From d6aa9c1deda4306d122d3cb7226484f51a7a1bd3 Mon Sep 17 00:00:00 2001
From: tb
Date: Tue, 8 Aug 2023 14:40:56 +0000
Subject: [PATCH] Factor the actual setup step for the blinding into a helper

ok jsing
---
 lib/libcrypto/bn/bn_blind.c | 73 ++++++++++++++++++++++---------------
 1 file changed, 43 insertions(+), 30 deletions(-)

diff --git a/lib/libcrypto/bn/bn_blind.c b/lib/libcrypto/bn/bn_blind.c
index e530bdfb276..edc1a9d1abb 100644
--- a/lib/libcrypto/bn/bn_blind.c
+++ b/lib/libcrypto/bn/bn_blind.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_blind.c,v 1.33 2023/08/08 13:59:04 tb Exp $ */
+/* $OpenBSD: bn_blind.c,v 1.34 2023/08/08 14:40:56 tb Exp $ */
 /* ====================================================================
 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
 *
@@ -178,6 +178,45 @@ BN_BLINDING_free(BN_BLINDING *r)
 free(r);
 }
 
+static int
+BN_BLINDING_setup(BN_BLINDING *ret, BN_CTX *ctx)
+{
+ int retry_counter = 32;
+
+ /*
+ * XXX - remove this loop. If we happen to find a non-invertible A,
+ * we have basically factored mod = (p-1)(q-1)...
+ */
+ do {
+ if (!BN_rand_range(ret->A, ret->mod))
+ return 0;
+ if (BN_mod_inverse_ct(ret->Ai, ret->A, ret->mod, ctx) == NULL) {
+ /* this should almost never happen for good RSA keys */
+ unsigned long error = ERR_peek_last_error();
+ if (ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
+ if (retry_counter-- == 0) {
+ BNerror(BN_R_TOO_MANY_ITERATIONS);
+ return 0;
+ }
+ ERR_clear_error();
+ } else
+ return 0;
+ } else
+ break;
+ } while (1);
+
+ if (ret->bn_mod_exp != NULL && ret->m_ctx != NULL) {
+ if (!ret->bn_mod_exp(ret->A, ret->A, ret->e, ret->mod,
+ ctx, ret->m_ctx))
+ return 0;
+ } else {
+ if (!BN_mod_exp_ct(ret->A, ret->A, ret->e, ret->mod, ctx))
+ return 0;
+ }
+
+ return 1;
+}
+
 static int
 BN_BLINDING_update(BN_BLINDING *b, BN_CTX *ctx)
 {
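Review bot: BN_BLINDING_setup() needs a contract comment, because it dereferences ret->A, ret->Ai, ret->e and ret->mod unchecked and, when it returns 0 after BN_rand_range() has succeeded, leaves A overwritten while Ai or the A^e step may not have been completed, so the stored pair no longer matches. That matters more now that BN_BLINDING_update() calls the helper directly on a live object (the hunk at -187,8) as well as through BN_BLINDING_create_param() (the hunk at -270,32). I would add above the function something like `/* Caller must have A, Ai, e and mod allocated. On failure A/Ai may be half-updated; do not use the blinding afterwards. */`. The `ERR_clear_error()` in the retry branch also drops the caller's entire error queue rather than just the BN_R_NO_INVERSE entry; it was moved unchanged, but is worth a comment here.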
@@ -187,8 +226,7 @@ BN_BLINDING_update(BN_BLINDING *b, BN_CTX *ctx)
 b->counter = 0;

 if (++b->counter == BN_BLINDING_COUNTER) {
- /* re-create blinding parameters */
- if (!BN_BLINDING_create_param(b, NULL, NULL, ctx, NULL, NULL))
+ if (!BN_BLINDING_setup(b, ctx))
 goto err;
 } else {
 if (!BN_mod_mul(b->A, b->A, b->A, b->mod, ctx))
@@ -258,7 +296,6 @@ BN_BLINDING_create_param(BN_BLINDING *b, const BIGNUM *e, BIGNUM *m, BN_CTX *ctx
 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx), BN_MONT_CTX *m_ctx)
 {
 BN_BLINDING *ret = NULL;
- int retry_counter = 32;

 if ((ret = b) == NULL)
 ret = BN_BLINDING_new(e, m);
@@ -270,32 +307,8 @@ BN_BLINDING_create_param(BN_BLINDING *b, const BIGNUM *e, BIGNUM *m, BN_CTX *ctx
 if (m_ctx != NULL)
 ret->m_ctx = m_ctx;
 
- do {
- if (!BN_rand_range(ret->A, ret->mod))
- goto err;
- if (BN_mod_inverse_ct(ret->Ai, ret->A, ret->mod, ctx) == NULL) {
- /* this should almost never happen for good RSA keys */
- unsigned long error = ERR_peek_last_error();
- if (ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
- if (retry_counter-- == 0) {
- BNerror(BN_R_TOO_MANY_ITERATIONS);
- goto err;
- }
- ERR_clear_error();
- } else
- goto err;
- } else
- break;
- } while (1);
-
- if (ret->bn_mod_exp != NULL && ret->m_ctx != NULL) {
- if (!ret->bn_mod_exp(ret->A, ret->A, ret->e, ret->mod,
- ctx, ret->m_ctx))
- goto err;
- } else {
- if (!BN_mod_exp_ct(ret->A, ret->A, ret->e, ret->mod, ctx))
- goto err;
- }
+ if (!BN_BLINDING_setup(ret, ctx))
+ goto err;

 return ret;
 
-- 
2.20.1