On Sun, Jun 26, 2016 at 12:22 PM, Brent Cook <bust...@gmail.com> wrote:
> On Sun, Jun 26, 2016 at 06:26:36AM +0000, César Pereida wrote:
> >
> > On Sun, Jun 26, 2016, 8:19 AM Brent Cook <bust...@gmail.com> wrote:
> >
> > > Hmm, on second review, something seems odd.
> > >
> > > César, why does this patch also replace all of the stack-allocated
> > > BIGNUM's with heap ones? Why add a new set of failure cases?
> > >
> > Hi Brent,
> >
> > As far as I remember this is what I did for the RSA patch so I maintained
> > consistency with that one.
> >
> > Are there any problems with that approach?
> >
> > Regards,
>
> Hi César,
>
> Yeah, I think the original stack variables are preferable, since all we
> are doing is cloning the fields from the original BIGNUM and adding a
> flag. Here's a revised patch with regress tests fixed as well:
>
> ok?
>
Is it too late in the 6.0 cycle to get this one in? Feels like I need to
get it in soon if not...
> Index: lib/libssl/src/crypto/dh/dh.h
> ===================================================================
> RCS file: /cvs/src/lib/libssl/src/crypto/dh/dh.h,v
> retrieving revision 1.16
> diff -u -p -u -p -r1.16 dh.h
> --- lib/libssl/src/crypto/dh/dh.h 12 Jun 2014 15:49:28 -0000
> 1.16
> +++ lib/libssl/src/crypto/dh/dh.h 26 Jun 2016 17:19:39 -0000
> @@ -78,13 +78,6 @@
> #endif
>
> #define DH_FLAG_CACHE_MONT_P 0x01
> -#define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH
> - * implementation now uses constant
> time
> - * modular exponentiation for
> secret exponents
> - * by default. This flag causes the
> - * faster variable sliding window
> method to
> - * be used for all exponents.
> - */
>
> /* If this flag is set the DH method is FIPS compliant and can be used
> * in FIPS mode. This is set in the validated module method. If an
> Index: lib/libssl/src/crypto/dh/dh_key.c
> ===================================================================
> RCS file: /cvs/src/lib/libssl/src/crypto/dh/dh_key.c,v
> retrieving revision 1.23
> diff -u -p -u -p -r1.23 dh_key.c
> --- lib/libssl/src/crypto/dh/dh_key.c 9 Feb 2015 15:49:22 -0000
> 1.23
> +++ lib/libssl/src/crypto/dh/dh_key.c 26 Jun 2016 17:19:39 -0000
> @@ -147,21 +147,16 @@ generate_key(DH *dh)
> }
>
> {
> - BIGNUM local_prk;
> - BIGNUM *prk;
> + BIGNUM prk;
>
> - if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) {
> - BN_init(&local_prk);
> - prk = &local_prk;
> - BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
> - } else
> - prk = priv_key;
> + BN_with_flags(&prk, priv_key, BN_FLG_CONSTTIME);
>
> - if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, prk, dh->p,
> ctx,
> - mont))
> + if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, &prk, dh->p,
> ctx,
> + mont)) {
> goto err;
> + }
> }
> -
> +
> dh->pub_key = pub_key;
> dh->priv_key = priv_key;
> ok = 1;
> @@ -206,10 +201,9 @@ compute_key(unsigned char *key, const BI
> if (dh->flags & DH_FLAG_CACHE_MONT_P) {
> mont = BN_MONT_CTX_set_locked(&dh->method_mont_p,
> CRYPTO_LOCK_DH, dh->p, ctx);
> - if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) {
> - /* XXX */
> - BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
> - }
> +
> + BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
> +
> if (!mont)
> goto err;
> }
> @@ -238,16 +232,7 @@ static int
> dh_bn_mod_exp(const DH *dh, BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
> const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
> {
> - /*
> - * If a is only one word long and constant time is false, use the
> faster
> - * exponenentiation function.
