Diffstat (limited to 'src/lib/libcrypto/rsa/rsa_eay.c')
-rw-r--r--src/lib/libcrypto/rsa/rsa_eay.c131
1 files changed, 17 insertions, 114 deletions
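diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c
index 027b4dc754..a3f549d8e6 100644
--- a/src/lib/libcrypto/rsa/rsa_eay.c
+++ b/src/lib/libcrypto/rsa/rsa_eay.c
@@ -61,6 +61,7 @@
 #include <openssl/bn.h>
 #include <openssl/rsa.h>
 #include <openssl/rand.h>
+#include <openssl/engine.h>
 
 #ifndef RSA_NULL
 
@@ -186,7 +187,7 @@ err:
 BN_clear_free(&ret);
 if (buf != NULL)
 {
-OPENSSL_cleanse(buf,num);
+memset(buf,0,num);
 OPENSSL_free(buf);
 }
 return(r);
@@ -205,46 +206,12 @@ static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx)
 
 #define BLINDING_HELPER(rsa, ctx, err_instr) \
 do { \
-if((!((rsa)->flags & RSA_FLAG_NO_BLINDING)) && \
+if(((rsa)->flags & RSA_FLAG_BLINDING) && \
 ((rsa)->blinding == NULL) && \
 !rsa_eay_blinding(rsa, ctx)) \
 err_instr \
 } while(0)
 
-static BN_BLINDING *setup_blinding(RSA *rsa, BN_CTX *ctx)
-{
-BIGNUM *A, *Ai;
-BN_BLINDING *ret = NULL;
-
-/* added in OpenSSL 0.9.6j and 0.9.7b */
-
-/* NB: similar code appears in RSA_blinding_on (rsa_lib.c);
-* this should be placed in a new function of its own, but for reasons
-* of binary compatibility can't */
-
-BN_CTX_start(ctx);
-A = BN_CTX_get(ctx);
-if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL)
-{
-/* if PRNG is not properly seeded, resort to secret exponent as unpredictable seed */
-RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0);
-if (!BN_pseudo_rand_range(A,rsa->n)) goto err;
-}
-else
-{
-if (!BN_rand_range(A,rsa->n)) goto err;
-}
-if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err;
-
-if (!rsa->meth->bn_mod_exp(A,A,rsa->e,rsa->n,ctx,rsa->_method_mod_n))
-goto err;
-ret = BN_BLINDING_new(A,Ai,rsa->n);
-BN_free(Ai);
-err:
-BN_CTX_end(ctx);
-return ret;
-}
-
 /* signing */
 static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
 unsigned char *to, RSA *rsa, int padding)
@@ -253,8 +220,6 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
 int i,j,k,num=0,r= -1;
 unsigned char *buf=NULL;
 BN_CTX *ctx=NULL;
-int local_blinding = 0;
-BN_BLINDING *blinding = NULL;
 
 BN_init(&f);
 BN_init(&ret);
@@ -292,38 +257,9 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
 }
 
 BLINDING_HELPER(rsa, ctx, goto err;);
-blinding = rsa->blinding;
-
-/* Now unless blinding is disabled, 'blinding' is non-NULL.
-* But the BN_BLINDING object may be owned by some other thread
-* (we don't want to keep it constant and we don't want to use
-* lots of locking to avoid race conditions, so only a single
-* thread can use it; other threads have to use local blinding
-* factors) */
-if (!(rsa->flags & RSA_FLAG_NO_BLINDING))
-{
-if (blinding == NULL)
-{
-RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR);
-goto err;
-}
-}
-
-if (blinding != NULL)
-{
-if (blinding->thread_id != CRYPTO_thread_id())
-{
-/* we need a local one-time blinding factor */
-
-blinding = setup_blinding(rsa, ctx);
-if (blinding == NULL)
-goto err;
-local_blinding = 1;
-}
-}
 
-if (blinding)
-if (!BN_BLINDING_convert(&f, blinding, ctx)) goto err;
+if (rsa->flags & RSA_FLAG_BLINDING)
+if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
 
 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
 ((rsa->p != NULL) &&
@@ -337,8 +273,8 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err;
 }
 
-if (blinding)
-if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err;
+if (rsa->flags & RSA_FLAG_BLINDING)
+if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;
 
 /* put in leading 0 bytes if the number is less than the
 * length of the modulus */
@@ -352,11 +288,9 @@ err:
 if (ctx != NULL) BN_CTX_free(ctx);
 BN_clear_free(&ret);
 BN_clear_free(&f);
-if (local_blinding)
-BN_BLINDING_free(blinding);
 if (buf != NULL)
 {
-OPENSSL_cleanse(buf,num);
+memset(buf,0,num);
 OPENSSL_free(buf);
 }
 return(r);
@@ -370,8 +304,6 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
 unsigned char *p;
 unsigned char *buf=NULL;
 BN_CTX *ctx=NULL;
-int local_blinding = 0;
-BN_BLINDING *blinding = NULL;
 
 BN_init(&f);
 BN_init(&ret);
@@ -404,38 +336,9 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
 }
 
 BLINDING_HELPER(rsa, ctx, goto err;);
-blinding = rsa->blinding;
-
-/* Now unless blinding is disabled, 'blinding' is non-NULL.
-* But the BN_BLINDING object may be owned by some other thread
-* (we don't want to keep it constant and we don't want to use
-* lots of locking to avoid race conditions, so only a single
-* thread can use it; other threads have to use local blinding
-* factors) */
-if (!(rsa->flags & RSA_FLAG_NO_BLINDING))
-{
-if (blinding == NULL)
-{
-RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR);
-goto err;
-}
-}
-
-if (blinding != NULL)
-{
-if (blinding->thread_id != CRYPTO_thread_id())
-{
-/* we need a local one-time blinding factor */
-
-blinding = setup_blinding(rsa, ctx);
-if (blinding == NULL)
-goto err;
-local_blinding = 1;
-}
-}
 
-if (blinding)
-if (!BN_BLINDING_convert(&f, blinding, ctx)) goto err;
+if (rsa->flags & RSA_FLAG_BLINDING)
+if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
 
 /* do the decrypt */
 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
@@ -451,8 +354,8 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
 goto err;
 }
 
-if (blinding)
-if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err;
+if (rsa->flags & RSA_FLAG_BLINDING)
+if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;
 
 p=buf;
 j=BN_bn2bin(&ret,p); /* j is only used with no-padding mode */
@@ -486,7 +389,7 @@ err:
 BN_clear_free(&ret);
 if (buf != NULL)
 {
-OPENSSL_cleanse(buf,num);
+memset(buf,0,num);
 OPENSSL_free(buf);
 }
 return(r);
@@ -583,7 +486,7 @@ err:
 BN_clear_free(&ret);
 if (buf != NULL)
 {
-OPENSSL_cleanse(buf,num);
+memset(buf,0,num);
 OPENSSL_free(buf);
 }
 return(r);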
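Review bot: On the new side the scratch buffer holding RSA plaintext or signature material is scrubbed with `memset(buf,0,num);` immediately before `OPENSSL_free(buf);` in all four cleanup paths (including those of RSA_eay_private_encrypt and RSA_eay_private_decrypt); a store to memory that is freed on the very next line is a dead store the optimizer is entitled to drop, so the secret bytes may survive in the heap. The old side's `OPENSSL_cleanse(buf,num);` exists precisely to defeat that elimination; keep it, or if this tree lacks it, clear the buffer through a volatile-qualified pointer. Separately, the private-key paths now call `BN_BLINDING_convert(&f,rsa->blinding,ctx)` / `BN_BLINDING_invert(&ret,rsa->blinding,ctx)` on the single shared `rsa->blinding` object, with the per-thread ownership check (`blinding->thread_id != CRYPTO_thread_id()`) and the local one-time blinding fallback deleted, so two threads signing with the same key appear to share one blinding state with no lock, which is exactly what the removed comment warns against. BLINDING_HELPER also now sets up blinding only when `RSA_FLAG_BLINDING` is set instead of unless `RSA_FLAG_NO_BLINDING` is set, so timing-attack blinding becomes opt-in unless RSA objects receive that flag by default somewhere outside this diff. The functions these hunks touch begin and end outside the hunks shown, and the diffstat (17 insertions, 114 deletions) is slightly larger than what is visible here, so the section may continue past this point.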