1 files changed, 35 insertions, 95 deletions
diff --git a/src/lib/libcrypto/rsa/rsa_lib.c b/src/lib/libcrypto/rsa/rsa_lib.c
index 104aa4c1f2..e4d622851e 100644
--- a/src/lib/libcrypto/rsa/rsa_lib.c
+++ b/src/lib/libcrypto/rsa/rsa_lib.c
@@ -67,7 +67,7 @@
 #include <openssl/engine.h>
 #endif
-const char RSA_version[]="RSA" OPENSSL_VERSION_PTEXT;
+const char *RSA_version="RSA" OPENSSL_VERSION_PTEXT;
 static const RSA_METHOD *default_RSA_meth=NULL;
@@ -179,7 +179,6 @@ RSA *RSA_new_method(ENGINE *engine)
        ret->_method_mod_p=NULL;
        ret->_method_mod_q=NULL;
        ret->blinding=NULL;
-        ret->mt_blinding=NULL;
        ret->bignum_data=NULL;
        ret->flags=ret->meth->flags;
        CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data);
@@ -233,7 +232,6 @@ void RSA_free(RSA *r)
        if (r->dmq1 != NULL) BN_clear_free(r->dmq1);
        if (r->iqmp != NULL) BN_clear_free(r->iqmp);
        if (r->blinding != NULL) BN_BLINDING_free(r->blinding);
-        if (r->mt_blinding != NULL) BN_BLINDING_free(r->mt_blinding);
        if (r->bignum_data != NULL) OPENSSL_free_locked(r->bignum_data);
        OPENSSL_free(r);
        }
@@ -316,117 +314,59 @@ void RSA_blinding_off(RSA *rsa)
        rsa->flags |= RSA_FLAG_NO_BLINDING;
        }
-int RSA_blinding_on(RSA *rsa, BN_CTX *ctx)
+int RSA_blinding_on(RSA *rsa, BN_CTX *p_ctx)
        {
-        int ret=0;
+        BIGNUM *A,*Ai = NULL;
-        if (rsa->blinding != NULL)
-                RSA_blinding_off(rsa);
-        rsa->blinding = RSA_setup_blinding(rsa, ctx);
-        if (rsa->blinding == NULL)
-                goto err;
-        rsa->flags |= RSA_FLAG_BLINDING;
-        rsa->flags &= ~RSA_FLAG_NO_BLINDING;
-        ret=1;
-err:
-        return(ret);
-        }
-static BIGNUM *rsa_get_public_exp(const BIGNUM *d, const BIGNUM *p,
-        const BIGNUM *q, BN_CTX *ctx)
-{
-        BIGNUM *ret = NULL, *r0, *r1, *r2;
-        if (d == NULL || p == NULL || q == NULL)
-                return NULL;
-        BN_CTX_start(ctx);
-        r0 = BN_CTX_get(ctx);
-        r1 = BN_CTX_get(ctx);
-        r2 = BN_CTX_get(ctx);
-        if (r2 == NULL)
-                goto err;
-        if (!BN_sub(r1, p, BN_value_one())) goto err;
-        if (!BN_sub(r2, q, BN_value_one())) goto err;
-        if (!BN_mul(r0, r1, r2, ctx)) goto err;
-        ret = BN_mod_inverse(NULL, d, r0, ctx);
-err:
-        BN_CTX_end(ctx);
-        return ret;
-}
-BN_BLINDING *RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx)
-{
-        BIGNUM local_n;
-        BIGNUM *e,*n;
        BN_CTX *ctx;
-        BN_BLINDING *ret = NULL;
+        int ret=0;
-        if (in_ctx == NULL)
+        if (p_ctx == NULL)
                {
-                if ((ctx = BN_CTX_new()) == NULL) return 0;
+                if ((ctx=BN_CTX_new()) == NULL) goto err;
                }
        else
-                ctx = in_ctx;
+                ctx=p_ctx;
-        BN_CTX_start(ctx);
+        /* XXXXX: Shouldn't this be RSA_blinding_off(rsa)? */
-        e  = BN_CTX_get(ctx);
+        if (rsa->blinding != NULL)
-        if (e == NULL)
                {
-                RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_MALLOC_FAILURE);
