bn_blind.c 7.0 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289
  1. /*
  2. * Copyright 1998-2016 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the OpenSSL license (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <openssl/opensslconf.h>
  10. #include "internal/cryptlib.h"
  11. #include "bn_lcl.h"
  12. #define BN_BLINDING_COUNTER 32
  13. struct bn_blinding_st {
  14. BIGNUM *A;
  15. BIGNUM *Ai;
  16. BIGNUM *e;
  17. BIGNUM *mod; /* just a reference */
  18. CRYPTO_THREAD_ID tid;
  19. int counter;
  20. unsigned long flags;
  21. BN_MONT_CTX *m_ctx;
  22. int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
  23. const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
  24. CRYPTO_RWLOCK *lock;
  25. };
  26. BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod)
  27. {
  28. BN_BLINDING *ret = NULL;
  29. bn_check_top(mod);
  30. if ((ret = OPENSSL_zalloc(sizeof(*ret))) == NULL) {
  31. BNerr(BN_F_BN_BLINDING_NEW, ERR_R_MALLOC_FAILURE);
  32. return NULL;
  33. }
  34. ret->lock = CRYPTO_THREAD_lock_new();
  35. if (ret->lock == NULL) {
  36. BNerr(BN_F_BN_BLINDING_NEW, ERR_R_MALLOC_FAILURE);
  37. OPENSSL_free(ret);
  38. return NULL;
  39. }
  40. BN_BLINDING_set_current_thread(ret);
  41. if (A != NULL) {
  42. if ((ret->A = BN_dup(A)) == NULL)
  43. goto err;
  44. }
  45. if (Ai != NULL) {
  46. if ((ret->Ai = BN_dup(Ai)) == NULL)
  47. goto err;
  48. }
  49. /* save a copy of mod in the BN_BLINDING structure */
  50. if ((ret->mod = BN_dup(mod)) == NULL)
  51. goto err;
  52. if (BN_get_flags(mod, BN_FLG_CONSTTIME) != 0)
  53. BN_set_flags(ret->mod, BN_FLG_CONSTTIME);
  54. /*
  55. * Set the counter to the special value -1 to indicate that this is
  56. * never-used fresh blinding that does not need updating before first
  57. * use.
  58. */
  59. ret->counter = -1;
  60. return ret;
  61. err:
  62. BN_BLINDING_free(ret);
  63. return NULL;
  64. }
  65. void BN_BLINDING_free(BN_BLINDING *r)
  66. {
  67. if (r == NULL)
  68. return;
  69. BN_free(r->A);
  70. BN_free(r->Ai);
  71. BN_free(r->e);
  72. BN_free(r->mod);
  73. CRYPTO_THREAD_lock_free(r->lock);
  74. OPENSSL_free(r);
  75. }
  76. int BN_BLINDING_update(BN_BLINDING *b, BN_CTX *ctx)
  77. {
  78. int ret = 0;
  79. if ((b->A == NULL) || (b->Ai == NULL)) {
  80. BNerr(BN_F_BN_BLINDING_UPDATE, BN_R_NOT_INITIALIZED);
  81. goto err;
  82. }
  83. if (b->counter == -1)
  84. b->counter = 0;
  85. if (++b->counter == BN_BLINDING_COUNTER && b->e != NULL &&
  86. !(b->flags & BN_BLINDING_NO_RECREATE)) {
  87. /* re-create blinding parameters */
  88. if (!BN_BLINDING_create_param(b, NULL, NULL, ctx, NULL, NULL))
  89. goto err;
  90. } else if (!(b->flags & BN_BLINDING_NO_UPDATE)) {
  91. if (!BN_mod_mul(b->A, b->A, b->A, b->mod, ctx))
  92. goto err;
  93. if (!BN_mod_mul(b->Ai, b->Ai, b->Ai, b->mod, ctx))
  94. goto err;
  95. }
  96. ret = 1;
  97. err:
  98. if (b->counter == BN_BLINDING_COUNTER)
  99. b->counter = 0;
  100. return (ret);
  101. }
  102. int BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx)
  103. {
  104. return BN_BLINDING_convert_ex(n, NULL, b, ctx);
  105. }
  106. int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b, BN_CTX *ctx)
  107. {
  108. int ret = 1;
  109. bn_check_top(n);
  110. if ((b->A == NULL) || (b->Ai == NULL)) {
  111. BNerr(BN_F_BN_BLINDING_CONVERT_EX, BN_R_NOT_INITIALIZED);
  112. return (0);
  113. }
  114. if (b->counter == -1)
