]>
Commit | Line | Data |
---|---|---|
800e400d | 1 | /* ==================================================================== |
48fc582f | 2 | * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. |
800e400d NL |
3 | * |
4 | * Redistribution and use in source and binary forms, with or without | |
5 | * modification, are permitted provided that the following conditions | |
6 | * are met: | |
7 | * | |
8 | * 1. Redistributions of source code must retain the above copyright | |
0f113f3e | 9 | * notice, this list of conditions and the following disclaimer. |
800e400d NL |
10 | * |
11 | * 2. Redistributions in binary form must reproduce the above copyright | |
12 | * notice, this list of conditions and the following disclaimer in | |
13 | * the documentation and/or other materials provided with the | |
14 | * distribution. | |
15 | * | |
16 | * 3. All advertising materials mentioning features or use of this | |
17 | * software must display the following acknowledgment: | |
18 | * "This product includes software developed by the OpenSSL Project | |
19 | * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" | |
20 | * | |
21 | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to | |
22 | * endorse or promote products derived from this software without | |
23 | * prior written permission. For written permission, please contact | |
24 | * openssl-core@openssl.org. | |
25 | * | |
26 | * 5. Products derived from this software may not be called "OpenSSL" | |
27 | * nor may "OpenSSL" appear in their names without prior written | |
28 | * permission of the OpenSSL Project. | |
29 | * | |
30 | * 6. Redistributions of any form whatsoever must retain the following | |
31 | * acknowledgment: | |
32 | * "This product includes software developed by the OpenSSL Project | |
33 | * for use in the OpenSSL Toolkit (http://www.openssl.org/)" | |
34 | * | |
35 | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY | |
36 | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
37 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | |
38 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR | |
39 | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | |
40 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | |
41 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | |
42 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
43 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | |
44 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | |
45 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED | |
46 | * OF THE POSSIBILITY OF SUCH DAMAGE. | |
47 | * ==================================================================== | |
48 | * | |
49 | * This product includes cryptographic software written by Eric Young | |
50 | * (eay@cryptsoft.com). This product includes software written by Tim | |
51 | * Hudson (tjh@cryptsoft.com). | |
52 | * | |
53 | */ | |
58964a49 RE |
54 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
55 | * All rights reserved. | |
56 | * | |
57 | * This package is an SSL implementation written | |
58 | * by Eric Young (eay@cryptsoft.com). | |
59 | * The implementation was written so as to conform with Netscapes SSL. | |
0f113f3e | 60 | * |
58964a49 RE |
61 | * This library is free for commercial and non-commercial use as long as |
62 | * the following conditions are aheared to. The following conditions | |
63 | * apply to all code found in this distribution, be it the RC4, RSA, | |
64 | * lhash, DES, etc., code; not just the SSL code. The SSL documentation | |
65 | * included with this distribution is covered by the same copyright terms | |
66 | * except that the holder is Tim Hudson (tjh@cryptsoft.com). | |
