Well, it introduces a different failure mode - Not necessarily a bad
thing although this will behave differently.
On OpenBSD, malloc() is pretty random as is stack addresses, so while
the predictability of the location of BN object
will still be otherwise unpredictable.. On operatiing systems with
some amount of randomness to the stack but
with a predicatable malloc this will mean the BN is likely located in
a more predictable place from call to call than before.
I am pretty sure none of that matters in any consequential way, but
this *will* be different behaviour.. anyone got
a strong opinion?
-Bob
On Sun, Jun 26, 2016 at 12:26 AM, César Pereida <cesar.pere...@aalto.fi> wrote:
> Hi Brent,
>
> As far as I remember this is what I did for the RSA patch so I maintained
> consistency with that one.
>
> Are there any problems with that approach?
>
> Regards,
>
>
> On Sun, Jun 26, 2016, 8:19 AM Brent Cook <bust...@gmail.com> wrote:
>>
>> On Sun, Jun 26, 2016 at 12:00:51AM -0500, Brent Cook wrote:
>> > On Sat, Jun 25, 2016 at 07:19:09PM -0600, Bob Beck wrote:
>> > > If we are going to delete it, lets just do so
>> > >
>> > > IMO we can commit this removing the define. bets are we see nothing in
>> > > ports for fallout so lets just blow it away
>> > >
>> >
>> > Sounds good, I'll commit this:
>> >
>> > Index: src/crypto/dh/dh.h
>> > ===================================================================
>> > RCS file: /cvs/src/lib/libssl/src/crypto/dh/dh.h,v
>> > retrieving revision 1.16
>> > diff -u -p -u -p -r1.16 dh.h
>> > --- src/crypto/dh/dh.h 12 Jun 2014 15:49:28 -0000 1.16
>> > +++ src/crypto/dh/dh.h 26 Jun 2016 04:51:19 -0000
>> > @@ -78,13 +78,6 @@
>> > #endif
>> >
>> > #define DH_FLAG_CACHE_MONT_P 0x01
>> > -#define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in
>> > DH
>> > - * implementation now uses
>> > constant time
>> > - * modular exponentiation for
>> > secret exponents
>> > - * by default. This flag causes
>> > the
>> > - * faster variable sliding window
>> > method to
>> > - * be used for all exponents.
>> > - */
>> >
>> > /* If this flag is set the DH method is FIPS compliant and can be used
>> > * in FIPS mode. This is set in the validated module method. If an
>> > Index: src/crypto/dh/dh_key.c
>> > ===================================================================
>> > RCS file: /cvs/src/lib/libssl/src/crypto/dh/dh_key.c,v
>> > retrieving revision 1.23
>> > diff -u -p -u -p -r1.23 dh_key.c
>> > --- src/crypto/dh/dh_key.c 9 Feb 2015 15:49:22 -0000 1.23
>> > +++ src/crypto/dh/dh_key.c 26 Jun 2016 04:51:19 -0000
>> > @@ -147,21 +147,21 @@ generate_key(DH *dh)
>> > }
>> >
>> > {
>> > - BIGNUM local_prk;
>> > - BIGNUM *prk;
>> > + BIGNUM *prk = BN_new();
>>
>> Hmm, on second review, something seems odd.
>>
>> César, why does this patch also replace all of the stack-allocated
>> BIGNUM's with heap ones? Why add a new set of failure cases?
>>
>> >
>> > - if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) {
>> > - BN_init(&local_prk);
>> > - prk = &local_prk;
>> > - BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
>> > - } else
>> > - prk = priv_key;
>> > + if (prk == NULL)
>> > + goto err;
>> > +
>> > + BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
>> >
>> > if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, prk, dh->p,
>> > ctx,
>> > - mont))
>> > + mont)) {
>> > + BN_free(prk);
>> > goto err;
>> > + }
>> > + BN_free(prk);
>> > }
>> > -
>> > +
>> > dh->pub_key = pub_key;
>> > dh->priv_key = priv_key;
>> > ok = 1;
>> > @@ -206,10 +206,9 @@ compute_key(unsigned char *key, const BI
>> > if (dh->flags & DH_FLAG_CACHE_MONT_P) {
>> > mont = BN_MONT_CTX_set_locked(&dh->method_mont_p,
>> > CRYPTO_LOCK_DH, dh->p, ctx);
>> > - if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) {
>> > - /* XXX */
>> > - BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
>> > - }
>> > +
>> > + BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
>> > +
>> > if (!mont)
>> > goto err;
>> > }
>> > @@ -238,16 +237,7 @@ static int
>> > dh_bn_mod_exp(const DH *dh, BIGNUM *r, const BIGNUM *a, const BIGNUM
>> > *p,
>> > const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
>> > {
>> > - /*
>> > - * If a is only one word long and constant time is false, use the
>> > faster
>> > - * exponenentiation function.
