Hi Brent and Bob,

Sorry for the delayed response.

I believe the patch is good. Please proceed at your own convenience.

Thanks for the support.

Regards,

On Wed, Jun 29, 2016 at 10:40 AM Brent Cook <bust...@gmail.com> wrote:

>
>
> On Sun, Jun 26, 2016 at 12:22 PM, Brent Cook <bust...@gmail.com> wrote:
>
>> On Sun, Jun 26, 2016 at 06:26:36AM +0000, César Pereida wrote:
>> >
>> > On Sun, Jun 26, 2016, 8:19 AM Brent Cook <bust...@gmail.com> wrote:
>> >
>>
> > > Hmm, on second review, something seems odd.
>> > >
>> > > César, why does this patch also replace all of the stack-allocated
>> > > BIGNUM's with heap ones? Why add a new set of failure cases?
>> > >
>>
> > Hi Brent,
>> >
>> > As far as I remember this is what I did for the RSA patch so I
>> maintained
>> > consistency with that one.
>> >
>> > Are there any problems with that approach?
>> >
>> > Regards,
>>
>> Hi César,
>>
>> Yeah, I think the original stack variables are preferable, since all we
>> are doing is cloning the fields from the original BIGNUM and adding a
>> flag. Here's a revised patch with regress tests fixed as well:
>>
>> ok?
>>
>
> Is it too late in the 6.0 cycle to get this one in? Feels like I need to
> get it in soon if not...
>
>
>
>> Index: lib/libssl/src/crypto/dh/dh.h
>
>
>> ===================================================================
>> RCS file: /cvs/src/lib/libssl/src/crypto/dh/dh.h,v
>> retrieving revision 1.16
>> diff -u -p -u -p -r1.16 dh.h
>>
> --- lib/libssl/src/crypto/dh/dh.h       12 Jun 2014 15:49:28 -0000
>> 1.16
>>
> +++ lib/libssl/src/crypto/dh/dh.h       26 Jun 2016 17:19:39 -0000
>
>
>> @@ -78,13 +78,6 @@
>>  #endif
>>
>>  #define DH_FLAG_CACHE_MONT_P     0x01
>> -#define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH
>> -                                       * implementation now uses
>> constant time
>> -                                       * modular exponentiation for
>> secret exponents
>> -                                       * by default. This flag causes the
>> -                                       * faster variable sliding window
>> method to
>> -                                       * be used for all exponents.
>> -                                       */
>>
>>  /* If this flag is set the DH method is FIPS compliant and can be used
>>   * in FIPS mode. This is set in the validated module method. If an
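Review bot: Deleting `DH_FLAG_NO_EXP_CONSTTIME` outright breaks source compatibility for any application that still references the macro, since the header no longer defines it at all. The dsa.h hunk in this same patch shows the gentler precedent that was already in use there — `DSA_FLAG_NO_EXP_CONSTTIME 0x00 /* Does nothing */` — so the same treatment could be applied here: `#define DH_FLAG_NO_EXP_CONSTTIME 0x00 /* Does nothing; constant-time exponentiation is always used. */`. If a deliberate API break for 6.0 is intended, that should be stated in the commit message so downstream ports know to patch. The same consideration applies to the dsa.h and rsa.h hunks that remove their counterparts.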
>>
> Index: lib/libssl/src/crypto/dh/dh_key.c
>
>
>> ===================================================================
>> RCS file: /cvs/src/lib/libssl/src/crypto/dh/dh_key.c,v
>> retrieving revision 1.23
>> diff -u -p -u -p -r1.23 dh_key.c
>>
> --- lib/libssl/src/crypto/dh/dh_key.c   9 Feb 2015 15:49:22 -0000
>>  1.23
>> +++ lib/libssl/src/crypto/dh/dh_key.c   26 Jun 2016 17:19:39 -0000
>>
> @@ -147,21 +147,16 @@ generate_key(DH *dh)
>
>
>>         }
>>
>>         {
>> -               BIGNUM local_prk;
>> -               BIGNUM *prk;
>>
> +               BIGNUM prk;
>
>
>>
>> -               if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) {
>> -                       BN_init(&local_prk);
>> -                       prk = &local_prk;
>> -                       BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
>> -               } else
>> -                       prk = priv_key;
>>
> +               BN_with_flags(&prk, priv_key, BN_FLG_CONSTTIME);
>>
>> -               if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, prk, dh->p,
>> ctx,
>> -                   mont))
>
>
>> +               if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, &prk,
>> dh->p, ctx,
>> +                   mont)) {
>>                         goto err;
>> +               }
>>
>         }
>
>
>> -
>> +
>>         dh->pub_key = pub_key;
>>         dh->priv_key = priv_key;
>>         ok = 1;
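Review bot: The new stack `BIGNUM prk;` is handed to `BN_with_flags` without the `BN_init(&local_prk)` that the removed lines performed, so every field of `prk` is indeterminate when the macro runs. If `BN_with_flags` is the usual macro form that folds `dest->flags & BN_FLG_MALLOCED` into the new flags word, that is a read of an uninitialized `flags` (undefined behaviour) and can leave a stray BN_FLG_MALLOCED bit on `prk`; adding `BN_init(&prk);` immediately before `BN_with_flags(&prk, priv_key, BN_FLG_CONSTTIME);` restores the previous guarantee at no cost. The same pattern recurs for the stack BIGNUMs introduced in the dsa_key.c, rsa_crpt.c, rsa_eay.c and rsa_gen.c hunks, none of which call BN_init either. generate_key begins and ends outside this hunk.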
>>
> @@ -206,10 +201,9 @@ compute_key(unsigned char *key, const BI
>
>
>>         if (dh->flags & DH_FLAG_CACHE_MONT_P) {
>>                 mont = BN_MONT_CTX_set_locked(&dh->method_mont_p,
>>                     CRYPTO_LOCK_DH, dh->p, ctx);
>> -               if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) {
>> -                       /* XXX */
>> -                       BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
>> -               }
>> +
>> +               BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
>> +
>>                 if (!mont)
>>                         goto err;
>>         }
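Review bot: `BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);` is still executed only inside the `if (dh->flags & DH_FLAG_CACHE_MONT_P)` block, so a DH object without that flag proceeds to the exponentiation with an unflagged private key; the removed `/* XXX */` marker was the only hint that this was a known gap, and the patch drops the hint while keeping the gap. Since the purpose of the change is to make constant-time exponentiation unconditional, the call belongs above the `if`, or better, a local copy as generate_key does — `BIGNUM prk; BN_with_flags(&prk, dh->priv_key, BN_FLG_CONSTTIME);` passed to `bn_mod_exp` — which also avoids permanently mutating the caller's key flags. The exponentiation call itself lies below this hunk, so whether it honours the flag is inferred from the generate_key path rather than visible here; compute_key begins before the hunk.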
>>
> @@ -238,16 +232,7 @@ static int
>
>
>>  dh_bn_mod_exp(const DH *dh, BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
>>      const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
>>  {
>> -       /*
>> -        * If a is only one word long and constant time is false, use the
>> faster
>> -        * exponenentiation function.
>> -        */
>> -       if (a->top == 1 && (dh->flags & DH_FLAG_NO_EXP_CONSTTIME) != 0) {
>> -               BN_ULONG A = a->d[0];
>> -
>> -               return BN_mod_exp_mont_word(r, A, p, m, ctx, m_ctx);
>> -       } else
>> -               return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
>> +       return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
>>  }
>>
>>  static int
>>
> Index: lib/libssl/src/crypto/dsa/dsa.h
>
>
>> ===================================================================
>> RCS file: /cvs/src/lib/libssl/src/crypto/dsa/dsa.h,v
>> retrieving revision 1.20
>> diff -u -p -u -p -r1.20 dsa.h
>>
> --- lib/libssl/src/crypto/dsa/dsa.h     21 Jun 2016 04:16:53 -0000
>> 1.20
>>
> +++ lib/libssl/src/crypto/dsa/dsa.h     26 Jun 2016 17:19:40 -0000
>
>
>> @@ -89,9 +89,6 @@
>>  #endif
>>
>>  #define DSA_FLAG_CACHE_MONT_P  0x01
>> -#define DSA_FLAG_NO_EXP_CONSTTIME       0x00 /* Does nothing. Previously
>> this switched off
>> -                                              * constant time behaviour.
>> -                                              */
>>
>>  /* If this flag is set the DSA method is FIPS compliant and can be used
>>   * in FIPS mode. This is set in the validated module method. If an
>>
> Index: lib/libssl/src/crypto/dsa/dsa_key.c
>> ===================================================================
>> RCS file: /cvs/src/lib/libssl/src/crypto/dsa/dsa_key.c,v
>> retrieving revision 1.21
>> diff -u -p -u -p -r1.21 dsa_key.c
>> --- lib/libssl/src/crypto/dsa/dsa_key.c 21 Jun 2016 04:16:53 -0000
>> 1.21
>> +++ lib/libssl/src/crypto/dsa/dsa_key.c 26 Jun 2016 17:19:40 -0000
>> @@ -104,18 +104,13 @@ dsa_builtin_keygen(DSA *dsa)
>>                 pub_key=dsa->pub_key;
>>
>>         {
>> -               BIGNUM *prk = BN_new();
>> +               BIGNUM prk;
>>
>> -               if (prk == NULL)
>> -                       goto err;
>> -
>> -               BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
>> +               BN_with_flags(&prk, priv_key, BN_FLG_CONSTTIME);
>>
>> -               if (!BN_mod_exp(pub_key, dsa->g, prk, dsa->p, ctx)) {
>> -                       BN_free(prk);
>> +               if (!BN_mod_exp(pub_key, dsa->g, &prk, dsa->p, ctx)) {
>>                         goto err;
>>                 }
>> -               BN_free(prk);
>>         }
>>
>>         dsa->priv_key = priv_key;
>> Index: lib/libssl/src/crypto/rsa/rsa.h
>>
> ===================================================================
>> RCS file: /cvs/src/lib/libssl/src/crypto/rsa/rsa.h,v
>> retrieving revision 1.27
>> diff -u -p -u -p -r1.27 rsa.h
>>
> --- lib/libssl/src/crypto/rsa/rsa.h     14 Feb 2015 15:10:39 -0000
>> 1.27
>>
> +++ lib/libssl/src/crypto/rsa/rsa.h     26 Jun 2016 17:19:43 -0000
>
>
>> @@ -194,16 +194,6 @@ struct rsa_st {
>>   */
>>  #define RSA_FLAG_NO_BLINDING           0x0080
>>
>> -/*
>> - * The built-in RSA implementation uses constant time operations by
>> default
>> - * in private key operations, e.g., constant time modular exponentiation,
>> - * modular inverse without leaking branches, division without leaking
>> branches.
>> - * This flag disables these constant time operations and results in
>> faster RSA
>> - * private key operations.
>> - */
>> -#define RSA_FLAG_NO_CONSTTIME          0x0100
>> -
>> -
>>  #define EVP_PKEY_CTX_set_rsa_padding(ctx, pad) \
>>         EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, -1,
>> EVP_PKEY_CTRL_RSA_PADDING, \
>>                                 pad, NULL)
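Review bot: Removing `RSA_FLAG_NO_CONSTTIME` frees bit value 0x0100 in `rsa->flags`, but binaries built against the old header may still set that bit, so the value should not be handed out to a future flag with a different meaning. A one-line placeholder keeps the bit reserved and documents why: `/* 0x0100 was RSA_FLAG_NO_CONSTTIME; now ignored, do not reuse. */`. Whether to additionally keep a no-op `#define RSA_FLAG_NO_CONSTTIME 0x0000` for source compatibility (the approach dsa.h had taken for its flag) is a separate call, but it should be made consciously rather than by omission.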
>>
> Index: lib/libssl/src/crypto/rsa/rsa_crpt.c
>
>
>> ===================================================================
>> RCS file: /cvs/src/lib/libssl/src/crypto/rsa/rsa_crpt.c,v
>> retrieving revision 1.14
>> diff -u -p -u -p -r1.14 rsa_crpt.c
>>
> --- lib/libssl/src/crypto/rsa/rsa_crpt.c        11 Feb 2015 03:19:37
>> -0000      1.14
>>
> +++ lib/libssl/src/crypto/rsa/rsa_crpt.c        26 Jun 2016 17:19:43 -0000
>
>
>> @@ -169,8 +169,8 @@ err:
>>  BN_BLINDING *
>>  RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx)
>>  {
>> -       BIGNUM local_n;
>> -       BIGNUM *e, *n;
>> +       BIGNUM *e;
>>
> +       BIGNUM n;
>
>
>>         BN_CTX *ctx;
>>         BN_BLINDING *ret = NULL;
>>
>> @@ -192,15 +192,11 @@ RSA_setup_blinding(RSA *rsa, BN_CTX *in_
>
>
>>         } else
>>                 e = rsa->e;
>>
>> -       if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
>> -               /* Set BN_FLG_CONSTTIME flag */
>> -               n = &local_n;
>> -               BN_with_flags(n, rsa->n, BN_FLG_CONSTTIME);
>> -       } else
>> -               n = rsa->n;
>>
> +       BN_with_flags(&n, rsa->n, BN_FLG_CONSTTIME);
>>
>> -       ret = BN_BLINDING_create_param(NULL, e, n, ctx,
>> rsa->meth->bn_mod_exp,
>>
> +       ret = BN_BLINDING_create_param(NULL, e, &n, ctx,
>> rsa->meth->bn_mod_exp,
>>             rsa->_method_mod_n);
>> +
>
>
>>         if (ret == NULL) {
>>                 RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_BN_LIB);
>>                 goto err;
>>
> Index: lib/libssl/src/crypto/rsa/rsa_eay.c
>
>
>> ===================================================================
>> RCS file: /cvs/src/lib/libssl/src/crypto/rsa/rsa_eay.c,v
>> retrieving revision 1.40
>> diff -u -p -u -p -r1.40 rsa_eay.c
>>
> --- lib/libssl/src/crypto/rsa/rsa_eay.c 10 Sep 2015 15:56:25 -0000
>> 1.40
>> +++ lib/libssl/src/crypto/rsa/rsa_eay.c 26 Jun 2016 17:19:45 -0000
>>
> @@ -426,24 +426,20 @@ RSA_eay_private_encrypt(int flen, const
>
>
>>                 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
>>                         goto err;
>>         } else {
>> -               BIGNUM local_d;
>> -               BIGNUM *d = NULL;
>>
> +               BIGNUM d;
>
>
>>
>> -               if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
>> -                       BN_init(&local_d);
>> -                       d = &local_d;
>> -                       BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
>> -               } else
>> -                       d = rsa->d;
>>
> +               BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME);
>
>
>>
>>                 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
>>                         if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
>> -                           CRYPTO_LOCK_RSA, rsa->n, ctx))
>> +                           CRYPTO_LOCK_RSA, rsa->n, ctx)) {
>>
>                                 goto err;
>> +                       }
>>
>> -               if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
>> -                   rsa->_method_mod_n))
>
>
>> +               if (!rsa->meth->bn_mod_exp(ret, f, &d, rsa->n, ctx,
>> +                   rsa->_method_mod_n)) {
>>                         goto err;
>> +               }
>>         }
>>
>>         if (blinding)
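Review bot: The braces added to the `BN_MONT_CTX_set_locked` check attach to the inner `if` only, leaving the outer `if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)` as an unbraced statement whose entire body is another `if` — legal, but the mixed bracing reads oddly beside the unbraced `if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) goto err;` just above it. Folding the two conditions into one test removes the nested-if shape entirely: `if ((rsa->flags & RSA_FLAG_CACHE_PUBLIC) && !BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) goto err;`. RSA_eay_private_encrypt begins and ends outside this hunk; the private_decrypt hunk below has the same shape.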
>>
> @@ -553,22 +549,20 @@ RSA_eay_private_decrypt(int flen, const
>
>
>>                 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
>>                         goto err;
>>         } else {
>> -               BIGNUM local_d;
>> -               BIGNUM *d = NULL;
>>
> +               BIGNUM d;
>
>
>>
>> -               if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
>> -                       d = &local_d;
>> -                       BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
>> -               } else
>> -                       d = rsa->d;
>>
> +               BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME);
>
>
>>
>>                 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
>>                         if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
>> -                           CRYPTO_LOCK_RSA, rsa->n, ctx))
>> +                           CRYPTO_LOCK_RSA, rsa->n, ctx)) {
>>
>                                 goto err;
>> -               if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
>> -                   rsa->_method_mod_n))
>> +                       }
>> +
>
>
>> +               if (!rsa->meth->bn_mod_exp(ret, f, &d, rsa->n, ctx,
>> +                   rsa->_method_mod_n)) {
>>                         goto err;
>> +               }
>>         }
>>
>>         if (blinding)
>>
> @@ -723,8 +717,7 @@ static int
>
>
>>  RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
>>  {
>>         BIGNUM *r1, *m1, *vrfy;
>> -       BIGNUM local_dmp1, local_dmq1, local_c, local_r1;
>> -       BIGNUM *dmp1, *dmq1, *c, *pr1;
>>
> +       BIGNUM dmp1, dmq1, c, pr1;
>
>
>>         int ret = 0;
>>
>>         BN_CTX_start(ctx);
>>
> @@ -737,33 +730,23 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM
>
>
>>         }
>>
>>         {
>> -               BIGNUM local_p, local_q;
>> -               BIGNUM *p = NULL, *q = NULL;
>>
> +               BIGNUM p, q;
>
>
>>
>>                 /*
>>                  * Make sure BN_mod_inverse in Montgomery intialization
>> uses the
>> -                * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is
>> set)
>> +                * BN_FLG_CONSTTIME flag
>>                  */
>> -               if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
>> -                       BN_init(&local_p);
>> -                       p = &local_p;
>> -                       BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
>> -
>> -                       BN_init(&local_q);
>> -                       q = &local_q;
>> -                       BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
>> -               } else {
>> -                       p = rsa->p;
>> -                       q = rsa->q;
>>
> -               }
>> +
>> +               BN_with_flags(&p, rsa->p, BN_FLG_CONSTTIME);
>>
> +               BN_with_flags(&q, rsa->q, BN_FLG_CONSTTIME);
>
>
>>
>>                 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) {
>>
>                         if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p,
>> -                           CRYPTO_LOCK_RSA, p, ctx))
>> -                               goto err;
>> -                       if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q,
>> -                           CRYPTO_LOCK_RSA, q, ctx))
>>
> +                            CRYPTO_LOCK_RSA, &p, ctx) ||
>> +                           !BN_MONT_CTX_set_locked(&rsa->_method_mod_q,
>
>
>> +                            CRYPTO_LOCK_RSA, &q, ctx)) {
>>                                 goto err;
>> +                       }
>>                 }
>>         }
>>
>> @@ -773,46 +756,34 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM
>
>
>>                         goto err;
>>
>>         /* compute I mod q */
>> -       if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
>> -               c = &local_c;
>> -               BN_with_flags(c, I, BN_FLG_CONSTTIME);
>> -               if (!BN_mod(r1, c, rsa->q, ctx))
>> -                       goto err;
>> -       } else {
>> -               if (!BN_mod(r1, I, rsa->q, ctx))
>> -                       goto err;
>>
> +       BN_with_flags(&c, I, BN_FLG_CONSTTIME);
>> +
>> +       if (!BN_mod(r1, &c, rsa->q, ctx)) {
>
>
>> +               goto err;
>>         }
>>
>>         /* compute r1^dmq1 mod q */
>> -       if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
>> -               dmq1 = &local_dmq1;
>> -               BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
>> -       } else
>> -               dmq1 = rsa->dmq1;
>>
> -       if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx,
>> -           rsa->_method_mod_q))
>> +       BN_with_flags(&dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
>> +
>
>
>> +       if (!rsa->meth->bn_mod_exp(m1, r1, &dmq1, rsa->q, ctx,
>> +           rsa->_method_mod_q)) {
>>                 goto err;
>> +       }
>>
>         /* compute I mod p */
>> -       if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
>> -               c = &local_c;
>> -               BN_with_flags(c, I, BN_FLG_CONSTTIME);
>> -               if (!BN_mod(r1, c, rsa->p, ctx))
>> -                       goto err;
>> -       } else {
>> -               if (!BN_mod(r1, I, rsa->p, ctx))
>> -                       goto err;
>>
> +       BN_with_flags(&c, I, BN_FLG_CONSTTIME);
>> +
>> +       if (!BN_mod(r1, &c, rsa->p, ctx)) {
>> +               goto err;
>>         }
>>
>>         /* compute r1^dmp1 mod p */
>> -       if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
>> -               dmp1 = &local_dmp1;
>> -               BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
>> -       } else
>> -               dmp1 = rsa->dmp1;
>>
> -       if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p, ctx,
>> -           rsa->_method_mod_p))
>> +       BN_with_flags(&dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
>> +
>
>
>> +       if (!rsa->meth->bn_mod_exp(r0, r1, &dmp1, rsa->p, ctx,
>> +           rsa->_method_mod_p)) {
>>                 goto err;
>> +       }
>>
>         if (!BN_sub(r0, r0, m1))
>>                 goto err;
>>
> @@ -828,13 +799,11 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM
>
>
>>                 goto err;
>>
>>         /* Turn BN_FLG_CONSTTIME flag on before division operation */
>> -       if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
>> -               pr1 = &local_r1;
>> -               BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
>> -       } else
>> -               pr1 = r1;
>> -       if (!BN_mod(r0, pr1, rsa->p, ctx))
>>
> +       BN_with_flags(&pr1, r1, BN_FLG_CONSTTIME);
>> +
>
>
>> +       if (!BN_mod(r0, &pr1, rsa->p, ctx)) {
>>                 goto err;
>>
> +       }
>>
>>         /*
>>          * If p < q it is occasionally possible for the correction of
>>
> @@ -875,18 +844,14 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM
>>                          * miscalculated CRT output, just do a raw
>> (slower)
>>
>                          * mod_exp and return that instead.
>>                          */
>>
> +                       BIGNUM d;
>
>
>>
>> -                       BIGNUM local_d;
>> -                       BIGNUM *d = NULL;
>>
> +                       BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME);
>
>
>>
>> -                       if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
>> -                               d = &local_d;
>> -                               BN_with_flags(d, rsa->d,
>> BN_FLG_CONSTTIME);
>> -                       } else
>> -                               d = rsa->d;
>>
> -                       if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx,
>> -                           rsa->_method_mod_n))
>
>
>> +                       if (!rsa->meth->bn_mod_exp(r0, I, &d, rsa->n, ctx,
>> +                           rsa->_method_mod_n)) {
>>                                 goto err;
>> +                       }
>>                 }
>>         }
>>         ret = 1;
>> Index: lib/libssl/src/crypto/rsa/rsa_gen.c
>>
> ===================================================================
>> RCS file: /cvs/src/lib/libssl/src/crypto/rsa/rsa_gen.c,v
>> retrieving revision 1.17
>> diff -u -p -u -p -r1.17 rsa_gen.c
>>
> --- lib/libssl/src/crypto/rsa/rsa_gen.c 9 Feb 2015 15:49:22 -0000
>>  1.17
>> +++ lib/libssl/src/crypto/rsa/rsa_gen.c 26 Jun 2016 17:19:45 -0000
>>
> @@ -90,8 +90,7 @@ static int
>
>
>>  rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
>>  {
>>         BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp;
>> -       BIGNUM local_r0, local_d, local_p;
>> -       BIGNUM *pr0, *d, *p;
>>
> +       BIGNUM pr0, d, p;
>
>
>>         int bitsp, bitsq, ok = -1, n = 0;
>>         BN_CTX *ctx = NULL;
>>
>> @@ -193,37 +192,31 @@ rsa_builtin_keygen(RSA *rsa, int bits, B
>
>
>>                 goto err;
>>         if (!BN_mul(r0, r1, r2, ctx))                   /* (p-1)(q-1) */
>>                 goto err;
>> -       if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
>> -               pr0 = &local_r0;
>> -               BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
>> -       } else
>> -               pr0 = r0;
>> -       if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx))  /* d */
>> +
>>
> +       BN_with_flags(&pr0, r0, BN_FLG_CONSTTIME);
>> +
>> +       if (!BN_mod_inverse(rsa->d, rsa->e, &pr0, ctx)) { /* d */
>>
>                 goto err;
>> +       }
>>
>>         /* set up d for correct BN_FLG_CONSTTIME flag */
>> -       if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
>> -               d = &local_d;
>> -               BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
>> -       } else
>> -               d = rsa->d;
>>
> +       BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME);
>
>
>>
>>         /* calculate d mod (p-1) */
>> -       if (!BN_mod(rsa->dmp1, d, r1, ctx))
>>
> +       if (!BN_mod(rsa->dmp1, &d, r1, ctx)) {
>
>
>>                 goto err;
>> +       }
>>
>>         /* calculate d mod (q-1) */
>> -       if (!BN_mod(rsa->dmq1, d, r2, ctx))
>>
> +       if (!BN_mod(rsa->dmq1, &d, r2, ctx))
>>
>                 goto err;
>>
>>         /* calculate inverse of q mod p */
>> -       if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
>> -               p = &local_p;
>> -               BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
>> -       } else
>> -               p = rsa->p;
>> -       if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx))
>>
> +       BN_with_flags(&p, rsa->p, BN_FLG_CONSTTIME);
>> +       if (!BN_mod_inverse(rsa->iqmp, rsa->q, &p, ctx)) {
>
>
>>                 goto err;
>> +       }
>>
>>         ok = 1;
>>  err:
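Review bot: Within this single hunk `if (!BN_mod(rsa->dmp1, &d, r1, ctx)) { goto err; }` is braced while the immediately following `if (!BN_mod(rsa->dmq1, &d, r2, ctx)) goto err;` is not, and the surrounding context (`if (!BN_mul(r0, r1, r2, ctx)) goto err;`) uses the unbraced form. The file's existing style is the unbraced single-statement `goto err;`, so dropping the new braces on the `dmp1`, `BN_mod_inverse` and `iqmp` checks keeps the diff minimal and consistent with its neighbours. rsa_builtin_keygen starts before this hunk.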
>>
> Index: regress/lib/libcrypto/dh/dhtest.c
>> ===================================================================
>> RCS file: /cvs/src/regress/lib/libcrypto/dh/dhtest.c,v
>> retrieving revision 1.3
>> diff -u -p -u -p -r1.3 dhtest.c
>> --- regress/lib/libcrypto/dh/dhtest.c   22 Oct 2014 13:18:16 -0000
>> 1.3
>> +++ regress/lib/libcrypto/dh/dhtest.c   26 Jun 2016 17:19:51 -0000
>> @@ -73,16 +73,30 @@
>>
>>  #include <openssl/dh.h>
>>
>> -static int cb(int p, int n, BN_GENCB *arg);
>> +static int cb(int p, int n, BN_GENCB *arg)
>> +{
>> +       char c='*';
>> +
>> +       if (p == 0)
>> +               c='.';
>> +       if (p == 1)
>> +               c='+';
>> +       if (p == 2)
>> +               c='*';
>> +       if (p == 3)
>> +               c='\n';
>> +       BIO_write(arg->arg,&c,1);
>> +       (void)BIO_flush(arg->arg);
>> +       return 1;
>> +}
>>
>>  int main(int argc, char *argv[])
>> -       {
>> +{
>>         BN_GENCB _cb;
>>         DH *a;
>> -       DH *b=NULL;
>>         char buf[12];
>> -       unsigned char *abuf=NULL,*bbuf=NULL;
>> -       int i,alen,blen,aout,bout,ret=1;
>> +       unsigned char *abuf=NULL;
>> +       int i,alen,aout,ret=1;
>>         BIO *out;
>>
>>         out=BIO_new(BIO_s_file());
>> @@ -90,11 +104,12 @@ int main(int argc, char *argv[])
>>         BIO_set_fp(out,stdout,BIO_NOCLOSE);
>>
>>         BN_GENCB_set(&_cb, &cb, out);
>> -       if(((a = DH_new()) == NULL) || !DH_generate_parameters_ex(a, 64,
>> -                               DH_GENERATOR_5, &_cb))
>> +       if (((a = DH_new()) == NULL) ||
>> +           !DH_generate_parameters_ex(a, 64, DH_GENERATOR_5, &_cb))
>>                 goto err;
>>
>> -       if (!DH_check(a, &i)) goto err;
>> +       if (!DH_check(a, &i))
>> +               goto err;
>>         if (i & DH_CHECK_P_NOT_PRIME)
>>                 BIO_puts(out, "p value is not prime\n");
>>         if (i & DH_CHECK_P_NOT_SAFE_PRIME)
>> @@ -110,81 +125,36 @@ int main(int argc, char *argv[])
>>         BN_print(out,a->g);
>>         BIO_puts(out,"\n");
>>
>> -       b=DH_new();
>> -       if (b == NULL) goto err;
>> -
>> -       b->p=BN_dup(a->p);
>> -       b->g=BN_dup(a->g);
>> -       if ((b->p == NULL) || (b->g == NULL)) goto err;
>> -
>> -       /* Set a to run with normal modexp and b to use constant time */
>> -       a->flags &= ~DH_FLAG_NO_EXP_CONSTTIME;
>> -       b->flags |= DH_FLAG_NO_EXP_CONSTTIME;
>> -
>> -       if (!DH_generate_key(a)) goto err;
>> +       if (!DH_generate_key(a))
>> +               goto err;
>>         BIO_puts(out,"pri 1=");
>>         BN_print(out,a->priv_key);
>>         BIO_puts(out,"\npub 1=");
>>         BN_print(out,a->pub_key);
>>         BIO_puts(out,"\n");
>>
>> -       if (!DH_generate_key(b)) goto err;
>> -       BIO_puts(out,"pri 2=");
>> -       BN_print(out,b->priv_key);
>> -       BIO_puts(out,"\npub 2=");
>> -       BN_print(out,b->pub_key);
>> -       BIO_puts(out,"\n");
>> -
>>         alen=DH_size(a);
>>         abuf=malloc(alen);
>> -       aout=DH_compute_key(abuf,b->pub_key,a);
>> +       aout=DH_compute_key(abuf,a->pub_key,a);
>>
>>         BIO_puts(out,"key1 =");
>> -       for (i=0; i<aout; i++)
>> -               {
>> +       for (i=0; i<aout; i++) {
>>                 snprintf(buf,sizeof buf,"%02X",abuf[i]);
>>                 BIO_puts(out,buf);
>> -               }
>> +       }
>>         BIO_puts(out,"\n");
>>
>> -       blen=DH_size(b);
>> -       bbuf=malloc(blen);
>> -       bout=DH_compute_key(bbuf,a->pub_key,b);
>> -
>> -       BIO_puts(out,"key2 =");
>> -       for (i=0; i<bout; i++)
>> -               {
>> -               snprintf(buf,sizeof buf,"%02X",bbuf[i]);
>> -               BIO_puts(out,buf);
>> -               }
>> -       BIO_puts(out,"\n");
>> -       if ((aout < 4) || (bout != aout) || (memcmp(abuf,bbuf,aout) != 0))
>> -               {
>> +       if (aout < 4) {
>>                 fprintf(stderr,"Error in DH routines\n");
>>                 ret=1;
>> -               }
>> -       else
>> +       } else
>>                 ret=0;
>>  err:
>>         ERR_print_errors_fp(stderr);
>>
>>         free(abuf);
>> -       free(bbuf);
>> -       if(b != NULL) DH_free(b);
>> -       if(a != NULL) DH_free(a);
>> +       if (a != NULL)
>> +               DH_free(a);
>>         BIO_free(out);
>>         exit(ret);
>> -       }
>> -
>> -static int cb(int p, int n, BN_GENCB *arg)
>> -       {
>> -       char c='*';
>> -
>> -       if (p == 0) c='.';
>> -       if (p == 1) c='+';
>> -       if (p == 2) c='*';
>> -       if (p == 3) c='\n';
>> -       BIO_write(arg->arg,&c,1);
>> -       (void)BIO_flush(arg->arg);
>> -       return 1;
>> -       }
>> +}
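Review bot: With the second party `b` removed, the test now calls `DH_compute_key(abuf, a->pub_key, a)` and checks only `aout < 4`, so it no longer verifies that two peers sharing p and g derive the same secret — the `bout != aout || memcmp(abuf, bbuf, aout)` comparison that actually exercised key agreement is gone. Only the two flag lines (`a->flags &= ~DH_FLAG_NO_EXP_CONSTTIME;` and `b->flags |= DH_FLAG_NO_EXP_CONSTTIME;`) needed to go; `b` with its `BN_dup` of `a->p`/`a->g`, its `DH_generate_key` and the `memcmp` should be retained so the regress test still proves DH_compute_key is correct rather than merely non-failing. Separately, `abuf=malloc(alen)` on a context line remains unchecked; `if (abuf == NULL) goto err;` would keep a failed allocation from reaching DH_compute_key.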
>> Index: regress/lib/libcrypto/dsa/dsatest.c
>> ===================================================================
>> RCS file: /cvs/src/regress/lib/libcrypto/dsa/dsatest.c,v
>> retrieving revision 1.3
>> diff -u -p -u -p -r1.3 dsatest.c
>> --- regress/lib/libcrypto/dsa/dsatest.c 22 Oct 2014 13:18:16 -0000
>> 1.3
>> +++ regress/lib/libcrypto/dsa/dsatest.c 26 Jun 2016 17:19:51 -0000
>> @@ -182,13 +182,6 @@ int main(int argc, char **argv)
>>                 goto end;
>>                 }
>>
>> -       dsa->flags |= DSA_FLAG_NO_EXP_CONSTTIME;
>> -       DSA_generate_key(dsa);
>> -       DSA_sign(0, str1, 20, sig, &siglen, dsa);
>> -       if (DSA_verify(0, str1, 20, sig, siglen, dsa) == 1)
>> -               ret=1;
>> -
>> -       dsa->flags &= ~DSA_FLAG_NO_EXP_CONSTTIME;
>>         DSA_generate_key(dsa);
>>         DSA_sign(0, str1, 20, sig, &siglen, dsa);
>>         if (DSA_verify(0, str1, 20, sig, siglen, dsa) == 1)
>>
>
