bn_blind.c 11.2 KB
Newer Older
1
/* crypto/bn/bn_blind.c */
2
/* ====================================================================
3
 * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    openssl-core@openssl.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */
55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 * 
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
 * 
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
 * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *    "This product includes cryptographic software written by
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
 * 4. If you include any Windows specific code (or a derivative thereof) from 
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
 * 
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 * 
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */

#include <stdio.h>
#include "cryptlib.h"
#include "bn_lcl.h"

116 117 118 119 120 121 122 123
#define BN_BLINDING_COUNTER	32

struct bn_blinding_st
	{
	BIGNUM *A;
	BIGNUM *Ai;
	BIGNUM *e;
	BIGNUM *mod; /* just a reference */
124 125 126
/* FIXME: should really try to remove these, but the deprecated APIs that are
 * using them would need to be fudged somehow. */
#ifndef OPENSSL_NO_DEPRECATED
127 128
	unsigned long thread_id; /* added in OpenSSL 0.9.6j and 0.9.7b;
				  * used only by crypto/rsa/rsa_eay.c, rsa_lib.c */
129 130
#endif
	CRYPTO_THREADID tid;
131 132 133 134 135 136 137 138 139
	unsigned int  counter;
	unsigned long flags;
	BN_MONT_CTX *m_ctx;
	int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
			  const BIGNUM *m, BN_CTX *ctx,
			  BN_MONT_CTX *m_ctx);
	};

BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod)
140 141 142
	{
	BN_BLINDING *ret=NULL;

143 144
	bn_check_top(mod);

145
	if ((ret=(BN_BLINDING *)OPENSSL_malloc(sizeof(BN_BLINDING))) == NULL)
146
		{
147
		BNerr(BN_F_BN_BLINDING_NEW,ERR_R_MALLOC_FAILURE);
148 149
		return(NULL);
		}
150
	memset(ret,0,sizeof(BN_BLINDING));
151 152 153 154 155 156 157 158
	if (A != NULL)
		{
		if ((ret->A  = BN_dup(A))  == NULL) goto err;
		}
	if (Ai != NULL)
		{
		if ((ret->Ai = BN_dup(Ai)) == NULL) goto err;
		}
159 160 161 162 163 164

	/* save a copy of mod in the BN_BLINDING structure */
	if ((ret->mod = BN_dup(mod)) == NULL) goto err;
	if (BN_get_flags(mod, BN_FLG_CONSTTIME) != 0)
		BN_set_flags(ret->mod, BN_FLG_CONSTTIME);

165
	ret->counter = BN_BLINDING_COUNTER;
166 167 168
	return(ret);
err:
	if (ret != NULL) BN_BLINDING_free(ret);
169
	return(NULL);
170 171
	}

U
Ulf Möller 已提交
172
void BN_BLINDING_free(BN_BLINDING *r)
173
	{
B
Ben Laurie 已提交
174 175 176
	if(r == NULL)
	    return;

177 178
	if (r->A  != NULL) BN_free(r->A );
	if (r->Ai != NULL) BN_free(r->Ai);
179
	if (r->e  != NULL) BN_free(r->e );
180
	if (r->mod != NULL) BN_free(r->mod); 
181
	OPENSSL_free(r);
182 183
	}

U
Ulf Möller 已提交
184
int BN_BLINDING_update(BN_BLINDING *b, BN_CTX *ctx)
185 186 187 188 189
	{
	int ret=0;

	if ((b->A == NULL) || (b->Ai == NULL))
		{
U
Ulf Möller 已提交
190
		BNerr(BN_F_BN_BLINDING_UPDATE,BN_R_NOT_INITIALIZED);
191 192
		goto err;
		}
193 194 195 196 197 198 199 200 201 202 203 204 205

	if (--(b->counter) == 0 && b->e != NULL &&
		!(b->flags & BN_BLINDING_NO_RECREATE))
		{
		/* re-create blinding parameters */
		if (!BN_BLINDING_create_param(b, NULL, NULL, ctx, NULL, NULL))
			goto err;
		}
	else if (!(b->flags & BN_BLINDING_NO_UPDATE))
		{
		if (!BN_mod_mul(b->A,b->A,b->A,b->mod,ctx)) goto err;
		if (!BN_mod_mul(b->Ai,b->Ai,b->Ai,b->mod,ctx)) goto err;
		}
206 207 208

	ret=1;
err:
209 210
	if (b->counter == 0)
		b->counter = BN_BLINDING_COUNTER;
211 212 213
	return(ret);
	}

U
Ulf Möller 已提交
214
int BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx)
215 216 217 218 219
	{
	return BN_BLINDING_convert_ex(n, NULL, b, ctx);
	}

int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b, BN_CTX *ctx)
220
	{
B
Bodo Möller 已提交
221 222
	int ret = 1;

223 224
	bn_check_top(n);