>> > - */
>> > - if (a->top == 1 && (dh->flags & DH_FLAG_NO_EXP_CONSTTIME) != 0) {
>> > - BN_ULONG A = a->d[0];
>> > -
>> > - return BN_mod_exp_mont_word(r, A, p, m, ctx, m_ctx);
>> > - } else
>> > - return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
>> > + return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
>> > }
>> >
>> > static int
>> > Index: src/crypto/dsa/dsa.h
>> > ===================================================================
>> > RCS file: /cvs/src/lib/libssl/src/crypto/dsa/dsa.h,v
>> > retrieving revision 1.20
>> > diff -u -p -u -p -r1.20 dsa.h
>> > --- src/crypto/dsa/dsa.h 21 Jun 2016 04:16:53 -0000 1.20
>> > +++ src/crypto/dsa/dsa.h 26 Jun 2016 04:51:19 -0000
>> > @@ -89,9 +89,6 @@
>> > #endif
>> >
>> > #define DSA_FLAG_CACHE_MONT_P 0x01
>> > -#define DSA_FLAG_NO_EXP_CONSTTIME 0x00 /* Does nothing.
>> > Previously this switched off
>> > - * constant time
>> > behaviour.
>> > - */
>> >
>> > /* If this flag is set the DSA method is FIPS compliant and can be used
>> > * in FIPS mode. This is set in the validated module method. If an
>> > Index: src/crypto/rsa/rsa.h
>> > ===================================================================
>> > RCS file: /cvs/src/lib/libssl/src/crypto/rsa/rsa.h,v
>> > retrieving revision 1.27
>> > diff -u -p -u -p -r1.27 rsa.h
>> > --- src/crypto/rsa/rsa.h 14 Feb 2015 15:10:39 -0000 1.27
>> > +++ src/crypto/rsa/rsa.h 26 Jun 2016 04:51:20 -0000
>> > @@ -194,16 +194,6 @@ struct rsa_st {
>> > */
>> > #define RSA_FLAG_NO_BLINDING 0x0080
>> >
>> > -/*
>> > - * The built-in RSA implementation uses constant time operations by
>> > default
>> > - * in private key operations, e.g., constant time modular
>> > exponentiation,
>> > - * modular inverse without leaking branches, division without leaking
>> > branches.
>> > - * This flag disables these constant time operations and results in
>> > faster RSA
>> > - * private key operations.
>> > - */
>> > -#define RSA_FLAG_NO_CONSTTIME 0x0100
>> > -
>> > -
>> > #define EVP_PKEY_CTX_set_rsa_padding(ctx, pad) \
>> > EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, -1,
>> > EVP_PKEY_CTRL_RSA_PADDING, \
>> > pad, NULL)
>> > Index: src/crypto/rsa/rsa_crpt.c
>> > ===================================================================
>> > RCS file: /cvs/src/lib/libssl/src/crypto/rsa/rsa_crpt.c,v
>> > retrieving revision 1.14
>> > diff -u -p -u -p -r1.14 rsa_crpt.c
>> > --- src/crypto/rsa/rsa_crpt.c 11 Feb 2015 03:19:37 -0000 1.14
>> > +++ src/crypto/rsa/rsa_crpt.c 26 Jun 2016 04:51:20 -0000
>> > @@ -169,8 +169,8 @@ err:
>> > BN_BLINDING *
>> > RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx)
>> > {
>> > - BIGNUM local_n;
>> > - BIGNUM *e, *n;
>> > + BIGNUM *e;
>> > + BIGNUM *n = BN_new();
>> > BN_CTX *ctx;
>> > BN_BLINDING *ret = NULL;
>> >
>> > @@ -192,15 +192,16 @@ RSA_setup_blinding(RSA *rsa, BN_CTX *in_
>> > } else
>> > e = rsa->e;
>> >
>> > - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
>> > - /* Set BN_FLG_CONSTTIME flag */
>> > - n = &local_n;
>> > - BN_with_flags(n, rsa->n, BN_FLG_CONSTTIME);
>> > - } else
>> > - n = rsa->n;
>> > + if (n == NULL)
>> > + goto err;
>> > +
>> > + BN_with_flags(n, rsa->n, BN_FLG_CONSTTIME);
>> >
>> > ret = BN_BLINDING_create_param(NULL, e, n, ctx,
>> > rsa->meth->bn_mod_exp,
>> > rsa->_method_mod_n);
>> > +
>> > + BN_free(n);
>> > +
>> > if (ret == NULL) {
>> > RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_BN_LIB);
>> > goto err;
>> > Index: src/crypto/rsa/rsa_eay.c
>> > ===================================================================
>> > RCS file: /cvs/src/lib/libssl/src/crypto/rsa/rsa_eay.c,v
>> > retrieving revision 1.40
