Implement internally opaque bn access from rsa
authorMatt Caswell <matt@openssl.org>
Tue, 28 Oct 2014 23:00:29 +0000 (23:00 +0000)
committerMatt Caswell <matt@openssl.org>
Mon, 8 Dec 2014 21:40:57 +0000 (21:40 +0000)
Reviewed-by: Tim Hudson <tjh@openssl.org>
crypto/rsa/Makefile
crypto/rsa/rsa_crpt.c
crypto/rsa/rsa_depr.c
crypto/rsa/rsa_eay.c
crypto/rsa/rsa_gen.c
crypto/rsa/rsa_lib.c
crypto/rsa/rsa_pmeth.c

index bcf753c..18b172c 100644 (file)
@@ -127,7 +127,8 @@ rsa_crpt.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 rsa_crpt.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 rsa_crpt.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
 rsa_crpt.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-rsa_crpt.o: ../../include/openssl/symhacks.h ../cryptlib.h rsa_crpt.c
+rsa_crpt.o: ../../include/openssl/symhacks.h ../cryptlib.h
+rsa_crpt.o: ../include/internal/bn_int.h rsa_crpt.c
 rsa_depr.o: ../../e_os.h ../../include/openssl/asn1.h
 rsa_depr.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 rsa_depr.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
@@ -145,7 +146,8 @@ rsa_eay.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 rsa_eay.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 rsa_eay.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
 rsa_eay.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-rsa_eay.o: ../../include/openssl/symhacks.h ../cryptlib.h rsa_eay.c
+rsa_eay.o: ../../include/openssl/symhacks.h ../cryptlib.h
+rsa_eay.o: ../include/internal/bn_int.h rsa_eay.c
 rsa_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 rsa_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 rsa_err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
@@ -176,7 +178,7 @@ rsa_lib.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
 rsa_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 rsa_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 rsa_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-rsa_lib.o: ../cryptlib.h rsa_lib.c
+rsa_lib.o: ../cryptlib.h ../include/internal/bn_int.h rsa_lib.c
 rsa_none.o: ../../e_os.h ../../include/openssl/asn1.h
 rsa_none.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 rsa_none.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
index 78b8fce..bd58b20 100644 (file)
@@ -62,7 +62,7 @@
 #include <openssl/crypto.h>
 #include "cryptlib.h"
 #include <openssl/lhash.h>
-#include <openssl/bn.h>
+#include "internal/bn_int.h"
 #include <openssl/rsa.h>
 #include <openssl/rand.h>
 
@@ -156,7 +156,7 @@ err:
 
 BN_BLINDING *RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx)
 {
-       BIGNUM local_n;
+       BIGNUM *local_n = NULL;
        BIGNUM *e,*n;
        BN_CTX *ctx;
        BN_BLINDING *ret = NULL;
@@ -189,17 +189,22 @@ BN_BLINDING *RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx)
                e = rsa->e;
 
        
-       if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL)
+       if ((RAND_status() == 0) && rsa->d != NULL && bn_get_words(rsa->d) != NULL)
                {
                /* if PRNG is not properly seeded, resort to secret
                 * exponent as unpredictable seed */
-               RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0.0);
+               RAND_add(bn_get_words(rsa->d), bn_get_dmax(rsa->d) * sizeof(BN_ULONG), 0.0);
                }
 
        if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
                {
                /* Set BN_FLG_CONSTTIME flag */
-               n = &local_n;
+               local_n = n = BN_new();
+               if(!local_n)
+                       {
+                       RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_MALLOC_FAILURE);
+                       goto err;
+                       }
                BN_with_flags(n, rsa->n, BN_FLG_CONSTTIME);
                }
        else
@@ -219,6 +224,8 @@ err:
                BN_CTX_free(ctx);
        if(rsa->e == NULL)
                BN_free(e);
+       if(local_n)
+               BN_free(local_n);
 
        return ret;
 }
index a859ded..cd57086 100644 (file)
@@ -71,12 +71,12 @@ static void *dummy=&dummy;
 RSA *RSA_generate_key(int bits, unsigned long e_value,
             void (*callback)(int,int,void *), void *cb_arg)
        {
-       BN_GENCB cb;
        int i;
+       BN_GENCB *cb = BN_GENCB_new();
        RSA *rsa = RSA_new();
        BIGNUM *e = BN_new();
 
