        continue;
-                                goto err;
+                if (!BN_mul(rr, rr, v, ctx))
-                }
+                        goto err;
        }
+        if (!bn_copy(r, rr))
+                goto err;
        ret = 1;
-err:
+ err:
-        if (r != rr && rr != NULL) {
-                if (!bn_copy(r, rr))
-                        ret = 0;
-        }
        BN_CTX_end(ctx);
-        return (ret);
+        return ret;
 }
 /* The old fallback, simple version :-) */

diff --git a/src/lib/libcrypto/bn/bn_exp.c b/src/lib/libcrypto/bn/bn_exp.c index 4e90d5d871..ff9933578c 100644 --- a/src/lib/libcrypto/bn/bn_exp.c +++ b/src/lib/libcrypto/bn/bn_exp.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: bn_exp.c,v 1.44 2023/03/27 10:25:02 tb Exp $ */	1	/* $OpenBSD: bn_exp.c,v 1.45 2023/03/30 14:21:10 tb Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -120,57 +120,58 @@
120	/* maximum precomputation table size for variable sliding windows */	120	/* maximum precomputation table size for variable sliding windows */
121	#define TABLE_SIZE 32	121	#define TABLE_SIZE 32
122		122
123	/* this one works - simple but works */	123	/* Calculates r = a^p by successive squaring of a. Not constant time. */
124	int	124	int
125	BN_exp(BIGNUM r, const BIGNUM a, const BIGNUM p, BN_CTX ctx)	125	BN_exp(BIGNUM r, const BIGNUM a, const BIGNUM p, BN_CTX ctx)
126	{	126	{
127	int i, bits, ret = 0;	127	BIGNUM rr, v;
128	BIGNUM v, rr;	128	int i;
		129	int ret = 0;
129		130
130	if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0) {	131	if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0) {
131	/* BN_FLG_CONSTTIME only supported by BN_mod_exp_mont() */
132	BNerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);	132	BNerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
133	return -1;	133	return -1;
134	}	134	}
135		135
136	BN_CTX_start(ctx);	136	BN_CTX_start(ctx);
137	if ((r == a) \|\| (r == p))	137
138	rr = BN_CTX_get(ctx);	138	if ((v = BN_CTX_get(ctx)) == NULL)
139	else
140	rr = r;
141	v = BN_CTX_get(ctx);
142	if (rr == NULL \|\| v == NULL)
143	goto err;	139	goto err;
144		140
145	if (!bn_copy(v, a))	141	rr = r;
		142	if (r == a \|\| r == p)
		143	rr = BN_CTX_get(ctx);
		144	if (rr == NULL)
146	goto err;	145	goto err;
147	bits = BN_num_bits(p);
148		146
		147	if (!BN_one(rr))
		148	goto err;
149	if (BN_is_odd(p)) {	149	if (BN_is_odd(p)) {
150	if (!bn_copy(rr, a))	150	if (!bn_copy(rr, a))
151	goto err;	151	goto err;
152	} else {
153	if (!BN_one(rr))
154	goto err;
155	}	152	}
156		153
157	for (i = 1; i < bits; i++) {	154	if (!bn_copy(v, a))
		155	goto err;
		156
		157	for (i = 1; i < BN_num_bits(p); i++) {
158	if (!BN_sqr(v, v, ctx))	158	if (!BN_sqr(v, v, ctx))
159	goto err;	159	goto err;
160	if (BN_is_bit_set(p, i)) {	160	if (!BN_is_bit_set(p, i))
161	if (!BN_mul(rr, rr, v, ctx))	161	continue;
162	goto err;	162	if (!BN_mul(rr, rr, v, ctx))
163	}	163	goto err;
164	}	164	}
		165
		166	if (!bn_copy(r, rr))
		167	goto err;
		168
165	ret = 1;	169	ret = 1;
166		170
167	err:	171	err:
168	if (r != rr && rr != NULL) {
169	if (!bn_copy(r, rr))
170	ret = 0;
171	}
172	BN_CTX_end(ctx);	172	BN_CTX_end(ctx);
173	return (ret);	173
		174	return ret;
174	}	175	}
175		176
176	/* The old fallback, simple version :-) */	177	/* The old fallback, simple version :-) */