+                BN_BLINDING_free(rsa->blinding);
-                goto err;
+                rsa->blinding = NULL;
                }
-        if (rsa->e == NULL)
+        /* NB: similar code appears in setup_blinding (rsa_eay.c);
-                {
+         * this should be placed in a new function of its own, but for reasons
-                e = rsa_get_public_exp(rsa->d, rsa->p, rsa->q, ctx);
+         * of binary compatibility can't */
-                if (e == NULL)
-                        {
-                        RSAerr(RSA_F_RSA_SETUP_BLINDING, RSA_R_NO_PUBLIC_EXPONENT);
-                        goto err;
-                        }
-                }
-        else
-                e = rsa->e;
-        
+        BN_CTX_start(ctx);
+        A = BN_CTX_get(ctx);
        if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL)
                {
-                /* if PRNG is not properly seeded, resort to secret
+                /* if PRNG is not properly seeded, resort to secret exponent as unpredictable seed */
-                 * exponent as unpredictable seed */
+                RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0);
-                RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0.0);
+                if (!BN_pseudo_rand_range(A,rsa->n)) goto err;
                }
+        else
-        if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
                {
-                /* Set BN_FLG_CONSTTIME flag */
+                if (!BN_rand_range(A,rsa->n)) goto err;
-                n = &local_n;
-                BN_with_flags(n, rsa->n, BN_FLG_CONSTTIME);
                }
-        else
+        if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err;
-                n = rsa->n;
-        ret = BN_BLINDING_create_param(NULL, e, n, ctx,
+        if (!rsa->meth->bn_mod_exp(A,A,rsa->e,rsa->n,ctx,rsa->_method_mod_n))
-                        rsa->meth->bn_mod_exp, rsa->_method_mod_n);
-        if (ret == NULL)
-                {
-                RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_BN_LIB);
                goto err;
-                }
+        if ((rsa->blinding=BN_BLINDING_new(A,Ai,rsa->n)) == NULL) goto err;
-        BN_BLINDING_set_thread_id(ret, CRYPTO_thread_id());
+        /* to make things thread-safe without excessive locking,
+         * rsa->blinding will be used just by the current thread: */
+        rsa->blinding->thread_id = CRYPTO_thread_id();
+        rsa->flags |= RSA_FLAG_BLINDING;
+        rsa->flags &= ~RSA_FLAG_NO_BLINDING;
+        ret=1;
 err:
+        if (Ai != NULL) BN_free(Ai);
        BN_CTX_end(ctx);
-        if (in_ctx == NULL)
+        if (ctx != p_ctx) BN_CTX_free(ctx);
-                BN_CTX_free(ctx);
+        return(ret);
-        if(rsa->e == NULL)
+        }
-                BN_free(e);
-        return ret;
-}
 int RSA_memory_lock(RSA *r)
        {
@@ -449,7 +389,7 @@ int RSA_memory_lock(RSA *r)
                j+= (*t[i])->top;
        if ((p=OPENSSL_malloc_locked((off+j)*sizeof(BN_ULONG))) == NULL)
                {
-                RSAerr(RSA_F_RSA_MEMORY_LOCK,ERR_R_MALLOC_FAILURE);
+                RSAerr(RSA_F_MEMORY_LOCK,ERR_R_MALLOC_FAILURE);
                return(0);
                }