-       if(!rsa || !e) goto err;
+       if(!cb || !rsa || !e) goto err;
 
        /* The problem is when building with 8, 16, or 32 BN_ULONG,
         * unsigned long can be larger */
@@ -87,15 +87,17 @@ RSA *RSA_generate_key(int bits, unsigned long e_value,
                                goto err;
                }
 
-       BN_GENCB_set_old(&cb, callback, cb_arg);
+       BN_GENCB_set_old(cb, callback, cb_arg);
 
-       if(RSA_generate_key_ex(rsa, bits, e, &cb)) {
+       if(RSA_generate_key_ex(rsa, bits, e, cb)) {
                BN_free(e);
+               BN_GENCB_free(cb);
                return rsa;
        }
 err:
        if(e) BN_free(e);
        if(rsa) RSA_free(rsa);
+       if(cb) BN_GENCB_free(cb);
        return 0;
        }
 #endif
index 80dab8a..3e08fe7 100644 (file)
 
 
 #include "cryptlib.h"
-#include <openssl/bn.h>
+#include "internal/bn_int.h"
 #include <openssl/rsa.h>
 #include <openssl/rand.h>
 
@@ -433,13 +433,16 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
                }
        else
                {
-               BIGNUM local_d;
-               BIGNUM *d = NULL;
+               BIGNUM *d = NULL, *local_d = NULL;
                
                if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
                        {
-                       BN_init(&local_d);
-                       d = &local_d;
+                       local_d = d = BN_new();
+                       if(!d)
+                               {
+                               RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE);
+                               goto err;
+                               }
                        BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
                        }
                else
@@ -447,10 +450,18 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
 
                if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
                        if(!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
+                               {
+                               if(local_d) BN_free(local_d);
                                goto err;
+                               }
 
                if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx,
-                               rsa->_method_mod_n)) goto err;
+                               rsa->_method_mod_n))
+                       {
+                       if(local_d) BN_free(local_d);
+                       goto err;
+                       }
+               if(local_d) BN_free(local_d);
                }
 
        if (blinding)
@@ -567,12 +578,16 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
                }
        else
                {
-               BIGNUM local_d;
-               BIGNUM *d = NULL;
+               BIGNUM *d = NULL, *local_d = NULL;
                
                if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
                        {
-                       d = &local_d;
+                       local_d = d = BN_new();
+                       if(!d)
+                               {
+                               RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE);
+                               goto err;
+                               }
                        BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
                        }
                else
@@ -580,10 +595,17 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
 
                if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
                        if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
+                               {
+                               if(local_d) BN_free(local_d);
                                goto err;
+                               }
                if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx,
                                rsa->_method_mod_n))
-                 goto err;
+                       {
+                       if(local_d) BN_free(local_d);
+                       goto err;
+                       }
+               if(local_d) BN_free(local_d);
                }
 
        if (blinding)
@@ -697,7 +719,7 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
        if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx,
                rsa->_method_mod_n)) goto err;
 
-       if ((padding == RSA_X931_PADDING) && ((ret->d[0] & 0xf) != 12))
+       if ((padding == RSA_X931_PADDING) && ((bn_get_words(ret)[0] & 0xf) != 12))
                if (!BN_sub(ret, rsa->n, ret)) goto err;
 
        p=buf;
@@ -738,17 +760,25 @@ err:
 static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
        {
        BIGNUM *r1,*m1,*vrfy;
-       BIGNUM local_dmp1,local_dmq1,local_c,local_r1;
+       BIGNUM *local_dmp1, *local_dmq1, *local_c, *local_r1;
        BIGNUM *dmp1,*dmq1,*c,*pr1;
        int ret=0;
 
+
+       local_dmp1 = BN_new();
+       local_dmq1 = BN_new();
+       local_c = BN_new();
+       local_r1 = BN_new();
+       if(!local_dmp1 || !local_dmq1 || !local_c || !local_r1)
+               goto err;
+
        BN_CTX_start(ctx);
        r1 = BN_CTX_get(ctx);
        m1 = BN_CTX_get(ctx);
        vrfy = BN_CTX_get(ctx);
 
        {
-               BIGNUM local_p, local_q;
+               BIGNUM *local_p = NULL, *local_q = NULL;
                BIGNUM *p = NULL, *q = NULL;
 