0f113f3e | 67 | * |
58964a49 RE |
68 | * Copyright remains Eric Young's, and as such any Copyright notices in |
69 | * the code are not to be removed. | |
70 | * If this package is used in a product, Eric Young should be given attribution | |
71 | * as the author of the parts of the library used. | |
72 | * This can be in the form of a textual message at program startup or | |
73 | * in documentation (online or textual) provided with the package. | |
0f113f3e | 74 | * |
58964a49 RE |
75 | * Redistribution and use in source and binary forms, with or without |
76 | * modification, are permitted provided that the following conditions | |
77 | * are met: | |
78 | * 1. Redistributions of source code must retain the copyright | |
79 | * notice, this list of conditions and the following disclaimer. | |
80 | * 2. Redistributions in binary form must reproduce the above copyright | |
81 | * notice, this list of conditions and the following disclaimer in the | |
82 | * documentation and/or other materials provided with the distribution. | |
83 | * 3. All advertising materials mentioning features or use of this software | |
84 | * must display the following acknowledgement: | |
85 | * "This product includes cryptographic software written by | |
86 | * Eric Young (eay@cryptsoft.com)" | |
87 | * The word 'cryptographic' can be left out if the rouines from the library | |
88 | * being used are not cryptographic related :-). | |
0f113f3e | 89 | * 4. If you include any Windows specific code (or a derivative thereof) from |
58964a49 RE |
90 | * the apps directory (application code) you must include an acknowledgement: |
91 | * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" | |
0f113f3e | 92 | * |
58964a49 RE |
93 | * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND |
94 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
95 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |
96 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE | |
97 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
98 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | |
99 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
100 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | |
101 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | |
102 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | |
103 | * SUCH DAMAGE. | |
0f113f3e | 104 | * |
58964a49 RE |
105 | * The licence and distribution terms for any publically available version or |
106 | * derivative of this code cannot be changed. i.e. this code cannot simply be | |
107 | * copied and put under another distribution licence | |
108 | * [including the GNU Public Licence.] | |
109 | */ | |
110 | ||
98186eb4 | 111 | #include <openssl/opensslconf.h> |
b39fc560 | 112 | #include "internal/cryptlib.h" |
58964a49 RE |
113 | #include "bn_lcl.h" |
114 | ||
0f113f3e | 115 | #define BN_BLINDING_COUNTER 32 |
800e400d | 116 | |
0f113f3e MC |
117 | struct bn_blinding_st { |
118 | BIGNUM *A; | |
119 | BIGNUM *Ai; | |
120 | BIGNUM *e; | |
121 | BIGNUM *mod; /* just a reference */ | |
98186eb4 | 122 | #if OPENSSL_API_COMPAT < 0x10000000L |
0f113f3e MC |
123 | unsigned long thread_id; /* added in OpenSSL 0.9.6j and 0.9.7b; used |
124 | * only by crypto/rsa/rsa_eay.c, rsa_lib.c */ | |
4c329696 | 125 | #endif |
0f113f3e MC |
126 | CRYPTO_THREADID tid; |
127 | int counter; | |
128 | unsigned long flags; | |
129 | BN_MONT_CTX *m_ctx; | |
130 | int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p, | |
131 | const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); | |
132 | }; | |
800e400d NL |
133 | |
134 | BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod) | |
0f113f3e MC |
