On Sun, Jun 26, 2016 at 12:22 PM, Brent Cook <bust...@gmail.com> wrote:
> On Sun, Jun 26, 2016 at 06:26:36AM +0000, César Pereida wrote: > > > > On Sun, Jun 26, 2016, 8:19 AM Brent Cook <bust...@gmail.com> wrote: > > > > > Hmm, on second review, something seems odd. > > > > > > César, why does this patch also replace all of the stack-allocated > > > BIGNUM's with heap ones? Why add a new set of failure cases? > > > > > Hi Brent, > > > > As far as I remember this is what I did for the RSA patch so I maintained > > consistency with that one. > > > > Are there any problems with that approach? > > > > Regards, > > Hi César, > > Yeah, I think the original stack variables are preferable, since all we > are doing is cloning the fields from the original BIGNUM and adding a > flag. Here's a revised patch with regress tests fixed as well: > > ok? > Is it too late in the 6.0 cycle to get this one in? Feels like I need to get it in soon if not... > Index: lib/libssl/src/crypto/dh/dh.h > =================================================================== > RCS file: /cvs/src/lib/libssl/src/crypto/dh/dh.h,v > retrieving revision 1.16 > diff -u -p -u -p -r1.16 dh.h > --- lib/libssl/src/crypto/dh/dh.h 12 Jun 2014 15:49:28 -0000 > 1.16 > +++ lib/libssl/src/crypto/dh/dh.h 26 Jun 2016 17:19:39 -0000 > @@ -78,13 +78,6 @@ > #endif > > #define DH_FLAG_CACHE_MONT_P 0x01 > -#define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH > - * implementation now uses constant > time > - * modular exponentiation for > secret exponents > - * by default. This flag causes the > - * faster variable sliding window > method to > - * be used for all exponents. > - */ > > /* If this flag is set the DH method is FIPS compliant and can be used > * in FIPS mode. This is set in the validated module method. If an > Index: lib/libssl/src/crypto/dh/dh_key.c > =================================================================== > RCS file: /cvs/src/lib/libssl/src/crypto/dh/dh_key.c,v > retrieving revision 1.23 > diff -u -p -u -p -r1.23 dh_key.c > --- lib/libssl/src/crypto/dh/dh_key.c 9 Feb 2015 15:49:22 -0000 > 1.23 > +++ lib/libssl/src/crypto/dh/dh_key.c 26 Jun 2016 17:19:39 -0000 > @@ -147,21 +147,16 @@ generate_key(DH *dh) > } > > { > - BIGNUM local_prk; > - BIGNUM *prk; > + BIGNUM prk; > > - if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) { > - BN_init(&local_prk); > - prk = &local_prk; > - BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME); > - } else > - prk = priv_key; > + BN_with_flags(&prk, priv_key, BN_FLG_CONSTTIME); > > - if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, prk, dh->p, > ctx, > - mont)) > + if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, &prk, dh->p, > ctx, > + mont)) { > goto err; > + } > } > - > + > dh->pub_key = pub_key; > dh->priv_key = priv_key; > ok = 1; > @@ -206,10 +201,9 @@ compute_key(unsigned char *key, const BI > if (dh->flags & DH_FLAG_CACHE_MONT_P) { > mont = BN_MONT_CTX_set_locked(&dh->method_mont_p, > CRYPTO_LOCK_DH, dh->p, ctx); > - if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) { > - /* XXX */ > - BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME); > - } > + > + BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME); > + > if (!mont) > goto err; > } > @@ -238,16 +232,7 @@ static int > dh_bn_mod_exp(const DH *dh, BIGNUM *r, const BIGNUM *a, const BIGNUM *p, > const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx) > { > - /* > - * If