> - */
> - if (a->top == 1 && (dh->flags & DH_FLAG_NO_EXP_CONSTTIME) != 0) {
> - BN_ULONG A = a->d[0];
> -
> - return BN_mod_exp_mont_word(r, A, p, m, ctx, m_ctx);
> - } else
> - return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
> + return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
> }
>
> static int
> Index: lib/libssl/src/crypto/dsa/dsa.h
> ===================================================================
> RCS file: /cvs/src/lib/libssl/src/crypto/dsa/dsa.h,v
> retrieving revision 1.20
> diff -u -p -u -p -r1.20 dsa.h
> --- lib/libssl/src/crypto/dsa/dsa.h 21 Jun 2016 04:16:53 -0000
> 1.20
> +++ lib/libssl/src/crypto/dsa/dsa.h 26 Jun 2016 17:19:40 -0000
> @@ -89,9 +89,6 @@
> #endif
>
> #define DSA_FLAG_CACHE_MONT_P 0x01
> -#define DSA_FLAG_NO_EXP_CONSTTIME 0x00 /* Does nothing. Previously
> this switched off
> - * constant time behaviour.
> - */
>
> /* If this flag is set the DSA method is FIPS compliant and can be used
> * in FIPS mode. This is set in the validated module method. If an
> Index: lib/libssl/src/crypto/dsa/dsa_key.c
> ===================================================================
> RCS file: /cvs/src/lib/libssl/src/crypto/dsa/dsa_key.c,v
> retrieving revision 1.21
> diff -u -p -u -p -r1.21 dsa_key.c
> --- lib/libssl/src/crypto/dsa/dsa_key.c 21 Jun 2016 04:16:53 -0000
> 1.21
> +++ lib/libssl/src/crypto/dsa/dsa_key.c 26 Jun 2016 17:19:40 -0000
> @@ -104,18 +104,13 @@ dsa_builtin_keygen(DSA *dsa)
> pub_key=dsa->pub_key;
>
> {
> - BIGNUM *prk = BN_new();
> + BIGNUM prk;
>
> - if (prk == NULL)
> - goto err;
> -
> - BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
> + BN_with_flags(&prk, priv_key, BN_FLG_CONSTTIME);
>
> - if (!BN_mod_exp(pub_key, dsa->g, prk, dsa->p, ctx)) {
> - BN_free(prk);
> + if (!BN_mod_exp(pub_key, dsa->g, &prk, dsa->p, ctx)) {
> goto err;
> }
> - BN_free(prk);
> }
>
> dsa->priv_key = priv_key;
> Index: lib/libssl/src/crypto/rsa/rsa.h
> ===================================================================
> RCS file: /cvs/src/lib/libssl/src/crypto/rsa/rsa.h,v
> retrieving revision 1.27
> diff -u -p -u -p -r1.27 rsa.h
> --- lib/libssl/src/crypto/rsa/rsa.h 14 Feb 2015 15:10:39 -0000
> 1.27
> +++ lib/libssl/src/crypto/rsa/rsa.h 26 Jun 2016 17:19:43 -0000
> @@ -194,16 +194,6 @@ struct rsa_st {
> */
> #define RSA_FLAG_NO_BLINDING 0x0080
>
> -/*
> - * The built-in RSA implementation uses constant time operations by
> default
> - * in private key operations, e.g., constant time modular exponentiation,
> - * modular inverse without leaking branches, division without leaking
> branches.
> - * This flag disables these constant time operations and results in
> faster RSA
> - * private key operations.
