1 files changed, 133 insertions, 17 deletions
diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c
index 0eda816081..027b4dc754 100644
--- a/src/lib/libcrypto/rsa/rsa_eay.c
+++ b/src/lib/libcrypto/rsa/rsa_eay.c
@@ -61,7 +61,6 @@
 #include <openssl/bn.h>
 #include <openssl/rsa.h>
 #include <openssl/rand.h>
-#include <openssl/engine.h>
 #ifndef RSA_NULL
@@ -187,12 +186,65 @@ err:
        BN_clear_free(&ret);
        if (buf != NULL) 
                {
-                memset(buf,0,num);
+                OPENSSL_cleanse(buf,num);
                OPENSSL_free(buf);
                }
        return(r);
        }
+static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx)
+        {
+        int ret = 1;
+        CRYPTO_w_lock(CRYPTO_LOCK_RSA);
+        /* Check again inside the lock - the macro's check is racey */
+        if(rsa->blinding == NULL)
+                ret = RSA_blinding_on(rsa, ctx);
+        CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
+        return ret;
+        }
+#define BLINDING_HELPER(rsa, ctx, err_instr) \
+        do { \
+                if((!((rsa)->flags & RSA_FLAG_NO_BLINDING)) && \
+                    ((rsa)->blinding == NULL) && \
+                    !rsa_eay_blinding(rsa, ctx)) \
+                    err_instr \
+        } while(0)
+static BN_BLINDING *setup_blinding(RSA *rsa, BN_CTX *ctx)
+        {
+        BIGNUM *A, *Ai;
+        BN_BLINDING *ret = NULL;
+        /* added in OpenSSL 0.9.6j and 0.9.7b */
+        /* NB: similar code appears in RSA_blinding_on (rsa_lib.c);
+         * this should be placed in a new function of its own, but for reasons
+         * of binary compatibility can't */
+        BN_CTX_start(ctx);
+        A = BN_CTX_get(ctx);
+        if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL)
+                {
+                /* if PRNG is not properly seeded, resort to secret exponent as unpredictable seed */
+                RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0);
+                if (!BN_pseudo_rand_range(A,rsa->n)) goto err;
+                }
+        else
+                {
+                if (!BN_rand_range(A,rsa->n)) goto err;
+                }
+        if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err;
+        if (!rsa->meth->bn_mod_exp(A,A,rsa->e,rsa->n,ctx,rsa->_method_mod_n))
+                goto err;
+        ret = BN_BLINDING_new(A,Ai,rsa->n);
+        BN_free(Ai);
+err:
+        BN_CTX_end(ctx);
+        return ret;
+        }
 /* signing */
 static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
             unsigned char *to, RSA *rsa, int padding)
@@ -201,6 +253,8 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
        int i,j,k,num=0,r= -1;
        unsigned char *buf=NULL;
        BN_CTX *ctx=NULL;
+        int local_blinding = 0;
+        BN_BLINDING *blinding = NULL;
        BN_init(&f);
        BN_init(&ret);
@@ -237,10 +291,39 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
                goto err;
                }
-        if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
+        BLINDING_HELPER(rsa, ctx, goto err;);
-                RSA_blinding_on(rsa,ctx);
+        blinding = rsa->blinding;
-        if (rsa->flags & RSA_FLAG_BLINDING)
+        
-                if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
+        /* Now unless blinding is disabled, 'blinding' is non-NULL.
