Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
OpenHarmony
Third Party Openssl
提交
5679bcce
T
Third Party Openssl
项目概览
OpenHarmony
/
Third Party Openssl
1 年多 前同步成功
通知
9
Star
18
Fork
1
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
T
Third Party Openssl
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
提交
5679bcce
编写于
4月 02, 2003
作者:
B
Bodo Möller
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
make RSA blinding thread-safe
上级
24692fc5
变更
4
隐藏空白更改
内联
并排
Showing
4 changed file
with
124 addition
and
12 deletion
+124
-12
CHANGES
CHANGES
+7
-2
crypto/bn/bn.h
crypto/bn/bn.h
+2
-0
crypto/rsa/rsa_eay.c
crypto/rsa/rsa_eay.c
+106
-8
crypto/rsa/rsa_lib.c
crypto/rsa/rsa_lib.c
+9
-2
未找到文件。
CHANGES
浏览文件 @
5679bcce
...
...
@@ -483,12 +483,17 @@
to avoid a timing attack. Applications that don't want it can call
RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING.
They would be ill-advised to do so in most cases.
[Ben Laurie, Steve Henson, Geoff Thorpe]
[Ben Laurie, Steve Henson, Geoff Thorpe
, Bodo Moeller
]
*) Change RSA blinding code so that it works when the PRNG is not
seeded (in this case, the secret RSA exponent is abused as
an unpredictable seed -- if it is not unpredictable, there
is no point in blinding anyway).
is no point in blinding anyway). Make RSA blinding thread-safe
by remembering the creator's thread ID in rsa->blinding and
having all other threads use local one-time blinding factors
(this requires more computation than sharing rsa->blinding, but
avoids excessive locking; and if an RSA object is not shared
between threads, blinding will still be very fast).
[Bodo Moeller]
yet to be integrated into this CVS branch:
...
...
crypto/bn/bn.h
浏览文件 @
5679bcce
...
...
@@ -261,6 +261,8 @@ typedef struct bn_blinding_st
BIGNUM
*
A
;
BIGNUM
*
Ai
;
BIGNUM
*
mod
;
/* just a reference */
unsigned
long
thread_id
;
/* added in OpenSSL 0.9.6j and 0.9.7b;
* used only by crypto/rsa/rsa_eay.c, rsa_lib.c */
}
BN_BLINDING
;
/* Used for montgomery multiplication */
...
...
crypto/rsa/rsa_eay.c
浏览文件 @
5679bcce
...
...
@@ -230,6 +230,40 @@ static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx)
err_instr \
} while(0)
static
BN_BLINDING
*
setup_blinding
(
RSA
*
rsa
,
BN_CTX
*
ctx
)
{
BIGNUM
*
A
,
*
Ai
;
BN_BLINDING
*
ret
=
NULL
;
/* added in OpenSSL 0.9.6j and 0.9.7b */
/* NB: similar code appears in RSA_blinding_on (rsa_lib.c);
* this should be placed in a new function of its own, but for reasons
* of binary compatibility can't */
BN_CTX_start
(
ctx
);
A
=
BN_CTX_get
(
ctx
);
if
((
RAND_status
()
==
0
)
&&
rsa
->
d
!=
NULL
&&
rsa
->
d
->
d
!=
NULL
)
{
/* if PRNG is not properly seeded, resort to secret exponent as unpredictable seed */
RAND_add
(
rsa
->
d
->
d
,
rsa
->
d
->
dmax
*
sizeof
rsa
->
d
->
d
[
0
],
0
);
if
(
!
BN_pseudo_rand_range
(
A
,
rsa
->
n
))
goto
err
;
}
else
{
if
(
!