>> > diff -u -p -u -p -r1.40 rsa_eay.c
>> > --- src/crypto/rsa/rsa_eay.c 10 Sep 2015 15:56:25 -0000 1.40
>> > +++ src/crypto/rsa/rsa_eay.c 26 Jun 2016 04:51:20 -0000
>> > @@ -426,24 +426,26 @@ RSA_eay_private_encrypt(int flen, const
>> > if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
>> > goto err;
>> > } else {
>> > - BIGNUM local_d;
>> > - BIGNUM *d = NULL;
>> > + BIGNUM *d = BN_new();
>> >
>> > - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
>> > - BN_init(&local_d);
>> > - d = &local_d;
>> > - BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
>> > - } else
>> > - d = rsa->d;
>> > + if (d == NULL)
>> > + goto err;
>> > +
>> > + BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
>> >
>> > if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
>> > if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
>> > - CRYPTO_LOCK_RSA, rsa->n, ctx))
>> > + CRYPTO_LOCK_RSA, rsa->n, ctx)) {
>> > + BN_free(d);
>> > goto err;
>> > + }
>> >
>> > if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
>> > - rsa->_method_mod_n))
>> > + rsa->_method_mod_n)) {
>> > + BN_free(d);
>> > goto err;
>> > + }
>> > + BN_free(d);
>> > }
>> >
>> > if (blinding)
>> > @@ -553,22 +555,26 @@ RSA_eay_private_decrypt(int flen, const
>> > if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
>> > goto err;
>> > } else {
>> > - BIGNUM local_d;
>> > - BIGNUM *d = NULL;
>> > + BIGNUM *d = BN_new();
>> >
>> > - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
>> > - d = &local_d;
>> > - BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
>> > - } else
>> > - d = rsa->d;
>> > + if (d == NULL)
>> > + goto err;
>> > +
>> > + BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
>> >
>> > if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
>> > if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
>> > - CRYPTO_LOCK_RSA, rsa->n, ctx))
>> > + CRYPTO_LOCK_RSA, rsa->n, ctx)) {
>> > + BN_free(d);
>> > goto err;
>> > + }
>> > +
>> > if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
>> > - rsa->_method_mod_n))
>> > + rsa->_method_mod_n)) {
>> > + BN_free(d);
>> > goto err;
>> > + }
>> > + BN_free(d);
>> > }
>> >
>> > if (blinding)
>> > @@ -723,8 +729,10 @@ static int
>> > RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
>> > {
>> > BIGNUM *r1, *m1, *vrfy;
>> > - BIGNUM local_dmp1, local_dmq1, local_c, local_r1;
>> > - BIGNUM *dmp1, *dmq1, *c, *pr1;
>> > + BIGNUM *dmp1 = BN_new();
>> > + BIGNUM *dmq1 = BN_new();
>> > + BIGNUM *pr1 = BN_new();
>> > + BIGNUM *c = BN_new();
>> > int ret = 0;
>> >
>> > BN_CTX_start(ctx);
>> > @@ -737,34 +745,33 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM
>> > }
>> >
>> > {
>> > - BIGNUM local_p, local_q;
>> > - BIGNUM *p = NULL, *q = NULL;
>> > + BIGNUM *p = BN_new();
>> > + BIGNUM *q = BN_new();
>> >
>> > /*
>> > * Make sure BN_mod_inverse in Montgomery intialization
>> > uses the
>> > - * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is
>> > set)
>> > + * BN_FLG_CONSTTIME flag
>> > */
>> > - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
>> > - BN_init(&local_p);
>> > - p = &local_p;
>> > - BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
>> > -
>> > - BN_init(&local_q);
>> > - q = &local_q;
>> > - BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
>> > - } else {
>> > - p = rsa->p;
>> > - q = rsa->q;
>> > + if (p == NULL || q == NULL) {
>> > + BN_free(p);
>> > + BN_free(q);
>> > + goto err;
>> > }
>> > + BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
>> > + BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
>> >
>> > if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) {