135 | { |
136 | BN_BLINDING *ret = NULL; | |
137 | ||
138 | bn_check_top(mod); | |
139 | ||
b51bce94 | 140 | if ((ret = OPENSSL_zalloc(sizeof(*ret))) == NULL) { |
0f113f3e MC |
141 | BNerr(BN_F_BN_BLINDING_NEW, ERR_R_MALLOC_FAILURE); |
142 | return (NULL); | |
143 | } | |
0f113f3e MC |
144 | if (A != NULL) { |
145 | if ((ret->A = BN_dup(A)) == NULL) | |
146 | goto err; | |
147 | } | |
148 | if (Ai != NULL) { | |
149 | if ((ret->Ai = BN_dup(Ai)) == NULL) | |
150 | goto err; | |
151 | } | |
152 | ||
153 | /* save a copy of mod in the BN_BLINDING structure */ | |
154 | if ((ret->mod = BN_dup(mod)) == NULL) | |
155 | goto err; | |
156 | if (BN_get_flags(mod, BN_FLG_CONSTTIME) != 0) | |
157 | BN_set_flags(ret->mod, BN_FLG_CONSTTIME); | |
158 | ||
159 | /* | |
160 | * Set the counter to the special value -1 to indicate that this is | |
161 | * never-used fresh blinding that does not need updating before first | |
162 | * use. | |
163 | */ | |
164 | ret->counter = -1; | |
165 | CRYPTO_THREADID_current(&ret->tid); | |
166 | return (ret); | |
167 | err: | |
23a1d5e9 | 168 | BN_BLINDING_free(ret); |
0f113f3e MC |
169 | return (NULL); |
170 | } | |
58964a49 | 171 | |
6b691a5c | 172 | void BN_BLINDING_free(BN_BLINDING *r) |
0f113f3e MC |
173 | { |
174 | if (r == NULL) | |
175 | return; | |
176 | ||
23a1d5e9 RS |
177 | BN_free(r->A); |
178 | BN_free(r->Ai); | |
179 | BN_free(r->e); | |
180 | BN_free(r->mod); | |
0f113f3e MC |
181 | OPENSSL_free(r); |
182 | } | |
58964a49 | 183 | |
6b691a5c | 184 | int BN_BLINDING_update(BN_BLINDING *b, BN_CTX *ctx) |
0f113f3e MC |
185 | { |
186 | int ret = 0; | |
187 | ||
188 | if ((b->A == NULL) || (b->Ai == NULL)) { | |
189 | BNerr(BN_F_BN_BLINDING_UPDATE, BN_R_NOT_INITIALIZED); | |
190 | goto err; | |
191 | } | |
192 | ||
193 | if (b->counter == -1) | |
194 | b->counter = 0; | |
195 | ||
196 | if (++b->counter == BN_BLINDING_COUNTER && b->e != NULL && | |
197 | !(b->flags & BN_BLINDING_NO_RECREATE)) { | |
198 | /* re-create blinding parameters */ | |
199 | if (!BN_BLINDING_create_param(b, NULL, NULL, ctx, NULL, NULL)) | |
200 | goto err; | |
201 | } else if (!(b->flags & BN_BLINDING_NO_UPDATE)) { | |
202 | if (!BN_mod_mul(b->A, b->A, b->A, b->mod, ctx)) | |
203 | goto err; | |
204 | if (!BN_mod_mul(b->Ai, b->Ai, b->Ai, b->mod, ctx)) | |
205 | goto err; | |
206 | } | |
207 | ||
208 | ret = 1; | |
209 | err: | |
210 | if (b->counter == BN_BLINDING_COUNTER) | |
211 | b->counter = 0; | |
212 | return (ret); | |
213 | } | |
58964a49 | 214 | |
6b691a5c | 215 | int BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx) |
0f113f3e MC |
216 | { |
217 | return BN_BLINDING_convert_ex(n, NULL, b, ctx); | |
218 | } | |
800e400d NL |
219 | |
220 | int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b, BN_CTX *ctx) | |
0f113f3e MC |
221 | { |
222 | int ret = 1; | |
c61f571c | 223 | |
0f113f3e | 224 | bn_check_top(n); |
dfeab068 | 225 | |
0f113f3e MC |
226 | if ((b->A == NULL) || (b->Ai == NULL)) { |
227 | BNerr(BN_F_BN_BLINDING_CONVERT_EX, BN_R_NOT_INITIALIZED); | |
228 | return (0); | |
229 | } | |
800e400d | 230 | |
0f113f3e MC |
231 | if (b->counter == -1) |
232 | /* Fresh blinding, doesn't need updating. */ | |
233 | b->counter = 0; | |
234 | else if (!BN_BLINDING_update(b, ctx)) | |
235 | return (0); | |
e5641d7f | 236 | |
0f113f3e MC |
237 | if (r != NULL) { |
238 | if (!BN_copy(r, b->Ai)) | |
239 | ret = 0; | |
240 | } | |
800e400d | 241 | |
0f113f3e MC |
242 | if (!BN_mod_mul(n, n, b->A, b->mod, ctx)) |
243 | ret = 0; | |
244 | ||
245 | return ret; | |
246 | } | |
58964a49 | 247 | |
6b691a5c | 248 | int BN_BLINDING_invert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx) |
0f113f3e MC |