BN_rand_range
(
A
,
rsa
->
n
))
goto
err
;
}
if
((
Ai
=
BN_mod_inverse
(
NULL
,
A
,
rsa
->
n
,
ctx
))
==
NULL
)
goto
err
;
if
(
!
rsa
->
meth
->
bn_mod_exp
(
A
,
A
,
rsa
->
e
,
rsa
->
n
,
ctx
,
rsa
->
_method_mod_n
))
goto
err
;
ret
=
BN_BLINDING_new
(
A
,
Ai
,
rsa
->
n
);
BN_free
(
Ai
);
err:
BN_CTX_end
(
ctx
);
return
ret
;
}
/* signing */
static
int
RSA_eay_private_encrypt
(
int
flen
,
const
unsigned
char
*
from
,
unsigned
char
*
to
,
RSA
*
rsa
,
int
padding
)
...
...
@@ -238,6 +272,8 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
int
i
,
j
,
k
,
num
=
0
,
r
=
-
1
;
unsigned
char
*
buf
=
NULL
;
BN_CTX
*
ctx
=
NULL
;
int
local_blinding
=
0
;
BN_BLINDING
*
blinding
=
NULL
;
BN_init
(
&
f
);
BN_init
(
&
ret
);
...
...
@@ -275,9 +311,38 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
}
BLINDING_HELPER
(
rsa
,
ctx
,
goto
err
;);
blinding
=
rsa
->
blinding
;
/* Now unless blinding is disabled, 'blinding' is non-NULL.
* But the BN_BLINDING object may be owned by some other thread
* (we don't want to keep it constant and we don't want to use
* lots of locking to avoid race conditions, so only a single
* thread can use it; other threads have to use local blinding
* factors) */
if
(
!
(
rsa
->
flags
&
RSA_FLAG_NO_BLINDING
))
if
(
!
BN_BLINDING_convert
(
&
f
,
rsa
->
blinding
,
ctx
))
goto
err
;
{
if
(
blinding
==
NULL
)
{
RSAerr
(
RSA_F_RSA_EAY_PRIVATE_ENCRYPT
,
ERR_R_INTERNAL_ERROR
);
goto
err
;
}
}
if
(
blinding
!=
NULL
)
{
if
(
blinding
->
thread_id
!=
CRYPTO_thread_id
())
{
/* we need a local one-time blinding factor */
blinding
=
setup_blinding
(
rsa
,
ctx
);
if
(
blinding
==
NULL
)
goto
err
;
local_blinding
=
1
;
}
}
if
(
blinding
)
if
(
!
BN_BLINDING_convert
(
&
f
,
blinding
,
ctx
))
goto
err
;
if
(
(
rsa
->
flags
&
RSA_FLAG_EXT_PKEY
)
||
((
rsa
->
p
!=
NULL
)
&&
...
...
@@ -293,8 +358,8 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
rsa
->
_method_mod_n
))
goto
err
;
}
if
(
!
(
rsa
->
flags
&
RSA_FLAG_NO_BLINDING
)
)
if
(
!
BN_BLINDING_invert
(
&
ret
,
rsa
->
blinding
,
ctx
))
goto
err
;
if
(
blinding
)
if
(
!
BN_BLINDING_invert
(
&
ret
,
blinding
,
ctx
))
goto
err
;
/* put in leading 0 bytes if the number is less than the
* length of the modulus */
...
...
@@ -308,6 +373,8 @@ err:
if
(
ctx
!=
NULL
)
BN_CTX_free
(
ctx
);
BN_clear_free
(
&
ret
);
BN_clear_free
(
&
f
);
if
(
local_blinding
)
BN_BLINDING_free
(
blinding
);
if
(
buf
!=
NULL
)
{
OPENSSL_cleanse
(
buf
,
num
);
...
...
@@ -324,6 +391,8 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
unsigned
char
*
p
;
unsigned
char
*
buf
=
NULL
;
BN_CTX
*
ctx
=
NULL
;
int
local_blinding
=
0
;
BN_BLINDING
*
blinding
=
NULL
;
BN_init
(
&
f
);
BN_init
(
&
ret
);
...
...
