2
0

bn_blind.c 7.9 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312
  1. /*
  2. * Copyright 1998-2018 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the OpenSSL license (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <openssl/opensslconf.h>
  10. #include "internal/cryptlib.h"
  11. #include "bn_local.h"
  12. #define BN_BLINDING_COUNTER 32
  13. struct bn_blinding_st {
  14. BIGNUM *A;
  15. BIGNUM *Ai;
  16. BIGNUM *e;
  17. BIGNUM *mod; /* just a reference */
  18. CRYPTO_THREAD_ID tid;
  19. int counter;
  20. unsigned long flags;
  21. BN_MONT_CTX *m_ctx;
  22. int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
  23. const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
  24. CRYPTO_RWLOCK *lock;
  25. };
  26. BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod)
  27. {
  28. BN_BLINDING *ret = NULL;
  29. bn_check_top(mod);
  30. if ((ret = OPENSSL_zalloc(sizeof(*ret))) == NULL) {
  31. BNerr(BN_F_BN_BLINDING_NEW, ERR_R_MALLOC_FAILURE);
  32. return NULL;
  33. }
  34. ret->lock = CRYPTO_THREAD_lock_new();
  35. if (ret->lock == NULL) {
  36. BNerr(BN_F_BN_BLINDING_NEW, ERR_R_MALLOC_FAILURE);
  37. OPENSSL_free(ret);
  38. return NULL;
  39. }
  40. BN_BLINDING_set_current_thread(ret);
  41. if (A != NULL) {
  42. if ((ret->A = BN_dup(A)) == NULL)
  43. goto err;
  44. }
  45. if (Ai != NULL) {
  46. if ((ret->Ai = BN_dup(Ai)) == NULL)
  47. goto err;
  48. }
  49. /* save a copy of mod in the BN_BLINDING structure */
  50. if ((ret->mod = BN_dup(mod)) == NULL)
  51. goto err;
  52. if (BN_get_flags(mod, BN_FLG_CONSTTIME) != 0)
  53. BN_set_flags(ret->mod, BN_FLG_CONSTTIME);
  54. /*
  55. * Set the counter to the special value -1 to indicate that this is
  56. * never-used fresh blinding that does not need updating before first
  57. * use.
  58. */
  59. ret->counter = -1;
  60. return ret;
  61. err:
  62. BN_BLINDING_free(ret);
  63. return NULL;
  64. }
  65. void BN_BLINDING_free(BN_BLINDING *r)
  66. {
  67. if (r == NULL)
  68. return;
  69. BN_free(r->A);
  70. BN_free(r->Ai);
  71. BN_free(r->e);
  72. BN_free(r->mod);
  73. CRYPTO_THREAD_lock_free(r->lock);
  74. OPENSSL_free(r);
  75. }
  76. int BN_BLINDING_update(BN_BLINDING *b, BN_CTX *ctx)
  77. {
  78. int ret = 0;
  79. if ((b->A == NULL) || (b->Ai == NULL)) {
  80. BNerr(BN_F_BN_BLINDING_UPDATE, BN_R_NOT_INITIALIZED);
  81. goto err;
  82. }
  83. if (b->counter == -1)
  84. b->counter = 0;
  85. if (++b->counter == BN_BLINDING_COUNTER && b->e != NULL &&
  86. !(b->flags & BN_BLINDING_NO_RECREATE)) {
  87. /* re-create blinding parameters */
  88. if (!BN_BLINDING_create_param(b, NULL, NULL, ctx, NULL, NULL))
  89. goto err;
  90. } else if (!(b->flags & BN_BLINDING_NO_UPDATE)) {
  91. if (b->m_ctx != NULL) {
  92. if (!bn_mul_mont_fixed_top(b->Ai, b->Ai, b->Ai, b->m_ctx, ctx)
  93. || !bn_mul_mont_fixed_top(b->A, b->A, b->A, b->m_ctx, ctx))
  94. goto err;
  95. } else {
  96. if (!BN_mod_mul(b->Ai, b->Ai, b->Ai, b->mod, ctx)
  97. || !BN_mod_mul(b->A, b->A, b->A, b->mod, ctx))
  98. goto err;
  99. }
  100. }
  101. ret = 1;
  102. err:
  103. if (b->counter == BN_BLINDING_COUNTER)
  104. b->counter = 0;
  105. return ret;
  106. }
  107. int BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx)
  108. {
  109. return BN_BLINDING_convert_ex(n, NULL, b, ctx);
  110. }
  111. int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b, BN_CTX *ctx)
  112. {
  113. int ret = 1;
  114. bn_check_top(n);
  115. if ((b->A == NULL) || (b->Ai == NULL)) {
  116. BNerr(BN_F_BN_BLINDING_CONVERT_EX, BN_R_NOT_INITIALIZED);
  117. return 0;
  118. }
  119. if (b->counter == -1)
  120. /* Fresh blinding, doesn't need updating. */
  121. b->counter = 0;
  122. else if (!BN_BLINDING_update(b, ctx))
  123. return 0;
  124. if (r != NULL && (BN_copy(r, b->Ai) == NULL))
  125. return 0;
  126. if (b->m_ctx != NULL)
  127. ret = BN_mod_mul_montgomery(n, n, b->A, b->m_ctx, ctx);