        bn=(BIGNUM *)p;

diff --git a/src/lib/libcrypto/rsa/rsa_lib.c b/src/lib/libcrypto/rsa/rsa_lib.c index 104aa4c1f2..e4d622851e 100644 --- a/src/lib/libcrypto/rsa/rsa_lib.c +++ b/src/lib/libcrypto/rsa/rsa_lib.c
@@ -67,7 +67,7 @@
67	#include <openssl/engine.h>	67	#include <openssl/engine.h>
68	#endif	68	#endif
69		69
70	const char RSA_version[]="RSA" OPENSSL_VERSION_PTEXT;	70	const char *RSA_version="RSA" OPENSSL_VERSION_PTEXT;
71		71
72	static const RSA_METHOD *default_RSA_meth=NULL;	72	static const RSA_METHOD *default_RSA_meth=NULL;
73		73
@@ -179,7 +179,6 @@ RSA RSA_new_method(ENGINE engine)
179	ret->_method_mod_p=NULL;	179	ret->_method_mod_p=NULL;
180	ret->_method_mod_q=NULL;	180	ret->_method_mod_q=NULL;
181	ret->blinding=NULL;	181	ret->blinding=NULL;
182	ret->mt_blinding=NULL;
183	ret->bignum_data=NULL;	182	ret->bignum_data=NULL;
184	ret->flags=ret->meth->flags;	183	ret->flags=ret->meth->flags;
185	CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data);	184	CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data);
@@ -233,7 +232,6 @@ void RSA_free(RSA *r)
233	if (r->dmq1 != NULL) BN_clear_free(r->dmq1);	232	if (r->dmq1 != NULL) BN_clear_free(r->dmq1);
234	if (r->iqmp != NULL) BN_clear_free(r->iqmp);	233	if (r->iqmp != NULL) BN_clear_free(r->iqmp);
235	if (r->blinding != NULL) BN_BLINDING_free(r->blinding);	234	if (r->blinding != NULL) BN_BLINDING_free(r->blinding);
236	if (r->mt_blinding != NULL) BN_BLINDING_free(r->mt_blinding);
237	if (r->bignum_data != NULL) OPENSSL_free_locked(r->bignum_data);	235	if (r->bignum_data != NULL) OPENSSL_free_locked(r->bignum_data);
238	OPENSSL_free(r);	236	OPENSSL_free(r);
239	}	237	}
@@ -316,117 +314,59 @@ void RSA_blinding_off(RSA *rsa)
316	rsa->flags \|= RSA_FLAG_NO_BLINDING;	314	rsa->flags \|= RSA_FLAG_NO_BLINDING;
317	}	315	}
318		316
319	int RSA_blinding_on(RSA rsa, BN_CTX ctx)	317	int RSA_blinding_on(RSA rsa, BN_CTX p_ctx)
320	{	318	{
321	int ret=0;	319	BIGNUM A,Ai = NULL;
322
323	if (rsa->blinding != NULL)
324	RSA_blinding_off(rsa);
325
326	rsa->blinding = RSA_setup_blinding(rsa, ctx);
327	if (rsa->blinding == NULL)
328	goto err;
329
330	rsa->flags \|= RSA_FLAG_BLINDING;
331	rsa->flags &= ~RSA_FLAG_NO_BLINDING;
332	ret=1;
333	err:
334	return(ret);
335	}
336
337	static BIGNUM rsa_get_public_exp(const BIGNUM d, const BIGNUM *p,
338	const BIGNUM q, BN_CTX ctx)
339	{
340	BIGNUM ret = NULL, r0, r1, r2;
341
342	if (d == NULL \|\| p == NULL \|\| q == NULL)
343	return NULL;
344
345	BN_CTX_start(ctx);
346	r0 = BN_CTX_get(ctx);
347	r1 = BN_CTX_get(ctx);
348	r2 = BN_CTX_get(ctx);
349	if (r2 == NULL)
350	goto err;
351
352	if (!BN_sub(r1, p, BN_value_one())) goto err;
353	if (!BN_sub(r2, q, BN_value_one())) goto err;
354	if (!BN_mul(r0, r1, r2, ctx)) goto err;
355
356	ret = BN_mod_inverse(NULL, d, r0, ctx);
357	err:
358	BN_CTX_end(ctx);
359	return ret;
360	}
361
362	BN_BLINDING RSA_setup_blinding(RSA rsa, BN_CTX *in_ctx)
363	{
364	BIGNUM local_n;
365	BIGNUM e,n;
366	BN_CTX *ctx;	320	BN_CTX *ctx;
367	BN_BLINDING *ret = NULL;	321	int ret=0;
368		322
369	if (in_ctx == NULL)	323	if (p_ctx == NULL)
370	{	324	{
371	if ((ctx = BN_CTX_new()) == NULL) return 0;	325	if ((ctx=BN_CTX_new()) == NULL) goto err;
372	}	326	}