+         * But the BN_BLINDING object may be owned by some other thread
+         * (we don't want to keep it constant and we don't want to use
+         * lots of locking to avoid race conditions, so only a single
+         * thread can use it; other threads have to use local blinding
+         * factors) */
+        if (!(rsa->flags & RSA_FLAG_NO_BLINDING))
+                {
+                if (blinding == NULL)
+                        {
+                        RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR);
+                        goto err;
+                        }
+                }
+        
+        if (blinding != NULL)
+                {
+                if (blinding->thread_id != CRYPTO_thread_id())
+                        {
+                        /* we need a local one-time blinding factor */
+                        blinding = setup_blinding(rsa, ctx);
+                        if (blinding == NULL)
+                                goto err;
+                        local_blinding = 1;
+                        }
+                }
+        if (blinding)
+                if (!BN_BLINDING_convert(&f, blinding, ctx)) goto err;
        if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
                ((rsa->p != NULL) &&
@@ -254,8 +337,8 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
                if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err;
                }
-        if (rsa->flags & RSA_FLAG_BLINDING)
+        if (blinding)
-                if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;
+                if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err;
        /* put in leading 0 bytes if the number is less than the
         * length of the modulus */
@@ -269,9 +352,11 @@ err:
        if (ctx != NULL) BN_CTX_free(ctx);
        BN_clear_free(&ret);
        BN_clear_free(&f);
+        if (local_blinding)
+                BN_BLINDING_free(blinding);
        if (buf != NULL)
                {
-                memset(buf,0,num);
+                OPENSSL_cleanse(buf,num);
                OPENSSL_free(buf);
                }
        return(r);
@@ -285,6 +370,8 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
        unsigned char *p;
        unsigned char *buf=NULL;
        BN_CTX *ctx=NULL;
+        int local_blinding = 0;
+        BN_BLINDING *blinding = NULL;
        BN_init(&f);
        BN_init(&ret);
@@ -316,10 +403,39 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
                goto err;
                }
-        if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
+        BLINDING_HELPER(rsa, ctx, goto err;);
-                RSA_blinding_on(rsa,ctx);
+        blinding = rsa->blinding;
-        if (rsa->flags & RSA_FLAG_BLINDING)
+        
-                if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
+        /* Now unless blinding is disabled, 'blinding' is non-NULL.
+         * But the BN_BLINDING object may be owned by some other thread
+         * (we don't want to keep it constant and we don't want to use
+         * lots of locking to avoid race conditions, so only a single
+         * thread can use it; other threads have to use local blinding
+         * factors) */
+        if (!(rsa->flags & RSA_FLAG_NO_BLINDING))
+                {
+                if (blinding == NULL)
+                        {
+                        RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR);
+                        goto err;
+                        }
+                }
+        
+        if (blinding != NULL)
+                {
+                if (blinding->thread_id != CRYPTO_thread_id())
+                        {
+                        /* we need a local one-time blinding factor */
+                        blinding = setup_blinding(rsa, ctx);
+                        if (blinding == NULL)
+                                goto err;
+                        local_blinding = 1;
+                        }
+                }
+        if (blinding)
+                if (!BN_BLINDING_convert(&f, blinding, ctx)) goto err;
        /* do the decrypt */
        if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
@@ -335,8 +451,8 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
                        goto err;
                }
-        if (rsa->flags & RSA_FLAG_BLINDING)
+        if (blinding)
-                if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;
+                if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err;
