Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libcrypto/bn/bn_blind.c | 73 |
1 files changed, 43 insertions, 30 deletions
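diff --git a/src/lib/libcrypto/bn/bn_blind.c b/src/lib/libcrypto/bn/bn_blind.c
index e530bdfb27..edc1a9d1ab 100644
--- a/src/lib/libcrypto/bn/bn_blind.c
+++ b/src/lib/libcrypto/bn/bn_blind.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_blind.c,v 1.33 2023/08/08 13:59:04 tb Exp $ */
+/* $OpenBSD: bn_blind.c,v 1.34 2023/08/08 14:40:56 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
  *
@@ -179,6 +179,45 @@ BN_BLINDING_free(BN_BLINDING *r)
 }
 
 static int
+BN_BLINDING_setup(BN_BLINDING *ret, BN_CTX *ctx)
+{
+	int retry_counter = 32;
+
+	/*
+	 * XXX - remove this loop. If we happen to find a non-invertible A,
+	 * we have basically factored mod = (p-1)(q-1)...
+	 */
+	do {
+		if (!BN_rand_range(ret->A, ret->mod))
+			return 0;
+		if (BN_mod_inverse_ct(ret->Ai, ret->A, ret->mod, ctx) == NULL) {
+			/* this should almost never happen for good RSA keys */
+			unsigned long error = ERR_peek_last_error();
+			if (ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
+				if (retry_counter-- == 0) {
+					BNerror(BN_R_TOO_MANY_ITERATIONS);
+					return 0;
+				}
+				ERR_clear_error();
+			} else
+				return 0;
+		} else
+			break;
+	} while (1);
+
+	if (ret->bn_mod_exp != NULL && ret->m_ctx != NULL) {
+		if (!ret->bn_mod_exp(ret->A, ret->A, ret->e, ret->mod,
+		    ctx, ret->m_ctx))
+			return 0;
+	} else {
+		if (!BN_mod_exp_ct(ret->A, ret->A, ret->e, ret->mod, ctx))
+			return 0;
+	}
+
+	return 1;
+}
+
+static int
 BN_BLINDING_update(BN_BLINDING *b, BN_CTX *ctx)
 {
 	int ret = 0;
@@ -187,8 +226,7 @@ BN_BLINDING_update(BN_BLINDING *b, BN_CTX *ctx)
 	b->counter = 0;
 
 	if (++b->counter == BN_BLINDING_COUNTER) {
-		/* re-create blinding parameters */
-		if (!BN_BLINDING_create_param(b, NULL, NULL, ctx, NULL, NULL))
+		if (!BN_BLINDING_setup(b, ctx))
 			goto err;
 	} else {
 		if (!BN_mod_mul(b->A, b->A, b->A, b->mod, ctx))
@@ -258,7 +296,6 @@ BN_BLINDING_create_param(BN_BLINDING *b, const BIGNUM *e, BIGNUM *m, BN_CTX *ctx
     const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx), BN_MONT_CTX *m_ctx)
 {
 	BN_BLINDING *ret = NULL;
-	int retry_counter = 32;
 
 	if ((ret = b) == NULL)
 		ret = BN_BLINDING_new(e, m);
@@ -270,32 +307,8 @@ BN_BLINDING_create_param(BN_BLINDING *b, const BIGNUM *e, BIGNUM *m, BN_CTX *ctx
 	if (m_ctx != NULL)
 		ret->m_ctx = m_ctx;
 
-	do {
-		if (!BN_rand_range(ret->A, ret->mod))
-			goto err;
-		if (BN_mod_inverse_ct(ret->Ai, ret->A, ret->mod, ctx) == NULL) {
-			/* this should almost never happen for good RSA keys */
-			unsigned long error = ERR_peek_last_error();
-			if (ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
-				if (retry_counter-- == 0) {
-					BNerror(BN_R_TOO_MANY_ITERATIONS);
-					goto err;
-				}
-				ERR_clear_error();
-			} else
-				goto err;
-		} else
-			break;
-	} while (1);
-
-	if (ret->bn_mod_exp != NULL && ret->m_ctx != NULL) {
-		if (!ret->bn_mod_exp(ret->A, ret->A, ret->e, ret->mod,
-		    ctx, ret->m_ctx))
-			goto err;
-	} else {
-		if (!BN_mod_exp_ct(ret->A, ret->A, ret->e, ret->mod, ctx))
-			goto err;
-	}
+	if (!BN_BLINDING_setup(ret, ctx))
+		goto err;
 
 	return ret;
 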
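Review bot: The new static BN_BLINDING_setup has no header comment, and the XXX note above its retry loop misstates what a failed inverse means: for any A other than 0, BN_R_NO_INVERSE means gcd(A, mod) != 1, so a nontrivial factor of mod itself has been found, not of (p-1)(q-1) (mod appears to be the RSA public modulus given the blinding use, though its origin is not visible in this diff). I would add `/* Draw a fresh random A in [0, mod), store A^-1 mod mod in Ai, then replace A by A^e mod mod. */` above the function and reword the loop comment to `/* XXX - remove this loop. A non-invertible A != 0 shares a nontrivial factor with mod, i.e. mod has been factored. */`. Note also that `retry_counter-- == 0` permits 33 draws before BN_R_TOO_MANY_ITERATIONS and that ERR_clear_error() on the retry path wipes any unrelated earlier errors from the queue; both are carried over from the old loop and worth a comment rather than a change here. BN_BLINDING_update and BN_BLINDING_create_param both continue outside the hunks shown, so the `err:` paths they jump to cannot be reviewed from this diff.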