a is only one word long and constant time is false, use the > faster > - * exponenentiation function. > - */ > - if (a->top == 1 && (dh->flags & DH_FLAG_NO_EXP_CONSTTIME) != 0) { > - BN_ULONG A = a->d[0]; > - > - return BN_mod_exp_mont_word(r, A, p, m, ctx, m_ctx); > - } else > - return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx); > + return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx); > } > > static int > Index: lib/libssl/src/crypto/dsa/dsa.h > =================================================================== > RCS file: /cvs/src/lib/libssl/src/crypto/dsa/dsa.h,v > retrieving revision 1.20 > diff -u -p -u -p -r1.20 dsa.h > --- lib/libssl/src/crypto/dsa/dsa.h 21 Jun 2016 04:16:53 -0000 > 1.20 > +++ lib/libssl/src/crypto/dsa/dsa.h 26 Jun 2016 17:19:40 -0000 > @@ -89,9 +89,6 @@ > #endif > > #define DSA_FLAG_CACHE_MONT_P 0x01 > -#define DSA_FLAG_NO_EXP_CONSTTIME 0x00 /* Does nothing. Previously > this switched off > - * constant time behaviour. > - */ > > /* If this flag is set the DSA method is FIPS compliant and can be used > * in FIPS mode. This is set in the validated module method. If an > Index: lib/libssl/src/crypto/dsa/dsa_key.c > =================================================================== > RCS file: /cvs/src/lib/libssl/src/crypto/dsa/dsa_key.c,v > retrieving revision 1.21 > diff -u -p -u -p -r1.21 dsa_key.c > --- lib/libssl/src/crypto/dsa/dsa_key.c 21 Jun 2016 04:16:53 -0000 > 1.21 > +++ lib/libssl/src/crypto/dsa/dsa_key.c 26 Jun 2016 17:19:40 -0000 > @@ -104,18 +104,13 @@ dsa_builtin_keygen(DSA *dsa) > pub_key=dsa->pub_key; > > { > - BIGNUM *prk = BN_new(); > + BIGNUM prk; > > - if (prk == NULL) > - goto err; > - > - BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME); > + BN_with_flags(&prk, priv_key, BN_FLG_CONSTTIME); > > - if (!BN_mod_exp(pub_key, dsa->g, prk, dsa->p, ctx)) { > - BN_free(prk); > + if (!BN_mod_exp(pub_key, dsa->g, &prk, dsa->p, ctx)) { > goto err; > } > - BN_free(prk); > } > > dsa->priv_key = priv_key; > Index: lib/libssl/src/crypto/rsa/rsa.h > =================================================================== > RCS file: /cvs/src/lib/libssl/src/crypto/rsa/rsa.h,v > retrieving revision 1.27 > diff -u -p -u -p -r1.27 rsa.h > --- lib/libssl/src/crypto/rsa/rsa.h 14 Feb 2015 15:10:39 -0000 > 1.27 > +++ lib/libssl/src/crypto/rsa/rsa.h 26 Jun 2016 17:19:43 -0000 > @@ -194,16 +194,6 @@ struct rsa_st { > */ > #define RSA_FLAG_NO_BLINDING 0x0080 > > -/* > - * The built-in RSA implementation uses constant time operations by > default > - * in private key operations, e.g., constant time modular exponentiation, > - * modular inverse without leaking branches, division without leaking > branches. > - * This flag disables these constant time operations and results in > faster RSA > - * private key operations. > - */ > -#define RSA_FLAG_NO_CONSTTIME 0x0100 > - > - > #define EVP_PKEY_CTX_set_rsa_padding(ctx, pad) \ > EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, -1, > EVP_PKEY_CTRL_RSA_PADDING, \ > pad, NULL) > Index: lib/libssl/src/crypto/rsa/rsa_crpt.c > =================================================================== > RCS file: /cvs/src/lib/libssl/src/crypto/rsa/rsa_crpt.c,v > retrieving revision 1.14 > diff -u -p -u -p -r1.14 rsa_crpt.c > --- lib/libssl/src/crypto/rsa/rsa_crpt.c 11 Feb 2015 03:19:37 > -0000 1.14 > +++ lib/libssl/src/crypto/rsa/rsa_crpt.c 26 Jun 2016 17:19:43 -0000 > @@ -169,8 +169,8 @@ err: > BN_BLINDING * > RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx) > { > - BIGNUM local_n; > - BIGNUM *e, *n; > + BIGNUM *e; > + BIGNUM n; > BN_CTX *ctx; > BN_BLINDING *ret = NULL; > > @@ -192,15 +192,11 @@ RSA_setup_blinding(RSA *rsa, BN_CTX *in_ > } else > e = rsa->e; > > - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { > - /* Set BN_FLG_CONSTTIME flag */ > - n = &local_n; > - BN_with_flags(n, rsa->n, BN_FLG_CONSTTIME); > - } else > - n = rsa->n; > + BN_with_flags(&n, rsa->n, BN_FLG_CONSTTIME); > > - ret = BN_BLINDING_create_param(NULL, e, n, ctx, > rsa->meth->bn_mod_exp, > + ret = BN_BLINDING_create_param(NULL, e, &n, ctx, > rsa->meth->bn_mod_exp, > rsa->_method_mod_n); > + > if (ret == NULL) { > RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_BN_LIB); > goto err; > Index: lib/libssl/src/crypto/rsa/rsa_eay.c > =================================================================== > RCS file: /cvs/src/lib/libssl/src/crypto/rsa/rsa_eay.c,v > retrieving revision 1.40 > diff -u -p -u -p -r1.40 rsa_eay.c > --- lib/libssl/src/crypto/rsa/rsa_eay.c 10 Sep 2015 15:56:25 -0000 > 1.40 > +++ lib/libssl/src/crypto/rsa/rsa_eay.c 26 Jun 2016 17:19:45 -0000 > @@ -426,24 +426,20 @@ RSA_eay_private_encrypt(int flen, const > if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) > goto err; > } else { > - BIGNUM local_d; > - BIGNUM *d = NULL; > + BIGNUM d; > > - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { > - BN_init(&local_d); > - d = &local_d; > - BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); > - } else > - d = rsa->d; > + BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME); > > if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) > if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, > - CRYPTO_LOCK_RSA, rsa->n, ctx)) > + CRYPTO_LOCK_RSA, rsa->n, ctx)) { > goto err; > + } > > - if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx, > - rsa->_method_mod_n)) > + if (!rsa->meth->bn_mod_exp(ret, f, &d, rsa->n, ctx, > + rsa->_method_mod_n)) { > goto err; > + } > } > > if (blinding) > @@ -553,22 +549,20 @@ RSA_eay_private_decrypt(int flen, const > if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) > goto err; > } else { > - BIGNUM local_d; > - BIGNUM *d = NULL; > + BIGNUM d; > > - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { > - d = &local_d; > - BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); > - } else > - d = rsa->d; > + BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME); > > if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) > if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, > - CRYPTO_LOCK_RSA, rsa->n, ctx)) > + CRYPTO_LOCK_RSA, rsa->n, ctx)) { > goto err; > - if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx, > - rsa->_method_mod_n)) > + } > + > + if (!rsa->meth->bn_mod_exp(ret, f, &d, rsa->n, ctx, > + rsa->_method_mod_n)) { > goto err; > + } > } > > if (blinding) > @@ -723,8 +717,7 @@ static int > RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) > { > BIGNUM *r1, *m1, *vrfy; > - BIGNUM local_dmp1, local_dmq1, local_c, local_r1; > - BIGNUM *dmp1, *dmq1, *c, *pr1; > + BIGNUM dmp1, dmq1, c, pr1; > int ret = 0; > > BN_CTX_start(ctx); > @@ -737,33 +730,23 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM > } > > { > - BIGNUM local_p, local_q; > - BIGNUM *p = NULL, *q = NULL; > + BIGNUM p, q; > > /* > * Make sure BN_mod_inverse in Montgomery intialization > uses the > - * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is > set) > + * BN_FLG_CONSTTIME flag > */ > - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { > - BN_init(&local_p); > - p = &local_p; > - BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME); > - > - BN_init(&local_q); > - q = &local_q; > - BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME); > - } else { > - p = rsa->p; > - q = rsa->q; > - } > + > + BN_with_flags(&p, rsa->p, BN_FLG_CONSTTIME); > + BN_with_flags(&q, rsa->q, BN_FLG_CONSTTIME); > > if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) { > if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, > - CRYPTO_LOCK_RSA, p, ctx)) > - goto err; > - if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q, > - CRYPTO_LOCK_RSA, q, ctx)) > + CRYPTO_LOCK_RSA, &p, ctx) || > + !BN_MONT_CTX_set_locked(&rsa->_method_mod_q, > + CRYPTO_LOCK_RSA, &q, ctx)) { > goto err; > + } > } > } > > @@ -773,46 +756,34 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM > goto err; > > /* compute I mod q */ > - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { > - c = &local_c; > - BN_with_flags(c, I, BN_FLG_CONSTTIME); > - if (!BN_mod(r1, c, rsa->q, ctx)) > - goto err; > - } else { > - if (!BN_mod(r1, I, rsa->q, ctx)) > - goto err; > + BN_with_flags(&c, I, BN_FLG_CONSTTIME); > + > + if (!BN_mod(r1, &c, rsa->q, ctx)) { > + goto err; > } > > /* compute r1^dmq1 mod q */ > - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { > - dmq1 = &local_dmq1; > - BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME); > - } else > - dmq1 = rsa->dmq1; > - if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx, > - rsa->_method_mod_q)) > + BN_with_flags(&dmq1, rsa->dmq1, BN_FLG_CONSTTIME); > + > + if (!rsa->meth->bn_mod_exp(m1, r1, &dmq1, rsa->q, ctx, > + rsa->_method_mod_q)) { > goto err; > + } > > /* compute I mod p */ > - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { > - c = &local_c; > - BN_with_flags(c, I, BN_FLG_CONSTTIME); > - if (!BN_mod(r1, c, rsa->p, ctx)) > - goto err; > - } else { > - if (!BN_mod(r1, I, rsa->p, ctx)) > - goto err; > + BN_with_flags(&c, I, BN_FLG_CONSTTIME); > + > + if (!BN_mod(r1, &c, rsa->p, ctx)) { > + goto err; > } > > /* compute r1^dmp1 mod p */ > - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { > - dmp1 = &local_dmp1; > - BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME); > - } else > - dmp1 = rsa->dmp1; > - if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p, ctx, > - rsa->_method_mod_p)) > + BN_with_flags(&dmp1, rsa->dmp1, BN_FLG_CONSTTIME); > + > + if (!rsa->meth->bn_mod_exp(r0, r1, &dmp1, rsa->p, ctx, > + rsa->_method_mod_p)) { > goto err; > + } > > if (!BN_sub(r0, r0, m1)) > goto err; > @@ -828,13 +799,11 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM > goto err; > > /* Turn BN_FLG_CONSTTIME flag on before division operation */ > - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { > - pr1 = &local_r1; > - BN_with_flags(pr1, r1, BN_FLG_CONSTTIME); > - } else > - pr1 = r1; > - if (!BN_mod(r0, pr1, rsa->p, ctx)) > + BN_with_flags(&pr1, r1, BN_FLG_CONSTTIME); > + > + if (!BN_mod(r0, &pr1, rsa->p, ctx)) { > goto err; > + } > > /* > * If p < q it is occasionally possible for the correction of > @@ -875,18 +844,14 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM > * miscalculated CRT output, just do a raw (slower) > * mod_exp and return that instead. > */ > + BIGNUM d; > > - BIGNUM local_d; > - BIGNUM *d = NULL; > + BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME); > > - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { > - d = &local_d; > - BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); > - } else > - d = rsa->d; > - if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx, > - rsa->_method_mod_n)) > + if (!rsa->meth->bn_mod_exp(r0, I, &d, rsa->n, ctx, > + rsa->_method_mod_n)) { > goto err; > + } > } > } > ret = 1; > Index: lib/libssl/src/crypto/rsa/rsa_gen.c > =================================================================== > RCS file: /cvs/src/lib/libssl/src/crypto/rsa/rsa_gen.c,v > retrieving revision 1.17 > diff -u -p -u -p -r1.17 rsa_gen.c > --- lib/libssl/src/crypto/rsa/rsa_gen.c 9 Feb 2015 15:49:22 -0000 > 1.17 > +++ lib/libssl/src/crypto/rsa/rsa_gen.c 26 Jun 2016 17:19:45 -0000 > @@ -90,8 +90,7 @@ static int > rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) > { > BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp; > - BIGNUM local_r0, local_d, local_p; > - BIGNUM *pr0, *d, *p; > + BIGNUM pr0, d, p; > int bitsp, bitsq, ok = -1, n = 0; > BN_CTX *ctx = NULL; > > @@ -193,37 +192,31 @@ rsa_builtin_keygen(RSA *rsa, int bits, B > goto err; > if (!BN_mul(r0, r1, r2, ctx)) /* (p-1)(q-1) */ > goto err; > - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { > - pr0 = &local_r0; > - BN_with_flags(pr0, r0, BN_FLG_CONSTTIME); > - } else > - pr0 = r0; > - if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx)) /* d */ > + > + BN_with_flags(&pr0, r0, BN_FLG_CONSTTIME); > + > + if (!BN_mod_inverse(rsa->d, rsa->e, &pr0, ctx)) { /* d */ > goto err; > + } > > /* set up d for correct BN_FLG_CONSTTIME flag */ > - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { > - d = &local_d; > - BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); > - } else > - d = rsa->d; > + BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME); > > /* calculate d mod (p-1) */ > - if (!BN_mod(rsa->dmp1, d, r1, ctx)) > + if (!BN_mod(rsa->dmp1, &d, r1, ctx)) { > goto err; > + } > > /* calculate d mod (q-1) */ > - if (!BN_mod(rsa->dmq1, d, r2, ctx)) > + if (!BN_mod(rsa->dmq1, &d, r2, ctx)) > goto err; > > /* calculate inverse of q mod p */ > - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { > - p = &local_p; > - BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME); > - } else > - p = rsa->p; > - if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx)) > + BN_with_flags(&p, rsa->p, BN_FLG_CONSTTIME); > + if (!BN_mod_inverse(rsa->iqmp, rsa->q, &p, ctx)) { > goto err; > + } > > ok = 1; > err: > Index: regress/lib/libcrypto/dh/dhtest.c > =================================================================== > RCS file: /cvs/src/regress/lib/libcrypto/dh/dhtest.c,v > retrieving revision 1.3 > diff -u -p -u -p -r1.3 dhtest.c > --- regress/lib/libcrypto/dh/dhtest.c 22 Oct 2014 13:18:16 -0000 1.3 > +++ regress/lib/libcrypto/dh/dhtest.c 26 Jun 2016 17:19:51 -0000 > @@ -73,16 +73,30 @@ > > #include <openssl/dh.h> > > -static int cb(int p, int n, BN_GENCB *arg); > +static int cb(int p, int n, BN_GENCB *arg) > +{ > + char c='*'; > + > + if (p == 0) > + c='.'; > + if (p == 1) > + c='+'; > + if (p == 2) > + c='*'; > + if (p == 3) > + c='\n'; > + BIO_write(arg->arg,&c,1); > + (void)BIO_flush(arg->arg); > + return 1; > +} > > int main(int argc, char *argv[]) > - { > +{ > BN_GENCB _cb; > DH *a; > - DH *b=NULL; > char buf[12]; > - unsigned char *abuf=NULL,*bbuf=NULL; > - int i,alen,blen,aout,bout,ret=1; > + unsigned