Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libcrypto/bn/bn_gcd.c | 40 | ||||
| -rw-r--r-- | src/lib/libcrypto/rsa/rsa_eay.c | 3 | ||||
| -rw-r--r-- | src/lib/libcrypto/rsa/rsa_gen.c | 5 |
3 files changed, 33 insertions, 15 deletions
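--- a/src/lib/libcrypto/bn/bn_gcd.c
+++ b/src/lib/libcrypto/bn/bn_gcd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_gcd.c,v 1.15 2017/01/29 17:49:22 beck Exp $ */
+/* $OpenBSD: bn_gcd.c,v 1.16 2021/12/26 15:16:50 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -576,6 +576,9 @@ BN_mod_inverse_no_branch(BIGNUM *in, const BIGNUM *a, const BIGNUM *n,
 bn_check_top(a);
 bn_check_top(n);
 
+BN_init(&local_A);
+BN_init(&local_B);
+
 BN_CTX_start(ctx);
 if ((A = BN_CTX_get(ctx)) == NULL)
 goto err;
@@ -608,10 +611,12 @@ BN_mod_inverse_no_branch(BIGNUM *in, const BIGNUM *a, const BIGNUM *n,
 A->neg = 0;
 
 if (B->neg || (BN_ucmp(B, A) >= 0)) {
-/* Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked,
-* BN_div_no_branch will be called eventually.
-*/
+/*
+* Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked,
+* BN_div_no_branch will be called eventually.
+*/
 pB = &local_B;
+/* BN_init() done at the top of the function. */
 BN_with_flags(pB, B, BN_FLG_CONSTTIME);
 if (!BN_nnmod(B, pB, A, ctx))
 goto err;
@@ -633,10 +638,12 @@ BN_mod_inverse_no_branch(BIGNUM *in, const BIGNUM *a, const BIGNUM *n,
 * sign*Y*a == A (mod |n|)
 */
 
-/* Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked,
-* BN_div_no_branch will be called eventually.
-*/
+/*
+* Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked,
+* BN_div_no_branch will be called eventually.
+*/
 pA = &local_A;
+/* BN_init() done at the top of the function. */
 BN_with_flags(pA, A, BN_FLG_CONSTTIME);
 
 /* (D, M) := (A/B, A%B) ... */
@@ -740,6 +747,9 @@ BN_gcd_no_branch(BIGNUM *in, const BIGNUM *a, const BIGNUM *n,
 goto err;
 R = in;
 
+BN_init(&local_A);
+BN_init(&local_B);
+
 bn_check_top(a);
 bn_check_top(n);
 
@@ -768,10 +778,12 @@ BN_gcd_no_branch(BIGNUM *in, const BIGNUM *a, const BIGNUM *n,
 A->neg = 0;
 
 if (B->neg || (BN_ucmp(B, A) >= 0)) {
-/* Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked,
-* BN_div_no_branch will be called eventually.
-*/
+/*
+* Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked,
+* BN_div_no_branch will be called eventually.
+*/
 pB = &local_B;
+/* BN_init() done at the top of the function. */
 BN_with_flags(pB, B, BN_FLG_CONSTTIME);
 if (!BN_nnmod(B, pB, A, ctx))
 goto err;
@@ -793,10 +805,12 @@ BN_gcd_no_branch(BIGNUM *in, const BIGNUM *a, const BIGNUM *n,
 * sign*Y*a == A (mod |n|)
 */
 
-/* Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked,
-* BN_div_no_branch will be called eventually.
-*/
+/*
+* Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked,
+* BN_div_no_branch will be called eventually.
+*/
 pA = &local_A;
+/* BN_init() done at the top of the function. */
 BN_with_flags(pA, A, BN_FLG_CONSTTIME);
 
 /* (D, M) := (A/B, A%B) ... */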
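Review bot: The comment `/* BN_init() done at the top of the function. */` added before each BN_with_flags() call says where the init is but not why a struct that BN_with_flags() is about to overwrite needs it, which is the non-obvious part; I would replace it with `/* BN_with_flags() reads the destination's existing flags, so local_B must be initialised (BN_init() at the top of the function). */`, and the same wording fits the BN_init() calls added in rsa_eay.c and rsa_gen.c in this commit. The placement of the two BN_init() calls also differs between the otherwise parallel bodies — after bn_check_top() and before BN_CTX_start() in BN_mod_inverse_no_branch, before bn_check_top() in BN_gcd_no_branch — which is harmless but makes the two functions harder to diff against each other. Both functions start and end outside these hunks, so I could not confirm that local_A and local_B, which only alias A's and B's limbs after BN_with_flags(), are kept away from BN_free() on the err path.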
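--- a/src/lib/libcrypto/rsa/rsa_eay.c
+++ b/src/lib/libcrypto/rsa/rsa_eay.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_eay.c,v 1.51 2019/11/02 13:52:31 jsing Exp $ */
+/* $OpenBSD: rsa_eay.c,v 1.52 2021/12/26 15:16:50 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -753,6 +753,7 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
 goto err;
 
 /* compute I mod p */
+BN_init(&c);
 BN_with_flags(&c, I, BN_FLG_CONSTTIME);
 
 if (!BN_mod_ct(r1, &c, rsa->p, ctx))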
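Review bot: The `/* compute I mod p */` comment now heads the added `BN_init(&c);` rather than the BN_mod_ct() call it describes; either put `BN_init(&c);` above the comment or widen it to `/* compute I mod p, via a const-time view c of I */`. After BN_with_flags() the stack BIGNUM `c` only aliases I's limbs, so the err path of RSA_eay_mod_exp must not free or clear `c` — worth confirming, since the function starts and ends outside this hunk.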
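--- a/src/lib/libcrypto/rsa/rsa_gen.c
+++ b/src/lib/libcrypto/rsa/rsa_gen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_gen.c,v 1.22 2017/01/29 17:49:23 beck Exp $ */
+/* $OpenBSD: rsa_gen.c,v 1.23 2021/12/26 15:16:50 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -194,12 +194,14 @@ rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
 if (!BN_mul(r0, r1, r2, ctx)) /* (p-1)(q-1) */
 goto err;
 
+BN_init(&pr0);
 BN_with_flags(&pr0, r0, BN_FLG_CONSTTIME);
 
 if (!BN_mod_inverse_ct(rsa->d, rsa->e, &pr0, ctx)) /* d */
 goto err;
 
 /* set up d for correct BN_FLG_CONSTTIME flag */
+BN_init(&d);
 BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME);
 
 /* calculate d mod (p-1) */
@@ -211,6 +213,7 @@ rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
 goto err;
 
 /* calculate inverse of q mod p */
+BN_init(&p);
 BN_with_flags(&p, rsa->p, BN_FLG_CONSTTIME);
 if (!BN_mod_inverse_ct(rsa->iqmp, rsa->q, &p, ctx))
 goto err;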
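Review bot: The locals `d` and `p` initialised here read like the key components themselves although they are only const-time views of rsa->d and rsa->p (and `pr0` of r0) set up by BN_with_flags(); a comment at the first of the three, `/* pr0, d, p are stack views aliasing r0, rsa->d, rsa->p via BN_with_flags(); do not free them */`, would make the ownership clear. These three BN_init() calls sit directly before their BN_with_flags(), unlike bn_gcd.c in the same commit, which initialises at the top of the function and points back with a comment; either convention works, but picking one would keep the commit uniform. rsa_builtin_keygen starts and ends outside these hunks, so I could not check how the err path treats these views.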
