提交 fd7d2520 编写于 作者: M Matt Caswell

Tighten up BN_with_flags usage and avoid a reachable assert

The function rsa_ossl_mod_exp uses the function BN_with_flags to create a
temporary copy (local_r1) of a BIGNUM (r1) with modified flags. This
temporary copy shares some state with the original r1. If the state of r1
gets updated then local_r1's state will be stale. This was occurring in the
function so that when local_r1 was freed a call to bn_check_top was made
which failed an assert due to the stale state. To resolve this we must free
local_r1 immediately after we have finished using it and not wait until the
end of the function.

This problem prompted a review of all BN_with_flags usage within the
codebase. All other usage appears to be correct, although often not
obviously so. This commit refactors things to make it much clearer for
these other uses.
Reviewed-by: NEmilia Käsper <emilia@openssl.org>
上级 6938c954
...@@ -559,8 +559,6 @@ static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *in, ...@@ -559,8 +559,6 @@ static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *in,
BN_CTX *ctx) BN_CTX *ctx)
{ {
BIGNUM *A, *B, *X, *Y, *M, *D, *T, *R = NULL; BIGNUM *A, *B, *X, *Y, *M, *D, *T, *R = NULL;
BIGNUM local_A, local_B;
BIGNUM *pA, *pB;
BIGNUM *ret = NULL; BIGNUM *ret = NULL;
int sign; int sign;
...@@ -598,11 +596,14 @@ static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *in, ...@@ -598,11 +596,14 @@ static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *in,
* Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked, * Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked,
* BN_div_no_branch will be called eventually. * BN_div_no_branch will be called eventually.
*/ */
pB = &local_B; {
local_B.flags = 0; BIGNUM local_B;
BN_with_flags(pB, B, BN_FLG_CONSTTIME); BN_init(&local_B);
if (!BN_nnmod(B, pB, A, ctx)) BN_with_flags(&local_B, B, BN_FLG_CONSTTIME);
goto err; if (!BN_nnmod(B, &local_B, A, ctx))
goto err;
/* Ensure local_B goes out of scope before any further use of B */
}
} }
sign = -1; sign = -1;
/*- /*-
...@@ -626,13 +627,16 @@ static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *in, ...@@ -626,13 +627,16 @@ static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *in,
* Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked, * Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked,
* BN_div_no_branch will be called eventually. * BN_div_no_branch will be called eventually.
*/ */
pA = &local_A; {
local_A.flags = 0; BIGNUM local_A;
BN_with_flags(pA, A, BN_FLG_CONSTTIME); BN_init(&local_A);
BN_with_flags(&local_A, A, BN_FLG_CONSTTIME);
/* (D, M) := (A/B, A%B) ... */ /* (D, M) := (A/B, A%B) ... */
if (!BN_div(D, M, pA, B, ctx)) if (!BN_div(D, M, &local_A, B, ctx))
goto err; goto err;
/* Ensure local_A goes out of scope before any further use of A */
}
/*- /*-
* Now * Now
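Review bot: In the first rewritten block, BN_nnmod writes its result into B while reading its input through local_B, which BN_with_flags has pointed at B's own data, so the copied fields can be out of date before the call returns, not only afterwards. The closing comment covers later use of B but not this in-call overlap; I would add something like `/* local_B aliases B's data; this relies on BN_nnmod accepting a result that overlaps its input */`. Because local_B is a stack object, leaving the scope runs no cleanup, so the braces only stop later code from reusing the stale copy, and the comment could say so. The local_A block has the same shape, except that A is not an output of BN_div there. The body of BN_mod_inverse_no_branch starts and ends outside these hunks.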
......
...@@ -924,7 +924,7 @@ int BN_to_montgomery(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont, ...@@ -924,7 +924,7 @@ int BN_to_montgomery(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
return BN_mod_mul_montgomery(r, a, &(mont->RR), mont, ctx); return BN_mod_mul_montgomery(r, a, &(mont->RR), mont, ctx);
} }
void BN_with_flags(BIGNUM *dest, const BIGNUM *b, int n) void BN_with_flags(BIGNUM *dest, const BIGNUM *b, int flags)
{ {
dest->d = b->d; dest->d = b->d;
dest->top = b->top; dest->top = b->top;
...@@ -932,7 +932,7 @@ void BN_with_flags(BIGNUM *dest, const BIGNUM *b, int n) ...@@ -932,7 +932,7 @@ void BN_with_flags(BIGNUM *dest, const BIGNUM *b, int n)
dest->neg = b->neg; dest->neg = b->neg;
dest->flags = ((dest->flags & BN_FLG_MALLOCED) dest->flags = ((dest->flags & BN_FLG_MALLOCED)
| (b->flags & ~BN_FLG_MALLOCED) | (b->flags & ~BN_FLG_MALLOCED)
| BN_FLG_STATIC_DATA | n); | BN_FLG_STATIC_DATA | flags);
} }
BN_GENCB *BN_GENCB_new(void) BN_GENCB *BN_GENCB_new(void)
......
...@@ -170,13 +170,15 @@ static int generate_key(DH *dh) ...@@ -170,13 +170,15 @@ static int generate_key(DH *dh)
if (local_prk == NULL) if (local_prk == NULL)
goto err; goto err;
BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME); BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
} else } else {
prk = priv_key; prk = priv_key;
}
if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, prk, dh->p, ctx, mont)) { if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, prk, dh->p, ctx, mont)) {
BN_free(local_prk); BN_free(local_prk);
goto err; goto err;
} }
/* We MUST free local_prk before any further use of priv_key */
BN_free(local_prk); BN_free(local_prk);
} }
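Review bot: The added comment says local_prk must be freed before priv_key is used again, but not why, and the reason is not visible at this call site. BN_with_flags gives local_prk the private key's data pointer and sets BN_FLG_STATIC_DATA, so the wrapper borrows the key words rather than owning them, and its copied fields go stale as soon as priv_key is resized. A wording such as `/* local_prk borrows priv_key's data (BN_FLG_STATIC_DATA); release the wrapper now, before priv_key can change underneath it */` would tell the next maintainer what breaks if the free is moved. The same comment text is used in dsa_builtin_keygen, rsa_ossl_private_encrypt, rsa_ossl_private_decrypt and rsa_ossl_mod_exp and would benefit from the same expansion. generate_key continues outside the hunk.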
......
...@@ -107,13 +107,15 @@ static int dsa_builtin_keygen(DSA *dsa) ...@@ -107,13 +107,15 @@ static int dsa_builtin_keygen(DSA *dsa)
if (local_prk == NULL) if (local_prk == NULL)
goto err; goto err;
BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME); BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
} else } else {
prk = priv_key; prk = priv_key;
}
if (!BN_mod_exp(pub_key, dsa->g, prk, dsa->p, ctx)) { if (!BN_mod_exp(pub_key, dsa->g, prk, dsa->p, ctx)) {
BN_free(local_prk); BN_free(local_prk);
goto err; goto err;
} }
/* We MUST free local_prk before any further use of priv_key */
BN_free(local_prk); BN_free(local_prk);
} }
......
...@@ -159,8 +159,7 @@ static BIGNUM *rsa_get_public_exp(const BIGNUM *d, const BIGNUM *p, ...@@ -159,8 +159,7 @@ static BIGNUM *rsa_get_public_exp(const BIGNUM *d, const BIGNUM *p,
BN_BLINDING *RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx) BN_BLINDING *RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx)
{ {
BIGNUM *local_n = NULL; BIGNUM *e;
BIGNUM *e, *n;
BN_CTX *ctx; BN_CTX *ctx;
BN_BLINDING *ret = NULL; BN_BLINDING *ret = NULL;
...@@ -196,19 +195,25 @@ BN_BLINDING *RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx) ...@@ -196,19 +195,25 @@ BN_BLINDING *RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx)
0.0); 0.0);
} }
if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { {
/* Set BN_FLG_CONSTTIME flag */ BIGNUM *local_n = NULL, *n;
local_n = n = BN_new(); if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
if (local_n == NULL) { /* Set BN_FLG_CONSTTIME flag */
RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_MALLOC_FAILURE); local_n = n = BN_new();
goto err; if (local_n == NULL) {
RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_MALLOC_FAILURE);
goto err;
}
BN_with_flags(n, rsa->n, BN_FLG_CONSTTIME);
} else {
n = rsa->n;
} }
BN_with_flags(n, rsa->n, BN_FLG_CONSTTIME);
} else
n = rsa->n;
ret = BN_BLINDING_create_param(NULL, e, n, ctx, ret = BN_BLINDING_create_param(NULL, e, n, ctx, rsa->meth->bn_mod_exp,
rsa->meth->bn_mod_exp, rsa->_method_mod_n); rsa->_method_mod_n);
/* We MUST free local_n before any further use of rsa->n */
BN_free(local_n);
}
if (ret == NULL) { if (ret == NULL) {
RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_BN_LIB); RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_BN_LIB);
goto err; goto err;
...@@ -220,7 +225,6 @@ BN_BLINDING *RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx) ...@@ -220,7 +225,6 @@ BN_BLINDING *RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx)
BN_CTX_free(ctx); BN_CTX_free(ctx);
if (e != rsa->e) if (e != rsa->e)
BN_free(e); BN_free(e);
BN_free(local_n);
return ret; return ret;
} }
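Review bot: Freeing local_n straight after passing n to BN_BLINDING_create_param is only safe if that function takes its own copy of the modulus, and nothing in this hunk says so. BN_BLINDING_create_param is not shown here; as far as I know it duplicates the modulus, but if it kept the pointer the returned BN_BLINDING would refer to a freed wrapper. I would extend the comment to record the assumption, e.g. `/* create_param copies n, so the temporary can be released here; we MUST free local_n before any further use of rsa->n */`. The function body starts before the first hunk of this section.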
...@@ -89,17 +89,9 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, ...@@ -89,17 +89,9 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
BN_GENCB *cb) BN_GENCB *cb)
{ {
BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp; BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp;
BIGNUM *local_r0, *local_d, *local_p;
BIGNUM *pr0, *d, *p;
int bitsp, bitsq, ok = -1, n = 0; int bitsp, bitsq, ok = -1, n = 0;
BN_CTX *ctx = NULL; BN_CTX *ctx = NULL;
local_r0 = BN_new();
local_d = BN_new();
local_p = BN_new();
if (local_r0 == NULL || local_d == NULL || local_p == NULL)
goto err;
ctx = BN_CTX_new(); ctx = BN_CTX_new();
if (ctx == NULL) if (ctx == NULL)
goto err; goto err;
...@@ -193,43 +185,69 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, ...@@ -193,43 +185,69 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
goto err; /* q-1 */ goto err; /* q-1 */
if (!BN_mul(r0, r1, r2, ctx)) if (!BN_mul(r0, r1, r2, ctx))
goto err; /* (p-1)(q-1) */ goto err; /* (p-1)(q-1) */
if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { {
pr0 = local_r0; BIGNUM *local_r0 = NULL, *pr0;
BN_with_flags(pr0, r0, BN_FLG_CONSTTIME); if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
} else pr0 = local_r0 = BN_new();
pr0 = r0; if (local_r0 == NULL)
if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx)) goto err;
goto err; /* d */ BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
} else {
/* set up d for correct BN_FLG_CONSTTIME flag */ pr0 = r0;
if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { }
d = local_d; if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx)) {
BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); BN_free(local_r0);
} else goto err; /* d */
d = rsa->d; }
/* We MUST free local_r0 before any further use of r0 */
/* calculate d mod (p-1) */ BN_free(local_r0);
if (!BN_mod(rsa->dmp1, d, r1, ctx)) }
goto err;
/* calculate d mod (q-1) */ {
if (!BN_mod(rsa->dmq1, d, r2, ctx)) BIGNUM *local_d = NULL, *d;
goto err; /* set up d for correct BN_FLG_CONSTTIME flag */
if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
d = local_d = BN_new();
if (local_d == NULL)
goto err;
BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
} else {
d = rsa->d;
}
/* calculate inverse of q mod p */ if ( /* calculate d mod (p-1) */
if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { !BN_mod(rsa->dmp1, d, r1, ctx)
p = local_p; /* calculate d mod (q-1) */
BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME); || !BN_mod(rsa->dmq1, d, r2, ctx)) {
} else BN_free(local_d);
p = rsa->p; goto err;
if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx)) }
goto err; /* We MUST free local_d before any further use of rsa->d */
BN_free(local_d);
}
{
BIGNUM *local_p = NULL, *p;
/* calculate inverse of q mod p */
if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
p = local_p = BN_new();
if (local_p == NULL)
goto err;
BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
} else {
p = rsa->p;
}
if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx)) {
BN_free(local_p);
goto err;
}
/* We MUST free local_p before any further use of rsa->p */
BN_free(local_p);
}
ok = 1; ok = 1;
err: err:
BN_free(local_r0);
BN_free(local_d);
BN_free(local_p);
if (ok == -1) { if (ok == -1) {
RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, ERR_LIB_BN); RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, ERR_LIB_BN);
ok = 0; ok = 0;
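Review bot: In the local_d block the two BN_mod calls are folded into a single `if (... || ...)` with the `/* calculate d mod (p-1) */` and `/* calculate d mod (q-1) */` comments placed inside the condition, which is hard to read and easy to break when reformatting. Hoisting them into one comment above the test, `/* calculate d mod (p-1) and d mod (q-1) */`, keeps the single error exit and the single `BN_free(local_d)` while leaving the condition as plain code. The three blocks (local_r0, local_d, local_p) are otherwise identical in shape, so a short comment before the first one describing the allocate, alias, use, free sequence would avoid repeating the rationale three times. rsa_builtin_keygen continues outside the hunk.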
......
...@@ -426,8 +426,9 @@ static int rsa_ossl_private_encrypt(int flen, const unsigned char *from, ...@@ -426,8 +426,9 @@ static int rsa_ossl_private_encrypt(int flen, const unsigned char *from,
goto err; goto err;
} }
BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
} else } else {
d = rsa->d; d = rsa->d;
}
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
if (!BN_MONT_CTX_set_locked if (!BN_MONT_CTX_set_locked
...@@ -441,6 +442,7 @@ static int rsa_ossl_private_encrypt(int flen, const unsigned char *from, ...@@ -441,6 +442,7 @@ static int rsa_ossl_private_encrypt(int flen, const unsigned char *from,
BN_free(local_d); BN_free(local_d);
goto err; goto err;
} }
/* We MUST free local_d before any further use of rsa->d */
BN_free(local_d); BN_free(local_d);
} }
...@@ -558,8 +560,9 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, ...@@ -558,8 +560,9 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
goto err; goto err;
} }
BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
} else } else {
d = rsa->d; d = rsa->d;
}
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
if (!BN_MONT_CTX_set_locked if (!BN_MONT_CTX_set_locked
...@@ -572,6 +575,7 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, ...@@ -572,6 +575,7 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
BN_free(local_d); BN_free(local_d);
goto err; goto err;
} }
/* We MUST free local_d before any further use of rsa->d */
BN_free(local_d); BN_free(local_d);
} }
...@@ -712,20 +716,10 @@ static int rsa_ossl_public_decrypt(int flen, const unsigned char *from, ...@@ -712,20 +716,10 @@ static int rsa_ossl_public_decrypt(int flen, const unsigned char *from,
static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
{ {
BIGNUM *r1, *m1, *vrfy; BIGNUM *r1, *m1, *vrfy;
BIGNUM *local_dmp1, *local_dmq1, *local_c, *local_r1;
BIGNUM *dmp1, *dmq1, *c, *pr1;
int ret = 0; int ret = 0;
BN_CTX_start(ctx); BN_CTX_start(ctx);
local_dmp1 = BN_new();
local_dmq1 = BN_new();
local_c = BN_new();
local_r1 = BN_new();
if (local_dmp1 == NULL
|| local_dmq1 == NULL || local_c == NULL || local_r1 == NULL)
goto err;
r1 = BN_CTX_get(ctx); r1 = BN_CTX_get(ctx);
m1 = BN_CTX_get(ctx); m1 = BN_CTX_get(ctx);
vrfy = BN_CTX_get(ctx); vrfy = BN_CTX_get(ctx);
...@@ -765,6 +759,10 @@ static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) ...@@ -765,6 +759,10 @@ static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
goto err; goto err;
} }
} }
/*
* We MUST free local_p and local_q before any further use of rsa->p and
* rsa->q
*/
BN_free(local_p); BN_free(local_p);
BN_free(local_q); BN_free(local_q);
} }
...@@ -775,44 +773,74 @@ static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) ...@@ -775,44 +773,74 @@ static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
goto err; goto err;
/* compute I mod q */ /* compute I mod q */
if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { {
c = local_c; BIGNUM *local_c = NULL;
BN_with_flags(c, I, BN_FLG_CONSTTIME); const BIGNUM *c;
if (!BN_mod(r1, c, rsa->q, ctx)) if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
goto err; local_c = BN_new();
} else { if (local_c == NULL)
if (!BN_mod(r1, I, rsa->q, ctx)) goto err;
BN_with_flags(local_c, I, BN_FLG_CONSTTIME);
c = local_c;
} else {
c = I;
}
if (!BN_mod(r1, c, rsa->q, ctx)) {
BN_free(local_c);
goto err; goto err;
} }
/* compute r1^dmq1 mod q */ {
if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { BIGNUM *local_dmq1 = NULL, *dmq1;
dmq1 = local_dmq1; /* compute r1^dmq1 mod q */
BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME); if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
} else dmq1 = local_dmq1 = BN_new();
dmq1 = rsa->dmq1; if (local_dmq1 == NULL) {
if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx, rsa->_method_mod_q)) BN_free(local_c);
goto err; goto err;
}
BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
} else {
dmq1 = rsa->dmq1;
}
if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx,
rsa->_method_mod_q)) {
BN_free(local_c);
BN_free(local_dmq1);
goto err;
}
/* We MUST free local_dmq1 before any further use of rsa->dmq1 */
BN_free(local_dmq1);
}
/* compute I mod p */ /* compute I mod p */
if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { if (!BN_mod(r1, c, rsa->p, ctx)) {
c = local_c; BN_free(local_c);
BN_with_flags(c, I, BN_FLG_CONSTTIME);
if (!BN_mod(r1, c, rsa->p, ctx))
goto err;
} else {
if (!BN_mod(r1, I, rsa->p, ctx))
goto err; goto err;
}
/* We MUST free local_c before any further use of I */
BN_free(local_c);
} }
/* compute r1^dmp1 mod p */ {
if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { BIGNUM *local_dmp1 = NULL, *dmp1;
dmp1 = local_dmp1; /* compute r1^dmp1 mod p */
BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME); if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
} else dmp1 = local_dmp1 = BN_new();
dmp1 = rsa->dmp1; if (local_dmp1 == NULL)
if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p, ctx, rsa->_method_mod_p)) goto err;
goto err; BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
} else {
dmp1 = rsa->dmp1;
}
if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p, ctx,
rsa->_method_mod_p)) {
BN_free(local_dmp1);
goto err;
}
/* We MUST free local_dmp1 before any further use of rsa->dmp1 */
BN_free(local_dmp1);
}
if (!BN_sub(r0, r0, m1)) if (!BN_sub(r0, r0, m1))
goto err; goto err;
...@@ -827,14 +855,24 @@ static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) ...@@ -827,14 +855,24 @@ static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
if (!BN_mul(r1, r0, rsa->iqmp, ctx)) if (!BN_mul(r1, r0, rsa->iqmp, ctx))
goto err; goto err;
/* Turn BN_FLG_CONSTTIME flag on before division operation */ {
if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { BIGNUM *local_r1 = NULL, *pr1;
pr1 = local_r1; /* Turn BN_FLG_CONSTTIME flag on before division operation */
BN_with_flags(pr1, r1, BN_FLG_CONSTTIME); if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
} else pr1 = local_r1 = BN_new();
pr1 = r1; if (local_r1 == NULL)
if (!BN_mod(r0, pr1, rsa->p, ctx)) goto err;
goto err; BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
} else {
pr1 = r1;
}
if (!BN_mod(r0, pr1, rsa->p, ctx)) {
BN_free(local_r1);
goto err;
}
/* We MUST free local_r1 before any further use of r1 */
BN_free(local_r1);
}
/* /*
* If p < q it is occasionally possible for the correction of adding 'p' * If p < q it is occasionally possible for the correction of adding 'p'
...@@ -883,23 +921,20 @@ static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) ...@@ -883,23 +921,20 @@ static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
if (d == NULL) if (d == NULL)
goto err; goto err;
BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
} else } else {
d = rsa->d; d = rsa->d;
}
if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx, if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx,
rsa->_method_mod_n)) { rsa->_method_mod_n)) {
BN_free(local_d); BN_free(local_d);
goto err; goto err;
} }
/* We MUST free local_d before any further use of rsa->d */
BN_free(local_d); BN_free(local_d);
} }
} }
ret = 1; ret = 1;
err: err:
BN_free(local_dmp1);
BN_free(local_dmq1);
BN_free(local_c);
BN_free(local_r1);
BN_CTX_end(ctx); BN_CTX_end(ctx);
return (ret); return (ret);
} }
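Review bot: The local_c block in rsa_ossl_mod_exp now has four separate error exits that must each call `BN_free(local_c)`, two of them inside the nested local_dmq1 block, and nothing at the `err:` label backs them up any more. That is correct as written, but any exit added later inside these braces would silently leak the wrapper. A comment at the top of the block, e.g. `/* every exit from this block, including the nested dmq1 block, must BN_free(local_c) */`, would make the ownership rule explicit. The same applies on a smaller scale to the local_dmp1 and local_r1 blocks. Parts of the function body lie outside the hunks shown.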
......