char *abuf=NULL; > + int i,alen,aout,ret=1; > BIO *out; > > out=BIO_new(BIO_s_file()); > @@ -90,11 +104,12 @@ int main(int argc, char *argv[]) > BIO_set_fp(out,stdout,BIO_NOCLOSE); > > BN_GENCB_set(&_cb, &cb, out); > - if(((a = DH_new()) == NULL) || !DH_generate_parameters_ex(a, 64, > - DH_GENERATOR_5, &_cb)) > + if (((a = DH_new()) == NULL) || > + !DH_generate_parameters_ex(a, 64, DH_GENERATOR_5, &_cb)) > goto err; > > - if (!DH_check(a, &i)) goto err; > + if (!DH_check(a, &i)) > + goto err; > if (i & DH_CHECK_P_NOT_PRIME) > BIO_puts(out, "p value is not prime\n"); > if (i & DH_CHECK_P_NOT_SAFE_PRIME) > @@ -110,81 +125,36 @@ int main(int argc, char *argv[]) > BN_print(out,a->g); > BIO_puts(out,"\n"); > > - b=DH_new(); > - if (b == NULL) goto err; > - > - b->p=BN_dup(a->p); > - b->g=BN_dup(a->g); > - if ((b->p == NULL) || (b->g == NULL)) goto err; > - > - /* Set a to run with normal modexp and b to use constant time */ > - a->flags &= ~DH_FLAG_NO_EXP_CONSTTIME; > - b->flags |= DH_FLAG_NO_EXP_CONSTTIME; > - > - if (!DH_generate_key(a)) goto err; > + if (!DH_generate_key(a)) > + goto err; > BIO_puts(out,"pri 1="); > BN_print(out,a->priv_key); > BIO_puts(out,"\npub 1="); > BN_print(out,a->pub_key); > BIO_puts(out,"\n"); > > - if (!DH_generate_key(b)) goto err; > - BIO_puts(out,"pri 2="); > - BN_print(out,b->priv_key); > - BIO_puts(out,"\npub 2="); > - BN_print(out,b->pub_key); > - BIO_puts(out,"\n"); > - > alen=DH_size(a); > abuf=malloc(alen); > - aout=DH_compute_key(abuf,b->pub_key,a); > + aout=DH_compute_key(abuf,a->pub_key,a); > > BIO_puts(out,"key1 ="); > - for (i=0; i<aout; i++) > - { > + for (i=0; i<aout; i++) { > snprintf(buf,sizeof buf,"%02X",abuf[i]); > BIO_puts(out,buf); > - } > + } > BIO_puts(out,"\n"); > > - blen=DH_size(b); > - bbuf=malloc(blen); > - bout=DH_compute_key(bbuf,a->pub_key,b); > - > - BIO_puts(out,"key2 ="); > - for (i=0; i<bout; i++) > - { > - snprintf(buf,sizeof buf,"%02X",bbuf[i]); > - BIO_puts(out,buf); > - } > - BIO_puts(out,"\n"); > - if ((aout < 4) || (bout != aout) || (memcmp(abuf,bbuf,aout) != 0)) > - { > + if (aout < 4) { > fprintf(stderr,"Error in DH routines\n"); > ret=1; > - } > - else > + } else > ret=0; > err: > ERR_print_errors_fp(stderr); > > free(abuf); > - free(bbuf); > - if(b != NULL) DH_free(b); > - if(a != NULL) DH_free(a); > + if (a != NULL) > + DH_free(a); > BIO_free(out); > exit(ret); > - } > - > -static int cb(int p, int n, BN_GENCB *arg) > - { > - char c='*'; > - > - if (p == 0) c='.'; > - if (p == 1) c='+'; > - if (p == 2) c='*'; > - if (p == 3) c='\n'; > - BIO_write(arg->arg,&c,1); > - (void)BIO_flush(arg->arg); > - return 1; > - } > +} > Index: regress/lib/libcrypto/dsa/dsatest.c > =================================================================== > RCS file: /cvs/src/regress/lib/libcrypto/dsa/dsatest.c,v > retrieving revision 1.3 > diff -u -p -u -p -r1.3 dsatest.c > --- regress/lib/libcrypto/dsa/dsatest.c 22 Oct 2014 13:18:16 -0000 1.3 > +++ regress/lib/libcrypto/dsa/dsatest.c 26 Jun 2016 17:19:51 -0000 > @@ -182,13 +182,6 @@ int main(int argc, char **argv) > goto end; > } > > - dsa->flags |= DSA_FLAG_NO_EXP_CONSTTIME; > - DSA_generate_key(dsa); > - DSA_sign(0, str1, 20, sig, &siglen, dsa); > - if (DSA_verify(0, str1, 20, sig, siglen, dsa) == 1) > - ret=1; > - > - dsa->flags &= ~DSA_FLAG_NO_EXP_CONSTTIME; > DSA_generate_key(dsa); > DSA_sign(0, str1, 20, sig, &siglen, dsa); > if (DSA_verify(0, str1, 20, sig, siglen, dsa) == 1) >