> - */
> -#define RSA_FLAG_NO_CONSTTIME 0x0100
> -
> -
> #define EVP_PKEY_CTX_set_rsa_padding(ctx, pad) \
> EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, -1,
> EVP_PKEY_CTRL_RSA_PADDING, \
> pad, NULL)
> Index: lib/libssl/src/crypto/rsa/rsa_crpt.c
> ===================================================================
> RCS file: /cvs/src/lib/libssl/src/crypto/rsa/rsa_crpt.c,v
> retrieving revision 1.14
> diff -u -p -u -p -r1.14 rsa_crpt.c
> --- lib/libssl/src/crypto/rsa/rsa_crpt.c 11 Feb 2015 03:19:37
> -0000 1.14
> +++ lib/libssl/src/crypto/rsa/rsa_crpt.c 26 Jun 2016 17:19:43 -0000
> @@ -169,8 +169,8 @@ err:
> BN_BLINDING *
> RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx)
> {
> - BIGNUM local_n;
> - BIGNUM *e, *n;
> + BIGNUM *e;
> + BIGNUM n;
> BN_CTX *ctx;
> BN_BLINDING *ret = NULL;
>
> @@ -192,15 +192,11 @@ RSA_setup_blinding(RSA *rsa, BN_CTX *in_
> } else
> e = rsa->e;
>
> - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
> - /* Set BN_FLG_CONSTTIME flag */
> - n = &local_n;
> - BN_with_flags(n, rsa->n, BN_FLG_CONSTTIME);
> - } else
> - n = rsa->n;
> + BN_with_flags(&n, rsa->n, BN_FLG_CONSTTIME);
>
> - ret = BN_BLINDING_create_param(NULL, e, n, ctx,
> rsa->meth->bn_mod_exp,
> + ret = BN_BLINDING_create_param(NULL, e, &n, ctx,
> rsa->meth->bn_mod_exp,
> rsa->_method_mod_n);
> +
> if (ret == NULL) {
> RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_BN_LIB);
> goto err;
> Index: lib/libssl/src/crypto/rsa/rsa_eay.c
> ===================================================================
> RCS file: /cvs/src/lib/libssl/src/crypto/rsa/rsa_eay.c,v
> retrieving revision 1.40
> diff -u -p -u -p -r1.40 rsa_eay.c
> --- lib/libssl/src/crypto/rsa/rsa_eay.c 10 Sep 2015 15:56:25 -0000
> 1.40
> +++ lib/libssl/src/crypto/rsa/rsa_eay.c 26 Jun 2016 17:19:45 -0000
> @@ -426,24 +426,20 @@ RSA_eay_private_encrypt(int flen, const
> if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
> goto err;
> } else {
> - BIGNUM local_d;
> - BIGNUM *d = NULL;
> + BIGNUM d;
>
> - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
> - BN_init(&local_d);
> - d = &local_d;
> - BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
> - } else
> - d = rsa->d;
> + BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME);
>
> if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
> if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
> - CRYPTO_LOCK_RSA, rsa->n, ctx))
> + CRYPTO_LOCK_RSA, rsa->n, ctx)) {
> goto err;
> + }
>
> - if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
> - rsa->_method_mod_n))
> + if (!rsa->meth->bn_mod_exp(ret, f, &d, rsa->n, ctx,
> + rsa->_method_mod_n)) {
> goto err;
> + }
> }
>
> if (blinding)
> @@ -553,22 +549,20 @@ RSA_eay_private_decrypt(int flen, const
> if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
> goto err;
> } else {
> - BIGNUM local_d;
> - BIGNUM *d = NULL;
> + BIGNUM d;
>
> - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
> - d = &local_d;
> - BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
> - } else
> - d = rsa->d;
> + BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME);
>
> if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
> if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
> - CRYPTO_LOCK_RSA, rsa->n, ctx))
> + CRYPTO_LOCK_RSA, rsa->n, ctx)) {
> goto err;
> - if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
> - rsa->_method_mod_n))
> + }
> +
> + if (!rsa->meth->bn_mod_exp(ret, f, &d, rsa->n, ctx,
> + rsa->_method_mod_n)) {
> goto err;
> + }
> }
>
> if (blinding)
> @@ -723,8 +717,7 @@ static int
> RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
> {
> BIGNUM *r1, *m1, *vrfy;
> - BIGNUM local_dmp1, local_dmq1, local_c, local_r1;
> - BIGNUM *dmp1, *dmq1, *c, *pr1;
