Fix BN flag handling in RSA_eay_mod_exp() and BN_MONT_CTX_set()
to get the expected BN_FLG_CONSTTIME behavior.
[Bodo Moeller (Google)]
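openssl/crypto/bn/bn_mont.c 1.36.2.8 -> 1.36.2.9
--- openssl/crypto/bn/bn_mont.c 2007/11/11 20:43:23 1.36.2.8
+++ openssl/crypto/bn/bn_mont.c 2008/02/27 06:01:59 1.36.2.9
@@ -413,6 +413,8 @@
 
 buf[0]=mod->d[0]; /* tmod = N mod word size */
 buf[1]=0;
+
+ BN_init(&tmod);
 tmod.d=buf;
 tmod.top = buf[0] != 0 ? 1 : 0;
 tmod.dmax=2;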
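Review bot: After the added `BN_init(&tmod);` the temporary modulus carries `flags == 0`, so whatever flag `mod` has — in particular `BN_FLG_CONSTTIME`, which this commit is meant to honour — is not inherited by `tmod`; if `tmod` is later handed to `BN_mod_inverse` in this function (that call is outside the hunk, and `BN_MONT_CTX_set` continues past it), that inverse would run without the constant-time flag even for a private-key modulus. Copying the flag across right after `tmod.dmax=2;`, `if (BN_get_flags(mod, BN_FLG_CONSTTIME)) BN_set_flags(&tmod, BN_FLG_CONSTTIME);`, would make the behaviour described in the commit message hold inside bn_mont.c rather than depend on every caller. The `BN_init` itself is a clear improvement, since previously `tmod.flags` was never written and its value was indeterminate.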
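openssl/crypto/rsa/rsa_eay.c 1.46.2.8 -> 1.46.2.9
--- openssl/crypto/rsa/rsa_eay.c 2007/03/28 00:14:21 1.46.2.8
+++ openssl/crypto/rsa/rsa_eay.c 2008/02/27 06:02:00 1.46.2.9
@@ -151,13 +151,13 @@
 }
 
 /* Usage example;
- * MONT_HELPER(rsa, bn_ctx, p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
+ * MONT_HELPER(rsa->_method_mod_p, bn_ctx, rsa->p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
 */
-#define MONT_HELPER(rsa, ctx, m, pre_cond, err_instr) \
- if((pre_cond) && ((rsa)->_method_mod_##m == NULL) && \
- !BN_MONT_CTX_set_locked(&((rsa)->_method_mod_##m), \
+#define MONT_HELPER(method_mod, ctx, m, pre_cond, err_instr) \
+ if ((pre_cond) && ((method_mod) == NULL) && \
+ !BN_MONT_CTX_set_locked(&(method_mod), \
 CRYPTO_LOCK_RSA, \
- (rsa)->m, (ctx))) \
+ (m), (ctx))) \
 err_instr
 
 static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
@@ -227,13 +227,13 @@
 if (BN_bin2bn(buf,num,f) == NULL) goto err;
 
 if (BN_ucmp(f, rsa->n) >= 0)
- {
+ {
 /* usually the padding functions would catch this */
 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
 goto err;
 }
 
- MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
+ MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
 
 if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx,
 rsa->_method_mod_n)) goto err;
@@ -436,9 +436,9 @@
 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
 }
 else
- d = rsa->d;
+ d= rsa->d;
 
- MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
+ MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
 
 if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx,
 rsa->_method_mod_n)) goto err;
@@ -559,7 +559,7 @@
 else
 d = rsa->d;
 
- MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
+ MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
 if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx,
 rsa->_method_mod_n))
 goto err;
@@ -669,7 +669,7 @@
 goto err;
 }
 
- MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
+ MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
 
 if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx,
 rsa->_method_mod_n)) goto err;
@@ -717,7 +717,6 @@
 BIGNUM *r1,*m1,*vrfy;
 BIGNUM local_dmp1,local_dmq1,local_c,local_r1;
 BIGNUM *dmp1,*dmq1,*c,*pr1;
- int bn_flags;
 int ret=0;
 
 BN_CTX_start(ctx);
@@ -725,31 +724,34 @@
 m1 = BN_CTX_get(ctx);
 vrfy = BN_CTX_get(ctx);
 
- /* Make sure mod_inverse in montgomerey intialization use correct
- * BN_FLG_CONSTTIME flag.
- */
- bn_flags = rsa->p->flags;
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
- {
- rsa->p->flags |= BN_FLG_CONSTTIME;
- }
- MONT_HELPER(rsa, ctx, p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
- /* We restore bn_flags back */
- rsa->p->flags = bn_flags;
+ {
+ BIGNUM local_p, local_q;
+ BIGNUM *p = NULL, *q = NULL;
 
- /* Make sure mod_inverse in montgomerey intialization use correct
- * BN_FLG_CONSTTIME flag.
- */
- bn_flags = rsa->q->flags;
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
- {
- rsa->q->flags |= BN_FLG_CONSTTIME;
- }
- MONT_HELPER(rsa, ctx, q, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
- /* We restore bn_flags back */
- rsa->q->flags = bn_flags;
+ /* Make sure BN_mod_inverse in Montgomery intialization uses the
+ * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set)
+ */
+ if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
+ {
+ BN_init(&local_p);
+ p = &local_p;
+ BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
+
+ BN_init(&local_q);
+ q = &local_q;
+ BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
+ }
+ else
+ {
+ p = rsa->p;
+ q = rsa->q;
+ }
+
+ MONT_HELPER(rsa->_method_mod_p, ctx, p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
+ MONT_HELPER(rsa->_method_mod_q, ctx, q, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
+ }
 
- MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
+ MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
 
 /* compute I mod q */
 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))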
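Review bot: The rewritten `#define MONT_HELPER(method_mod, ctx, m, pre_cond, err_instr)` in the `@@ -151` hunk expands `method_mod` twice (`(method_mod) == NULL` and `&(method_mod)`) and hangs `err_instr` off an unbraced `if`, and the updated usage example documents neither constraint. Every call site in these hunks passes an `rsa->_method_mod_*` lvalue and a single `goto err`, so the expansions are safe today, but a future caller passing an expression with side effects or a multi-statement `err_instr` would break silently. I would extend the usage comment with `/* method_mod must be a plain lvalue: it is evaluated twice and its address is taken; err_instr is the single-statement body of an unbraced if */`. In the `@@ -725` hunk the `local_p`/`local_q` wrappers built with `BN_with_flags` presumably share the digits of `rsa->p` and `rsa->q` and carry `BN_FLG_STATIC_DATA`, so they are intentionally never freed; a one-line comment saying so next to `BIGNUM local_p, local_q;` would stop the next reader from adding a `BN_free` on the error path.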
Fix DH with certain moduli.
openssl/crypto/bn/bn_mul.c 1.36.4.1 -> 1.36.4.2
|
|
|
5820f5 |
|
|
|
5820f5 |
--- openssl/crypto/bn/bn_mul.c 2007/07/08 18:55:51 1.36.4.1
|
|
|
5820f5 |
+++ openssl/crypto/bn/bn_mul.c 2007/11/03 20:10:10 1.36.4.2
|
|
|
5820f5 |
@@ -389,6 +389,7 @@
|
|
|
5820f5 |
* a[0]*b[0]+a[1]*b[1]+(a[0]-a[1])*(b[1]-b[0])
|
|
|
5820f5 |
* a[1]*b[1]
|
|
|
5820f5 |
*/
|
|
|
5820f5 |
+/* dnX may not be positive, but n2/2+dnX has to be */
|
|
|
5820f5 |
void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
|
|
|
5820f5 |
int dna, int dnb, BN_ULONG *t)
|
|
|
5820f5 |
{
|
|
|
5820f5 |
@@ -398,7 +399,7 @@
|
|
|
5820f5 |
BN_ULONG ln,lo,*p;
|
|
|
5820f5 |
|
|
|
5820f5 |
# ifdef BN_COUNT
|
|
|
5820f5 |
- fprintf(stderr," bn_mul_recursive %d * %d\n",n2,n2);
|
|
|
5820f5 |
+ fprintf(stderr," bn_mul_recursive %d%+d * %d%+d\n",n2,dna,n2,dnb);
|
|
|
5820f5 |
# endif
|
|
|
5820f5 |
# ifdef BN_MUL_COMBA
|
|
|
5820f5 |
# if 0
|
|
|
5820f5 |
@@ -545,6 +546,7 @@
|
|
|
5820f5 |
|
|
|
5820f5 |
/* n+tn is the word length
|
|
|
5820f5 |
* t needs to be n*4 is size, as does r */
|
|
|
5820f5 |
+/* tnX may not be negative but less than n */
|
|
|
5820f5 |
void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n,
|
|
|
5820f5 |
int tna, int tnb, BN_ULONG *t)
|
|
|
5820f5 |
{
|
|
|
5820f5 |
@@ -553,8 +555,8 @@
|
|
|
5820f5 |
BN_ULONG ln,lo,*p;
|
|
|
5820f5 |
|
|
|
5820f5 |
# ifdef BN_COUNT
|
|
|
5820f5 |
- fprintf(stderr," bn_mul_part_recursive (%d+%d) * (%d+%d)\n",
|
|
|
5820f5 |
- tna, n, tnb, n);
|
|
|
5820f5 |
+ fprintf(stderr," bn_mul_part_recursive (%d%+d) * (%d%+d)\n",
|
|
|
5820f5 |
+ n, tna, n, tnb);
|
|
|
5820f5 |
# endif
|
|
|
5820f5 |
if (n < 8)
|
|
|
5820f5 |
{
|
|
|
5820f5 |
@@ -655,16 +657,19 @@
|
|
|
5820f5 |
for (;;)
|
|
|
5820f5 |
{
|
|
|
5820f5 |
i/=2;
|
|
|
5820f5 |
- if (i <= tna && tna == tnb)
|
|
|
5820f5 |
+ /* these simplified conditions work
|
|
|
5820f5 |
+ * exclusively because difference
|
|
|
5820f5 |
+ * between tna and tnb is 1 or 0 */
|
|
|
5820f5 |
+ if (i < tna || i < tnb)
|
|
|
5820f5 |
{
|
|
|
5820f5 |
- bn_mul_recursive(&(r[n2]),
|
|
|
5820f5 |
+ bn_mul_part_recursive(&(r[n2]),
|
|
|
5820f5 |
&(a[n]),&(b[n]),
|
|
|
5820f5 |
i,tna-i,tnb-i,p);
|
|
|
5820f5 |
break;
|
|
|
5820f5 |
}
|
|
|
5820f5 |
- else if (i < tna || i < tnb)
|
|
|
5820f5 |
+ else if (i == tna || i == tnb)
|
|
|
5820f5 |
{
|
|
|
5820f5 |
- bn_mul_part_recursive(&(r[n2]),
|
|
|
5820f5 |
+ bn_mul_recursive(&(r[n2]),
|
|
|
5820f5 |
&(a[n]),&(b[n]),
|
|
|
5820f5 |
i,tna-i,tnb-i,p);
|
|
|
5820f5 |
break;
|