-/* $OpenBSD: dh.h,v 1.16 2014/06/12 15:49:28 deraadt Exp $ */
+/* $OpenBSD: dh.h,v 1.17 2016/06/30 02:02:06 bcook Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
#endif
#define DH_FLAG_CACHE_MONT_P 0x01
-#define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH
- * implementation now uses constant time
- * modular exponentiation for secret exponents
- * by default. This flag causes the
- * faster variable sliding window method to
- * be used for all exponents.
- */
/* If this flag is set the DH method is FIPS compliant and can be used
* in FIPS mode. This is set in the validated module method. If an
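Review bot: Deleting DH_FLAG_NO_EXP_CONSTTIME from the public header (and likewise RSA_FLAG_NO_CONSTTIME in rsa.h and DSA_FLAG_NO_EXP_CONSTTIME in dsa.h further down) turns every application that still references the name into a compile error, while a binary that already ORs the old value into `flags` keeps doing so silently. dsa.h had handled the same retirement by keeping the macro defined as a no-op (`0x00 /* Does nothing. ... */`), which is the more compatible pattern. If the names are to go, at least reserve the retired bit values so a future flag is not assigned 0x02 or 0x0100 and picked up by stale callers, e.g. `/* 0x02 was DH_FLAG_NO_EXP_CONSTTIME; do not reuse. */`. Whether any in-tree consumers still reference these names is not visible from this diff.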
-/* $OpenBSD: dh_key.c,v 1.23 2015/02/09 15:49:22 jsing Exp $ */
+/* $OpenBSD: dh_key.c,v 1.24 2016/06/30 02:02:06 bcook Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
}
{
- BIGNUM local_prk;
- BIGNUM *prk;
+ BIGNUM prk;
- if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) {
- BN_init(&local_prk);
- prk = &local_prk;
- BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
- } else
- prk = priv_key;
+ BN_with_flags(&prk, priv_key, BN_FLG_CONSTTIME);
- if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, prk, dh->p, ctx,
- mont))
+ if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, &prk, dh->p, ctx,
+ mont)) {
goto err;
+ }
}
-
+
dh->pub_key = pub_key;
dh->priv_key = priv_key;
ok = 1;
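Review bot: `BIGNUM prk;` at the top of this block is handed to BN_with_flags() without the BN_init() the old code ran on `local_prk`, so every member of the local is indeterminate when BN_with_flags() runs. That is only safe if BN_with_flags() writes every member without reading one; as I recall the OpenSSL-derived implementation ORs in `dest->flags & BN_FLG_MALLOCED`, which would read an uninitialised int (no functional consequence here because the local is never freed, but MemorySanitizer/valgrind and -Wmaybe-uninitialized will report it), so please confirm against the BN_with_flags() definition. A one-line fix is `BIGNUM prk = { 0 };`, or keep `BN_init(&prk);` ahead of the call. The same pattern appears in dsa_key.c (`BIGNUM prk;`), rsa_crpt.c (`BIGNUM n;`), rsa_eay.c (`BIGNUM d;`, `BIGNUM dmp1, dmq1, c, pr1;`, `BIGNUM p, q;`) and rsa_gen.c (`BIGNUM pr0, d, p;`), where the old code was already inconsistent about calling BN_init(). The enclosing function starts before this hunk.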
if (dh->flags & DH_FLAG_CACHE_MONT_P) {
mont = BN_MONT_CTX_set_locked(&dh->method_mont_p,
CRYPTO_LOCK_DH, dh->p, ctx);
- if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) {
- /* XXX */
- BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
- }
+
+ BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
+
if (!mont)
goto err;
}
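Review bot: With the conditional gone, `BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);` now sits between the `BN_MONT_CTX_set_locked()` call and its `if (!mont) goto err;` check, so the error check is separated from the call it guards and the flag is also applied on the failing path. Moving the check up keeps them adjacent: `mont = BN_MONT_CTX_set_locked(&dh->method_mont_p, CRYPTO_LOCK_DH, dh->p, ctx); if (mont == NULL) goto err; BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);`. The call also permanently marks the caller-owned private key as constant-time, which looks intended but deserves the comment the removed `/* XXX */` was presumably standing in for, e.g. `/* Mark the private key constant-time for every later use of it. */`. The enclosing function starts before and continues after this hunk.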
dh_bn_mod_exp(const DH *dh, BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
{
- /*
- * If a is only one word long and constant time is false, use the faster
- * exponenentiation function.
- */
- if (a->top == 1 && (dh->flags & DH_FLAG_NO_EXP_CONSTTIME) != 0) {
- BN_ULONG A = a->d[0];
-
- return BN_mod_exp_mont_word(r, A, p, m, ctx, m_ctx);
- } else
- return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
+ return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
}
static int
-/* $OpenBSD: dsa.h,v 1.20 2016/06/21 04:16:53 bcook Exp $ */
+/* $OpenBSD: dsa.h,v 1.21 2016/06/30 02:02:06 bcook Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
#endif
#define DSA_FLAG_CACHE_MONT_P 0x01
-#define DSA_FLAG_NO_EXP_CONSTTIME 0x00 /* Does nothing. Previously this switched off
- * constant time behaviour.
- */
/* If this flag is set the DSA method is FIPS compliant and can be used
* in FIPS mode. This is set in the validated module method. If an
-/* $OpenBSD: dsa_key.c,v 1.21 2016/06/21 04:16:53 bcook Exp $ */
+/* $OpenBSD: dsa_key.c,v 1.22 2016/06/30 02:02:06 bcook Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
pub_key=dsa->pub_key;
{
- BIGNUM *prk = BN_new();
+ BIGNUM prk;
- if (prk == NULL)
- goto err;
-
- BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
+ BN_with_flags(&prk, priv_key, BN_FLG_CONSTTIME);
- if (!BN_mod_exp(pub_key, dsa->g, prk, dsa->p, ctx)) {
- BN_free(prk);
+ if (!BN_mod_exp(pub_key, dsa->g, &prk, dsa->p, ctx))
goto err;
- }
- BN_free(prk);
}
dsa->priv_key = priv_key;
-/* $OpenBSD: rsa.h,v 1.27 2015/02/14 15:10:39 miod Exp $ */
+/* $OpenBSD: rsa.h,v 1.28 2016/06/30 02:02:06 bcook Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
*/
#define RSA_FLAG_NO_BLINDING 0x0080
-/*
- * The built-in RSA implementation uses constant time operations by default
- * in private key operations, e.g., constant time modular exponentiation,
- * modular inverse without leaking branches, division without leaking branches.
- * This flag disables these constant time operations and results in faster RSA
- * private key operations.
- */
-#define RSA_FLAG_NO_CONSTTIME 0x0100
-
-
#define EVP_PKEY_CTX_set_rsa_padding(ctx, pad) \
EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, -1, EVP_PKEY_CTRL_RSA_PADDING, \
pad, NULL)
-/* $OpenBSD: rsa_crpt.c,v 1.14 2015/02/11 03:19:37 doug Exp $ */
+/* $OpenBSD: rsa_crpt.c,v 1.15 2016/06/30 02:02:06 bcook Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
BN_BLINDING *
RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx)
{
- BIGNUM local_n;
- BIGNUM *e, *n;
+ BIGNUM *e;
+ BIGNUM n;
BN_CTX *ctx;
BN_BLINDING *ret = NULL;
} else
e = rsa->e;
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- /* Set BN_FLG_CONSTTIME flag */
- n = &local_n;
- BN_with_flags(n, rsa->n, BN_FLG_CONSTTIME);
- } else
- n = rsa->n;
+ BN_with_flags(&n, rsa->n, BN_FLG_CONSTTIME);
- ret = BN_BLINDING_create_param(NULL, e, n, ctx, rsa->meth->bn_mod_exp,
+ ret = BN_BLINDING_create_param(NULL, e, &n, ctx, rsa->meth->bn_mod_exp,
rsa->_method_mod_n);
+
if (ret == NULL) {
RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_BN_LIB);
goto err;
-/* $OpenBSD: rsa_eay.c,v 1.40 2015/09/10 15:56:25 jsing Exp $ */
+/* $OpenBSD: rsa_eay.c,v 1.41 2016/06/30 02:02:06 bcook Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
if ((ctx = BN_CTX_new()) == NULL)
goto err;
+
BN_CTX_start(ctx);
f = BN_CTX_get(ctx);
ret = BN_CTX_get(ctx);
num = BN_num_bytes(rsa->n);
buf = malloc(num);
+
if (f == NULL || ret == NULL || buf == NULL) {
RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, ERR_R_MALLOC_FAILURE);
goto err;
if ((ctx = BN_CTX_new()) == NULL)
goto err;
+
BN_CTX_start(ctx);
f = BN_CTX_get(ctx);
ret = BN_CTX_get(ctx);
num = BN_num_bytes(rsa->n);
buf = malloc(num);
+
if (f == NULL || ret == NULL || buf == NULL) {
RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE);
goto err;
if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
goto err;
} else {
- BIGNUM local_d;
- BIGNUM *d = NULL;
+ BIGNUM d;
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- BN_init(&local_d);
- d = &local_d;
- BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
- } else
- d = rsa->d;
+ BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME);
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
CRYPTO_LOCK_RSA, rsa->n, ctx))
goto err;
- if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
- rsa->_method_mod_n))
+ if (!rsa->meth->bn_mod_exp(ret, f, &d, rsa->n, ctx,
+ rsa->_method_mod_n)) {
goto err;
+ }
}
if (blinding)
if ((ctx = BN_CTX_new()) == NULL)
goto err;
+
BN_CTX_start(ctx);
f = BN_CTX_get(ctx);
ret = BN_CTX_get(ctx);
num = BN_num_bytes(rsa->n);
buf = malloc(num);
+
if (!f || !ret || !buf) {
RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE);
goto err;
if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
goto err;
} else {
- BIGNUM local_d;
- BIGNUM *d = NULL;
+ BIGNUM d;
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- d = &local_d;
- BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
- } else
- d = rsa->d;
+ BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME);
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
CRYPTO_LOCK_RSA, rsa->n, ctx))
goto err;
- if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
- rsa->_method_mod_n))
+
+ if (!rsa->meth->bn_mod_exp(ret, f, &d, rsa->n, ctx,
+ rsa->_method_mod_n)) {
goto err;
+ }
}
if (blinding)
if ((ctx = BN_CTX_new()) == NULL)
goto err;
+
BN_CTX_start(ctx);
f = BN_CTX_get(ctx);
ret = BN_CTX_get(ctx);
num = BN_num_bytes(rsa->n);
buf = malloc(num);
+
if (!f || !ret || !buf) {
RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, ERR_R_MALLOC_FAILURE);
goto err;
RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
{
BIGNUM *r1, *m1, *vrfy;
- BIGNUM local_dmp1, local_dmq1, local_c, local_r1;
- BIGNUM *dmp1, *dmq1, *c, *pr1;
+ BIGNUM dmp1, dmq1, c, pr1;
int ret = 0;
BN_CTX_start(ctx);
}
{
- BIGNUM local_p, local_q;
- BIGNUM *p = NULL, *q = NULL;
+ BIGNUM p, q;
/*
* Make sure BN_mod_inverse in Montgomery intialization uses the
- * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set)
+ * BN_FLG_CONSTTIME flag
*/
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- BN_init(&local_p);
- p = &local_p;
- BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
-
- BN_init(&local_q);
- q = &local_q;
- BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
- } else {
- p = rsa->p;
- q = rsa->q;
- }
+ BN_with_flags(&p, rsa->p, BN_FLG_CONSTTIME);
+ BN_with_flags(&q, rsa->q, BN_FLG_CONSTTIME);
if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) {
if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p,
- CRYPTO_LOCK_RSA, p, ctx))
- goto err;
- if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q,
- CRYPTO_LOCK_RSA, q, ctx))
+ CRYPTO_LOCK_RSA, &p, ctx) ||
+ !BN_MONT_CTX_set_locked(&rsa->_method_mod_q,
+ CRYPTO_LOCK_RSA, &q, ctx)) {
goto err;
+ }
}
}
goto err;
/* compute I mod q */
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- c = &local_c;
- BN_with_flags(c, I, BN_FLG_CONSTTIME);
- if (!BN_mod(r1, c, rsa->q, ctx))
- goto err;
- } else {
- if (!BN_mod(r1, I, rsa->q, ctx))
- goto err;
- }
+ BN_with_flags(&c, I, BN_FLG_CONSTTIME);
+
+ if (!BN_mod(r1, &c, rsa->q, ctx))
+ goto err;
/* compute r1^dmq1 mod q */
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- dmq1 = &local_dmq1;
- BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
- } else
- dmq1 = rsa->dmq1;
- if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx,
+ BN_with_flags(&dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
+
+ if (!rsa->meth->bn_mod_exp(m1, r1, &dmq1, rsa->q, ctx,
rsa->_method_mod_q))
goto err;
/* compute I mod p */
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- c = &local_c;
- BN_with_flags(c, I, BN_FLG_CONSTTIME);
- if (!BN_mod(r1, c, rsa->p, ctx))
- goto err;
- } else {
- if (!BN_mod(r1, I, rsa->p, ctx))
- goto err;
- }
+ BN_with_flags(&c, I, BN_FLG_CONSTTIME);
+
+ if (!BN_mod(r1, &c, rsa->p, ctx))
+ goto err;
/* compute r1^dmp1 mod p */
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- dmp1 = &local_dmp1;
- BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
- } else
- dmp1 = rsa->dmp1;
- if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p, ctx,
+ BN_with_flags(&dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
+
+ if (!rsa->meth->bn_mod_exp(r0, r1, &dmp1, rsa->p, ctx,
rsa->_method_mod_p))
goto err;
if (!BN_sub(r0, r0, m1))
goto err;
+
/*
* This will help stop the size of r0 increasing, which does
* affect the multiply if it optimised for a power of 2 size
goto err;
/* Turn BN_FLG_CONSTTIME flag on before division operation */
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- pr1 = &local_r1;
- BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
- } else
- pr1 = r1;
- if (!BN_mod(r0, pr1, rsa->p, ctx))
+ BN_with_flags(&pr1, r1, BN_FLG_CONSTTIME);
+
+ if (!BN_mod(r0, &pr1, rsa->p, ctx))
goto err;
/*
* miscalculated CRT output, just do a raw (slower)
* mod_exp and return that instead.
*/
+ BIGNUM d;
- BIGNUM local_d;
- BIGNUM *d = NULL;
+ BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME);
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- d = &local_d;
- BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
- } else
- d = rsa->d;
- if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx,
- rsa->_method_mod_n))
+ if (!rsa->meth->bn_mod_exp(r0, I, &d, rsa->n, ctx,
+ rsa->_method_mod_n)) {
goto err;
+ }
}
}
ret = 1;
-/* $OpenBSD: rsa_gen.c,v 1.17 2015/02/09 15:49:22 jsing Exp $ */
+/* $OpenBSD: rsa_gen.c,v 1.18 2016/06/30 02:02:06 bcook Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
{
BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp;
- BIGNUM local_r0, local_d, local_p;
- BIGNUM *pr0, *d, *p;
+ BIGNUM pr0, d, p;
int bitsp, bitsq, ok = -1, n = 0;
BN_CTX *ctx = NULL;
goto err;
if (!BN_mul(r0, r1, r2, ctx)) /* (p-1)(q-1) */
goto err;
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- pr0 = &local_r0;
- BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
- } else
- pr0 = r0;
- if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx)) /* d */
+
+ BN_with_flags(&pr0, r0, BN_FLG_CONSTTIME);
+
+ if (!BN_mod_inverse(rsa->d, rsa->e, &pr0, ctx)) /* d */
goto err;
/* set up d for correct BN_FLG_CONSTTIME flag */
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- d = &local_d;
- BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
- } else
- d = rsa->d;
+ BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME);
/* calculate d mod (p-1) */
- if (!BN_mod(rsa->dmp1, d, r1, ctx))
+ if (!BN_mod(rsa->dmp1, &d, r1, ctx))
goto err;
/* calculate d mod (q-1) */
- if (!BN_mod(rsa->dmq1, d, r2, ctx))
+ if (!BN_mod(rsa->dmq1, &d, r2, ctx))
goto err;
/* calculate inverse of q mod p */
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- p = &local_p;
- BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
- } else
- p = rsa->p;
- if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx))
+ BN_with_flags(&p, rsa->p, BN_FLG_CONSTTIME);
+ if (!BN_mod_inverse(rsa->iqmp, rsa->q, &p, ctx))
goto err;
ok = 1;
-/* $OpenBSD: dh.h,v 1.16 2014/06/12 15:49:28 deraadt Exp $ */
+/* $OpenBSD: dh.h,v 1.17 2016/06/30 02:02:06 bcook Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
#endif
#define DH_FLAG_CACHE_MONT_P 0x01
-#define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH
- * implementation now uses constant time
- * modular exponentiation for secret exponents
- * by default. This flag causes the
- * faster variable sliding window method to
- * be used for all exponents.
- */
/* If this flag is set the DH method is FIPS compliant and can be used
* in FIPS mode. This is set in the validated module method. If an
-/* $OpenBSD: dh_key.c,v 1.23 2015/02/09 15:49:22 jsing Exp $ */
+/* $OpenBSD: dh_key.c,v 1.24 2016/06/30 02:02:06 bcook Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
}
{
- BIGNUM local_prk;
- BIGNUM *prk;
+ BIGNUM prk;
- if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) {
- BN_init(&local_prk);
- prk = &local_prk;
- BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
- } else
- prk = priv_key;
+ BN_with_flags(&prk, priv_key, BN_FLG_CONSTTIME);
- if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, prk, dh->p, ctx,
- mont))
+ if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, &prk, dh->p, ctx,
+ mont)) {
goto err;
+ }
}
-
+
dh->pub_key = pub_key;
dh->priv_key = priv_key;
ok = 1;
if (dh->flags & DH_FLAG_CACHE_MONT_P) {
mont = BN_MONT_CTX_set_locked(&dh->method_mont_p,
CRYPTO_LOCK_DH, dh->p, ctx);
- if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) {
- /* XXX */
- BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
- }
+
+ BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
+
if (!mont)
goto err;
}
dh_bn_mod_exp(const DH *dh, BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
{
- /*
- * If a is only one word long and constant time is false, use the faster
- * exponenentiation function.
- */
- if (a->top == 1 && (dh->flags & DH_FLAG_NO_EXP_CONSTTIME) != 0) {
- BN_ULONG A = a->d[0];
-
- return BN_mod_exp_mont_word(r, A, p, m, ctx, m_ctx);
- } else
- return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
+ return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
}
static int
-/* $OpenBSD: dsa.h,v 1.20 2016/06/21 04:16:53 bcook Exp $ */
+/* $OpenBSD: dsa.h,v 1.21 2016/06/30 02:02:06 bcook Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
#endif
#define DSA_FLAG_CACHE_MONT_P 0x01
-#define DSA_FLAG_NO_EXP_CONSTTIME 0x00 /* Does nothing. Previously this switched off
- * constant time behaviour.
- */
/* If this flag is set the DSA method is FIPS compliant and can be used
* in FIPS mode. This is set in the validated module method. If an
-/* $OpenBSD: dsa_key.c,v 1.21 2016/06/21 04:16:53 bcook Exp $ */
+/* $OpenBSD: dsa_key.c,v 1.22 2016/06/30 02:02:06 bcook Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
pub_key=dsa->pub_key;
{
- BIGNUM *prk = BN_new();
+ BIGNUM prk;
- if (prk == NULL)
- goto err;
-
- BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
+ BN_with_flags(&prk, priv_key, BN_FLG_CONSTTIME);
- if (!BN_mod_exp(pub_key, dsa->g, prk, dsa->p, ctx)) {
- BN_free(prk);
+ if (!BN_mod_exp(pub_key, dsa->g, &prk, dsa->p, ctx))
goto err;
- }
- BN_free(prk);
}
dsa->priv_key = priv_key;
-/* $OpenBSD: rsa.h,v 1.27 2015/02/14 15:10:39 miod Exp $ */
+/* $OpenBSD: rsa.h,v 1.28 2016/06/30 02:02:06 bcook Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
*/
#define RSA_FLAG_NO_BLINDING 0x0080
-/*
- * The built-in RSA implementation uses constant time operations by default
- * in private key operations, e.g., constant time modular exponentiation,
- * modular inverse without leaking branches, division without leaking branches.
- * This flag disables these constant time operations and results in faster RSA
- * private key operations.
- */
-#define RSA_FLAG_NO_CONSTTIME 0x0100
-
-
#define EVP_PKEY_CTX_set_rsa_padding(ctx, pad) \
EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, -1, EVP_PKEY_CTRL_RSA_PADDING, \
pad, NULL)
-/* $OpenBSD: rsa_crpt.c,v 1.14 2015/02/11 03:19:37 doug Exp $ */
+/* $OpenBSD: rsa_crpt.c,v 1.15 2016/06/30 02:02:06 bcook Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
BN_BLINDING *
RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx)
{
- BIGNUM local_n;
- BIGNUM *e, *n;
+ BIGNUM *e;
+ BIGNUM n;
BN_CTX *ctx;
BN_BLINDING *ret = NULL;
} else
e = rsa->e;
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- /* Set BN_FLG_CONSTTIME flag */
- n = &local_n;
- BN_with_flags(n, rsa->n, BN_FLG_CONSTTIME);
- } else
- n = rsa->n;
+ BN_with_flags(&n, rsa->n, BN_FLG_CONSTTIME);
- ret = BN_BLINDING_create_param(NULL, e, n, ctx, rsa->meth->bn_mod_exp,
+ ret = BN_BLINDING_create_param(NULL, e, &n, ctx, rsa->meth->bn_mod_exp,
rsa->_method_mod_n);
+
if (ret == NULL) {
RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_BN_LIB);
goto err;
-/* $OpenBSD: rsa_eay.c,v 1.40 2015/09/10 15:56:25 jsing Exp $ */
+/* $OpenBSD: rsa_eay.c,v 1.41 2016/06/30 02:02:06 bcook Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
if ((ctx = BN_CTX_new()) == NULL)
goto err;
+
BN_CTX_start(ctx);
f = BN_CTX_get(ctx);
ret = BN_CTX_get(ctx);
num = BN_num_bytes(rsa->n);
buf = malloc(num);
+
if (f == NULL || ret == NULL || buf == NULL) {
RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, ERR_R_MALLOC_FAILURE);
goto err;
if ((ctx = BN_CTX_new()) == NULL)
goto err;
+
BN_CTX_start(ctx);
f = BN_CTX_get(ctx);
ret = BN_CTX_get(ctx);
num = BN_num_bytes(rsa->n);
buf = malloc(num);
+
if (f == NULL || ret == NULL || buf == NULL) {
RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE);
goto err;
if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
goto err;
} else {
- BIGNUM local_d;
- BIGNUM *d = NULL;
+ BIGNUM d;
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- BN_init(&local_d);
- d = &local_d;
- BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
- } else
- d = rsa->d;
+ BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME);
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
CRYPTO_LOCK_RSA, rsa->n, ctx))
goto err;
- if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
- rsa->_method_mod_n))
+ if (!rsa->meth->bn_mod_exp(ret, f, &d, rsa->n, ctx,
+ rsa->_method_mod_n)) {
goto err;
+ }
}
if (blinding)
if ((ctx = BN_CTX_new()) == NULL)
goto err;
+
BN_CTX_start(ctx);
f = BN_CTX_get(ctx);
ret = BN_CTX_get(ctx);
num = BN_num_bytes(rsa->n);
buf = malloc(num);
+
if (!f || !ret || !buf) {
RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE);
goto err;
if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
goto err;
} else {
- BIGNUM local_d;
- BIGNUM *d = NULL;
+ BIGNUM d;
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- d = &local_d;
- BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
- } else
- d = rsa->d;
+ BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME);
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
CRYPTO_LOCK_RSA, rsa->n, ctx))
goto err;
- if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
- rsa->_method_mod_n))
+
+ if (!rsa->meth->bn_mod_exp(ret, f, &d, rsa->n, ctx,
+ rsa->_method_mod_n)) {
goto err;
+ }
}
if (blinding)
if ((ctx = BN_CTX_new()) == NULL)
goto err;
+
BN_CTX_start(ctx);
f = BN_CTX_get(ctx);
ret = BN_CTX_get(ctx);
num = BN_num_bytes(rsa->n);
buf = malloc(num);
+
if (!f || !ret || !buf) {
RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, ERR_R_MALLOC_FAILURE);
goto err;
RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
{
BIGNUM *r1, *m1, *vrfy;
- BIGNUM local_dmp1, local_dmq1, local_c, local_r1;
- BIGNUM *dmp1, *dmq1, *c, *pr1;
+ BIGNUM dmp1, dmq1, c, pr1;
int ret = 0;
BN_CTX_start(ctx);
}
{
- BIGNUM local_p, local_q;
- BIGNUM *p = NULL, *q = NULL;
+ BIGNUM p, q;
/*
* Make sure BN_mod_inverse in Montgomery intialization uses the
- * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set)
+ * BN_FLG_CONSTTIME flag
*/
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- BN_init(&local_p);
- p = &local_p;
- BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
-
- BN_init(&local_q);
- q = &local_q;
- BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
- } else {
- p = rsa->p;
- q = rsa->q;
- }
+ BN_with_flags(&p, rsa->p, BN_FLG_CONSTTIME);
+ BN_with_flags(&q, rsa->q, BN_FLG_CONSTTIME);
if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) {
if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p,
- CRYPTO_LOCK_RSA, p, ctx))
- goto err;
- if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q,
- CRYPTO_LOCK_RSA, q, ctx))
+ CRYPTO_LOCK_RSA, &p, ctx) ||
+ !BN_MONT_CTX_set_locked(&rsa->_method_mod_q,
+ CRYPTO_LOCK_RSA, &q, ctx)) {
goto err;
+ }
}
}
goto err;
/* compute I mod q */
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- c = &local_c;
- BN_with_flags(c, I, BN_FLG_CONSTTIME);
- if (!BN_mod(r1, c, rsa->q, ctx))
- goto err;
- } else {
- if (!BN_mod(r1, I, rsa->q, ctx))
- goto err;
- }
+ BN_with_flags(&c, I, BN_FLG_CONSTTIME);
+
+ if (!BN_mod(r1, &c, rsa->q, ctx))
+ goto err;
/* compute r1^dmq1 mod q */
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- dmq1 = &local_dmq1;
- BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
- } else
- dmq1 = rsa->dmq1;
- if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx,
+ BN_with_flags(&dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
+
+ if (!rsa->meth->bn_mod_exp(m1, r1, &dmq1, rsa->q, ctx,
rsa->_method_mod_q))
goto err;
/* compute I mod p */
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- c = &local_c;
- BN_with_flags(c, I, BN_FLG_CONSTTIME);
- if (!BN_mod(r1, c, rsa->p, ctx))
- goto err;
- } else {
- if (!BN_mod(r1, I, rsa->p, ctx))
- goto err;
- }
+ BN_with_flags(&c, I, BN_FLG_CONSTTIME);
+
+ if (!BN_mod(r1, &c, rsa->p, ctx))
+ goto err;
/* compute r1^dmp1 mod p */
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- dmp1 = &local_dmp1;
- BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
- } else
- dmp1 = rsa->dmp1;
- if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p, ctx,
+ BN_with_flags(&dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
+
+ if (!rsa->meth->bn_mod_exp(r0, r1, &dmp1, rsa->p, ctx,
rsa->_method_mod_p))
goto err;
if (!BN_sub(r0, r0, m1))
goto err;
+
/*
* This will help stop the size of r0 increasing, which does
* affect the multiply if it optimised for a power of 2 size
goto err;
/* Turn BN_FLG_CONSTTIME flag on before division operation */
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- pr1 = &local_r1;
- BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
- } else
- pr1 = r1;
- if (!BN_mod(r0, pr1, rsa->p, ctx))
+ BN_with_flags(&pr1, r1, BN_FLG_CONSTTIME);
+
+ if (!BN_mod(r0, &pr1, rsa->p, ctx))
goto err;
/*
* miscalculated CRT output, just do a raw (slower)
* mod_exp and return that instead.
*/
+ BIGNUM d;
- BIGNUM local_d;
- BIGNUM *d = NULL;
+ BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME);
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- d = &local_d;
- BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
- } else
- d = rsa->d;
- if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx,
- rsa->_method_mod_n))
+ if (!rsa->meth->bn_mod_exp(r0, I, &d, rsa->n, ctx,
+ rsa->_method_mod_n)) {
goto err;
+ }
}
}
ret = 1;
-/* $OpenBSD: rsa_gen.c,v 1.17 2015/02/09 15:49:22 jsing Exp $ */
+/* $OpenBSD: rsa_gen.c,v 1.18 2016/06/30 02:02:06 bcook Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
{
BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp;
- BIGNUM local_r0, local_d, local_p;
- BIGNUM *pr0, *d, *p;
+ BIGNUM pr0, d, p;
int bitsp, bitsq, ok = -1, n = 0;
BN_CTX *ctx = NULL;
goto err;
if (!BN_mul(r0, r1, r2, ctx)) /* (p-1)(q-1) */
goto err;
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- pr0 = &local_r0;
- BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
- } else
- pr0 = r0;
- if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx)) /* d */
+
+ BN_with_flags(&pr0, r0, BN_FLG_CONSTTIME);
+
+ if (!BN_mod_inverse(rsa->d, rsa->e, &pr0, ctx)) /* d */
goto err;
/* set up d for correct BN_FLG_CONSTTIME flag */
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- d = &local_d;
- BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
- } else
- d = rsa->d;
+ BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME);
/* calculate d mod (p-1) */
- if (!BN_mod(rsa->dmp1, d, r1, ctx))
+ if (!BN_mod(rsa->dmp1, &d, r1, ctx))
goto err;
/* calculate d mod (q-1) */
- if (!BN_mod(rsa->dmq1, d, r2, ctx))
+ if (!BN_mod(rsa->dmq1, &d, r2, ctx))
goto err;
/* calculate inverse of q mod p */
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- p = &local_p;
- BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
- } else
- p = rsa->p;
- if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx))
+ BN_with_flags(&p, rsa->p, BN_FLG_CONSTTIME);
+ if (!BN_mod_inverse(rsa->iqmp, rsa->q, &p, ctx))
goto err;
ok = 1;
#include <openssl/dh.h>
-static int cb(int p, int n, BN_GENCB *arg);
+static int cb(int p, int n, BN_GENCB *arg)
+{
+ char c='*';
+
+ if (p == 0)
+ c='.';
+ if (p == 1)
+ c='+';
+ if (p == 2)
+ c='*';
+ if (p == 3)
+ c='\n';
+ BIO_write(arg->arg,&c,1);
+ (void)BIO_flush(arg->arg);
+ return 1;
+}
int main(int argc, char *argv[])
- {
+{
BN_GENCB _cb;
DH *a;
- DH *b=NULL;
char buf[12];
- unsigned char *abuf=NULL,*bbuf=NULL;
- int i,alen,blen,aout,bout,ret=1;
+ unsigned char *abuf=NULL;
+ int i,alen,aout,ret=1;
BIO *out;
out=BIO_new(BIO_s_file());
BIO_set_fp(out,stdout,BIO_NOCLOSE);
BN_GENCB_set(&_cb, &cb, out);
- if(((a = DH_new()) == NULL) || !DH_generate_parameters_ex(a, 64,
- DH_GENERATOR_5, &_cb))
+ if (((a = DH_new()) == NULL) ||
+ !DH_generate_parameters_ex(a, 64, DH_GENERATOR_5, &_cb))
goto err;
- if (!DH_check(a, &i)) goto err;
+ if (!DH_check(a, &i))
+ goto err;
if (i & DH_CHECK_P_NOT_PRIME)
BIO_puts(out, "p value is not prime\n");
if (i & DH_CHECK_P_NOT_SAFE_PRIME)
BN_print(out,a->g);
BIO_puts(out,"\n");
- b=DH_new();
- if (b == NULL) goto err;
-
- b->p=BN_dup(a->p);
- b->g=BN_dup(a->g);
- if ((b->p == NULL) || (b->g == NULL)) goto err;
-
- /* Set a to run with normal modexp and b to use constant time */
- a->flags &= ~DH_FLAG_NO_EXP_CONSTTIME;
- b->flags |= DH_FLAG_NO_EXP_CONSTTIME;
-
- if (!DH_generate_key(a)) goto err;
+ if (!DH_generate_key(a))
+ goto err;
BIO_puts(out,"pri 1=");
BN_print(out,a->priv_key);
BIO_puts(out,"\npub 1=");
BN_print(out,a->pub_key);
BIO_puts(out,"\n");
- if (!DH_generate_key(b)) goto err;
- BIO_puts(out,"pri 2=");
- BN_print(out,b->priv_key);
- BIO_puts(out,"\npub 2=");
- BN_print(out,b->pub_key);
- BIO_puts(out,"\n");
-
alen=DH_size(a);
abuf=malloc(alen);
- aout=DH_compute_key(abuf,b->pub_key,a);
+ aout=DH_compute_key(abuf,a->pub_key,a);
BIO_puts(out,"key1 =");
- for (i=0; i<aout; i++)
- {
+ for (i=0; i<aout; i++) {
snprintf(buf,sizeof buf,"%02X",abuf[i]);
BIO_puts(out,buf);
- }
+ }
BIO_puts(out,"\n");
- blen=DH_size(b);
- bbuf=malloc(blen);
- bout=DH_compute_key(bbuf,a->pub_key,b);
-
- BIO_puts(out,"key2 =");
- for (i=0; i<bout; i++)
- {
- snprintf(buf,sizeof buf,"%02X",bbuf[i]);
- BIO_puts(out,buf);
- }
- BIO_puts(out,"\n");
- if ((aout < 4) || (bout != aout) || (memcmp(abuf,bbuf,aout) != 0))
- {
+ if (aout < 4) {
fprintf(stderr,"Error in DH routines\n");
ret=1;
- }
- else
+ } else
ret=0;
err:
ERR_print_errors_fp(stderr);
free(abuf);
- free(bbuf);
- if(b != NULL) DH_free(b);
- if(a != NULL) DH_free(a);
+ if (a != NULL)
+ DH_free(a);
BIO_free(out);
exit(ret);
- }
-
-static int cb(int p, int n, BN_GENCB *arg)
- {
- char c='*';
-
- if (p == 0) c='.';
- if (p == 1) c='+';
- if (p == 2) c='*';
- if (p == 3) c='\n';
- BIO_write(arg->arg,&c,1);
- (void)BIO_flush(arg->arg);
- return 1;
- }
+}
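Review bot: Dropping the second DH object `b` changes what this test checks: `aout=DH_compute_key(abuf,a->pub_key,a)` now derives a secret from a's own public key, and the only assertion left is `aout < 4`, so the test no longer verifies that two parties sharing p and g arrive at the same secret (the `bout != aout || memcmp(abuf,bbuf,aout)` comparison went with `b`). Only the two `flags` lines were tied to DH_FLAG_NO_EXP_CONSTTIME; keeping `b` with duplicated parameters preserves the agreement check, and the rewrite below also checks the `malloc()` results that the current code leaves unchecked. The declarations of `b`, `bbuf`, `blen` and `bout` and the `free(bbuf)`/`DH_free(b)` cleanup at `err:` come back with it.
```c
	DH *a = NULL, *b = NULL;
	unsigned char *abuf = NULL, *bbuf = NULL;
	int i, alen, blen, aout, bout, ret = 1;
	/* … unchanged: BIO setup, parameter generation, DH_check output … */
	if ((b = DH_new()) == NULL)
		goto err;
	if ((b->p = BN_dup(a->p)) == NULL || (b->g = BN_dup(a->g)) == NULL)
		goto err;
	if (!DH_generate_key(a) || !DH_generate_key(b))
		goto err;
	/* … unchanged: printing of a's key pair … */
	alen = DH_size(a);
	blen = DH_size(b);
	if ((abuf = malloc(alen)) == NULL || (bbuf = malloc(blen)) == NULL)
		goto err;
	aout = DH_compute_key(abuf, b->pub_key, a);
	bout = DH_compute_key(bbuf, a->pub_key, b);
	/* … unchanged: hex dump of key1 … */
	if (aout < 4 || bout != aout || memcmp(abuf, bbuf, aout) != 0) {
		fprintf(stderr, "Error in DH routines\n");
		ret = 1;
	} else
		ret = 0;
err:
	ERR_print_errors_fp(stderr);
	free(abuf);
	free(bbuf);
	if (a != NULL)
		DH_free(a);
	if (b != NULL)
		DH_free(b);
	/* … unchanged: BIO_free and exit … */
```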
goto end;
}
- dsa->flags |= DSA_FLAG_NO_EXP_CONSTTIME;
- DSA_generate_key(dsa);
- DSA_sign(0, str1, 20, sig, &siglen, dsa);
- if (DSA_verify(0, str1, 20, sig, siglen, dsa) == 1)
- ret=1;
-
- dsa->flags &= ~DSA_FLAG_NO_EXP_CONSTTIME;
DSA_generate_key(dsa);
DSA_sign(0, str1, 20, sig, &siglen, dsa);
if (DSA_verify(0, str1, 20, sig, siglen, dsa) == 1)