> + BIGNUM dmp1, dmq1, c, pr1;
> int ret = 0;
>
> BN_CTX_start(ctx);
> @@ -737,33 +730,23 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM
> }
>
> {
> - BIGNUM local_p, local_q;
> - BIGNUM *p = NULL, *q = NULL;
> + BIGNUM p, q;
>
> /*
> * Make sure BN_mod_inverse in Montgomery intialization
> uses the
> - * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is
> set)
> + * BN_FLG_CONSTTIME flag
> */
> - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
> - BN_init(&local_p);
> - p = &local_p;
> - BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
> -
> - BN_init(&local_q);
> - q = &local_q;
> - BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
> - } else {
> - p = rsa->p;
> - q = rsa->q;
> - }
> +
> + BN_with_flags(&p, rsa->p, BN_FLG_CONSTTIME);
> + BN_with_flags(&q, rsa->q, BN_FLG_CONSTTIME);
>
> if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) {
> if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p,
> - CRYPTO_LOCK_RSA, p, ctx))
> - goto err;
> - if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q,
> - CRYPTO_LOCK_RSA, q, ctx))
> + CRYPTO_LOCK_RSA, &p, ctx) ||
> + !BN_MONT_CTX_set_locked(&rsa->_method_mod_q,
> + CRYPTO_LOCK_RSA, &q, ctx)) {
> goto err;
> + }
> }
> }
>
> @@ -773,46 +756,34 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM
> goto err;
>
> /* compute I mod q */
> - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
> - c = &local_c;
> - BN_with_flags(c, I, BN_FLG_CONSTTIME);
> - if (!BN_mod(r1, c, rsa->q, ctx))
> - goto err;
> - } else {
> - if (!BN_mod(r1, I, rsa->q, ctx))
> - goto err;
> + BN_with_flags(&c, I, BN_FLG_CONSTTIME);
> +
> + if (!BN_mod(r1, &c, rsa->q, ctx)) {
> + goto err;
> }
>
> /* compute r1^dmq1 mod q */
> - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
> - dmq1 = &local_dmq1;
> - BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
> - } else
> - dmq1 = rsa->dmq1;
> - if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx,
> - rsa->_method_mod_q))
> + BN_with_flags(&dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
> +
> + if (!rsa->meth->bn_mod_exp(m1, r1, &dmq1, rsa->q, ctx,
> + rsa->_method_mod_q)) {
> goto err;
> + }
>
> /* compute I mod p */
> - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
> - c = &local_c;
> - BN_with_flags(c, I, BN_FLG_CONSTTIME);
> - if (!BN_mod(r1, c, rsa->p, ctx))
> - goto err;
> - } else {
> - if (!BN_mod(r1, I, rsa->p, ctx))
> - goto err;
> + BN_with_flags(&c, I, BN_FLG_CONSTTIME);
> +
> + if (!BN_mod(r1, &c, rsa->p, ctx)) {
> + goto err;
> }
>
> /* compute r1^dmp1 mod p */
> - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
> - dmp1 = &local_dmp1;
> - BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
> - } else
> - dmp1 = rsa->dmp1;
> - if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p, ctx,
> - rsa->_method_mod_p))
> + BN_with_flags(&dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
> +
> + if (!rsa->meth->bn_mod_exp(r0, r1, &dmp1, rsa->p, ctx,
> + rsa->_method_mod_p)) {
> goto err;
> + }
>
> if (!BN_sub(r0, r0, m1))
> goto err;
> @@ -828,13 +799,11 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM
> goto err;
>
> /* Turn BN_FLG_CONSTTIME flag on before division operation */
> - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
> - pr1 = &local_r1;
> - BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
> - } else
> - pr1 = r1;
> - if (!BN_mod(r0, pr1, rsa->p, ctx))
> + BN_with_flags(&pr1, r1, BN_FLG_CONSTTIME);
> +
> + if (!BN_mod(r0, &pr1, rsa->p, ctx)) {
> goto err;
> + }
>
> /*
> * If p < q it is occasionally possible for the correction of
> @@ -875,18 +844,14 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM
> * miscalculated CRT output, just do a raw (slower)
> * mod_exp and return that instead.