        p=buf;
        j=BN_bn2bin(&ret,p); /* j is only used with no-padding mode */
@@ -370,7 +486,7 @@ err:
        BN_clear_free(&ret);
        if (buf != NULL)
                {
-                memset(buf,0,num);
+                OPENSSL_cleanse(buf,num);
                OPENSSL_free(buf);
                }
        return(r);
@@ -467,7 +583,7 @@ err:
        BN_clear_free(&ret);
        if (buf != NULL)
                {
-                memset(buf,0,num);
+                OPENSSL_cleanse(buf,num);
                OPENSSL_free(buf);
                }
        return(r);

diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c index 0eda816081..027b4dc754 100644 --- a/src/lib/libcrypto/rsa/rsa_eay.c +++ b/src/lib/libcrypto/rsa/rsa_eay.c
@@ -61,7 +61,6 @@
61	#include <openssl/bn.h>	61	#include <openssl/bn.h>
62	#include <openssl/rsa.h>	62	#include <openssl/rsa.h>
63	#include <openssl/rand.h>	63	#include <openssl/rand.h>
64	#include <openssl/engine.h>
65		64
66	#ifndef RSA_NULL	65	#ifndef RSA_NULL
67		66
@@ -187,12 +186,65 @@ err:
187	BN_clear_free(&ret);	186	BN_clear_free(&ret);
188	if (buf != NULL)	187	if (buf != NULL)
189	{	188	{
190	memset(buf,0,num);	189	OPENSSL_cleanse(buf,num);
191	OPENSSL_free(buf);	190	OPENSSL_free(buf);
192	}	191	}
193	return(r);	192	return(r);
194	}	193	}
195		194
		195	static int rsa_eay_blinding(RSA rsa, BN_CTX ctx)
		196	{
		197	int ret = 1;
		198	CRYPTO_w_lock(CRYPTO_LOCK_RSA);
		199	/* Check again inside the lock - the macro's check is racey */
		200	if(rsa->blinding == NULL)
		201	ret = RSA_blinding_on(rsa, ctx);
		202	CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
		203	return ret;
		204	}
		205
		206	#define BLINDING_HELPER(rsa, ctx, err_instr) \
		207	do { \
		208	if((!((rsa)->flags & RSA_FLAG_NO_BLINDING)) && \
		209	((rsa)->blinding == NULL) && \
		210	!rsa_eay_blinding(rsa, ctx)) \
		211	err_instr \
		212	} while(0)
		213
		214	static BN_BLINDING setup_blinding(RSA rsa, BN_CTX *ctx)
		215	{
		216	BIGNUM A, Ai;
		217	BN_BLINDING *ret = NULL;
		218
		219	/* added in OpenSSL 0.9.6j and 0.9.7b */
		220
		221	/* NB: similar code appears in RSA_blinding_on (rsa_lib.c);
		222	* this should be placed in a new function of its own, but for reasons
		223	* of binary compatibility can't */
		224
		225	BN_CTX_start(ctx);
		226	A = BN_CTX_get(ctx);
		227	if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL)
		228	{
		229	/* if PRNG is not properly seeded, resort to secret exponent as unpredictable seed */
		230	RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0);
		231	if (!BN_pseudo_rand_range(A,rsa->n)) goto err;
		232	}
		233	else
		234	{
		235	if (!BN_rand_range(A,rsa->n)) goto err;
		236	}
		237	if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err;
		238
		239	if (!rsa->meth->bn_mod_exp(A,A,rsa->e,rsa->n,ctx,rsa->_method_mod_n))
		240	goto err;
		241	ret = BN_BLINDING_new(A,Ai,rsa->n);
		242	BN_free(Ai);
		243	err:
		244	BN_CTX_end(ctx);
		245	return ret;
		246	}
		247
196	/* signing */	248	/* signing */
197	static int RSA_eay_private_encrypt(int flen, const unsigned char *from,	249	static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
198	unsigned char to, RSA rsa, int padding)	250	unsigned char to, RSA rsa, int padding)
@@ -201,6 +253,8 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
201	int i,j,k,num=0,r= -1;	253	int i,j,k,num=0,r= -1;
202	unsigned char *buf=NULL;	254	unsigned char *buf=NULL;
203	BN_CTX *ctx=NULL;	255	BN_CTX *ctx=NULL;
		256	int local_blinding = 0;
		257	BN_BLINDING *blinding = NULL;
204		258
205	BN_init(&f);	259	BN_init(&f);
206	BN_init(&ret);	260	BN_init(&ret);
@@ -237,10 +291,39 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
237	goto err;	291	goto err;
238	}	292	}
239		293
240	if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))	294	BLINDING_HELPER(rsa, ctx, goto err;);
241	RSA_blinding_on(rsa,ctx);	295	blinding = rsa->blinding;
242	if (rsa->flags & RSA_FLAG_BLINDING)	296
243	if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;	297	/* Now unless blinding is disabled, 'blinding' is non-NULL.
		298	* But the BN_BLINDING object may be owned by some other thread
		299	* (we don't want to keep it constant and we don't want to use
		300	* lots of locking to avoid race conditions, so only a single
		301	* thread can use it; other threads have to use local blinding
		302	* factors) */
		303	if (!(rsa->flags & RSA_FLAG_NO_BLINDING))
		304	{
		305	if (blinding == NULL)
		306	{