>> > - if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p,
>> > - CRYPTO_LOCK_RSA, p, ctx))
>> > - goto err;
>> > - if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q,
>> > - CRYPTO_LOCK_RSA, q, ctx))
>> > + if (!BN_MONT_CTX_set_locked
>> > + (&rsa->_method_mod_p,CRYPTO_LOCK_RSA, p,
>> > ctx)
>> > + ||
>> > !BN_MONT_CTX_set_locked(&rsa->_method_mod_q,
>> > + CRYPTO_LOCK_RSA, q, ctx)) {
>> > + BN_free(p);
>> > + BN_free(q);
>> > goto err;
>> > + }
>> > }
>> > + BN_free(p);
>> > + BN_free(q);
>> > }
>> >
>> > if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
>> > @@ -773,46 +780,55 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM
>> > goto err;
>> >
>> > /* compute I mod q */
>> > - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
>> > - c = &local_c;
>> > - BN_with_flags(c, I, BN_FLG_CONSTTIME);
>> > - if (!BN_mod(r1, c, rsa->q, ctx))
>> > - goto err;
>> > - } else {
>> > - if (!BN_mod(r1, I, rsa->q, ctx))
>> > - goto err;
>> > + if (c == NULL)
>> > + goto err;
>> > +
>> > + BN_with_flags(c, I, BN_FLG_CONSTTIME);
>> > +
>> > + if (!BN_mod(r1, c, rsa->q, ctx)) {
>> > + BN_free(c);
>> > + goto err;
>> > }
>> >
>> > /* compute r1^dmq1 mod q */
>> > - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
>> > - dmq1 = &local_dmq1;
>> > - BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
>> > - } else
>> > - dmq1 = rsa->dmq1;
>> > + if (dmq1 == NULL) {
>> > + BN_free(c);
>> > + goto err;
>> > + }
>> > + BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
>> > +
>> > if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx,
>> > - rsa->_method_mod_q))
>> > + rsa->_method_mod_q)) {
>> > + BN_free(c);
>> > + BN_free(dmq1);
>> > goto err;
>> > + }
>> > + BN_free(dmq1);
>> >
>> > /* compute I mod p */
>> > - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
>> > - c = &local_c;
>> > - BN_with_flags(c, I, BN_FLG_CONSTTIME);
>> > - if (!BN_mod(r1, c, rsa->p, ctx))
>> > - goto err;
>> > - } else {
>> > - if (!BN_mod(r1, I, rsa->p, ctx))
>> > - goto err;
>> > + if (c == NULL)
>> > + goto err;
>> > +
>> > + BN_with_flags(c, I, BN_FLG_CONSTTIME);
>> > +
>> > + if (!BN_mod(r1, c, rsa->p, ctx)) {
>> > + BN_free(c);
>> > + goto err;
>> > }
>> > + BN_free(c);
>> >
>> > /* compute r1^dmp1 mod p */
>> > - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
>> > - dmp1 = &local_dmp1;
>> > - BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
>> > - } else
>> > - dmp1 = rsa->dmp1;
>> > + if (dmp1 == NULL)
>> > + goto err;
>> > +
>> > + BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
>> > +
>> > if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p, ctx,
>> > - rsa->_method_mod_p))
>> > + rsa->_method_mod_p)) {
>> > + BN_free(dmp1);
>> > goto err;
>> > + }
>> > + BN_free(dmp1);
>> >
>> > if (!BN_sub(r0, r0, m1))
>> > goto err;
>> > @@ -828,14 +844,17 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM
>> > goto err;
>> >
>> > /* Turn BN_FLG_CONSTTIME flag on before division operation */
>> > - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
>> > - pr1 = &local_r1;
>> > - BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
>> > - } else
>> > - pr1 = r1;
>> > - if (!BN_mod(r0, pr1, rsa->p, ctx))
>> > + if (pr1 == NULL)
>> > goto err;
>> >
>> > + BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
>> > +
>> > + if (!BN_mod(r0, pr1, rsa->p, ctx)) {
>> > + BN_free(pr1);
>> > + goto err;
>> > + }
>> > + BN_free(pr1);
>> > +
>> > /*
>> > * If p < q it is occasionally possible for the correction of
>> > * adding 'p' if r0 is negative above to leave the result still
>> > @@ -876,17 +895,19 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM
>> > * mod_exp and return that instead.