  115. /* Fresh blinding, doesn't need updating. */
  116. b->counter = 0;
  117. else if (!BN_BLINDING_update(b, ctx))
  118. return (0);
  119. if (r != NULL) {
  120. if (!BN_copy(r, b->Ai))
  121. ret = 0;
  122. }
  123. if (!BN_mod_mul(n, n, b->A, b->mod, ctx))
  124. ret = 0;
  125. return ret;
  126. }
  127. int BN_BLINDING_invert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx)
  128. {
  129. return BN_BLINDING_invert_ex(n, NULL, b, ctx);
  130. }
  131. int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b,
  132. BN_CTX *ctx)
  133. {
  134. int ret;
  135. bn_check_top(n);
  136. if (r != NULL)
  137. ret = BN_mod_mul(n, n, r, b->mod, ctx);
  138. else {
  139. if (b->Ai == NULL) {
  140. BNerr(BN_F_BN_BLINDING_INVERT_EX, BN_R_NOT_INITIALIZED);
  141. return (0);
  142. }
  143. ret = BN_mod_mul(n, n, b->Ai, b->mod, ctx);
  144. }
  145. bn_check_top(n);
  146. return (ret);
  147. }
  148. int BN_BLINDING_is_current_thread(BN_BLINDING *b)
  149. {
  150. return CRYPTO_THREAD_compare_id(CRYPTO_THREAD_get_current_id(), b->tid);
  151. }
  152. void BN_BLINDING_set_current_thread(BN_BLINDING *b)
  153. {
  154. b->tid = CRYPTO_THREAD_get_current_id();
  155. }
  156. int BN_BLINDING_lock(BN_BLINDING *b)
  157. {
  158. return CRYPTO_THREAD_write_lock(b->lock);
  159. }
  160. int BN_BLINDING_unlock(BN_BLINDING *b)
  161. {
  162. return CRYPTO_THREAD_unlock(b->lock);
  163. }
  164. unsigned long BN_BLINDING_get_flags(const BN_BLINDING *b)
  165. {
  166. return b->flags;
  167. }
  168. void BN_BLINDING_set_flags(BN_BLINDING *b, unsigned long flags)
  169. {
  170. b->flags = flags;
  171. }
  172. BN_BLINDING *BN_BLINDING_create_param(BN_BLINDING *b,
  173. const BIGNUM *e, BIGNUM *m, BN_CTX *ctx,
  174. int (*bn_mod_exp) (BIGNUM *r,
  175. const BIGNUM *a,
  176. const BIGNUM *p,
  177. const BIGNUM *m,
  178. BN_CTX *ctx,
  179. BN_MONT_CTX *m_ctx),
  180. BN_MONT_CTX *m_ctx)
  181. {
  182. int retry_counter = 32;
  183. BN_BLINDING *ret = NULL;
  184. if (b == NULL)
  185. ret = BN_BLINDING_new(NULL, NULL, m);
  186. else
  187. ret = b;
  188. if (ret == NULL)
  189. goto err;
  190. if (ret->A == NULL && (ret->A = BN_new()) == NULL)
  191. goto err;
  192. if (ret->Ai == NULL && (ret->Ai = BN_new()) == NULL)
  193. goto err;
  194. if (e != NULL) {
  195. BN_free(ret->e);
  196. ret->e = BN_dup(e);
  197. }
  198. if (ret->e == NULL)
  199. goto err;
  200. if (bn_mod_exp != NULL)
  201. ret->bn_mod_exp = bn_mod_exp;
  202. if (m_ctx != NULL)
  203. ret->m_ctx = m_ctx;
  204. do {
  205. int rv;
  206. if (!BN_rand_range(ret->A, ret->mod))
  207. goto err;
  208. if (!int_bn_mod_inverse(ret->Ai, ret->A, ret->mod, ctx, &rv)) {
  209. /*
  210. * this should almost never happen for good RSA keys
  211. */
  212. if (rv) {
  213. if (retry_counter-- == 0) {
  214. BNerr(BN_F_BN_BLINDING_CREATE_PARAM,
  215. BN_R_TOO_MANY_ITERATIONS);
  216. goto err;
  217. }
  218. } else
  219. goto err;
  220. } else
  221. break;
  222. } while (1);
  223. if (ret->bn_mod_exp != NULL && ret->m_ctx != NULL) {
  224. if (!ret->bn_mod_exp
  225. (ret->A, ret->A, ret->e, ret->mod, ctx, ret->m_ctx))
  226. goto err;
  227. } else {
  228. if (!BN_mod_exp(ret->A, ret->A, ret->e, ret->mod, ctx))
  229. goto err;
  230. }
  231. return ret;
  232. err:
  233. if (b == NULL) {
  234. BN_BLINDING_free(ret);
  235. ret = NULL;
  236. }
  237. return ret;
  238. }