From 6cdee16f62867686db9a168c7a0532f63c1cbf0c Mon Sep 17 00:00:00 2001
From: tb
Date: Wed, 9 Aug 2023 08:35:59 +0000
Subject: [PATCH] Remove retry loop in BN_BLINDING_setup()

If we generate a non-invertible blinding, we have accidentally factored the modulus. This won't happen, so get rid of this ugly complication.

ok jsing
---
 lib/libcrypto/bn/bn_blind.c | 29 +++++------------------------
 1 file changed, 5 insertions(+), 24 deletions(-)

diff --git a/lib/libcrypto/bn/bn_blind.c b/lib/libcrypto/bn/bn_blind.c
index 1cf2a4b1f4e..cca211fb4f3 100644
--- a/lib/libcrypto/bn/bn_blind.c
+++ b/lib/libcrypto/bn/bn_blind.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_blind.c,v 1.39 2023/08/09 08:31:13 tb Exp $ */
+/* $OpenBSD: bn_blind.c,v 1.40 2023/08/09 08:35:59 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
  *
@@ -181,29 +181,10 @@ BN_BLINDING_free(BN_BLINDING *r)
 static int
 BN_BLINDING_setup(BN_BLINDING *b, BN_CTX *ctx)
 {
-	int retry_counter = 32;
-
-	/*
-	 * XXX - remove this loop. If we happen to find a non-invertible A,
-	 * we have basically factored mod = (p-1)(q-1)...
-	 */
-	do {
-		if (!BN_rand_range(b->A, b->mod))
-			return 0;
-		if (BN_mod_inverse_ct(b->Ai, b->A, b->mod, ctx) == NULL) {
-			/* this should almost never happen for good RSA keys */
-			unsigned long error = ERR_peek_last_error();
-			if (ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
-				if (retry_counter-- == 0) {
-					BNerror(BN_R_TOO_MANY_ITERATIONS);
-					return 0;
-				}
-				ERR_clear_error();
-			} else
-				return 0;
-		} else
-			break;
-	} while (1);
+	if (!bn_rand_interval(b->A, 1, b->mod))
+		return 0;
+	if (BN_mod_inverse_ct(b->Ai, b->A, b->mod, ctx) == NULL)
+		return 0;
 
 	if (b->bn_mod_exp != NULL && b->m_ctx != NULL) {
 		if (!b->bn_mod_exp(b->A, b->A, b->e, b->mod, ctx, b->m_ctx))
-- 
2.20.1
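Review bot: The new two-line body of BN_BLINDING_setup() carries no comment saying why a single draw of A is enough, so the rationale that now lives only in the commit message is easy to lose and the retry loop is likely to be reintroduced by a future reader. I would put it directly above the bn_rand_interval() call: `/* A in [1, mod) is non-invertible only if gcd(A, mod) > 1, i.e. A would expose a factor of mod; that does not happen for a valid modulus, so one draw suffices and any failure is fatal. */`. As a side effect of dropping the loop, a BN_mod_inverse_ct() failure now leaves BN_R_NO_INVERSE on the error queue instead of BN_R_TOO_MANY_ITERATIONS; this looks harmless because the callers presumably act on the return value, but it is inferred from the removed branch and worth confirming. The body of BN_BLINDING_setup() continues past the end of the hunk.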