                /* Make sure BN_mod_inverse in Montgomery intialization uses the
@@ -756,12 +786,16 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
                 */
                if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
                        {
-                       BN_init(&local_p);
-                       p = &local_p;
+                       local_p = p = BN_new();
+                       if(!p) goto err;
                        BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
 
-                       BN_init(&local_q);
-                       q = &local_q;
+                       local_q = q = BN_new();
+                       if(!q)
+                               {
+                               BN_free(local_p);
+                               goto err;
+                               }
                        BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
                        }
                else
@@ -772,11 +806,15 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
 
                if (rsa->flags & RSA_FLAG_CACHE_PRIVATE)
                        {
-                       if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, CRYPTO_LOCK_RSA, p, ctx))
-                               goto err;
-                       if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q, CRYPTO_LOCK_RSA, q, ctx))
+                       if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, CRYPTO_LOCK_RSA, p, ctx) || !BN_MONT_CTX_set_locked(&rsa->_method_mod_q, CRYPTO_LOCK_RSA, q, ctx))
+                               {
+                               if(local_p) BN_free(local_p);
+                               if(local_q) BN_free(local_q);
                                goto err;
+                               }
                        }
+               if(local_p) BN_free(local_p);
+               if(local_q) BN_free(local_q);
        }
 
        if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
@@ -786,7 +824,7 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
        /* compute I mod q */
        if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
                {
-               c = &local_c;
+               c = local_c;
                BN_with_flags(c, I, BN_FLG_CONSTTIME);
                if (!BN_mod(r1,c,rsa->q,ctx)) goto err;
                }
@@ -798,7 +836,7 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
        /* compute r1^dmq1 mod q */
        if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
                {
-               dmq1 = &local_dmq1;
+               dmq1 = local_dmq1;
                BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
                }
        else
@@ -809,7 +847,7 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
        /* compute I mod p */
        if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
                {
-               c = &local_c;
+               c = local_c;
                BN_with_flags(c, I, BN_FLG_CONSTTIME);
                if (!BN_mod(r1,c,rsa->p,ctx)) goto err;
                }
@@ -821,7 +859,7 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
        /* compute r1^dmp1 mod p */
        if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
                {
-               dmp1 = &local_dmp1;
+               dmp1 = local_dmp1;
                BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
                }
        else
@@ -840,7 +878,7 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
        /* Turn BN_FLG_CONSTTIME flag on before division operation */
        if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
                {
-               pr1 = &local_r1;
+               pr1 = local_r1;
                BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
                }
        else
@@ -876,22 +914,33 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
                         * miscalculated CRT output, just do a raw (slower)
                         * mod_exp and return that instead. */
 
-                       BIGNUM local_d;
+                       BIGNUM *local_d = NULL;
                        BIGNUM *d = NULL;
                
                        if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
                                {
-                               d = &local_d;
+                               local_d = d = BN_new();
+                               if(!d) goto err;
                                BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
                                }
                        else
                                d = rsa->d;
                        if (!rsa->meth->bn_mod_exp(r0,I,d,rsa->n,ctx,
-                                                  rsa->_method_mod_n)) goto err;
+                                                  rsa->_method_mod_n))
+                               {
+                               if(local_d) BN_free(local_d);
+                               goto err;
+                               }
+
+                       if(local_d) BN_free(local_d);
                        }
                }
        ret=1;
 err:
+       if(local_dmp1) BN_free(local_dmp1);
+       if(local_dmq1) BN_free(local_dmq1);
+       if(local_c) BN_free(local_c);
+       if(local_r1) BN_free(local_r1);
        BN_CTX_end(ctx);
        return(ret);
        }
index bf7ac34..2a716ae 100644 (file)
@@ -87,11 +87,17 @@ int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
 static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
        {
        BIGNUM *r0=NULL,*r1=NULL,*r2=NULL,*r3=NULL,*tmp;
-       BIGNUM local_r0,local_d,local_p;
+       BIGNUM *local_r0, *local_d, *local_p;
        BIGNUM *pr0,*d,*p;
        int bitsp,bitsq,ok= -1,n=0;
        BN_CTX *ctx=NULL;
 