		307	RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR);
		308	goto err;
		309	}
		310	}
		311
		312	if (blinding != NULL)
		313	{
		314	if (blinding->thread_id != CRYPTO_thread_id())
		315	{
		316	/* we need a local one-time blinding factor */
		317
		318	blinding = setup_blinding(rsa, ctx);
		319	if (blinding == NULL)
		320	goto err;
		321	local_blinding = 1;
		322	}
		323	}
		324
		325	if (blinding)
		326	if (!BN_BLINDING_convert(&f, blinding, ctx)) goto err;
244		327
245	if ( (rsa->flags & RSA_FLAG_EXT_PKEY) \|\|	328	if ( (rsa->flags & RSA_FLAG_EXT_PKEY) \|\|
246	((rsa->p != NULL) &&	329	((rsa->p != NULL) &&
@@ -254,8 +337,8 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
254	if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err;	337	if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err;
255	}	338	}
256		339
257	if (rsa->flags & RSA_FLAG_BLINDING)	340	if (blinding)
258	if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;	341	if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err;
259		342
260	/* put in leading 0 bytes if the number is less than the	343	/* put in leading 0 bytes if the number is less than the
261	* length of the modulus */	344	* length of the modulus */
@@ -269,9 +352,11 @@ err:
269	if (ctx != NULL) BN_CTX_free(ctx);	352	if (ctx != NULL) BN_CTX_free(ctx);
270	BN_clear_free(&ret);	353	BN_clear_free(&ret);
271	BN_clear_free(&f);	354	BN_clear_free(&f);
		355	if (local_blinding)
		356	BN_BLINDING_free(blinding);
272	if (buf != NULL)	357	if (buf != NULL)
273	{	358	{
274	memset(buf,0,num);	359	OPENSSL_cleanse(buf,num);
275	OPENSSL_free(buf);	360	OPENSSL_free(buf);
276	}	361	}
277	return(r);	362	return(r);
@@ -285,6 +370,8 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
285	unsigned char *p;	370	unsigned char *p;
286	unsigned char *buf=NULL;	371	unsigned char *buf=NULL;
287	BN_CTX *ctx=NULL;	372	BN_CTX *ctx=NULL;
		373	int local_blinding = 0;
		374	BN_BLINDING *blinding = NULL;
288		375
289	BN_init(&f);	376	BN_init(&f);
290	BN_init(&ret);	377	BN_init(&ret);
@@ -316,10 +403,39 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
316	goto err;	403	goto err;
317	}	404	}
318		405
319	if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))	406	BLINDING_HELPER(rsa, ctx, goto err;);
320	RSA_blinding_on(rsa,ctx);	407	blinding = rsa->blinding;
321	if (rsa->flags & RSA_FLAG_BLINDING)	408
322	if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;	409	/* Now unless blinding is disabled, 'blinding' is non-NULL.
		410	* But the BN_BLINDING object may be owned by some other thread
		411	* (we don't want to keep it constant and we don't want to use
		412	* lots of locking to avoid race conditions, so only a single
		413	* thread can use it; other threads have to use local blinding
		414	* factors) */
		415	if (!(rsa->flags & RSA_FLAG_NO_BLINDING))
		416	{
		417	if (blinding == NULL)
		418	{
		419	RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR);
		420	goto err;
		421	}
		422	}
		423
		424	if (blinding != NULL)
		425	{
		426	if (blinding->thread_id != CRYPTO_thread_id())
		427	{
		428	/* we need a local one-time blinding factor */
		429
		430	blinding = setup_blinding(rsa, ctx);
		431	if (blinding == NULL)
		432	goto err;
		433	local_blinding = 1;
		434	}
		435	}
		436
		437	if (blinding)
		438	if (!BN_BLINDING_convert(&f, blinding, ctx)) goto err;
323		439
324	/* do the decrypt */	440	/* do the decrypt */
325	if ( (rsa->flags & RSA_FLAG_EXT_PKEY) \|\|	441	if ( (rsa->flags & RSA_FLAG_EXT_PKEY) \|\|
@@ -335,8 +451,8 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
335	goto err;	451	goto err;
336	}	452	}
337		453
338	if (rsa->flags & RSA_FLAG_BLINDING)	454	if (blinding)
339	if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;	455	if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err;
340		456
341	p=buf;	457	p=buf;
342	j=BN_bn2bin(&ret,p); /* j is only used with no-padding mode */	458	j=BN_bn2bin(&ret,p); /* j is only used with no-padding mode */
@@ -370,7 +486,7 @@ err:
370	BN_clear_free(&ret);	486	BN_clear_free(&ret);
371	if (buf != NULL)	487	if (buf != NULL)
372	{	488	{
373	memset(buf,0,num);	489	OPENSSL_cleanse(buf,num);
374	OPENSSL_free(buf);	490	OPENSSL_free(buf);
375	}	491	}
376	return(r);	492	return(r);
@@ -467,7 +583,7 @@ err:
467	BN_clear_free(&ret);	583	BN_clear_free(&ret);
468	if (buf != NULL)	584	if (buf != NULL)
469	{	585	{
470	memset(buf,0,num);	586	OPENSSL_cleanse(buf,num);
471	OPENSSL_free(buf);	587	OPENSSL_free(buf);
472	}	588	}
473	return(r);	589	return(r);