> */
> + BIGNUM d;
>
> - BIGNUM local_d;
> - BIGNUM *d = NULL;
> + BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME);
>
> - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
> - d = &local_d;
> - BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
> - } else
> - d = rsa->d;
> - if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx,
> - rsa->_method_mod_n))
> + if (!rsa->meth->bn_mod_exp(r0, I, &d, rsa->n, ctx,
> + rsa->_method_mod_n)) {
> goto err;
> + }
> }
> }
> ret = 1;
> Index: lib/libssl/src/crypto/rsa/rsa_gen.c
> ===================================================================
> RCS file: /cvs/src/lib/libssl/src/crypto/rsa/rsa_gen.c,v
> retrieving revision 1.17
> diff -u -p -u -p -r1.17 rsa_gen.c
> --- lib/libssl/src/crypto/rsa/rsa_gen.c 9 Feb 2015 15:49:22 -0000
> 1.17
> +++ lib/libssl/src/crypto/rsa/rsa_gen.c 26 Jun 2016 17:19:45 -0000
> @@ -90,8 +90,7 @@ static int
> rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
> {
> BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp;
> - BIGNUM local_r0, local_d, local_p;
> - BIGNUM *pr0, *d, *p;
> + BIGNUM pr0, d, p;
> int bitsp, bitsq, ok = -1, n = 0;
> BN_CTX *ctx = NULL;
>
> @@ -193,37 +192,31 @@ rsa_builtin_keygen(RSA *rsa, int bits, B
> goto err;
> if (!BN_mul(r0, r1, r2, ctx)) /* (p-1)(q-1) */
> goto err;
> - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
> - pr0 = &local_r0;
> - BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
> - } else
> - pr0 = r0;
> - if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx)) /* d */
> +
> + BN_with_flags(&pr0, r0, BN_FLG_CONSTTIME);
> +
> + if (!BN_mod_inverse(rsa->d, rsa->e, &pr0, ctx)) { /* d */
> goto err;
> + }
>
> /* set up d for correct BN_FLG_CONSTTIME flag */
> - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
> - d = &local_d;
> - BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
> - } else
> - d = rsa->d;
> + BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME);
>
> /* calculate d mod (p-1) */
> - if (!BN_mod(rsa->dmp1, d, r1, ctx))
> + if (!BN_mod(rsa->dmp1, &d, r1, ctx)) {
> goto err;
> + }
>
> /* calculate d mod (q-1) */
> - if (!BN_mod(rsa->dmq1, d, r2, ctx))
> + if (!BN_mod(rsa->dmq1, &d, r2, ctx))
> goto err;
>
> /* calculate inverse of q mod p */
> - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
> - p = &local_p;
> - BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
> - } else
> - p = rsa->p;
> - if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx))
> + BN_with_flags(&p, rsa->p, BN_FLG_CONSTTIME);
> + if (!BN_mod_inverse(rsa->iqmp, rsa->q, &p, ctx)) {
> goto err;
> + }
>
> ok = 1;
> err:
> Index: regress/lib/libcrypto/dh/dhtest.c
> ===================================================================
> RCS file: /cvs/src/regress/lib/libcrypto/dh/dhtest.c,v
> retrieving revision 1.3
> diff -u -p -u -p -r1.3 dhtest.c
> --- regress/lib/libcrypto/dh/dhtest.c 22 Oct 2014 13:18:16 -0000 1.3
> +++ regress/lib/libcrypto/dh/dhtest.c 26 Jun 2016 17:19:51 -0000
> @@ -73,16 +73,30 @@
>
> #include <openssl/dh.h>
>
> -static int cb(int p, int n, BN_GENCB *arg);
> +static int cb(int p, int n, BN_GENCB *arg)
> +{
> + char c='*';
> +
> + if (p == 0)
> + c='.';
> + if (p == 1)
> + c='+';
> + if (p == 2)
> + c='*';
> + if (p == 3)
> + c='\n';
> + BIO_write(arg->arg,&c,1);
> + (void)BIO_flush(arg->arg);
> + return 1;
> +}
>
> int main(int argc, char *argv[])
> - {
> +{
> BN_GENCB _cb;
> DH *a;
> - DH *b=NULL;
> char buf[12];
> - unsigned char *abuf=NULL,*bbuf=NULL;