249 | { |
250 | return BN_BLINDING_invert_ex(n, NULL, b, ctx); | |
251 | } | |
252 | ||
253 | int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b, | |
254 | BN_CTX *ctx) | |
255 | { | |
256 | int ret; | |
257 | ||
258 | bn_check_top(n); | |
259 | ||
260 | if (r != NULL) | |
261 | ret = BN_mod_mul(n, n, r, b->mod, ctx); | |
262 | else { | |
263 | if (b->Ai == NULL) { | |
264 | BNerr(BN_F_BN_BLINDING_INVERT_EX, BN_R_NOT_INITIALIZED); | |
265 | return (0); | |
266 | } | |
267 | ret = BN_mod_mul(n, n, b->Ai, b->mod, ctx); | |
268 | } | |
269 | ||
270 | bn_check_top(n); | |
271 | return (ret); | |
272 | } | |
58964a49 | 273 | |
98186eb4 | 274 | #if OPENSSL_API_COMPAT < 0x10000000L |
800e400d | 275 | unsigned long BN_BLINDING_get_thread_id(const BN_BLINDING *b) |
0f113f3e MC |
276 | { |
277 | return b->thread_id; | |
278 | } | |
800e400d NL |
279 | |
280 | void BN_BLINDING_set_thread_id(BN_BLINDING *b, unsigned long n) | |
0f113f3e MC |
281 | { |
282 | b->thread_id = n; | |
283 | } | |
4c329696 | 284 | #endif |
800e400d | 285 | |
4c329696 | 286 | CRYPTO_THREADID *BN_BLINDING_thread_id(BN_BLINDING *b) |
0f113f3e MC |
287 | { |
288 | return &b->tid; | |
289 | } | |
48fc582f | 290 | |
800e400d | 291 | unsigned long BN_BLINDING_get_flags(const BN_BLINDING *b) |
0f113f3e MC |
292 | { |
293 | return b->flags; | |
294 | } | |
800e400d NL |
295 | |
296 | void BN_BLINDING_set_flags(BN_BLINDING *b, unsigned long flags) | |
0f113f3e MC |
297 | { |
298 | b->flags = flags; | |
299 | } | |
800e400d NL |
300 | |
301 | BN_BLINDING *BN_BLINDING_create_param(BN_BLINDING *b, | |
0f113f3e MC |
302 | const BIGNUM *e, BIGNUM *m, BN_CTX *ctx, |
303 | int (*bn_mod_exp) (BIGNUM *r, | |
304 | const BIGNUM *a, | |
305 | const BIGNUM *p, | |
306 | const BIGNUM *m, | |
307 | BN_CTX *ctx, | |
308 | BN_MONT_CTX *m_ctx), | |
309 | BN_MONT_CTX *m_ctx) | |
800e400d | 310 | { |
0f113f3e MC |
311 | int retry_counter = 32; |
312 | BN_BLINDING *ret = NULL; | |
313 | ||
314 | if (b == NULL) | |
315 | ret = BN_BLINDING_new(NULL, NULL, m); | |
316 | else | |
317 | ret = b; | |
318 | ||
319 | if (ret == NULL) | |
320 | goto err; | |
321 | ||
322 | if (ret->A == NULL && (ret->A = BN_new()) == NULL) | |
323 | goto err; | |
324 | if (ret->Ai == NULL && (ret->Ai = BN_new()) == NULL) | |
325 | goto err; | |
326 | ||
327 | if (e != NULL) { | |
23a1d5e9 | 328 | BN_free(ret->e); |
0f113f3e MC |
329 | ret->e = BN_dup(e); |
330 | } | |
331 | if (ret->e == NULL) | |
332 | goto err; | |
333 | ||
334 | if (bn_mod_exp != NULL) | |
335 | ret->bn_mod_exp = bn_mod_exp; | |
336 | if (m_ctx != NULL) | |
337 | ret->m_ctx = m_ctx; | |
338 | ||
339 | do { | |
340 | int rv; | |
341 | if (!BN_rand_range(ret->A, ret->mod)) | |
342 | goto err; | |
343 | if (!int_bn_mod_inverse(ret->Ai, ret->A, ret->mod, ctx, &rv)) { | |
344 | /* | |
345 | * this should almost never happen for good RSA keys | |
346 | */ | |
347 | if (rv) { | |
348 | if (retry_counter-- == 0) { | |
349 | BNerr(BN_F_BN_BLINDING_CREATE_PARAM, | |
350 | BN_R_TOO_MANY_ITERATIONS); | |
351 | goto err; | |
352 | } | |
353 | } else | |
354 | goto err; | |
355 | } else | |
356 | break; | |
357 | } while (1); | |
358 | ||
359 | if (ret->bn_mod_exp != NULL && ret->m_ctx != NULL) { | |
360 | if (!ret->bn_mod_exp | |
361 | (ret->A, ret->A, ret->e, ret->mod, ctx, ret->m_ctx)) | |
362 | goto err; | |
363 | } else { | |
364 | if (!BN_mod_exp(ret->A, ret->A, ret->e, ret->mod, ctx)) | |
365 | goto err; | |
366 | } | |
367 | ||
368 | return ret; | |
369 | err: | |
23a1d5e9 | 370 | if (b == NULL) { |
0f113f3e MC |
371 | BN_BLINDING_free(ret); |
372 | ret = NULL; | |
373 | } | |
374 | ||
375 | return ret; | |
800e400d | 376 | } |