225 226
	if ((b->A == NULL) || (b->Ai == NULL))
		{
B
Bodo Möller 已提交
227
		BNerr(BN_F_BN_BLINDING_CONVERT_EX,BN_R_NOT_INITIALIZED);
228 229
		return(0);
		}
230 231

	if (r != NULL)
B
Bodo Möller 已提交
232 233 234
		{
		if (!BN_copy(r, b->Ai)) ret=0;
		}
235

B
Bodo Möller 已提交
236 237 238
	if (!BN_mod_mul(n,n,b->A,b->mod,ctx)) ret=0;
	
	return ret;
239 240
	}

U
Ulf Möller 已提交
241
int BN_BLINDING_invert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx)
242 243 244 245 246
	{
	return BN_BLINDING_invert_ex(n, NULL, b, ctx);
	}

int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b, BN_CTX *ctx)
247 248
	{
	int ret;
249 250

	bn_check_top(n);
251 252
	if ((b->A == NULL) || (b->Ai == NULL))
		{
B
Bodo Möller 已提交
253
		BNerr(BN_F_BN_BLINDING_INVERT_EX,BN_R_NOT_INITIALIZED);
254 255
		return(0);
		}
256 257 258 259 260 261 262

	if (r != NULL)
		ret = BN_mod_mul(n, n, r, b->mod, ctx);
	else
		ret = BN_mod_mul(n, n, b->Ai, b->mod, ctx);

	if (ret >= 0)
263 264 265 266
		{
		if (!BN_BLINDING_update(b,ctx))
			return(0);
		}
267
	bn_check_top(n);
268 269 270
	return(ret);
	}

271
#ifndef OPENSSL_NO_DEPRECATED
272 273 274 275 276 277 278 279 280
unsigned long BN_BLINDING_get_thread_id(const BN_BLINDING *b)
	{
	return b->thread_id;
	}

void BN_BLINDING_set_thread_id(BN_BLINDING *b, unsigned long n)
	{
	b->thread_id = n;
	}
281
#endif
282

283
void BN_BLINDING_set_thread(BN_BLINDING *b)
284
	{
285
	CRYPTO_THREADID_set(&b->tid);
286 287
	}

288
int BN_BLINDING_cmp_thread(const BN_BLINDING *b, const CRYPTO_THREADID *tid)
289
	{
290
	return CRYPTO_THREADID_cmp(&b->tid, tid);
291 292
	}

293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382
unsigned long BN_BLINDING_get_flags(const BN_BLINDING *b)
	{
	return b->flags;
	}

void BN_BLINDING_set_flags(BN_BLINDING *b, unsigned long flags)
	{
	b->flags = flags;
	}

BN_BLINDING *BN_BLINDING_create_param(BN_BLINDING *b,
	const BIGNUM *e, BIGNUM *m, BN_CTX *ctx,
	int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
			  const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx),
	BN_MONT_CTX *m_ctx)
{
	int    retry_counter = 32;
	BN_BLINDING *ret = NULL;

	if (b == NULL)
		ret = BN_BLINDING_new(NULL, NULL, m);
	else
		ret = b;

	if (ret == NULL)
		goto err;

	if (ret->A  == NULL && (ret->A  = BN_new()) == NULL)
		goto err;
	if (ret->Ai == NULL && (ret->Ai	= BN_new()) == NULL)
		goto err;

	if (e != NULL)
		{
		if (ret->e != NULL)
			BN_free(ret->e);
		ret->e = BN_dup(e);
		}
	if (ret->e == NULL)
		goto err;

	if (bn_mod_exp != NULL)
		ret->bn_mod_exp = bn_mod_exp;
	if (m_ctx != NULL)
		ret->m_ctx = m_ctx;

	do {
		if (!BN_rand_range(ret->A, ret->mod)) goto err;
		if (BN_mod_inverse(ret->Ai, ret->A, ret->mod, ctx) == NULL)
			{
			/* this should almost never happen for good RSA keys */
			unsigned long error = ERR_peek_last_error();
			if (ERR_GET_REASON(error) == BN_R_NO_INVERSE)
				{
				if (retry_counter-- == 0)
				{
					BNerr(BN_F_BN_BLINDING_CREATE_PARAM,
						BN_R_TOO_MANY_ITERATIONS);
					goto err;
				}
				ERR_clear_error();
				}
			else
				goto err;
			}
		else
			break;
	} while (1);

	if (ret->bn_mod_exp != NULL && ret->m_ctx != NULL)
		{
		if (!ret->bn_mod_exp(ret->A, ret->A, ret->e, ret->mod, ctx, ret->m_ctx))
			goto err;
		}
	else
		{
		if (!BN_mod_exp(ret->A, ret->A, ret->e, ret->mod, ctx))
			goto err;
		}

	return ret;
err:
	if (b == NULL && ret != NULL)
		{
		BN_BLINDING_free(ret);
		ret = NULL;
		}

	return ret;
}