>> > */
>> >
>> > - BIGNUM local_d;
>> > - BIGNUM *d = NULL;
>> > + BIGNUM *d = BN_new();
>> > +
>> > + if (d == NULL)
>> > + goto err;
>> > +
>> > + BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
>> >
>> > - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
>> > - d = &local_d;
>> > - BN_with_flags(d, rsa->d,
>> > BN_FLG_CONSTTIME);
>> > - } else
>> > - d = rsa->d;
>> > if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx,
>> > - rsa->_method_mod_n))
>> > + rsa->_method_mod_n)) {
>> > + BN_free(d);
>> > goto err;
>> > + }
>> > + BN_free(d);
>> > }
>> > }
>> > ret = 1;
>> > Index: src/crypto/rsa/rsa_gen.c
>> > ===================================================================
>> > RCS file: /cvs/src/lib/libssl/src/crypto/rsa/rsa_gen.c,v
>> > retrieving revision 1.17
>> > diff -u -p -u -p -r1.17 rsa_gen.c
>> > --- src/crypto/rsa/rsa_gen.c 9 Feb 2015 15:49:22 -0000 1.17
>> > +++ src/crypto/rsa/rsa_gen.c 26 Jun 2016 04:51:20 -0000
>> > @@ -90,8 +90,9 @@ static int
>> > rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
>> > {
>> > BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp;
>> > - BIGNUM local_r0, local_d, local_p;
>> > - BIGNUM *pr0, *d, *p;
>> > + BIGNUM *pr0 = BN_new();
>> > + BIGNUM *d = BN_new();
>> > + BIGNUM *p = BN_new();
>> > int bitsp, bitsq, ok = -1, n = 0;
>> > BN_CTX *ctx = NULL;
>> >
>> > @@ -193,37 +194,39 @@ rsa_builtin_keygen(RSA *rsa, int bits, B
>> > goto err;
>> > if (!BN_mul(r0, r1, r2, ctx)) /* (p-1)(q-1) */
>> > goto err;
>> > - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
>> > - pr0 = &local_r0;
>> > - BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
>> > - } else
>> > - pr0 = r0;
>> > - if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx)) /* d */
>> > + if (pr0 == NULL)
>> > goto err;
>> > + BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
>> > + if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx)) { /* d */
>> > + BN_free(pr0);
>> > + goto err;
>> > + }
>> >
>> > /* set up d for correct BN_FLG_CONSTTIME flag */
>> > - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
>> > - d = &local_d;
>> > - BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
>> > - } else
>> > - d = rsa->d;
>> > + if (d == NULL)
>> > + goto err;
>> > + BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
>> >
>> > /* calculate d mod (p-1) */
>> > - if (!BN_mod(rsa->dmp1, d, r1, ctx))
>> > + if (!BN_mod(rsa->dmp1, d, r1, ctx)) {
>> > + BN_free(d);
>> > goto err;
>> > + }
>> >
>> > /* calculate d mod (q-1) */
>> > - if (!BN_mod(rsa->dmq1, d, r2, ctx))
>> > + if (!BN_mod(rsa->dmq1, d, r2, ctx)) {
>> > + BN_free(d);
>> > goto err;
>> > + }
>> >
>> > /* calculate inverse of q mod p */
>> > - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
>> > - p = &local_p;
>> > - BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
>> > - } else
>> > - p = rsa->p;
>> > - if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx))
>> > + if (p == NULL)
>> > + goto err;
>> > + BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
>> > + if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx)) {
>> > + BN_free(p);
>> > goto err;
>> > + }
>> >
>> > ok = 1;
>> > err:
