Hi Brent and Bob, Sorry for the delayed response.
I believe the patch is good. Please proceed at your own convenience. Thanks for the support. Regards, On Wed, Jun 29, 2016 at 10:40 AM Brent Cook <bust...@gmail.com> wrote: > > > On Sun, Jun 26, 2016 at 12:22 PM, Brent Cook <bust...@gmail.com> wrote: > >> On Sun, Jun 26, 2016 at 06:26:36AM +0000, César Pereida wrote: >> > >> > On Sun, Jun 26, 2016, 8:19 AM Brent Cook <bust...@gmail.com> wrote: >> > >> > > > Hmm, on second review, something seems odd. >> > > >> > > César, why does this patch also replace all of the stack-allocated >> > > BIGNUM's with heap ones? Why add a new set of failure cases? >> > > >> > > Hi Brent, >> > >> > As far as I remember this is what I did for the RSA patch so I >> maintained >> > consistency with that one. >> > >> > Are there any problems with that approach? >> > >> > Regards, >> >> Hi César, >> >> Yeah, I think the original stack variables are preferable, since all we >> are doing is cloning the fields from the original BIGNUM and adding a >> flag. Here's a revised patch with regress tests fixed as well: >> >> ok? >> > > Is it too late in the 6.0 cycle to get this one in? Feels like I need to > get it in soon if not... > > > >> Index: lib/libssl/src/crypto/dh/dh.h > > >> =================================================================== >> RCS file: /cvs/src/lib/libssl/src/crypto/dh/dh.h,v >> retrieving revision 1.16 >> diff -u -p -u -p -r1.16 dh.h >> > --- lib/libssl/src/crypto/dh/dh.h 12 Jun 2014 15:49:28 -0000 >> 1.16 >> > +++ lib/libssl/src/crypto/dh/dh.h 26 Jun 2016 17:19:39 -0000 
> > >> @@ -78,13 +78,6 @@ >> #endif >> >> #define DH_FLAG_CACHE_MONT_P 0x01 >> -#define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH >> - * implementation now uses >> constant time >> - * modular exponentiation for >> secret exponents >> - * by default. This flag causes the >> - * faster variable sliding window >> method to >> - * be used for all exponents. >> - */ >> >> /* If this flag is set the DH method is FIPS compliant and can be used >> * in FIPS mode. This is set in the validated module method. If an >> > Index: lib/libssl/src/crypto/dh/dh_key.c > > >> =================================================================== >> RCS file: /cvs/src/lib/libssl/src/crypto/dh/dh_key.c,v >> retrieving revision 1.23 >> diff -u -p -u -p -r1.23 dh_key.c >> > --- lib/libssl/src/crypto/dh/dh_key.c 9 Feb 2015 15:49:22 -0000 >> 1.23 >> +++ lib/libssl/src/crypto/dh/dh_key.c 26 Jun 2016 17:19:39 -0000 >> > @@ -147,21 +147,16 @@ generate_key(DH *dh) > > >> } >> >> { >> - BIGNUM local_prk; >> - BIGNUM *prk; >> > + BIGNUM prk; > > >> >> - if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) { >> - BN_init(&local_prk); >> - prk = &local_prk; >> - BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME); >> - } else >> - prk = priv_key; >> > + BN_with_flags(&prk, priv_key, BN_FLG_CONSTTIME); >> >> - if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, prk, dh->p, >> ctx, >> - mont)) > > >> + if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, &prk, >> dh->p, ctx, >> + mont)) { >> goto err; >> + } >> > } > > >> - >> + >> dh->pub_key = pub_key; >> dh->priv_key = priv_key; >> ok = 1; 
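Review bot: In the generate_key hunk, `BN_with_flags(&prk, priv_key, BN_FLG_CONSTTIME);` now operates on an uninitialized stack `BIGNUM prk`, whereas the removed code called `BN_init(&local_prk)` first. If BN_with_flags is the usual macro that folds `(dest)->flags & BN_FLG_MALLOCED` into the new flags word, this reads an indeterminate field; keeping `BN_init(&prk);` immediately before the BN_with_flags call avoids that at no cost. The same initialization is dropped in the RSA_eay_private_encrypt hunk (`BN_init(&local_d)`) and in the RSA_eay_mod_exp p/q hunk (`BN_init(&local_p)`, `BN_init(&local_q)`), and the dsa_builtin_keygen hunk replaces a zeroed `BN_new()` object with the same uninitialized local. generate_key's body begins and ends outside this hunk.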
>> > @@ -206,10 +201,9 @@ compute_key(unsigned char *key, const BI > > >> if (dh->flags & DH_FLAG_CACHE_MONT_P) { >> mont = BN_MONT_CTX_set_locked(&dh->method_mont_p, >> CRYPTO_LOCK_DH, dh->p, ctx); >> - if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) { >> - /* XXX */ >> - BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME); >> - } >> + >> + BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME); >> + >> if (!mont) >> goto err; >> } >> > @@ -238,16 +232,7 @@ static int > > >> dh_bn_mod_exp(const DH *dh, BIGNUM *r, const BIGNUM *a, const BIGNUM *p, >> const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx) >> { >> - /* >> - * If a is only one word long and constant time is false, use the >> faster >> - * exponenentiation function. >> - */ >> - if (a->top == 1 && (dh->flags & DH_FLAG_NO_EXP_CONSTTIME) != 0) { >> - BN_ULONG A = a->d[0]; >> - >> - return BN_mod_exp_mont_word(r, A, p, m, ctx, m_ctx); >> - } else >> - return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx); >> + return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx); >> } >> >> static int >> > Index: lib/libssl/src/crypto/dsa/dsa.h > > >> =================================================================== >> RCS file: /cvs/src/lib/libssl/src/crypto/dsa/dsa.h,v >> retrieving revision 1.20 >> diff -u -p -u -p -r1.20 dsa.h >> > --- lib/libssl/src/crypto/dsa/dsa.h 21 Jun 2016 04:16:53 -0000 >> 1.20 >> > +++ lib/libssl/src/crypto/dsa/dsa.h 26 Jun 2016 17:19:40 -0000 
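Review bot: The now-unconditional `BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);` in compute_key is still nested inside `if (dh->flags & DH_FLAG_CACHE_MONT_P)`, so a DH object without the Montgomery-cache flag never gets the constant-time flag on its private exponent; the deleted `/* XXX */` suggests that placement was already suspect. If the intent matches the generate_key hunk (always constant time), move the call out of that branch, or better mirror generate_key with a flagged local copy: `BIGNUM prk; BN_init(&prk); BN_with_flags(&prk, dh->priv_key, BN_FLG_CONSTTIME);` and pass `&prk` to the exponentiation, which also avoids permanently mutating the caller's key object. The bn_mod_exp call and the rest of compute_key lie outside the hunk, so I cannot confirm from here which exponent pointer it uses.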
> > >> @@ -89,9 +89,6 @@ >> #endif >> >> #define DSA_FLAG_CACHE_MONT_P 0x01 >> -#define DSA_FLAG_NO_EXP_CONSTTIME 0x00 /* Does nothing. Previously >> this switched off >> - * constant time behaviour. >> - */ >> >> /* If this flag is set the DSA method is FIPS compliant and can be used >> * in FIPS mode. This is set in the validated module method. If an >> > Index: lib/libssl/src/crypto/dsa/dsa_key.c >> =================================================================== >> RCS file: /cvs/src/lib/libssl/src/crypto/dsa/dsa_key.c,v >> retrieving revision 1.21 >> diff -u -p -u -p -r1.21 dsa_key.c >> --- lib/libssl/src/crypto/dsa/dsa_key.c 21 Jun 2016 04:16:53 -0000 >> 1.21 >> +++ lib/libssl/src/crypto/dsa/dsa_key.c 26 Jun 2016 17:19:40 -0000 >> @@ -104,18 +104,13 @@ dsa_builtin_keygen(DSA *dsa) >> pub_key=dsa->pub_key; >> >> { >> - BIGNUM *prk = BN_new(); >> + BIGNUM prk; >> >> - if (prk == NULL) >> - goto err; >> - >> - BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME); >> + BN_with_flags(&prk, priv_key, BN_FLG_CONSTTIME); >> >> - if (!BN_mod_exp(pub_key, dsa->g, prk, dsa->p, ctx)) { >> - BN_free(prk); >> + if (!BN_mod_exp(pub_key, dsa->g, &prk, dsa->p, ctx)) { >> goto err; >> } >> - BN_free(prk); >> } >> >> dsa->priv_key = priv_key; >> Index: lib/libssl/src/crypto/rsa/rsa.h >> > =================================================================== >> RCS file: /cvs/src/lib/libssl/src/crypto/rsa/rsa.h,v >> retrieving revision 1.27 >> diff -u -p -u -p -r1.27 rsa.h >> > --- lib/libssl/src/crypto/rsa/rsa.h 14 Feb 2015 15:10:39 -0000 >> 1.27 >> > +++ lib/libssl/src/crypto/rsa/rsa.h 26 Jun 2016 17:19:43 -0000 
> > >> @@ -194,16 +194,6 @@ struct rsa_st { >> */ >> #define RSA_FLAG_NO_BLINDING 0x0080 >> >> -/* >> - * The built-in RSA implementation uses constant time operations by >> default >> - * in private key operations, e.g., constant time modular exponentiation, >> - * modular inverse without leaking branches, division without leaking >> branches. >> - * This flag disables these constant time operations and results in >> faster RSA >> - * private key operations. >> - */ >> -#define RSA_FLAG_NO_CONSTTIME 0x0100 >> - >> - >> #define EVP_PKEY_CTX_set_rsa_padding(ctx, pad) \ >> EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, -1, >> EVP_PKEY_CTRL_RSA_PADDING, \ >> pad, NULL) >> > Index: lib/libssl/src/crypto/rsa/rsa_crpt.c > > >> =================================================================== >> RCS file: /cvs/src/lib/libssl/src/crypto/rsa/rsa_crpt.c,v >> retrieving revision 1.14 >> diff -u -p -u -p -r1.14 rsa_crpt.c >> > --- lib/libssl/src/crypto/rsa/rsa_crpt.c 11 Feb 2015 03:19:37 >> -0000 1.14 >> > +++ lib/libssl/src/crypto/rsa/rsa_crpt.c 26 Jun 2016 17:19:43 -0000 > > >> @@ -169,8 +169,8 @@ err: >> BN_BLINDING * >> RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx) >> { >> - BIGNUM local_n; >> - BIGNUM *e, *n; >> + BIGNUM *e; >> > + BIGNUM n; > > >> BN_CTX *ctx; >> BN_BLINDING *ret = NULL; 
>> >> @@ -192,15 +192,11 @@ RSA_setup_blinding(RSA *rsa, BN_CTX *in_ > > >> } else >> e = rsa->e; >> >> - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { >> - /* Set BN_FLG_CONSTTIME flag */ >> - n = &local_n; >> - BN_with_flags(n, rsa->n, BN_FLG_CONSTTIME); >> - } else >> - n = rsa->n; >> > + BN_with_flags(&n, rsa->n, BN_FLG_CONSTTIME); >> >> - ret = BN_BLINDING_create_param(NULL, e, n, ctx, >> rsa->meth->bn_mod_exp, >> > + ret = BN_BLINDING_create_param(NULL, e, &n, ctx, >> rsa->meth->bn_mod_exp, >> rsa->_method_mod_n); >> + > > >> if (ret == NULL) { >> RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_BN_LIB); >> goto err; >> > Index: lib/libssl/src/crypto/rsa/rsa_eay.c > > >> =================================================================== >> RCS file: /cvs/src/lib/libssl/src/crypto/rsa/rsa_eay.c,v >> retrieving revision 1.40 >> diff -u -p -u -p -r1.40 rsa_eay.c >> > --- lib/libssl/src/crypto/rsa/rsa_eay.c 10 Sep 2015 15:56:25 -0000 >> 1.40 >> +++ lib/libssl/src/crypto/rsa/rsa_eay.c 26 Jun 2016 17:19:45 -0000 >> > @@ -426,24 +426,20 @@ RSA_eay_private_encrypt(int flen, const > > >> if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) >> goto err; >> } else { >> - BIGNUM local_d; >> - BIGNUM *d = NULL; >> > + BIGNUM d; > > >> >> - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { >> - BN_init(&local_d); >> - d = &local_d; >> - BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); >> - } else >> - d = rsa->d; >> > + BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME); > > >> >> if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) >> if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, >> - CRYPTO_LOCK_RSA, rsa->n, ctx)) >> + CRYPTO_LOCK_RSA, rsa->n, ctx)) { >> > goto err; >> + } >> >> - if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx, >> - rsa->_method_mod_n)) > > >> + if (!rsa->meth->bn_mod_exp(ret, f, &d, rsa->n, ctx, >> + rsa->_method_mod_n)) { >> goto err; >> + } >> } >> >> if (blinding) 
>> > @@ -553,22 +549,20 @@ RSA_eay_private_decrypt(int flen, const > > >> if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) >> goto err; >> } else { >> - BIGNUM local_d; >> - BIGNUM *d = NULL; >> > + BIGNUM d; > > >> >> - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { >> - d = &local_d; >> - BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); >> - } else >> - d = rsa->d; >> > + BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME); > > >> >> if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) >> if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, >> - CRYPTO_LOCK_RSA, rsa->n, ctx)) >> + CRYPTO_LOCK_RSA, rsa->n, ctx)) { >> > goto err; >> - if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx, >> - rsa->_method_mod_n)) >> + } >> + > > >> + if (!rsa->meth->bn_mod_exp(ret, f, &d, rsa->n, ctx, >> + rsa->_method_mod_n)) { >> goto err; >> + } >> } >> >> if (blinding) >> > @@ -723,8 +717,7 @@ static int > > >> RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) >> { >> BIGNUM *r1, *m1, *vrfy; >> - BIGNUM local_dmp1, local_dmq1, local_c, local_r1; >> - BIGNUM *dmp1, *dmq1, *c, *pr1; >> > + BIGNUM dmp1, dmq1, c, pr1; > > >> int ret = 0; >> >> BN_CTX_start(ctx); 
>> > @@ -737,33 +730,23 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM > > >> } >> >> { >> - BIGNUM local_p, local_q; >> - BIGNUM *p = NULL, *q = NULL; >> > + BIGNUM p, q; > > >> >> /* >> * Make sure BN_mod_inverse in Montgomery intialization >> uses the >> - * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is >> set) >> + * BN_FLG_CONSTTIME flag >> */ >> - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { >> - BN_init(&local_p); >> - p = &local_p; >> - BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME); >> - >> - BN_init(&local_q); >> - q = &local_q; >> - BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME); >> - } else { >> - p = rsa->p; >> - q = rsa->q; >> > - } >> + >> + BN_with_flags(&p, rsa->p, BN_FLG_CONSTTIME); >> > + BN_with_flags(&q, rsa->q, BN_FLG_CONSTTIME); > > >> >> if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) { >> > if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, >> - CRYPTO_LOCK_RSA, p, ctx)) >> - goto err; >> - if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q, >> - CRYPTO_LOCK_RSA, q, ctx)) >> > + CRYPTO_LOCK_RSA, &p, ctx) || >> + !BN_MONT_CTX_set_locked(&rsa->_method_mod_q, > > >> + CRYPTO_LOCK_RSA, &q, ctx)) { >> goto err; >> + } >> } >> } 
>> >> @@ -773,46 +756,34 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM > > >> goto err; >> >> /* compute I mod q */ >> - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { >> - c = &local_c; >> - BN_with_flags(c, I, BN_FLG_CONSTTIME); >> - if (!BN_mod(r1, c, rsa->q, ctx)) >> - goto err; >> - } else { >> - if (!BN_mod(r1, I, rsa->q, ctx)) >> - goto err; >> > + BN_with_flags(&c, I, BN_FLG_CONSTTIME); >> + >> + if (!BN_mod(r1, &c, rsa->q, ctx)) { > > >> + goto err; >> } >> >> /* compute r1^dmq1 mod q */ >> - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { >> - dmq1 = &local_dmq1; >> - BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME); >> - } else >> - dmq1 = rsa->dmq1; >> > - if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx, >> - rsa->_method_mod_q)) >> + BN_with_flags(&dmq1, rsa->dmq1, BN_FLG_CONSTTIME); >> + > > >> + if (!rsa->meth->bn_mod_exp(m1, r1, &dmq1, rsa->q, ctx, >> + rsa->_method_mod_q)) { >> goto err; >> + } >> > /* compute I mod p */ >> - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { >> - c = &local_c; >> - BN_with_flags(c, I, BN_FLG_CONSTTIME); >> - if (!BN_mod(r1, c, rsa->p, ctx)) >> - goto err; >> - } else { >> - if (!BN_mod(r1, I, rsa->p, ctx)) >> - goto err; >> > + BN_with_flags(&c, I, BN_FLG_CONSTTIME); >> + >> + if (!BN_mod(r1, &c, rsa->p, ctx)) { >> + goto err; >> } >> >> /* compute r1^dmp1 mod p */ >> - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { >> - dmp1 = &local_dmp1; >> - BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME); >> - } else >> - dmp1 = rsa->dmp1; >> > - if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p, ctx, >> - rsa->_method_mod_p)) >> + BN_with_flags(&dmp1, rsa->dmp1, BN_FLG_CONSTTIME); >> + > > >> + if (!rsa->meth->bn_mod_exp(r0, r1, &dmp1, rsa->p, ctx, >> + rsa->_method_mod_p)) { >> goto err; >> + } >> > if (!BN_sub(r0, r0, m1)) >> goto err; 
>> > @@ -828,13 +799,11 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM > > >> goto err; >> >> /* Turn BN_FLG_CONSTTIME flag on before division operation */ >> - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { >> - pr1 = &local_r1; >> - BN_with_flags(pr1, r1, BN_FLG_CONSTTIME); >> - } else >> - pr1 = r1; >> - if (!BN_mod(r0, pr1, rsa->p, ctx)) >> > + BN_with_flags(&pr1, r1, BN_FLG_CONSTTIME); >> + > > >> + if (!BN_mod(r0, &pr1, rsa->p, ctx)) { >> goto err; >> > + } >> >> /* >> * If p < q it is occasionally possible for the correction of >> > @@ -875,18 +844,14 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM >> * miscalculated CRT output, just do a raw >> (slower) >> > * mod_exp and return that instead. >> */ >> > + BIGNUM d; > > >> >> - BIGNUM local_d; >> - BIGNUM *d = NULL; >> > + BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME); > > >> >> - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { >> - d = &local_d; >> - BN_with_flags(d, rsa->d, >> BN_FLG_CONSTTIME); >> - } else >> - d = rsa->d; >> > - if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx, >> - rsa->_method_mod_n)) > > >> + if (!rsa->meth->bn_mod_exp(r0, I, &d, rsa->n, ctx, >> + rsa->_method_mod_n)) { >> goto err; >> + } >> } >> } >> ret = 1; >> Index: lib/libssl/src/crypto/rsa/rsa_gen.c >> > =================================================================== >> RCS file: /cvs/src/lib/libssl/src/crypto/rsa/rsa_gen.c,v >> retrieving revision 1.17 >> diff -u -p -u -p -r1.17 rsa_gen.c >> > --- lib/libssl/src/crypto/rsa/rsa_gen.c 9 Feb 2015 15:49:22 -0000 >> 1.17 >> +++ lib/libssl/src/crypto/rsa/rsa_gen.c 26 Jun 2016 17:19:45 -0000 >> > @@ -90,8 +90,7 @@ static int > > >> rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) >> { >> BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp; >> - BIGNUM local_r0, local_d, local_p; >> - BIGNUM *pr0, *d, *p; >> > + BIGNUM pr0, d, p; > > >> int bitsp, bitsq, ok = -1, n = 0; >> BN_CTX *ctx = NULL; 
>> >> @@ -193,37 +192,31 @@ rsa_builtin_keygen(RSA *rsa, int bits, B > > >> goto err; >> if (!BN_mul(r0, r1, r2, ctx)) /* (p-1)(q-1) */ >> goto err; >> - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { >> - pr0 = &local_r0; >> - BN_with_flags(pr0, r0, BN_FLG_CONSTTIME); >> - } else >> - pr0 = r0; >> - if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx)) /* d */ >> + >> > + BN_with_flags(&pr0, r0, BN_FLG_CONSTTIME); >> + >> + if (!BN_mod_inverse(rsa->d, rsa->e, &pr0, ctx)) { /* d */ >> > goto err; >> + } >> >> /* set up d for correct BN_FLG_CONSTTIME flag */ >> - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { >> - d = &local_d; >> - BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); >> - } else >> - d = rsa->d; >> > + BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME); > > >> >> /* calculate d mod (p-1) */ >> - if (!BN_mod(rsa->dmp1, d, r1, ctx)) >> > + if (!BN_mod(rsa->dmp1, &d, r1, ctx)) { > > >> goto err; >> + } >> >> /* calculate d mod (q-1) */ >> - if (!BN_mod(rsa->dmq1, d, r2, ctx)) >> > + if (!BN_mod(rsa->dmq1, &d, r2, ctx)) >> > goto err; >> >> /* calculate inverse of q mod p */ >> - if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) { >> - p = &local_p; >> - BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME); >> - } else >> - p = rsa->p; >> - if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx)) >> > + BN_with_flags(&p, rsa->p, BN_FLG_CONSTTIME); >> + if (!BN_mod_inverse(rsa->iqmp, rsa->q, &p, ctx)) { > > >> goto err; >> + } >> >> ok = 1; >> err: >> > Index: regress/lib/libcrypto/dh/dhtest.c >> =================================================================== >> RCS file: /cvs/src/regress/lib/libcrypto/dh/dhtest.c,v >> retrieving revision 1.3 >> diff -u -p -u -p -r1.3 dhtest.c >> --- regress/lib/libcrypto/dh/dhtest.c 22 Oct 2014 13:18:16 -0000 >> 1.3 >> +++ regress/lib/libcrypto/dh/dhtest.c 26 Jun 2016 17:19:51 -0000 
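Review bot: Bracing is inconsistent within the rsa_builtin_keygen hunk: `if (!BN_mod(rsa->dmq1, &d, r2, ctx))` keeps a braceless `goto err;` while the adjacent `BN_mod(rsa->dmp1, ...)` and both `BN_mod_inverse` calls were given braces in the same change. Pick one form; the consistent edit is `if (!BN_mod(rsa->dmq1, &d, r2, ctx)) {` followed by `goto err;` and a closing `}`. The `/* d */` comment now trails the opening brace, `if (!BN_mod_inverse(rsa->d, rsa->e, &pr0, ctx)) { /* d */`, which reads oddly; a line of its own above the `if` is clearer. The function's err: label and cleanup continue outside the hunk.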
>> @@ -73,16 +73,30 @@ >> >> #include <openssl/dh.h> >> >> -static int cb(int p, int n, BN_GENCB *arg); >> +static int cb(int p, int n, BN_GENCB *arg) >> +{ >> + char c='*'; >> + >> + if (p == 0) >> + c='.'; >> + if (p == 1) >> + c='+'; >> + if (p == 2) >> + c='*'; >> + if (p == 3) >> + c='\n'; >> + BIO_write(arg->arg,&c,1); >> + (void)BIO_flush(arg->arg); >> + return 1; >> +} >> >> int main(int argc, char *argv[]) >> - { >> +{ >> BN_GENCB _cb; >> DH *a; >> - DH *b=NULL; >> char buf[12]; >> - unsigned char *abuf=NULL,*bbuf=NULL; >> - int i,alen,blen,aout,bout,ret=1; >> + unsigned char *abuf=NULL; >> + int i,alen,aout,ret=1; >> BIO *out; >> >> out=BIO_new(BIO_s_file()); >> @@ -90,11 +104,12 @@ int main(int argc, char *argv[]) >> BIO_set_fp(out,stdout,BIO_NOCLOSE); >> >> BN_GENCB_set(&_cb, &cb, out); >> - if(((a = DH_new()) == NULL) || !DH_generate_parameters_ex(a, 64, >> - DH_GENERATOR_5, &_cb)) >> + if (((a = DH_new()) == NULL) || >> + !DH_generate_parameters_ex(a, 64, DH_GENERATOR_5, &_cb)) >> goto err; >> >> - if (!DH_check(a, &i)) goto err; >> + if (!DH_check(a, &i)) >> + goto err; >> if (i & DH_CHECK_P_NOT_PRIME) >> BIO_puts(out, "p value is not prime\n"); >> if (i & DH_CHECK_P_NOT_SAFE_PRIME) 
>> @@ -110,81 +125,36 @@ int main(int argc, char *argv[]) >> BN_print(out,a->g); >> BIO_puts(out,"\n"); >> >> - b=DH_new(); >> - if (b == NULL) goto err; >> - >> - b->p=BN_dup(a->p); >> - b->g=BN_dup(a->g); >> - if ((b->p == NULL) || (b->g == NULL)) goto err; >> - >> - /* Set a to run with normal modexp and b to use constant time */ >> - a->flags &= ~DH_FLAG_NO_EXP_CONSTTIME; >> - b->flags |= DH_FLAG_NO_EXP_CONSTTIME; >> - >> - if (!DH_generate_key(a)) goto err; >> + if (!DH_generate_key(a)) >> + goto err; >> BIO_puts(out,"pri 1="); >> BN_print(out,a->priv_key); >> BIO_puts(out,"\npub 1="); >> BN_print(out,a->pub_key); >> BIO_puts(out,"\n"); >> >> - if (!DH_generate_key(b)) goto err; >> - BIO_puts(out,"pri 2="); >> - BN_print(out,b->priv_key); >> - BIO_puts(out,"\npub 2="); >> - BN_print(out,b->pub_key); >> - BIO_puts(out,"\n"); >> - >> alen=DH_size(a); >> abuf=malloc(alen); >> - aout=DH_compute_key(abuf,b->pub_key,a); >> + aout=DH_compute_key(abuf,a->pub_key,a); >> >> BIO_puts(out,"key1 ="); >> - for (i=0; i<aout; i++) >> - { >> + for (i=0; i<aout; i++) { >> snprintf(buf,sizeof buf,"%02X",abuf[i]); >> BIO_puts(out,buf); >> - } >> + } >> BIO_puts(out,"\n"); >> >> - blen=DH_size(b); >> - bbuf=malloc(blen); >> - bout=DH_compute_key(bbuf,a->pub_key,b); >> - >> - BIO_puts(out,"key2 ="); >> - for (i=0; i<bout; i++) >> - { >> - snprintf(buf,sizeof buf,"%02X",bbuf[i]); >> - BIO_puts(out,buf); >> - } >> - BIO_puts(out,"\n"); >> - if ((aout < 4) || (bout != aout) || (memcmp(abuf,bbuf,aout) != 0)) >> - { >> + if (aout < 4) { >> fprintf(stderr,"Error in DH routines\n"); >> ret=1; >> - } >> - else >> + } else >> ret=0; >> err: >> ERR_print_errors_fp(stderr); >> >> free(abuf); >> - free(bbuf); >> - if(b != NULL) DH_free(b); >> - if(a != NULL) DH_free(a); >> + if (a != NULL) >> + DH_free(a); >> BIO_free(out); >> exit(ret); >> - } >> - >> -static int cb(int p, int n, BN_GENCB *arg) >> - { >> - char c='*'; >> - >> - if (p == 0) c='.'; >> - if (p == 1) c='+'; >> - if (p == 2) 
c='*'; >> - if (p == 3) c='\n'; >> - BIO_write(arg->arg,&c,1); >> - (void)BIO_flush(arg->arg); >> - return 1; >> - } >> +} >> Index: regress/lib/libcrypto/dsa/dsatest.c >> =================================================================== >> RCS file: /cvs/src/regress/lib/libcrypto/dsa/dsatest.c,v >> retrieving revision 1.3 >> diff -u -p -u -p -r1.3 dsatest.c >> --- regress/lib/libcrypto/dsa/dsatest.c 22 Oct 2014 13:18:16 -0000 >> 1.3 >> +++ regress/lib/libcrypto/dsa/dsatest.c 26 Jun 2016 17:19:51 -0000 >> @@ -182,13 +182,6 @@ int main(int argc, char **argv) >> goto end; >> } >> >> - dsa->flags |= DSA_FLAG_NO_EXP_CONSTTIME; >> - DSA_generate_key(dsa); >> - DSA_sign(0, str1, 20, sig, &siglen, dsa); >> - if (DSA_verify(0, str1, 20, sig, siglen, dsa) == 1) >> - ret=1; >> - >> - dsa->flags &= ~DSA_FLAG_NO_EXP_CONSTTIME; >> DSA_generate_key(dsa); >> DSA_sign(0, str1, 20, sig, &siglen, dsa); >> if (DSA_verify(0, str1, 20, sig, siglen, dsa) == 1) >> >