X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=crypto%2Fbn%2Fbn_blind.c;h=7ca13bb31e6ce1635d1fe61787617139a76a328f;hp=d2bba48b0d14c423a177640a04d90f741f1584fc;hb=b51bce942023325e727ca4225252d06c49d8f2b7;hpb=7cc684f4f7fbcdc5cf4683eaf025d4f915acbf3c;ds=sidebyside diff --git a/crypto/bn/bn_blind.c b/crypto/bn/bn_blind.c index d2bba48b0d..7ca13bb31e 100644 --- a/crypto/bn/bn_blind.c +++ b/crypto/bn/bn_blind.c @@ -7,7 +7,7 @@ * are met: * * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in @@ -58,21 +58,21 @@ * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. - * + * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * + * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -87,10 +87,10 @@ * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from + * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * + * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE @@ -102,280 +102,275 @@ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. - * + * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ -#include -#include "cryptlib.h" +#include "internal/cryptlib.h" #include "bn_lcl.h" -#define OPENSSL_FIPSAPI - -#ifdef OPENSSL_FIPS -#include -#endif +#define BN_BLINDING_COUNTER 32 -#define BN_BLINDING_COUNTER 32 - -struct bn_blinding_st - { - BIGNUM *A; - BIGNUM *Ai; - BIGNUM *e; - BIGNUM *mod; /* just a reference */ +struct bn_blinding_st { + BIGNUM *A; + BIGNUM *Ai; + BIGNUM *e; + BIGNUM *mod; /* just a reference */ #ifndef OPENSSL_NO_DEPRECATED - unsigned long thread_id; /* added in OpenSSL 0.9.6j and 0.9.7b; - * used only by crypto/rsa/rsa_eay.c, rsa_lib.c */ + unsigned long thread_id; /* added in OpenSSL 0.9.6j and 0.9.7b; used + * only by crypto/rsa/rsa_eay.c, rsa_lib.c */ #endif - CRYPTO_THREADID tid; - unsigned int counter; - unsigned long flags; - BN_MONT_CTX *m_ctx; - int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, - const BIGNUM *m, BN_CTX *ctx, - BN_MONT_CTX *m_ctx); - }; + CRYPTO_THREADID tid; + int counter; + unsigned long flags; + BN_MONT_CTX *m_ctx; + int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p, + const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); +}; BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod) - { - BN_BLINDING *ret=NULL; - - bn_check_top(mod); - - if ((ret=(BN_BLINDING *)OPENSSL_malloc(sizeof(BN_BLINDING))) == NULL) - { - BNerr(BN_F_BN_BLINDING_NEW,ERR_R_MALLOC_FAILURE); - return(NULL); - } - memset(ret,0,sizeof(BN_BLINDING)); - if (A != NULL) - { - if ((ret->A = BN_dup(A)) == NULL) goto err; - } - if (Ai != NULL) - { - if ((ret->Ai = BN_dup(Ai)) == NULL) goto err; - } - - /* save a copy of mod in the BN_BLINDING structure */ - if ((ret->mod = BN_dup(mod)) == NULL) goto err; - if (BN_get_flags(mod, BN_FLG_CONSTTIME) != 0) - BN_set_flags(ret->mod, BN_FLG_CONSTTIME); - - ret->counter = BN_BLINDING_COUNTER; - CRYPTO_THREADID_current(&ret->tid); - return(ret); -err: - if (ret != NULL) BN_BLINDING_free(ret); - return(NULL); - } +{ + BN_BLINDING *ret = NULL; + + bn_check_top(mod); + + if ((ret = OPENSSL_zalloc(sizeof(*ret))) == NULL) { + BNerr(BN_F_BN_BLINDING_NEW, ERR_R_MALLOC_FAILURE); + return (NULL); + } + if (A != NULL) { + if ((ret->A = BN_dup(A)) == NULL) + goto err; + } + if (Ai != NULL) { + if ((ret->Ai = BN_dup(Ai)) == NULL) + goto err; + } + + /* save a copy of mod in the BN_BLINDING structure */ + if ((ret->mod = BN_dup(mod)) == NULL) + goto err; + if (BN_get_flags(mod, BN_FLG_CONSTTIME) != 0) + BN_set_flags(ret->mod, BN_FLG_CONSTTIME); + + /* + * Set the counter to the special value -1 to indicate that this is + * never-used fresh blinding that does not need updating before first + * use. + */ + ret->counter = -1; + CRYPTO_THREADID_current(&ret->tid); + return (ret); + err: + BN_BLINDING_free(ret); + return (NULL); +} void BN_BLINDING_free(BN_BLINDING *r) - { - if(r == NULL) - return; - - if (r->A != NULL) BN_free(r->A ); - if (r->Ai != NULL) BN_free(r->Ai); - if (r->e != NULL) BN_free(r->e ); - if (r->mod != NULL) BN_free(r->mod); - OPENSSL_free(r); - } +{ + if (r == NULL) + return; + + BN_free(r->A); + BN_free(r->Ai); + BN_free(r->e); + BN_free(r->mod); + OPENSSL_free(r); +} int BN_BLINDING_update(BN_BLINDING *b, BN_CTX *ctx) - { - int ret=0; - - if ((b->A == NULL) || (b->Ai == NULL)) - { - BNerr(BN_F_BN_BLINDING_UPDATE,BN_R_NOT_INITIALIZED); - goto err; - } - - if (--(b->counter) == 0 && b->e != NULL && - !(b->flags & BN_BLINDING_NO_RECREATE)) - { - /* re-create blinding parameters */ - if (!BN_BLINDING_create_param(b, NULL, NULL, ctx, NULL, NULL)) - goto err; - } - else if (!(b->flags & BN_BLINDING_NO_UPDATE)) - { - if (!BN_mod_mul(b->A,b->A,b->A,b->mod,ctx)) goto err; - if (!BN_mod_mul(b->Ai,b->Ai,b->Ai,b->mod,ctx)) goto err; - } - - ret=1; -err: - if (b->counter == 0) - b->counter = BN_BLINDING_COUNTER; - return(ret); - } +{ + int ret = 0; + + if ((b->A == NULL) || (b->Ai == NULL)) { + BNerr(BN_F_BN_BLINDING_UPDATE, BN_R_NOT_INITIALIZED); + goto err; + } + + if (b->counter == -1) + b->counter = 0; + + if (++b->counter == BN_BLINDING_COUNTER && b->e != NULL && + !(b->flags & BN_BLINDING_NO_RECREATE)) { + /* re-create blinding parameters */ + if (!BN_BLINDING_create_param(b, NULL, NULL, ctx, NULL, NULL)) + goto err; + } else if (!(b->flags & BN_BLINDING_NO_UPDATE)) { + if (!BN_mod_mul(b->A, b->A, b->A, b->mod, ctx)) + goto err; + if (!BN_mod_mul(b->Ai, b->Ai, b->Ai, b->mod, ctx)) + goto err; + } + + ret = 1; + err: + if (b->counter == BN_BLINDING_COUNTER) + b->counter = 0; + return (ret); +} int BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx) - { - return BN_BLINDING_convert_ex(n, NULL, b, ctx); - } +{ + return BN_BLINDING_convert_ex(n, NULL, b, ctx); +} int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b, BN_CTX *ctx) - { - int ret = 1; +{ + int ret = 1; - bn_check_top(n); + bn_check_top(n); - if ((b->A == NULL) || (b->Ai == NULL)) - { - BNerr(BN_F_BN_BLINDING_CONVERT_EX,BN_R_NOT_INITIALIZED); - return(0); - } + if ((b->A == NULL) || (b->Ai == NULL)) { + BNerr(BN_F_BN_BLINDING_CONVERT_EX, BN_R_NOT_INITIALIZED); + return (0); + } - if (r != NULL) - { - if (!BN_copy(r, b->Ai)) ret=0; - } + if (b->counter == -1) + /* Fresh blinding, doesn't need updating. */ + b->counter = 0; + else if (!BN_BLINDING_update(b, ctx)) + return (0); - if (!BN_mod_mul(n,n,b->A,b->mod,ctx)) ret=0; - - return ret; - } + if (r != NULL) { + if (!BN_copy(r, b->Ai)) + ret = 0; + } + + if (!BN_mod_mul(n, n, b->A, b->mod, ctx)) + ret = 0; + + return ret; +} int BN_BLINDING_invert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx) - { - return BN_BLINDING_invert_ex(n, NULL, b, ctx); - } - -int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b, BN_CTX *ctx) - { - int ret; - - bn_check_top(n); - if ((b->A == NULL) || (b->Ai == NULL)) - { - BNerr(BN_F_BN_BLINDING_INVERT_EX,BN_R_NOT_INITIALIZED); - return(0); - } - - if (r != NULL) - ret = BN_mod_mul(n, n, r, b->mod, ctx); - else - ret = BN_mod_mul(n, n, b->Ai, b->mod, ctx); - - if (ret >= 0) - { - if (!BN_BLINDING_update(b,ctx)) - return(0); - } - bn_check_top(n); - return(ret); - } +{ + return BN_BLINDING_invert_ex(n, NULL, b, ctx); +} + +int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b, + BN_CTX *ctx) +{ + int ret; + + bn_check_top(n); + + if (r != NULL) + ret = BN_mod_mul(n, n, r, b->mod, ctx); + else { + if (b->Ai == NULL) { + BNerr(BN_F_BN_BLINDING_INVERT_EX, BN_R_NOT_INITIALIZED); + return (0); + } + ret = BN_mod_mul(n, n, b->Ai, b->mod, ctx); + } + + bn_check_top(n); + return (ret); +} #ifndef OPENSSL_NO_DEPRECATED unsigned long BN_BLINDING_get_thread_id(const BN_BLINDING *b) - { - return b->thread_id; - } +{ + return b->thread_id; +} void BN_BLINDING_set_thread_id(BN_BLINDING *b, unsigned long n) - { - b->thread_id = n; - } +{ + b->thread_id = n; +} #endif CRYPTO_THREADID *BN_BLINDING_thread_id(BN_BLINDING *b) - { - return &b->tid; - } +{ + return &b->tid; +} unsigned long BN_BLINDING_get_flags(const BN_BLINDING *b) - { - return b->flags; - } +{ + return b->flags; +} void BN_BLINDING_set_flags(BN_BLINDING *b, unsigned long flags) - { - b->flags = flags; - } +{ + b->flags = flags; +} BN_BLINDING *BN_BLINDING_create_param(BN_BLINDING *b, - const BIGNUM *e, BIGNUM *m, BN_CTX *ctx, - int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, - const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx), - BN_MONT_CTX *m_ctx) + const BIGNUM *e, BIGNUM *m, BN_CTX *ctx, + int (*bn_mod_exp) (BIGNUM *r, + const BIGNUM *a, + const BIGNUM *p, + const BIGNUM *m, + BN_CTX *ctx, + BN_MONT_CTX *m_ctx), + BN_MONT_CTX *m_ctx) { - int retry_counter = 32; - BN_BLINDING *ret = NULL; - - if (b == NULL) - ret = BN_BLINDING_new(NULL, NULL, m); - else - ret = b; - - if (ret == NULL) - goto err; - - if (ret->A == NULL && (ret->A = BN_new()) == NULL) - goto err; - if (ret->Ai == NULL && (ret->Ai = BN_new()) == NULL) - goto err; - - if (e != NULL) - { - if (ret->e != NULL) - BN_free(ret->e); - ret->e = BN_dup(e); - } - if (ret->e == NULL) - goto err; - - if (bn_mod_exp != NULL) - ret->bn_mod_exp = bn_mod_exp; - if (m_ctx != NULL) - ret->m_ctx = m_ctx; - - do { - int rv; - if (!BN_rand_range(ret->A, ret->mod)) goto err; - if (!int_bn_mod_inverse(ret->Ai, ret->A, ret->mod, ctx, &rv)) - { - /* this should almost never happen for good RSA keys */ - if (rv) - { - if (retry_counter-- == 0) - { - BNerr(BN_F_BN_BLINDING_CREATE_PARAM, - BN_R_TOO_MANY_ITERATIONS); - goto err; - } - } - else - goto err; - } - else - break; - } while (1); - - if (ret->bn_mod_exp != NULL && ret->m_ctx != NULL) - { - if (!ret->bn_mod_exp(ret->A, ret->A, ret->e, ret->mod, ctx, ret->m_ctx)) - goto err; - } - else - { - if (!BN_mod_exp(ret->A, ret->A, ret->e, ret->mod, ctx)) - goto err; - } - - return ret; -err: - if (b == NULL && ret != NULL) - { - BN_BLINDING_free(ret); - ret = NULL; - } - - return ret; + int retry_counter = 32; + BN_BLINDING *ret = NULL; + + if (b == NULL) + ret = BN_BLINDING_new(NULL, NULL, m); + else + ret = b; + + if (ret == NULL) + goto err; + + if (ret->A == NULL && (ret->A = BN_new()) == NULL) + goto err; + if (ret->Ai == NULL && (ret->Ai = BN_new()) == NULL) + goto err; + + if (e != NULL) { + BN_free(ret->e); + ret->e = BN_dup(e); + } + if (ret->e == NULL) + goto err; + + if (bn_mod_exp != NULL) + ret->bn_mod_exp = bn_mod_exp; + if (m_ctx != NULL) + ret->m_ctx = m_ctx; + + do { + int rv; + if (!BN_rand_range(ret->A, ret->mod)) + goto err; + if (!int_bn_mod_inverse(ret->Ai, ret->A, ret->mod, ctx, &rv)) { + /* + * this should almost never happen for good RSA keys + */ + if (rv) { + if (retry_counter-- == 0) { + BNerr(BN_F_BN_BLINDING_CREATE_PARAM, + BN_R_TOO_MANY_ITERATIONS); + goto err; + } + } else + goto err; + } else + break; + } while (1); + + if (ret->bn_mod_exp != NULL && ret->m_ctx != NULL) { + if (!ret->bn_mod_exp + (ret->A, ret->A, ret->e, ret->mod, ctx, ret->m_ctx)) + goto err; + } else { + if (!BN_mod_exp(ret->A, ret->A, ret->e, ret->mod, ctx)) + goto err; + } + + return ret; + err: + if (b == NULL) { + BN_BLINDING_free(ret); + ret = NULL; + } + + return ret; }