  128. else
  129. ret = BN_mod_mul(n, n, b->A, b->mod, ctx);
  130. return ret;
  131. }
  132. int BN_BLINDING_invert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx)
  133. {
  134. return BN_BLINDING_invert_ex(n, NULL, b, ctx);
  135. }
  136. int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b,
  137. BN_CTX *ctx)
  138. {
  139. int ret;
  140. bn_check_top(n);
  141. if (r == NULL && (r = b->Ai) == NULL) {
  142. BNerr(BN_F_BN_BLINDING_INVERT_EX, BN_R_NOT_INITIALIZED);
  143. return 0;
  144. }
  145. if (b->m_ctx != NULL) {
  146. /* ensure that BN_mod_mul_montgomery takes pre-defined path */
  147. if (n->dmax >= r->top) {
  148. size_t i, rtop = r->top, ntop = n->top;
  149. BN_ULONG mask;
  150. for (i = 0; i < rtop; i++) {
  151. mask = (BN_ULONG)0 - ((i - ntop) >> (8 * sizeof(i) - 1));
  152. n->d[i] &= mask;
  153. }
  154. mask = (BN_ULONG)0 - ((rtop - ntop) >> (8 * sizeof(ntop) - 1));
  155. /* always true, if (rtop >= ntop) n->top = r->top; */
  156. n->top = (int)(rtop & ~mask) | (ntop & mask);
  157. n->flags |= (BN_FLG_FIXED_TOP & ~mask);
  158. }
  159. ret = BN_mod_mul_montgomery(n, n, r, b->m_ctx, ctx);
  160. } else {
  161. ret = BN_mod_mul(n, n, r, b->mod, ctx);
  162. }
  163. bn_check_top(n);
  164. return ret;
  165. }
  166. int BN_BLINDING_is_current_thread(BN_BLINDING *b)
  167. {
  168. return CRYPTO_THREAD_compare_id(CRYPTO_THREAD_get_current_id(), b->tid);
  169. }
  170. void BN_BLINDING_set_current_thread(BN_BLINDING *b)
  171. {
  172. b->tid = CRYPTO_THREAD_get_current_id();
  173. }
  174. int BN_BLINDING_lock(BN_BLINDING *b)
  175. {
  176. return CRYPTO_THREAD_write_lock(b->lock);
  177. }
  178. int BN_BLINDING_unlock(BN_BLINDING *b)
  179. {
  180. return CRYPTO_THREAD_unlock(b->lock);
  181. }
  182. unsigned long BN_BLINDING_get_flags(const BN_BLINDING *b)
  183. {
  184. return b->flags;
  185. }
  186. void BN_BLINDING_set_flags(BN_BLINDING *b, unsigned long flags)
  187. {
  188. b->flags = flags;
  189. }
  190. BN_BLINDING *BN_BLINDING_create_param(BN_BLINDING *b,
  191. const BIGNUM *e, BIGNUM *m, BN_CTX *ctx,
  192. int (*bn_mod_exp) (BIGNUM *r,
  193. const BIGNUM *a,
  194. const BIGNUM *p,
  195. const BIGNUM *m,
  196. BN_CTX *ctx,
  197. BN_MONT_CTX *m_ctx),
  198. BN_MONT_CTX *m_ctx)
  199. {
  200. int retry_counter = 32;
  201. BN_BLINDING *ret = NULL;
  202. if (b == NULL)
  203. ret = BN_BLINDING_new(NULL, NULL, m);
  204. else
  205. ret = b;
  206. if (ret == NULL)
  207. goto err;
  208. if (ret->A == NULL && (ret->A = BN_new()) == NULL)
  209. goto err;
  210. if (ret->Ai == NULL && (ret->Ai = BN_new()) == NULL)
  211. goto err;
  212. if (e != NULL) {
  213. BN_free(ret->e);
  214. ret->e = BN_dup(e);
  215. }
  216. if (ret->e == NULL)
  217. goto err;
  218. if (bn_mod_exp != NULL)
  219. ret->bn_mod_exp = bn_mod_exp;
  220. if (m_ctx != NULL)
  221. ret->m_ctx = m_ctx;
  222. do {
  223. int rv;
  224. if (!BN_priv_rand_range(ret->A, ret->mod))
  225. goto err;
  226. if (int_bn_mod_inverse(ret->Ai, ret->A, ret->mod, ctx, &rv))
  227. break;
  228. /*
  229. * this should almost never happen for good RSA keys
  230. */
  231. if (!rv)
  232. goto err;
  233. if (retry_counter-- == 0) {
  234. BNerr(BN_F_BN_BLINDING_CREATE_PARAM, BN_R_TOO_MANY_ITERATIONS);
  235. goto err;
  236. }
  237. } while (1);
  238. if (ret->bn_mod_exp != NULL && ret->m_ctx != NULL) {
  239. if (!ret->bn_mod_exp(ret->A, ret->A, ret->e, ret->mod, ctx, ret->m_ctx))
  240. goto err;
  241. } else {
  242. if (!BN_mod_exp(ret->A, ret->A, ret->e, ret->mod, ctx))
  243. goto err;
  244. }
  245. if (ret->m_ctx != NULL) {
  246. if (!bn_to_mont_fixed_top(ret->Ai, ret->Ai, ret->m_ctx, ctx)
  247. || !bn_to_mont_fixed_top(ret->A, ret->A, ret->m_ctx, ctx))
  248. goto err;
  249. }
  250. return ret;
  251. err:
  252. if (b == NULL) {
  253. BN_BLINDING_free(ret);
  254. ret = NULL;
  255. }
  256. return ret;
  257. }