> - int i,alen,blen,aout,bout,ret=1;
> + unsigned char *abuf=NULL;
> + int i,alen,aout,ret=1;
> BIO *out;
>
> out=BIO_new(BIO_s_file());
> @@ -90,11 +104,12 @@ int main(int argc, char *argv[])
> BIO_set_fp(out,stdout,BIO_NOCLOSE);
>
> BN_GENCB_set(&_cb, &cb, out);
> - if(((a = DH_new()) == NULL) || !DH_generate_parameters_ex(a, 64,
> - DH_GENERATOR_5, &_cb))
> + if (((a = DH_new()) == NULL) ||
> + !DH_generate_parameters_ex(a, 64, DH_GENERATOR_5, &_cb))
> goto err;
>
> - if (!DH_check(a, &i)) goto err;
> + if (!DH_check(a, &i))
> + goto err;
> if (i & DH_CHECK_P_NOT_PRIME)
> BIO_puts(out, "p value is not prime\n");
> if (i & DH_CHECK_P_NOT_SAFE_PRIME)
> @@ -110,81 +125,36 @@ int main(int argc, char *argv[])
> BN_print(out,a->g);
> BIO_puts(out,"\n");
>
> - b=DH_new();
> - if (b == NULL) goto err;
> -
> - b->p=BN_dup(a->p);
> - b->g=BN_dup(a->g);
> - if ((b->p == NULL) || (b->g == NULL)) goto err;
> -
> - /* Set a to run with normal modexp and b to use constant time */
> - a->flags &= ~DH_FLAG_NO_EXP_CONSTTIME;
> - b->flags |= DH_FLAG_NO_EXP_CONSTTIME;
> -
> - if (!DH_generate_key(a)) goto err;
> + if (!DH_generate_key(a))
> + goto err;
> BIO_puts(out,"pri 1=");
> BN_print(out,a->priv_key);
> BIO_puts(out,"\npub 1=");
> BN_print(out,a->pub_key);
> BIO_puts(out,"\n");
>
> - if (!DH_generate_key(b)) goto err;
> - BIO_puts(out,"pri 2=");
> - BN_print(out,b->priv_key);
> - BIO_puts(out,"\npub 2=");
> - BN_print(out,b->pub_key);
> - BIO_puts(out,"\n");
> -
> alen=DH_size(a);
> abuf=malloc(alen);
> - aout=DH_compute_key(abuf,b->pub_key,a);
> + aout=DH_compute_key(abuf,a->pub_key,a);
>
> BIO_puts(out,"key1 =");
> - for (i=0; i<aout; i++)
> - {
> + for (i=0; i<aout; i++) {
> snprintf(buf,sizeof buf,"%02X",abuf[i]);
> BIO_puts(out,buf);
> - }
> + }
> BIO_puts(out,"\n");
>
> - blen=DH_size(b);
> - bbuf=malloc(blen);
> - bout=DH_compute_key(bbuf,a->pub_key,b);
> -
> - BIO_puts(out,"key2 =");
> - for (i=0; i<bout; i++)
> - {
> - snprintf(buf,sizeof buf,"%02X",bbuf[i]);
> - BIO_puts(out,buf);
> - }
> - BIO_puts(out,"\n");
> - if ((aout < 4) || (bout != aout) || (memcmp(abuf,bbuf,aout) != 0))
> - {
> + if (aout < 4) {
> fprintf(stderr,"Error in DH routines\n");
> ret=1;
> - }
> - else
> + } else
> ret=0;
> err:
> ERR_print_errors_fp(stderr);
>
> free(abuf);
> - free(bbuf);
> - if(b != NULL) DH_free(b);
> - if(a != NULL) DH_free(a);
> + if (a != NULL)
> + DH_free(a);
> BIO_free(out);
> exit(ret);
> - }
> -
> -static int cb(int p, int n, BN_GENCB *arg)
> - {
> - char c='*';
> -
> - if (p == 0) c='.';
> - if (p == 1) c='+';
> - if (p == 2) c='*';
> - if (p == 3) c='\n';
> - BIO_write(arg->arg,&c,1);
> - (void)BIO_flush(arg->arg);
> - return 1;
> - }
> +}
> Index: regress/lib/libcrypto/dsa/dsatest.c
> ===================================================================
> RCS file: /cvs/src/regress/lib/libcrypto/dsa/dsatest.c,v
> retrieving revision 1.3
> diff -u -p -u -p -r1.3 dsatest.c
> --- regress/lib/libcrypto/dsa/dsatest.c 22 Oct 2014 13:18:16 -0000 1.3
> +++ regress/lib/libcrypto/dsa/dsatest.c 26 Jun 2016 17:19:51 -0000
> @@ -182,13 +182,6 @@ int main(int argc, char **argv)
> goto end;
> }
>
> - dsa->flags |= DSA_FLAG_NO_EXP_CONSTTIME;
> - DSA_generate_key(dsa);
> - DSA_sign(0, str1, 20, sig, &siglen, dsa);
> - if (DSA_verify(0, str1, 20, sig, siglen, dsa) == 1)
> - ret=1;
> -
> - dsa->flags &= ~DSA_FLAG_NO_EXP_CONSTTIME;
> DSA_generate_key(dsa);
> DSA_sign(0, str1, 20, sig, &siglen, dsa);
> if (DSA_verify(0, str1, 20, sig, siglen, dsa) == 1)
>
