From: bcook Date: Thu, 30 Jun 2016 02:02:06 +0000 (+0000) Subject: Remove flags for disabling constant-time operations. X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=1b2bbd6a2be0d8567d09a347b008777f6f415bc7;p=openbsd Remove flags for disabling constant-time operations. This removes support for DSA_FLAG_NO_EXP_CONSTTIME, DH_FLAG_NO_EXP_CONSTTIME, and RSA_FLAG_NO_CONSTTIME flags, making all of these operations unconditionally constant-time. Based on the original patch by César Pereid. ok beck@ --- diff --git a/lib/libcrypto/dh/dh.h b/lib/libcrypto/dh/dh.h index a20467c9d00..631cd5c6859 100644 --- a/lib/libcrypto/dh/dh.h +++ b/lib/libcrypto/dh/dh.h @@ -1,4 +1,4 @@ -/* $OpenBSD: dh.h,v 1.16 2014/06/12 15:49:28 deraadt Exp $ */ +/* $OpenBSD: dh.h,v 1.17 2016/06/30 02:02:06 bcook Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -78,13 +78,6 @@ #endif #define DH_FLAG_CACHE_MONT_P 0x01 -#define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH - * implementation now uses constant time - * modular exponentiation for secret exponents - * by default. This flag causes the - * faster variable sliding window method to - * be used for all exponents. - */ /* If this flag is set the DH method is FIPS compliant and can be used * in FIPS mode. This is set in the validated module method. If an diff --git a/lib/libcrypto/dh/dh_key.c b/lib/libcrypto/dh/dh_key.c index 31bc7b3dfd5..25e8968ef59 100644 --- a/lib/libcrypto/dh/dh_key.c +++ b/lib/libcrypto/dh/dh_key.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dh_key.c,v 1.23 2015/02/09 15:49:22 jsing Exp $ */ +/* $OpenBSD: dh_key.c,v 1.24 2016/06/30 02:02:06 bcook Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -147,21 +147,16 @@ generate_key(DH *dh) } { - BIGNUM local_prk; - BIGNUM *prk; + BIGNUM prk; - if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) { - BN_init(&local_prk); - prk = &local_prk; - BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME); - } else - prk = priv_key; + BN_with_flags(&prk, priv_key, BN_FLG_CONSTTIME); - if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, prk, dh->p, ctx, - mont)) + if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, &prk, dh->p, ctx, + mont)) { goto err; + } } - + dh->pub_key = pub_key; dh->priv_key = priv_key; ok = 1; @@ -206,10 +201,9 @@ compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) if (dh->flags & DH_FLAG_CACHE_MONT_P) { mont = BN_MONT_CTX_set_locked(&dh->method_mont_p, CRYPTO_LOCK_DH, dh->p, ctx); - if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) { - /* XXX */ - BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME); - } + + BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME); + if (!mont) goto err; } @@ -238,16 +232,7 @@ static int dh_bn_mod_exp(const DH *dh, BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx) { - /* - * If a is only one word long and constant time is false, use the faster - * exponenentiation function. - */ - if (a->top == 1 && (dh->flags & DH_FLAG_NO_EXP_CONSTTIME) != 0) { - BN_ULONG A = a->d[0]; - - return BN_mod_exp_mont_word(r, A, p, m, ctx, m_ctx); - } else - return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx); + return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx); } static int diff --git a/lib/libcrypto/dsa/dsa.h b/lib/libcrypto/dsa/dsa.h index f7f81cfa948..b4d7c1ff0f7 100644 --- a/lib/libcrypto/dsa/dsa.h +++ b/lib/libcrypto/dsa/dsa.h @@ -1,4 +1,4 @@ -/* $OpenBSD: dsa.h,v 1.20 2016/06/21 04:16:53 bcook Exp $ */ +/* $OpenBSD: dsa.h,v 1.21 2016/06/30 02:02:06 bcook Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
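Review bot: `prk` is now a plain automatic `BIGNUM` handed straight to `BN_with_flags()` without the `BN_init(&local_prk)` the removed lines had, and if BN_with_flags is still the bn.h macro that preserves the destination's `BN_FLG_MALLOCED` bit (`(dest)->flags & BN_FLG_MALLOCED`), it reads `prk.flags` before writing it, i.e. an indeterminate value. Adding `BN_init(&prk);` before `BN_with_flags(&prk, priv_key, BN_FLG_CONSTTIME);` restores the old guarantee at no cost. The same uninitialised-destination pattern appears in dsa_builtin_keygen (which previously used BN_new), in RSA_setup_blinding, in the `d`, `p`/`q` and `c`/`dmq1`/`dmp1`/`pr1` views of RSA_eay_private_encrypt, RSA_eay_private_decrypt and RSA_eay_mod_exp, in `pr0`/`d`/`p` of rsa_builtin_keygen, and in every mirrored hunk under lib/libssl/src/crypto; the fix is the same one-line BN_init at each site. generate_key's body continues outside the hunk.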
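Review bot: `BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME)` is still nested inside the `DH_FLAG_CACHE_MONT_P` branch of compute_key, so a DH object without that flag never has its private exponent marked constant-time even though the commit's intent is to make this unconditional; if the exponentiation below the hunk passes `dh->priv_key` directly (compute_key's body continues outside the hunk), that path would take the variable-time exponentiation. Moving the line above the `if (dh->flags & DH_FLAG_CACHE_MONT_P)` block fixes it, and the deleted `/* XXX */` was presumably flagging exactly this placement. The call also permanently mutates the caller's key object, unlike generate_key in the previous hunk, which uses a local `BN_with_flags` view; a local `BIGNUM prk` view passed to the exponentiation would keep the two functions consistent.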
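Review bot: dh_bn_mod_exp now unconditionally returns `BN_mod_exp_mont(r, a, p, m, ctx, m_ctx)`, which takes its constant-time path only when the exponent `p` carries `BN_FLG_CONSTTIME`, and nothing in the function records that any more; a comment such as `/* Constant-time only when p carries BN_FLG_CONSTTIME; callers set it via BN_with_flags() */` above the return would replace the contract the deleted comment used to describe. The `dh` parameter is now unused but has to stay for the DH_METHOD signature; `(void)dh;` would keep -Wunused-parameter quiet.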
@@ -89,9 +89,6 @@ #endif #define DSA_FLAG_CACHE_MONT_P 0x01 -#define DSA_FLAG_NO_EXP_CONSTTIME 0x00 /* Does nothing. Previously this switched off - * constant time behaviour. - */ /* If this flag is set the DSA method is FIPS compliant and can be used * in FIPS mode. This is set in the validated module method. If an diff --git a/lib/libcrypto/dsa/dsa_key.c b/lib/libcrypto/dsa/dsa_key.c index 4732c471eda..fc4eb9c4331 100644 --- a/lib/libcrypto/dsa/dsa_key.c +++ b/lib/libcrypto/dsa/dsa_key.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dsa_key.c,v 1.21 2016/06/21 04:16:53 bcook Exp $ */ +/* $OpenBSD: dsa_key.c,v 1.22 2016/06/30 02:02:06 bcook Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -104,18 +104,12 @@ dsa_builtin_keygen(DSA *dsa) pub_key=dsa->pub_key; { - BIGNUM *prk = BN_new(); + BIGNUM prk; - if (prk == NULL) - goto err; - - BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME); + BN_with_flags(&prk, priv_key, BN_FLG_CONSTTIME); - if (!BN_mod_exp(pub_key, dsa->g, prk, dsa->p, ctx)) { - BN_free(prk); + if (!BN_mod_exp(pub_key, dsa->g, &prk, dsa->p, ctx)) goto err; - } - BN_free(prk); } dsa->priv_key = priv_key; diff --git a/lib/libcrypto/rsa/rsa.h b/lib/libcrypto/rsa/rsa.h index 4045a6cbf37..d240294809f 100644 --- a/lib/libcrypto/rsa/rsa.h +++ b/lib/libcrypto/rsa/rsa.h @@ -1,4 +1,4 @@ -/* $OpenBSD: rsa.h,v 1.27 2015/02/14 15:10:39 miod Exp $ */ +/* $OpenBSD: rsa.h,v 1.28 2016/06/30 02:02:06 bcook Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -194,16 +194,6 @@ struct rsa_st { */ #define RSA_FLAG_NO_BLINDING 0x0080 -/* - * The built-in RSA implementation uses constant time operations by default - * in private key operations, e.g., constant time modular exponentiation, - * modular inverse without leaking branches, division without leaking branches. - * This flag disables these constant time operations and results in faster RSA - * private key operations. - */ -#define RSA_FLAG_NO_CONSTTIME 0x0100 - - #define EVP_PKEY_CTX_set_rsa_padding(ctx, pad) \ EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, -1, EVP_PKEY_CTRL_RSA_PADDING, \ pad, NULL) diff --git a/lib/libcrypto/rsa/rsa_crpt.c b/lib/libcrypto/rsa/rsa_crpt.c index 809dd14c928..b50e4a4a6fc 100644 --- a/lib/libcrypto/rsa/rsa_crpt.c +++ b/lib/libcrypto/rsa/rsa_crpt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rsa_crpt.c,v 1.14 2015/02/11 03:19:37 doug Exp $ */ +/* $OpenBSD: rsa_crpt.c,v 1.15 2016/06/30 02:02:06 bcook Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -169,8 +169,8 @@ err: BN_BLINDING * RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx) { - BIGNUM local_n; - BIGNUM *e, *n; + BIGNUM *e; + BIGNUM n; BN_CTX *ctx; BN_BLINDING *ret = NULL; @@ -192,15 +192,11 @@ RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx) } else e = rsa->e; - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { - /* Set BN_FLG_CONSTTIME flag */ - n = &local_n; - BN_with_flags(n, rsa->n, BN_FLG_CONSTTIME); - } else - n = rsa->n; + BN_with_flags(&n, rsa->n, BN_FLG_CONSTTIME); - ret = BN_BLINDING_create_param(NULL, e, n, ctx, rsa->meth->bn_mod_exp, + ret = BN_BLINDING_create_param(NULL, e, &n, ctx, rsa->meth->bn_mod_exp, rsa->_method_mod_n); + if (ret == NULL) { RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_BN_LIB); goto err; diff --git a/lib/libcrypto/rsa/rsa_eay.c b/lib/libcrypto/rsa/rsa_eay.c index 76863e7220e..6edfd7e5fdc 100644 --- a/lib/libcrypto/rsa/rsa_eay.c +++ b/lib/libcrypto/rsa/rsa_eay.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: rsa_eay.c,v 1.40 2015/09/10 15:56:25 jsing Exp $ */ +/* $OpenBSD: rsa_eay.c,v 1.41 2016/06/30 02:02:06 bcook Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -177,11 +177,13 @@ RSA_eay_public_encrypt(int flen, const unsigned char *from, unsigned char *to, if ((ctx = BN_CTX_new()) == NULL) goto err; + BN_CTX_start(ctx); f = BN_CTX_get(ctx); ret = BN_CTX_get(ctx); num = BN_num_bytes(rsa->n); buf = malloc(num); + if (f == NULL || ret == NULL || buf == NULL) { RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, ERR_R_MALLOC_FAILURE); goto err; @@ -362,11 +364,13 @@ RSA_eay_private_encrypt(int flen, const unsigned char *from, unsigned char *to, if ((ctx = BN_CTX_new()) == NULL) goto err; + BN_CTX_start(ctx); f = BN_CTX_get(ctx); ret = BN_CTX_get(ctx); num = BN_num_bytes(rsa->n); buf = malloc(num); + if (f == NULL || ret == NULL || buf == NULL) { RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE); goto err; @@ -426,24 +430,19 @@ RSA_eay_private_encrypt(int flen, const unsigned char *from, unsigned char *to, if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) goto err; } else { - BIGNUM local_d; - BIGNUM *d = NULL; + BIGNUM d; - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { - BN_init(&local_d); - d = &local_d; - BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); - } else - d = rsa->d; + BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME); if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) goto err; - if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx, - rsa->_method_mod_n)) + if (!rsa->meth->bn_mod_exp(ret, f, &d, rsa->n, ctx, + rsa->_method_mod_n)) { goto err; + } } if (blinding) 
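Review bot: The `BN_CTX_start(ctx);` added after `BN_CTX_new()` in RSA_eay_public_encrypt needs a matching `BN_CTX_end(ctx);` on the `err:` path before `BN_CTX_free(ctx)`, and that cleanup is below the hunk, so it cannot be confirmed here. The same line is added to RSA_eay_private_encrypt on this line and to RSA_eay_private_decrypt and RSA_eay_public_decrypt further down, and again in the lib/libssl/src/crypto mirror of rsa_eay.c. If the err path already calls BN_CTX_end, these hunks fix a previously unbalanced end; if it does not, `BN_CTX_end(ctx);` should be inserted in front of `BN_CTX_free(ctx)` in each of the four functions. RSA_eay_public_encrypt's body continues outside the hunk.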
@@ -499,11 +498,13 @@ RSA_eay_private_decrypt(int flen, const unsigned char *from, unsigned char *to, if ((ctx = BN_CTX_new()) == NULL) goto err; + BN_CTX_start(ctx); f = BN_CTX_get(ctx); ret = BN_CTX_get(ctx); num = BN_num_bytes(rsa->n); buf = malloc(num); + if (!f || !ret || !buf) { RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE); goto err; @@ -553,22 +554,19 @@ RSA_eay_private_decrypt(int flen, const unsigned char *from, unsigned char *to, if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) goto err; } else { - BIGNUM local_d; - BIGNUM *d = NULL; + BIGNUM d; - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { - d = &local_d; - BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); - } else - d = rsa->d; + BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME); if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) goto err; - if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx, - rsa->_method_mod_n)) + + if (!rsa->meth->bn_mod_exp(ret, f, &d, rsa->n, ctx, + rsa->_method_mod_n)) { goto err; + } } if (blinding) @@ -645,11 +643,13 @@ RSA_eay_public_decrypt(int flen, const unsigned char *from, unsigned char *to, if ((ctx = BN_CTX_new()) == NULL) goto err; + BN_CTX_start(ctx); f = BN_CTX_get(ctx); ret = BN_CTX_get(ctx); num = BN_num_bytes(rsa->n); buf = malloc(num); + if (!f || !ret || !buf) { RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, ERR_R_MALLOC_FAILURE); goto err; @@ -723,8 +723,7 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) { BIGNUM *r1, *m1, *vrfy; - BIGNUM local_dmp1, local_dmq1, local_c, local_r1; - BIGNUM *dmp1, *dmq1, *c, *pr1; + BIGNUM dmp1, dmq1, c, pr1; int ret = 0; BN_CTX_start(ctx); 
@@ -737,33 +736,22 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) } { - BIGNUM local_p, local_q; - BIGNUM *p = NULL, *q = NULL; + BIGNUM p, q; /* * Make sure BN_mod_inverse in Montgomery intialization uses the - * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set) + * BN_FLG_CONSTTIME flag */ - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { - BN_init(&local_p); - p = &local_p; - BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME); - - BN_init(&local_q); - q = &local_q; - BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME); - } else { - p = rsa->p; - q = rsa->q; - } + BN_with_flags(&p, rsa->p, BN_FLG_CONSTTIME); + BN_with_flags(&q, rsa->q, BN_FLG_CONSTTIME); if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) { if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, - CRYPTO_LOCK_RSA, p, ctx)) - goto err; - if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q, - CRYPTO_LOCK_RSA, q, ctx)) + CRYPTO_LOCK_RSA, &p, ctx) || + !BN_MONT_CTX_set_locked(&rsa->_method_mod_q, + CRYPTO_LOCK_RSA, &q, ctx)) { goto err; + } } } 
@@ -773,49 +761,34 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) goto err; /* compute I mod q */ - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { - c = &local_c; - BN_with_flags(c, I, BN_FLG_CONSTTIME); - if (!BN_mod(r1, c, rsa->q, ctx)) - goto err; - } else { - if (!BN_mod(r1, I, rsa->q, ctx)) - goto err; - } + BN_with_flags(&c, I, BN_FLG_CONSTTIME); + + if (!BN_mod(r1, &c, rsa->q, ctx)) + goto err; /* compute r1^dmq1 mod q */ - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { - dmq1 = &local_dmq1; - BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME); - } else - dmq1 = rsa->dmq1; - if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx, + BN_with_flags(&dmq1, rsa->dmq1, BN_FLG_CONSTTIME); + + if (!rsa->meth->bn_mod_exp(m1, r1, &dmq1, rsa->q, ctx, rsa->_method_mod_q)) goto err; /* compute I mod p */ - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { - c = &local_c; - BN_with_flags(c, I, BN_FLG_CONSTTIME); - if (!BN_mod(r1, c, rsa->p, ctx)) - goto err; - } else { - if (!BN_mod(r1, I, rsa->p, ctx)) - goto err; - } + BN_with_flags(&c, I, BN_FLG_CONSTTIME); + + if (!BN_mod(r1, &c, rsa->p, ctx)) + goto err; /* compute r1^dmp1 mod p */ - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { - dmp1 = &local_dmp1; - BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME); - } else - dmp1 = rsa->dmp1; - if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p, ctx, + BN_with_flags(&dmp1, rsa->dmp1, BN_FLG_CONSTTIME); + + if (!rsa->meth->bn_mod_exp(r0, r1, &dmp1, rsa->p, ctx, rsa->_method_mod_p)) goto err; if (!BN_sub(r0, r0, m1)) goto err; + /* * This will help stop the size of r0 increasing, which does * affect the multiply if it optimised for a power of 2 size 
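Review bot: `c` is set up twice with the identical `BN_with_flags(&c, I, BN_FLG_CONSTTIME);`, once before "compute I mod q" and again before "compute I mod p"; the second call rebuilds the same flagged view of `I` and can be dropped, leaving `c` established once before the first `BN_mod`. The repetition is carried over from the old `if`/`else` blocks, where each branch had to be self-contained; with the branches gone it reads as if `c` had been changed in between, which it has not. RSA_eay_mod_exp's body starts and ends outside this hunk.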
@@ -828,12 +801,9 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) goto err; /* Turn BN_FLG_CONSTTIME flag on before division operation */ - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { - pr1 = &local_r1; - BN_with_flags(pr1, r1, BN_FLG_CONSTTIME); - } else - pr1 = r1; - if (!BN_mod(r0, pr1, rsa->p, ctx)) + BN_with_flags(&pr1, r1, BN_FLG_CONSTTIME); + + if (!BN_mod(r0, &pr1, rsa->p, ctx)) goto err; /* @@ -875,18 +845,14 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) * miscalculated CRT output, just do a raw (slower) * mod_exp and return that instead. */ + BIGNUM d; - BIGNUM local_d; - BIGNUM *d = NULL; + BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME); - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { - d = &local_d; - BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); - } else - d = rsa->d; - if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx, - rsa->_method_mod_n)) + if (!rsa->meth->bn_mod_exp(r0, I, &d, rsa->n, ctx, + rsa->_method_mod_n)) { goto err; + } } } ret = 1; diff --git a/lib/libcrypto/rsa/rsa_gen.c b/lib/libcrypto/rsa/rsa_gen.c index f6f051c4427..d46f4f2478f 100644 --- a/lib/libcrypto/rsa/rsa_gen.c +++ b/lib/libcrypto/rsa/rsa_gen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rsa_gen.c,v 1.17 2015/02/09 15:49:22 jsing Exp $ */ +/* $OpenBSD: rsa_gen.c,v 1.18 2016/06/30 02:02:06 bcook Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -90,8 +90,7 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) { BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp; - BIGNUM local_r0, local_d, local_p; - BIGNUM *pr0, *d, *p; + BIGNUM pr0, d, p; int bitsp, bitsq, ok = -1, n = 0; BN_CTX *ctx = NULL; 
@@ -193,36 +192,26 @@ rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) goto err; if (!BN_mul(r0, r1, r2, ctx)) /* (p-1)(q-1) */ goto err; - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { - pr0 = &local_r0; - BN_with_flags(pr0, r0, BN_FLG_CONSTTIME); - } else - pr0 = r0; - if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx)) /* d */ + + BN_with_flags(&pr0, r0, BN_FLG_CONSTTIME); + + if (!BN_mod_inverse(rsa->d, rsa->e, &pr0, ctx)) /* d */ goto err; /* set up d for correct BN_FLG_CONSTTIME flag */ - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { - d = &local_d; - BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); - } else - d = rsa->d; + BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME); /* calculate d mod (p-1) */ - if (!BN_mod(rsa->dmp1, d, r1, ctx)) + if (!BN_mod(rsa->dmp1, &d, r1, ctx)) goto err; /* calculate d mod (q-1) */ - if (!BN_mod(rsa->dmq1, d, r2, ctx)) + if (!BN_mod(rsa->dmq1, &d, r2, ctx)) goto err; /* calculate inverse of q mod p */ - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { - p = &local_p; - BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME); - } else - p = rsa->p; - if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx)) + BN_with_flags(&p, rsa->p, BN_FLG_CONSTTIME); + if (!BN_mod_inverse(rsa->iqmp, rsa->q, &p, ctx)) goto err; ok = 1; diff --git a/lib/libssl/src/crypto/dh/dh.h b/lib/libssl/src/crypto/dh/dh.h index a20467c9d00..631cd5c6859 100644 --- a/lib/libssl/src/crypto/dh/dh.h +++ b/lib/libssl/src/crypto/dh/dh.h @@ -1,4 +1,4 @@ -/* $OpenBSD: dh.h,v 1.16 2014/06/12 15:49:28 deraadt Exp $ */ +/* $OpenBSD: dh.h,v 1.17 2016/06/30 02:02:06 bcook Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -78,13 +78,6 @@ #endif #define DH_FLAG_CACHE_MONT_P 0x01 -#define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH - * implementation now uses constant time - * modular exponentiation for secret exponents - * by default. This flag causes the - * faster variable sliding window method to - * be used for all exponents. - */ /* If this flag is set the DH method is FIPS compliant and can be used * in FIPS mode. This is set in the validated module method. If an diff --git a/lib/libssl/src/crypto/dh/dh_key.c b/lib/libssl/src/crypto/dh/dh_key.c index 31bc7b3dfd5..25e8968ef59 100644 --- a/lib/libssl/src/crypto/dh/dh_key.c +++ b/lib/libssl/src/crypto/dh/dh_key.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dh_key.c,v 1.23 2015/02/09 15:49:22 jsing Exp $ */ +/* $OpenBSD: dh_key.c,v 1.24 2016/06/30 02:02:06 bcook Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -147,21 +147,16 @@ generate_key(DH *dh) } { - BIGNUM local_prk; - BIGNUM *prk; + BIGNUM prk; - if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) { - BN_init(&local_prk); - prk = &local_prk; - BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME); - } else - prk = priv_key; + BN_with_flags(&prk, priv_key, BN_FLG_CONSTTIME); - if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, prk, dh->p, ctx, - mont)) + if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, &prk, dh->p, ctx, + mont)) { goto err; + } } - + dh->pub_key = pub_key; dh->priv_key = priv_key; ok = 1; @@ -206,10 +201,9 @@ compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) if (dh->flags & DH_FLAG_CACHE_MONT_P) { mont = BN_MONT_CTX_set_locked(&dh->method_mont_p, CRYPTO_LOCK_DH, dh->p, ctx); - if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) { - /* XXX */ - BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME); - } + + BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME); + if (!mont) goto err; } 
@@ -238,16 +232,7 @@ static int dh_bn_mod_exp(const DH *dh, BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx) { - /* - * If a is only one word long and constant time is false, use the faster - * exponenentiation function. - */ - if (a->top == 1 && (dh->flags & DH_FLAG_NO_EXP_CONSTTIME) != 0) { - BN_ULONG A = a->d[0]; - - return BN_mod_exp_mont_word(r, A, p, m, ctx, m_ctx); - } else - return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx); + return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx); } static int diff --git a/lib/libssl/src/crypto/dsa/dsa.h b/lib/libssl/src/crypto/dsa/dsa.h index f7f81cfa948..b4d7c1ff0f7 100644 --- a/lib/libssl/src/crypto/dsa/dsa.h +++ b/lib/libssl/src/crypto/dsa/dsa.h @@ -1,4 +1,4 @@ -/* $OpenBSD: dsa.h,v 1.20 2016/06/21 04:16:53 bcook Exp $ */ +/* $OpenBSD: dsa.h,v 1.21 2016/06/30 02:02:06 bcook Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -89,9 +89,6 @@ #endif #define DSA_FLAG_CACHE_MONT_P 0x01 -#define DSA_FLAG_NO_EXP_CONSTTIME 0x00 /* Does nothing. Previously this switched off - * constant time behaviour. - */ /* If this flag is set the DSA method is FIPS compliant and can be used * in FIPS mode. This is set in the validated module method. If an diff --git a/lib/libssl/src/crypto/dsa/dsa_key.c b/lib/libssl/src/crypto/dsa/dsa_key.c index 4732c471eda..fc4eb9c4331 100644 --- a/lib/libssl/src/crypto/dsa/dsa_key.c +++ b/lib/libssl/src/crypto/dsa/dsa_key.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dsa_key.c,v 1.21 2016/06/21 04:16:53 bcook Exp $ */ +/* $OpenBSD: dsa_key.c,v 1.22 2016/06/30 02:02:06 bcook Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -104,18 +104,12 @@ dsa_builtin_keygen(DSA *dsa) pub_key=dsa->pub_key; { - BIGNUM *prk = BN_new(); + BIGNUM prk; - if (prk == NULL) - goto err; - - BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME); + BN_with_flags(&prk, priv_key, BN_FLG_CONSTTIME); - if (!BN_mod_exp(pub_key, dsa->g, prk, dsa->p, ctx)) { - BN_free(prk); + if (!BN_mod_exp(pub_key, dsa->g, &prk, dsa->p, ctx)) goto err; - } - BN_free(prk); } dsa->priv_key = priv_key; diff --git a/lib/libssl/src/crypto/rsa/rsa.h b/lib/libssl/src/crypto/rsa/rsa.h index 4045a6cbf37..d240294809f 100644 --- a/lib/libssl/src/crypto/rsa/rsa.h +++ b/lib/libssl/src/crypto/rsa/rsa.h @@ -1,4 +1,4 @@ -/* $OpenBSD: rsa.h,v 1.27 2015/02/14 15:10:39 miod Exp $ */ +/* $OpenBSD: rsa.h,v 1.28 2016/06/30 02:02:06 bcook Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -194,16 +194,6 @@ struct rsa_st { */ #define RSA_FLAG_NO_BLINDING 0x0080 -/* - * The built-in RSA implementation uses constant time operations by default - * in private key operations, e.g., constant time modular exponentiation, - * modular inverse without leaking branches, division without leaking branches. - * This flag disables these constant time operations and results in faster RSA - * private key operations. - */ -#define RSA_FLAG_NO_CONSTTIME 0x0100 - - #define EVP_PKEY_CTX_set_rsa_padding(ctx, pad) \ EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, -1, EVP_PKEY_CTRL_RSA_PADDING, \ pad, NULL) diff --git a/lib/libssl/src/crypto/rsa/rsa_crpt.c b/lib/libssl/src/crypto/rsa/rsa_crpt.c index 809dd14c928..b50e4a4a6fc 100644 --- a/lib/libssl/src/crypto/rsa/rsa_crpt.c +++ b/lib/libssl/src/crypto/rsa/rsa_crpt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rsa_crpt.c,v 1.14 2015/02/11 03:19:37 doug Exp $ */ +/* $OpenBSD: rsa_crpt.c,v 1.15 2016/06/30 02:02:06 bcook Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -169,8 +169,8 @@ err: BN_BLINDING * RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx) { - BIGNUM local_n; - BIGNUM *e, *n; + BIGNUM *e; + BIGNUM n; BN_CTX *ctx; BN_BLINDING *ret = NULL; @@ -192,15 +192,11 @@ RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx) } else e = rsa->e; - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { - /* Set BN_FLG_CONSTTIME flag */ - n = &local_n; - BN_with_flags(n, rsa->n, BN_FLG_CONSTTIME); - } else - n = rsa->n; + BN_with_flags(&n, rsa->n, BN_FLG_CONSTTIME); - ret = BN_BLINDING_create_param(NULL, e, n, ctx, rsa->meth->bn_mod_exp, + ret = BN_BLINDING_create_param(NULL, e, &n, ctx, rsa->meth->bn_mod_exp, rsa->_method_mod_n); + if (ret == NULL) { RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_BN_LIB); goto err; diff --git a/lib/libssl/src/crypto/rsa/rsa_eay.c b/lib/libssl/src/crypto/rsa/rsa_eay.c index 76863e7220e..6edfd7e5fdc 100644 --- a/lib/libssl/src/crypto/rsa/rsa_eay.c +++ b/lib/libssl/src/crypto/rsa/rsa_eay.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rsa_eay.c,v 1.40 2015/09/10 15:56:25 jsing Exp $ */ +/* $OpenBSD: rsa_eay.c,v 1.41 2016/06/30 02:02:06 bcook Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -177,11 +177,13 @@ RSA_eay_public_encrypt(int flen, const unsigned char *from, unsigned char *to, if ((ctx = BN_CTX_new()) == NULL) goto err; + BN_CTX_start(ctx); f = BN_CTX_get(ctx); ret = BN_CTX_get(ctx); num = BN_num_bytes(rsa->n); buf = malloc(num); + if (f == NULL || ret == NULL || buf == NULL) { RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, ERR_R_MALLOC_FAILURE); goto err; @@ -362,11 +364,13 @@ RSA_eay_private_encrypt(int flen, const unsigned char *from, unsigned char *to, if ((ctx = BN_CTX_new()) == NULL) goto err; + BN_CTX_start(ctx); f = BN_CTX_get(ctx); ret = BN_CTX_get(ctx); num = BN_num_bytes(rsa->n); buf = malloc(num); + if (f == NULL || ret == NULL || buf == NULL) { RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE); goto err; 
@@ -426,24 +430,19 @@ RSA_eay_private_encrypt(int flen, const unsigned char *from, unsigned char *to, if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) goto err; } else { - BIGNUM local_d; - BIGNUM *d = NULL; + BIGNUM d; - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { - BN_init(&local_d); - d = &local_d; - BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); - } else - d = rsa->d; + BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME); if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) goto err; - if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx, - rsa->_method_mod_n)) + if (!rsa->meth->bn_mod_exp(ret, f, &d, rsa->n, ctx, + rsa->_method_mod_n)) { goto err; + } } if (blinding) @@ -499,11 +498,13 @@ RSA_eay_private_decrypt(int flen, const unsigned char *from, unsigned char *to, if ((ctx = BN_CTX_new()) == NULL) goto err; + BN_CTX_start(ctx); f = BN_CTX_get(ctx); ret = BN_CTX_get(ctx); num = BN_num_bytes(rsa->n); buf = malloc(num); + if (!f || !ret || !buf) { RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE); goto err; @@ -553,22 +554,19 @@ RSA_eay_private_decrypt(int flen, const unsigned char *from, unsigned char *to, if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) goto err; } else { - BIGNUM local_d; - BIGNUM *d = NULL; + BIGNUM d; - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { - d = &local_d; - BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); - } else - d = rsa->d; + BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME); if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) goto err; - if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx, - rsa->_method_mod_n)) + + if (!rsa->meth->bn_mod_exp(ret, f, &d, rsa->n, ctx, + rsa->_method_mod_n)) { goto err; + } } if (blinding) 
@@ -645,11 +643,13 @@ RSA_eay_public_decrypt(int flen, const unsigned char *from, unsigned char *to, if ((ctx = BN_CTX_new()) == NULL) goto err; + BN_CTX_start(ctx); f = BN_CTX_get(ctx); ret = BN_CTX_get(ctx); num = BN_num_bytes(rsa->n); buf = malloc(num); + if (!f || !ret || !buf) { RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, ERR_R_MALLOC_FAILURE); goto err; @@ -723,8 +723,7 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) { BIGNUM *r1, *m1, *vrfy; - BIGNUM local_dmp1, local_dmq1, local_c, local_r1; - BIGNUM *dmp1, *dmq1, *c, *pr1; + BIGNUM dmp1, dmq1, c, pr1; int ret = 0; BN_CTX_start(ctx); @@ -737,33 +736,22 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) } { - BIGNUM local_p, local_q; - BIGNUM *p = NULL, *q = NULL; + BIGNUM p, q; /* * Make sure BN_mod_inverse in Montgomery intialization uses the - * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set) + * BN_FLG_CONSTTIME flag */ - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { - BN_init(&local_p); - p = &local_p; - BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME); - - BN_init(&local_q); - q = &local_q; - BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME); - } else { - p = rsa->p; - q = rsa->q; - } + BN_with_flags(&p, rsa->p, BN_FLG_CONSTTIME); + BN_with_flags(&q, rsa->q, BN_FLG_CONSTTIME); if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) { if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, - CRYPTO_LOCK_RSA, p, ctx)) - goto err; - if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q, - CRYPTO_LOCK_RSA, q, ctx)) + CRYPTO_LOCK_RSA, &p, ctx) || + !BN_MONT_CTX_set_locked(&rsa->_method_mod_q, + CRYPTO_LOCK_RSA, &q, ctx)) { goto err; + } } } 
@@ -773,49 +761,34 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) goto err; /* compute I mod q */ - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { - c = &local_c; - BN_with_flags(c, I, BN_FLG_CONSTTIME); - if (!BN_mod(r1, c, rsa->q, ctx)) - goto err; - } else { - if (!BN_mod(r1, I, rsa->q, ctx)) - goto err; - } + BN_with_flags(&c, I, BN_FLG_CONSTTIME); + + if (!BN_mod(r1, &c, rsa->q, ctx)) + goto err; /* compute r1^dmq1 mod q */ - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { - dmq1 = &local_dmq1; - BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME); - } else - dmq1 = rsa->dmq1; - if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx, + BN_with_flags(&dmq1, rsa->dmq1, BN_FLG_CONSTTIME); + + if (!rsa->meth->bn_mod_exp(m1, r1, &dmq1, rsa->q, ctx, rsa->_method_mod_q)) goto err; /* compute I mod p */ - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { - c = &local_c; - BN_with_flags(c, I, BN_FLG_CONSTTIME); - if (!BN_mod(r1, c, rsa->p, ctx)) - goto err; - } else { - if (!BN_mod(r1, I, rsa->p, ctx)) - goto err; - } + BN_with_flags(&c, I, BN_FLG_CONSTTIME); + + if (!BN_mod(r1, &c, rsa->p, ctx)) + goto err; /* compute r1^dmp1 mod p */ - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { - dmp1 = &local_dmp1; - BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME); - } else - dmp1 = rsa->dmp1; - if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p, ctx, + BN_with_flags(&dmp1, rsa->dmp1, BN_FLG_CONSTTIME); + + if (!rsa->meth->bn_mod_exp(r0, r1, &dmp1, rsa->p, ctx, rsa->_method_mod_p)) goto err; if (!BN_sub(r0, r0, m1)) goto err; + /* * This will help stop the size of r0 increasing, which does * affect the multiply if it optimised for a power of 2 size 
@@ -828,12 +801,9 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) goto err; /* Turn BN_FLG_CONSTTIME flag on before division operation */ - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { - pr1 = &local_r1; - BN_with_flags(pr1, r1, BN_FLG_CONSTTIME); - } else - pr1 = r1; - if (!BN_mod(r0, pr1, rsa->p, ctx)) + BN_with_flags(&pr1, r1, BN_FLG_CONSTTIME); + + if (!BN_mod(r0, &pr1, rsa->p, ctx)) goto err; /* @@ -875,18 +845,14 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) * miscalculated CRT output, just do a raw (slower) * mod_exp and return that instead. */ + BIGNUM d; - BIGNUM local_d; - BIGNUM *d = NULL; + BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME); - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { - d = &local_d; - BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); - } else - d = rsa->d; - if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx, - rsa->_method_mod_n)) + if (!rsa->meth->bn_mod_exp(r0, I, &d, rsa->n, ctx, + rsa->_method_mod_n)) { goto err; + } } } ret = 1; diff --git a/lib/libssl/src/crypto/rsa/rsa_gen.c b/lib/libssl/src/crypto/rsa/rsa_gen.c index f6f051c4427..d46f4f2478f 100644 --- a/lib/libssl/src/crypto/rsa/rsa_gen.c +++ b/lib/libssl/src/crypto/rsa/rsa_gen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rsa_gen.c,v 1.17 2015/02/09 15:49:22 jsing Exp $ */ +/* $OpenBSD: rsa_gen.c,v 1.18 2016/06/30 02:02:06 bcook Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -90,8 +90,7 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) { BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp; - BIGNUM local_r0, local_d, local_p; - BIGNUM *pr0, *d, *p; + BIGNUM pr0, d, p; int bitsp, bitsq, ok = -1, n = 0; BN_CTX *ctx = NULL; 
@@ -193,36 +192,26 @@ rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) goto err; if (!BN_mul(r0, r1, r2, ctx)) /* (p-1)(q-1) */ goto err; - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { - pr0 = &local_r0; - BN_with_flags(pr0, r0, BN_FLG_CONSTTIME); - } else - pr0 = r0; - if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx)) /* d */ + + BN_with_flags(&pr0, r0, BN_FLG_CONSTTIME); + + if (!BN_mod_inverse(rsa->d, rsa->e, &pr0, ctx)) /* d */ goto err; /* set up d for correct BN_FLG_CONSTTIME flag */ - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { - d = &local_d; - BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); - } else - d = rsa->d; + BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME); /* calculate d mod (p-1) */ - if (!BN_mod(rsa->dmp1, d, r1, ctx)) + if (!BN_mod(rsa->dmp1, &d, r1, ctx)) goto err; /* calculate d mod (q-1) */ - if (!BN_mod(rsa->dmq1, d, r2, ctx)) + if (!BN_mod(rsa->dmq1, &d, r2, ctx)) goto err; /* calculate inverse of q mod p */ - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { - p = &local_p; - BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME); - } else - p = rsa->p; - if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx)) + BN_with_flags(&p, rsa->p, BN_FLG_CONSTTIME); + if (!BN_mod_inverse(rsa->iqmp, rsa->q, &p, ctx)) goto err; ok = 1; diff --git a/regress/lib/libcrypto/dh/dhtest.c b/regress/lib/libcrypto/dh/dhtest.c index f1ddc5ccf5d..9c2d507d971 100644 --- a/regress/lib/libcrypto/dh/dhtest.c +++ b/regress/lib/libcrypto/dh/dhtest.c 
@@ -73,16 +73,30 @@ #include -static int cb(int p, int n, BN_GENCB *arg); +static int cb(int p, int n, BN_GENCB *arg) +{ + char c='*'; + + if (p == 0) + c='.'; + if (p == 1) + c='+'; + if (p == 2) + c='*'; + if (p == 3) + c='\n'; + BIO_write(arg->arg,&c,1); + (void)BIO_flush(arg->arg); + return 1; +} int main(int argc, char *argv[]) - { +{ BN_GENCB _cb; DH *a; - DH *b=NULL; char buf[12]; - unsigned char *abuf=NULL,*bbuf=NULL; - int i,alen,blen,aout,bout,ret=1; + unsigned char *abuf=NULL; + int i,alen,aout,ret=1; BIO *out; out=BIO_new(BIO_s_file()); @@ -90,11 +104,12 @@ int main(int argc, char *argv[]) BIO_set_fp(out,stdout,BIO_NOCLOSE); BN_GENCB_set(&_cb, &cb, out); - if(((a = DH_new()) == NULL) || !DH_generate_parameters_ex(a, 64, - DH_GENERATOR_5, &_cb)) + if (((a = DH_new()) == NULL) || + !DH_generate_parameters_ex(a, 64, DH_GENERATOR_5, &_cb)) goto err; - if (!DH_check(a, &i)) goto err; + if (!DH_check(a, &i)) + goto err; if (i & DH_CHECK_P_NOT_PRIME) BIO_puts(out, "p value is not prime\n"); if (i & DH_CHECK_P_NOT_SAFE_PRIME) 
@@ -110,81 +125,36 @@ int main(int argc, char *argv[]) BN_print(out,a->g); BIO_puts(out,"\n"); - b=DH_new(); - if (b == NULL) goto err; - - b->p=BN_dup(a->p); - b->g=BN_dup(a->g); - if ((b->p == NULL) || (b->g == NULL)) goto err; - - /* Set a to run with normal modexp and b to use constant time */ - a->flags &= ~DH_FLAG_NO_EXP_CONSTTIME; - b->flags |= DH_FLAG_NO_EXP_CONSTTIME; - - if (!DH_generate_key(a)) goto err; + if (!DH_generate_key(a)) + goto err; BIO_puts(out,"pri 1="); BN_print(out,a->priv_key); BIO_puts(out,"\npub 1="); BN_print(out,a->pub_key); BIO_puts(out,"\n"); - if (!DH_generate_key(b)) goto err; - BIO_puts(out,"pri 2="); - BN_print(out,b->priv_key); - BIO_puts(out,"\npub 2="); - BN_print(out,b->pub_key); - BIO_puts(out,"\n"); - alen=DH_size(a); abuf=malloc(alen); - aout=DH_compute_key(abuf,b->pub_key,a); + aout=DH_compute_key(abuf,a->pub_key,a); BIO_puts(out,"key1 ="); - for (i=0; ipub_key,b); - - BIO_puts(out,"key2 ="); - for (i=0; iarg,&c,1); - (void)BIO_flush(arg->arg); - return 1; - } +} diff --git a/regress/lib/libcrypto/dsa/dsatest.c b/regress/lib/libcrypto/dsa/dsatest.c index 1fb929a6895..444cda532d0 100644 --- a/regress/lib/libcrypto/dsa/dsatest.c +++ b/regress/lib/libcrypto/dsa/dsatest.c @@ -182,13 +182,6 @@ int main(int argc, char **argv) goto end; } - dsa->flags |= DSA_FLAG_NO_EXP_CONSTTIME; - DSA_generate_key(dsa); - DSA_sign(0, str1, 20, sig, &siglen, dsa); - if (DSA_verify(0, str1, 20, sig, siglen, dsa) == 1) - ret=1; - - dsa->flags &= ~DSA_FLAG_NO_EXP_CONSTTIME; DSA_generate_key(dsa); DSA_sign(0, str1, 20, sig, &siglen, dsa); if (DSA_verify(0, str1, 20, sig, siglen, dsa) == 1)