+       local_r0 = BN_new();
+       local_d = BN_new();
+       local_p = BN_new();
+       if(!local_r0 || !local_d || !local_p)
+               goto err;
+
        ctx=BN_CTX_new();
        if (ctx == NULL) goto err;
        BN_CTX_start(ctx);
@@ -171,7 +177,7 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
        if (!BN_mul(r0,r1,r2,ctx)) goto err;    /* (p-1)(q-1) */
        if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
                {
-                 pr0 = &local_r0;
+                 pr0 = local_r0;
                  BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
                }
        else
@@ -181,7 +187,7 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
        /* set up d for correct BN_FLG_CONSTTIME flag */
        if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
                {
-               d = &local_d;
+               d = local_d;
                BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
                }
        else
@@ -196,7 +202,7 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
        /* calculate inverse of q mod p */
        if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
                {
-               p = &local_p;
+               p = local_p;
                BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
                }
        else
@@ -205,6 +211,9 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
 
        ok=1;
 err:
+       if(local_r0) BN_free(local_r0);
+       if(local_d) BN_free(local_d);
+       if(local_p) BN_free(local_p);
        if (ok == -1)
                {
                RSAerr(RSA_F_RSA_BUILTIN_KEYGEN,ERR_LIB_BN);
index ba277ca..37c0f4e 100644 (file)
@@ -60,7 +60,7 @@
 #include <openssl/crypto.h>
 #include "cryptlib.h"
 #include <openssl/lhash.h>
-#include <openssl/bn.h>
+#include "internal/bn_int.h"
 #include <openssl/rsa.h>
 #include <openssl/rand.h>
 #ifndef OPENSSL_NO_ENGINE
@@ -290,27 +290,27 @@ int RSA_memory_lock(RSA *r)
        t[3]= &r->dmp1;
        t[4]= &r->dmq1;
        t[5]= &r->iqmp;
-       k=sizeof(BIGNUM)*6;
+       k=bn_sizeof_BIGNUM()*6;
        off=k/sizeof(BN_ULONG)+1;
        j=1;
        for (i=0; i<6; i++)
-               j+= (*t[i])->top;
+               j+= bn_get_top(*t[i]);
        if ((p=OPENSSL_malloc_locked((off+j)*sizeof(BN_ULONG))) == NULL)
                {
                RSAerr(RSA_F_RSA_MEMORY_LOCK,ERR_R_MALLOC_FAILURE);
                return(0);
                }
+       memset(p, 0, (off+j)*sizeof(BN_ULONG));
        bn=(BIGNUM *)p;
        ul=(BN_ULONG *)&(p[off]);
        for (i=0; i<6; i++)
                {
                b= *(t[i]);
-               *(t[i])= &(bn[i]);
-               memcpy((char *)&(bn[i]),(char *)b,sizeof(BIGNUM));
-               bn[i].flags=BN_FLG_STATIC_DATA;
-               bn[i].d=ul;
-               memcpy((char *)ul,b->d,sizeof(BN_ULONG)*b->top);
-               ul+=b->top;
+               *(t[i])= bn_array_el(bn, i);
+               memcpy((char *)bn_array_el(bn, i),(char *)b,bn_sizeof_BIGNUM());
+               memcpy((char *)ul,bn_get_words(b),sizeof(BN_ULONG)*bn_get_top(b));
+               bn_set_static_words(bn_array_el(bn, i), ul, bn_get_top(b));
+               ul+=bn_get_top(b);
                BN_clear_free(b);
                }
        
index 6511278..868be91 100644 (file)
@@ -716,7 +716,7 @@ static int pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
        {
        RSA *rsa = NULL;
        RSA_PKEY_CTX *rctx = ctx->data;
-       BN_GENCB *pcb, cb;
+       BN_GENCB *pcb;
        int ret;
        if (!rctx->pub_exp)
                {
@@ -729,12 +729,18 @@ static int pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
                return 0;
        if (ctx->pkey_gencb)
                {
-               pcb = &cb;
+               pcb = BN_GENCB_new();
+               if(!pcb)
+                       {
+                       RSA_free(rsa);
+                       return 0;
+                       }
                evp_pkey_set_cb_translate(pcb, ctx);
                }
        else
                pcb = NULL;
        ret = RSA_generate_key_ex(rsa, rctx->nbits, rctx->pub_exp, pcb);
+       BN_GENCB_free(pcb);
        if (ret > 0)
                EVP_PKEY_assign_RSA(pkey, rsa);
        else