Diffstat (limited to '')
| -rw-r--r-- | src/lib/libcrypto/bn/bn_exp.c | 55 |
1 files changed, 28 insertions, 27 deletions
diff --git a/src/lib/libcrypto/bn/bn_exp.c b/src/lib/libcrypto/bn/bn_exp.c index 4e90d5d871..ff9933578c 100644 --- a/src/lib/libcrypto/bn/bn_exp.c +++ b/src/lib/libcrypto/bn/bn_exp.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: bn_exp.c,v 1.44 2023/03/27 10:25:02 tb Exp $ */ | 1 | /* $OpenBSD: bn_exp.c,v 1.45 2023/03/30 14:21:10 tb Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -120,57 +120,58 @@ | |||
| 120 | /* maximum precomputation table size for *variable* sliding windows */ | 120 | /* maximum precomputation table size for *variable* sliding windows */ |
| 121 | #define TABLE_SIZE 32 | 121 | #define TABLE_SIZE 32 |
| 122 | 122 | ||
| 123 | /* this one works - simple but works */ | 123 | /* Calculates r = a^p by successive squaring of a. Not constant time. */ |
| 124 | int | 124 | int |
| 125 | BN_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) | 125 | BN_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) |
| 126 | { | 126 | { |
| 127 | int i, bits, ret = 0; | 127 | BIGNUM *rr, *v; |
| 128 | BIGNUM *v, *rr; | 128 | int i; |
| 129 | int ret = 0; | ||
| 129 | 130 | ||
| 130 | if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0) { | 131 | if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0) { |
| 131 | /* BN_FLG_CONSTTIME only supported by BN_mod_exp_mont() */ | ||
| 132 | BNerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); | 132 | BNerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); |
| 133 | return -1; | 133 | return -1; |
| 134 | } | 134 | } |
| 135 | 135 | ||
| 136 | BN_CTX_start(ctx); | 136 | BN_CTX_start(ctx); |
| 137 | if ((r == a) || (r == p)) | 137 | |
| 138 | rr = BN_CTX_get(ctx); | 138 | if ((v = BN_CTX_get(ctx)) == NULL) |
| 139 | else | ||
| 140 | rr = r; | ||
| 141 | v = BN_CTX_get(ctx); | ||
| 142 | if (rr == NULL || v == NULL) | ||
| 143 | goto err; | 139 | goto err; |
| 144 | 140 | ||
| 145 | if (!bn_copy(v, a)) | 141 | rr = r; |
| 142 | if (r == a || r == p) | ||
| 143 | rr = BN_CTX_get(ctx); | ||
| 144 | if (rr == NULL) | ||
| 146 | goto err; | 145 | goto err; |
| 147 | bits = BN_num_bits(p); | ||
| 148 | 146 | ||
| 147 | if (!BN_one(rr)) | ||
| 148 | goto err; | ||
| 149 | if (BN_is_odd(p)) { | 149 | if (BN_is_odd(p)) { |
| 150 | if (!bn_copy(rr, a)) | 150 | if (!bn_copy(rr, a)) |
| 151 | goto err; | 151 | goto err; |
| 152 | } else { | ||
| 153 | if (!BN_one(rr)) | ||
| 154 | goto err; | ||
| 155 | } | 152 | } |
| 156 | 153 | ||
| 157 | for (i = 1; i < bits; i++) { | 154 | if (!bn_copy(v, a)) |
| 155 | goto err; | ||
| 156 | |||
| 157 | for (i = 1; i < BN_num_bits(p); i++) { | ||
| 158 | if (!BN_sqr(v, v, ctx)) | 158 | if (!BN_sqr(v, v, ctx)) |
| 159 | goto err; | 159 | goto err; |
| 160 | if (BN_is_bit_set(p, i)) { | 160 | if (!BN_is_bit_set(p, i)) |
| 161 | if (!BN_mul(rr, rr, v, ctx)) | 161 | continue; |
| 162 | goto err; | 162 | if (!BN_mul(rr, rr, v, ctx)) |
| 163 | } | 163 | goto err; |
| 164 | } | 164 | } |
| 165 | |||
| 166 | if (!bn_copy(r, rr)) | ||
| 167 | goto err; | ||
| 168 | |||
| 165 | ret = 1; | 169 | ret = 1; |
| 166 | 170 | ||
| 167 | err: | 171 | err: |
| 168 | if (r != rr && rr != NULL) { | ||
| 169 | if (!bn_copy(r, rr)) | ||
| 170 | ret = 0; | ||
| 171 | } | ||
| 172 | BN_CTX_end(ctx); | 172 | BN_CTX_end(ctx); |
| 173 | return (ret); | 173 | |
| 174 | return ret; | ||
| 174 | } | 175 | } |
| 175 | 176 | ||
| 176 | /* The old fallback, simple version :-) */ | 177 | /* The old fallback, simple version :-) */ |
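Review bot: The new header comment on line 123 warns only "Not constant time", but the caveat callers actually need is that the result is unreduced: every BN_sqr() in the loop doubles the bit length of v, so a^p ends up with roughly BN_num_bits(a) * p bits, and an exponent chosen by an attacker exhausts memory (surfacing as a bare 0 return from a failed expansion) long before the loop finishes. I would extend the comment to `/* Calculates r = a^p by successive squaring of a. Not constant time. */` followed by `/* The result is unreduced (about BN_num_bits(a) * p bits): p must be small and never attacker controlled; use BN_mod_exp*() otherwise. */`. A smaller point of style: the old code hoisted `bits = BN_num_bits(p)` and the new loop re-evaluates it on every iteration; that is harmless since p is const and rr is redirected to a scratch BIGNUM whenever r == p, but a `const int bits = BN_num_bits(p);` before the loop reads as clearly intentional. Note too that the BN_FLG_CONSTTIME branch still returns -1 while every other failure returns 0, so a caller written as `if (!BN_exp(...))` treats the flagged call as success with r untouched; this predates the commit and matches the upstream API, so it only merits a line in the comment.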