@@ -356,9 +425,38 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
}
BLINDING_HELPER
(
rsa
,
ctx
,
goto
err
;);
blinding
=
rsa
->
blinding
;
/* Now unless blinding is disabled, 'blinding' is non-NULL.
* But the BN_BLINDING object may be owned by some other thread
* (we don't want to keep it constant and we don't want to use
* lots of locking to avoid race conditions, so only a single
* thread can use it; other threads have to use local blinding
* factors) */
if
(
!
(
rsa
->
flags
&
RSA_FLAG_NO_BLINDING
))
if
(
!
BN_BLINDING_convert
(
&
f
,
rsa
->
blinding
,
ctx
))
goto
err
;
{
if
(
blinding
==
NULL
)
{
RSAerr
(
RSA_F_RSA_EAY_PRIVATE_DECRYPT
,
ERR_R_INTERNAL_ERROR
);
goto
err
;
}
}
if
(
blinding
!=
NULL
)
{
if
(
blinding
->
thread_id
!=
CRYPTO_thread_id
())
{
/* we need a local one-time blinding factor */
blinding
=
setup_blinding
(
rsa
,
ctx
);
if
(
blinding
==
NULL
)
goto
err
;
local_blinding
=
1
;
}
}
if
(
blinding
)
if
(
!
BN_BLINDING_convert
(
&
f
,
blinding
,
ctx
))
goto
err
;
/* do the decrypt */
if
(
(
rsa
->
flags
&
RSA_FLAG_EXT_PKEY
)
||
...
...
@@ -376,8 +474,8 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
goto
err
;
}
if
(
!
(
rsa
->
flags
&
RSA_FLAG_NO_BLINDING
)
)
if
(
!
BN_BLINDING_invert
(
&
ret
,
rsa
->
blinding
,
ctx
))
goto
err
;
if
(
blinding
)
if
(
!
BN_BLINDING_invert
(
&
ret
,
blinding
,
ctx
))
goto
err
;
p
=
buf
;
j
=
BN_bn2bin
(
&
ret
,
p
);
/* j is only used with no-padding mode */
...
...
crypto/rsa/rsa_lib.c
浏览文件 @
5679bcce
...
...
@@ -329,6 +329,10 @@ int RSA_blinding_on(RSA *rsa, BN_CTX *p_ctx)
if
(
rsa
->
blinding
!=
NULL
)
BN_BLINDING_free
(
rsa
->
blinding
);
/* NB: similar code appears in setup_blinding (rsa_eay.c);
* this should be placed in a new function of its own, but for reasons
* of binary compatibility can't */
BN_CTX_start
(
ctx
);
A
=
BN_CTX_get
(
ctx
);
if
((
RAND_status
()
==
0
)
&&
rsa
->
d
!=
NULL
&&
rsa
->
d
->
d
!=
NULL
)
...
...
@@ -344,8 +348,11 @@ int RSA_blinding_on(RSA *rsa, BN_CTX *p_ctx)
if
((
Ai
=
BN_mod_inverse
(
NULL
,
A
,
rsa
->
n
,
ctx
))
==
NULL
)
goto
err
;
if
(
!
rsa
->
meth
->
bn_mod_exp
(
A
,
A
,
rsa
->
e
,
rsa
->
n
,
ctx
,
rsa
->
_method_mod_n
))
goto
err
;
rsa
->
blinding
=
BN_BLINDING_new
(
A
,
Ai
,
rsa
->
n
);
goto
err
;
if
((
rsa
->
blinding
=
BN_BLINDING_new
(
A
,
Ai
,
rsa
->
n
))
==
NULL
)
goto
err
;
/* to make things thread-safe without excessive locking,
* rsa->blinding will be used just by the current thread: */
rsa
->
blinding
->
thread_id
=
CRYPTO_thread_id
();
rsa
->
flags
|=
RSA_FLAG_BLINDING
;
rsa
->
flags
&=
~
RSA_FLAG_NO_BLINDING
;
BN_free
(
Ai
);
...
...
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录