373	else	327	else
374	ctx = in_ctx;	328	ctx=p_ctx;
375		329
376	BN_CTX_start(ctx);	330	/* XXXXX: Shouldn't this be RSA_blinding_off(rsa)? */
377	e = BN_CTX_get(ctx);	331	if (rsa->blinding != NULL)
378	if (e == NULL)
379	{	332	{
380	RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_MALLOC_FAILURE);	333	BN_BLINDING_free(rsa->blinding);
381	goto err;	334	rsa->blinding = NULL;
382	}	335	}
383		336
384	if (rsa->e == NULL)	337	/* NB: similar code appears in setup_blinding (rsa_eay.c);
385	{	338	* this should be placed in a new function of its own, but for reasons
386	e = rsa_get_public_exp(rsa->d, rsa->p, rsa->q, ctx);	339	* of binary compatibility can't */
387	if (e == NULL)
388	{
389	RSAerr(RSA_F_RSA_SETUP_BLINDING, RSA_R_NO_PUBLIC_EXPONENT);
390	goto err;
391	}
392	}
393	else
394	e = rsa->e;
395		340
396		341	BN_CTX_start(ctx);
		342	A = BN_CTX_get(ctx);
397	if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL)	343	if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL)
398	{	344	{
399	/* if PRNG is not properly seeded, resort to secret	345	/* if PRNG is not properly seeded, resort to secret exponent as unpredictable seed */
400	* exponent as unpredictable seed */	346	RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0);
401	RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0.0);	347	if (!BN_pseudo_rand_range(A,rsa->n)) goto err;
402	}	348	}
403		349	else
404	if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
405	{	350	{
406	/* Set BN_FLG_CONSTTIME flag */	351	if (!BN_rand_range(A,rsa->n)) goto err;
407	n = &local_n;
408	BN_with_flags(n, rsa->n, BN_FLG_CONSTTIME);
409	}	352	}
410	else	353	if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err;
411	n = rsa->n;
412		354
413	ret = BN_BLINDING_create_param(NULL, e, n, ctx,	355	if (!rsa->meth->bn_mod_exp(A,A,rsa->e,rsa->n,ctx,rsa->_method_mod_n))
414	rsa->meth->bn_mod_exp, rsa->_method_mod_n);
415	if (ret == NULL)
416	{
417	RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_BN_LIB);
418	goto err;	356	goto err;
419	}	357	if ((rsa->blinding=BN_BLINDING_new(A,Ai,rsa->n)) == NULL) goto err;
420	BN_BLINDING_set_thread_id(ret, CRYPTO_thread_id());	358	/* to make things thread-safe without excessive locking,
		359	* rsa->blinding will be used just by the current thread: */
		360	rsa->blinding->thread_id = CRYPTO_thread_id();
		361	rsa->flags \|= RSA_FLAG_BLINDING;
		362	rsa->flags &= ~RSA_FLAG_NO_BLINDING;
		363	ret=1;
421	err:	364	err:
		365	if (Ai != NULL) BN_free(Ai);
422	BN_CTX_end(ctx);	366	BN_CTX_end(ctx);
423	if (in_ctx == NULL)	367	if (ctx != p_ctx) BN_CTX_free(ctx);
424	BN_CTX_free(ctx);	368	return(ret);
425	if(rsa->e == NULL)	369	}
426	BN_free(e);
427
428	return ret;
429	}
430		370
431	int RSA_memory_lock(RSA *r)	371	int RSA_memory_lock(RSA *r)
432	{	372	{
@@ -449,7 +389,7 @@ int RSA_memory_lock(RSA *r)
449	j+= (*t[i])->top;	389	j+= (*t[i])->top;
450	if ((p=OPENSSL_malloc_locked((off+j)*sizeof(BN_ULONG))) == NULL)	390	if ((p=OPENSSL_malloc_locked((off+j)*sizeof(BN_ULONG))) == NULL)
451	{	391	{
452	RSAerr(RSA_F_RSA_MEMORY_LOCK,ERR_R_MALLOC_FAILURE);	392	RSAerr(RSA_F_MEMORY_LOCK,ERR_R_MALLOC_FAILURE);
453	return(0);	393	return(0);
454	}	394	}
455	bn=(BIGNUM *)p;	395	bn=(BIGNUM *)p;