diff options
| author | Matt Caswell <matt@openssl.org> | 2014-10-28 23:00:29 +0000 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2014-12-08 21:40:57 +0000 |
| commit | 18125f7f554034d95c64851bee23fb058a23bfd9 (patch) | |
| tree | 2079d890f829b34910893d9c96a1f96670a5a3fe /crypto/rsa/rsa_eay.c | |
| parent | 68c29f61a404db3d620278878d77ca90ad853b8d (diff) | |
| download | openssl-18125f7f554034d95c64851bee23fb058a23bfd9.zip openssl-18125f7f554034d95c64851bee23fb058a23bfd9.tar.gz openssl-18125f7f554034d95c64851bee23fb058a23bfd9.tar.bz2 | |
Implement internally opaque bn access from rsa
Reviewed-by: Tim Hudson <tjh@openssl.org>
Diffstat (limited to 'crypto/rsa/rsa_eay.c')
| -rw-r--r-- | crypto/rsa/rsa_eay.c | 105 |
1 files changed, 77 insertions, 28 deletions
diff --git a/crypto/rsa/rsa_eay.c b/crypto/rsa/rsa_eay.c index 80dab8a..3e08fe7 100644 --- a/crypto/rsa/rsa_eay.c +++ b/crypto/rsa/rsa_eay.c @@ -112,7 +112,7 @@ #include "cryptlib.h" -#include <openssl/bn.h> +#include "internal/bn_int.h" #include <openssl/rsa.h> #include <openssl/rand.h> @@ -433,13 +433,16 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from, } else { - BIGNUM local_d; - BIGNUM *d = NULL; + BIGNUM *d = NULL, *local_d = NULL; if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { - BN_init(&local_d); - d = &local_d; + local_d = d = BN_new(); + if(!d) + { + RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE); + goto err; + } BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); } else @@ -447,10 +450,18 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from, if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) if(!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) + { + if(local_d) BN_free(local_d); goto err; + } if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx, - rsa->_method_mod_n)) goto err; + rsa->_method_mod_n)) + { + if(local_d) BN_free(local_d); + goto err; + } + if(local_d) BN_free(local_d); } if (blinding) @@ -567,12 +578,16 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from, } else { - BIGNUM local_d; - BIGNUM *d = NULL; + BIGNUM *d = NULL, *local_d = NULL; if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { - d = &local_d; + local_d = d = BN_new(); + if(!d) + { + RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE); + goto err; + } BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); } else @@ -580,10 +595,17 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from, if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) + { + if(local_d) BN_free(local_d); goto err; + } if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx, rsa->_method_mod_n)) - goto err; + { + if(local_d) BN_free(local_d); + goto err; + } + if(local_d) BN_free(local_d); } if (blinding) @@ -697,7 +719,7 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from, if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx, rsa->_method_mod_n)) goto err; - if ((padding == RSA_X931_PADDING) && ((ret->d[0] & 0xf) != 12)) + if ((padding == RSA_X931_PADDING) && ((bn_get_words(ret)[0] & 0xf) != 12)) if (!BN_sub(ret, rsa->n, ret)) goto err; p=buf; @@ -738,17 +760,25 @@ err: static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) { BIGNUM *r1,*m1,*vrfy; - BIGNUM local_dmp1,local_dmq1,local_c,local_r1; + BIGNUM *local_dmp1, *local_dmq1, *local_c, *local_r1; BIGNUM *dmp1,*dmq1,*c,*pr1; int ret=0; + + local_dmp1 = BN_new(); + local_dmq1 = BN_new(); + local_c = BN_new(); + local_r1 = BN_new(); + if(!local_dmp1 || !local_dmq1 || !local_c || !local_r1) + goto err; + BN_CTX_start(ctx); r1 = BN_CTX_get(ctx); m1 = BN_CTX_get(ctx); vrfy = BN_CTX_get(ctx); { - BIGNUM local_p, local_q; + BIGNUM *local_p = NULL, *local_q = NULL; BIGNUM *p = NULL, *q = NULL; /* Make sure BN_mod_inverse in Montgomery intialization uses the @@ -756,12 +786,16 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) */ if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { - BN_init(&local_p); - p = &local_p; + local_p = p = BN_new(); + if(!p) goto err; BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME); - BN_init(&local_q); - q = &local_q; + local_q = q = BN_new(); + if(!q) + { + BN_free(local_p); + goto err; + } BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME); } else @@ -772,11 +806,15 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) { - if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, CRYPTO_LOCK_RSA, p, ctx)) - goto err; - if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q, CRYPTO_LOCK_RSA, q, ctx)) + if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, CRYPTO_LOCK_RSA, p, ctx) || !BN_MONT_CTX_set_locked(&rsa->_method_mod_q, CRYPTO_LOCK_RSA, q, ctx)) + { + if(local_p) BN_free(local_p); + if(local_q) BN_free(local_q); goto err; + } } + if(local_p) BN_free(local_p); + if(local_q) BN_free(local_q); } if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) @@ -786,7 +824,7 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) /* compute I mod q */ if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { - c = &local_c; + c = local_c; BN_with_flags(c, I, BN_FLG_CONSTTIME); if (!BN_mod(r1,c,rsa->q,ctx)) goto err; } @@ -798,7 +836,7 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) /* compute r1^dmq1 mod q */ if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { - dmq1 = &local_dmq1; + dmq1 = local_dmq1; BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME); } else @@ -809,7 +847,7 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) /* compute I mod p */ if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { - c = &local_c; + c = local_c; BN_with_flags(c, I, BN_FLG_CONSTTIME); if (!BN_mod(r1,c,rsa->p,ctx)) goto err; } @@ -821,7 +859,7 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) /* compute r1^dmp1 mod p */ if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { - dmp1 = &local_dmp1; + dmp1 = local_dmp1; BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME); } else @@ -840,7 +878,7 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) /* Turn BN_FLG_CONSTTIME flag on before division operation */ if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { - pr1 = &local_r1; + pr1 = local_r1; BN_with_flags(pr1, r1, BN_FLG_CONSTTIME); } else @@ -876,22 +914,33 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) * miscalculated CRT output, just do a raw (slower) * mod_exp and return that instead. */ - BIGNUM local_d; + BIGNUM *local_d = NULL; BIGNUM *d = NULL; if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { - d = &local_d; + local_d = d = BN_new(); + if(!d) goto err; BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); } else d = rsa->d; if (!rsa->meth->bn_mod_exp(r0,I,d,rsa->n,ctx, - rsa->_method_mod_n)) goto err; + rsa->_method_mod_n)) + { + if(local_d) BN_free(local_d); + goto err; + } + + if(local_d) BN_free(local_d); } } ret=1; err: + if(local_dmp1) BN_free(local_dmp1); + if(local_dmq1) BN_free(local_dmq1); + if(local_c) BN_free(local_c); + if(local_r1) BN_free(local_r1); BN_CTX_end(ctx); return(ret); } |