kris
/
boringssl
1
0
Vork 0
Code Kwesties 0 Pull-aanvragen 0 Publicaties 0 Wiki Activiteit
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3578 Commits
12 Branches
38 MiB
Tree: 8a55ce4954
Branches Labels
${ item.name }
Maak branch ${ searchTerm }
van '8a55ce4954'
${ noResults }
boringssl/crypto/rsa/blinding.c

blinding.c 9.7 KiB
Ruw Normale weergave Geschiedenis

Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Remove string.h from base.h. Including string.h in base.h causes any file that includes a BoringSSL header to include string.h. Generally this wouldn't be a problem, although string.h might slow down the compile if it wasn't otherwise needed. However, it also causes problems for ipsec-tools in Android because OpenSSL didn't have this behaviour. This change removes string.h from base.h and, instead, adds it to each .c file that requires it. Change-Id: I5968e50b0e230fd3adf9b72dd2836e6f52d6fb37 Reviewed-on: https://boringssl-review.googlesource.com/3200 Reviewed-by: David Benjamin <davidben@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
9 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Remove string.h from base.h. Including string.h in base.h causes any file that includes a BoringSSL header to include string.h. Generally this wouldn't be a problem, although string.h might slow down the compile if it wasn't otherwise needed. However, it also causes problems for ipsec-tools in Android because OpenSSL didn't have this behaviour. This change removes string.h from base.h and, instead, adds it to each .c file that requires it. Change-Id: I5968e50b0e230fd3adf9b72dd2836e6f52d6fb37 Reviewed-on: https://boringssl-review.googlesource.com/3200 Reviewed-by: David Benjamin <davidben@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
9 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Convert RSA blinding to use Montgomery multiplication. |BN_mod_mul_montgomery| has better constant-time behavior (usually) than |BN_mod_mul| and |BN_mod_sqr| and on platforms where we have assembly language optimizations (when |OPENSSL_BN_ASM_MONT| is set in crypto/bn/montgomery.c) it is faster. While doing so, reorder and rename the |BN_MONT_CTX| parameters of the blinding functions to match the order normally used in Montgomery math functions. As a bonus, remove a redundant copy of the RSA public modulus from the |BN_BLINDING| structure, which reduces memory usage. Change-Id: I70597e40246429c7964947a1dc46d0d81c7530ef Reviewed-on: https://boringssl-review.googlesource.com/7524 Reviewed-by: David Benjamin <davidben@google.com>
8 jaren geleden
Clarify lifecycle of |BN_BLINDING|. In |bn_blinding_update| the condition |b->e != NULL| would never be true (probably), but the test made reasoning about the correctness of the code confusing. That confusion was amplified by the circuitous and unusual way in which |BN_BLINDING|s are constructed. Clarify all this by simplifying the construction of |BN_BLINDING|s, making it more like the construction of other structures. Also, make counter unsigned as it is no longer ever negative. Change-Id: I6161dcfeae19a80c780ccc6762314079fca1088b Reviewed-on: https://boringssl-review.googlesource.com/7530 Reviewed-by: David Benjamin <davidben@google.com>
8 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Require the public exponent to be available in RSA blinding. Require the public exponent to be available unless |RSA_FLAG_NO_BLINDING| is set on the key. Also, document this. If the public exponent |e| is not available, then we could compute it from |p|, |q|, and |d|. However, there's no reasonable situation in which we'd have |p| or |q| but not |e|; either we have all the CRT parameters, or we have (e, d, n), or we have only (d, n). The calculation to compute |e| exposes the private key to risk of side channel attacks. Also, it was particularly wasteful to compute |e| for each |BN_BLINDING| created, instead of just once before the first |BN_BLINDING| was created. |BN_BLINDING| now no longer needs to contain a duplicate copy of |e|, so it is now more space-efficient. Note that the condition |b->e != NULL| in |bn_blinding_update| was always true since commit cbf56a5683ddda831ff91c46ea48d1fba545db66. Change-Id: Ic2fd6980e0d359dcd53772a7c31bdd0267e316b4 Reviewed-on: https://boringssl-review.googlesource.com/7594 Reviewed-by: David Benjamin <davidben@google.com>
8 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Require the public exponent to be available in RSA blinding. Require the public exponent to be available unless |RSA_FLAG_NO_BLINDING| is set on the key. Also, document this. If the public exponent |e| is not available, then we could compute it from |p|, |q|, and |d|. However, there's no reasonable situation in which we'd have |p| or |q| but not |e|; either we have all the CRT parameters, or we have (e, d, n), or we have only (d, n). The calculation to compute |e| exposes the private key to risk of side channel attacks. Also, it was particularly wasteful to compute |e| for each |BN_BLINDING| created, instead of just once before the first |BN_BLINDING| was created. |BN_BLINDING| now no longer needs to contain a duplicate copy of |e|, so it is now more space-efficient. Note that the condition |b->e != NULL| in |bn_blinding_update| was always true since commit cbf56a5683ddda831ff91c46ea48d1fba545db66. Change-Id: Ic2fd6980e0d359dcd53772a7c31bdd0267e316b4 Reviewed-on: https://boringssl-review.googlesource.com/7594 Reviewed-by: David Benjamin <davidben@google.com>
8 jaren geleden
Clarify lifecycle of |BN_BLINDING|. In |bn_blinding_update| the condition |b->e != NULL| would never be true (probably), but the test made reasoning about the correctness of the code confusing. That confusion was amplified by the circuitous and unusual way in which |BN_BLINDING|s are constructed. Clarify all this by simplifying the construction of |BN_BLINDING|s, making it more like the construction of other structures. Also, make counter unsigned as it is no longer ever negative. Change-Id: I6161dcfeae19a80c780ccc6762314079fca1088b Reviewed-on: https://boringssl-review.googlesource.com/7530 Reviewed-by: David Benjamin <davidben@google.com>
8 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Remove the func parameter to OPENSSL_PUT_ERROR. Much of this was done automatically with find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' BUG=468039 Change-Id: I4c75fd95dff85ab1d4a546b05e6aed1aeeb499d8 Reviewed-on: https://boringssl-review.googlesource.com/5276 Reviewed-by: Adam Langley <agl@google.com>
9 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Clarify lifecycle of |BN_BLINDING|. In |bn_blinding_update| the condition |b->e != NULL| would never be true (probably), but the test made reasoning about the correctness of the code confusing. That confusion was amplified by the circuitous and unusual way in which |BN_BLINDING|s are constructed. Clarify all this by simplifying the construction of |BN_BLINDING|s, making it more like the construction of other structures. Also, make counter unsigned as it is no longer ever negative. Change-Id: I6161dcfeae19a80c780ccc6762314079fca1088b Reviewed-on: https://boringssl-review.googlesource.com/7530 Reviewed-by: David Benjamin <davidben@google.com>
8 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Remove unnecessary NULL checks, part 4. Finish up crypto, minus the legacy modules we haven't been touching much. Change-Id: I0e9e1999a627aed5fb14841f8a2a7d0b68398e85 Reviewed-on: https://boringssl-review.googlesource.com/4517 Reviewed-by: Adam Langley <agl@google.com>
9 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Remove unnecessary NULL checks, part 4. Finish up crypto, minus the legacy modules we haven't been touching much. Change-Id: I0e9e1999a627aed5fb14841f8a2a7d0b68398e85 Reviewed-on: https://boringssl-review.googlesource.com/4517 Reviewed-by: Adam Langley <agl@google.com>
9 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Require the public exponent to be available in RSA blinding. Require the public exponent to be available unless |RSA_FLAG_NO_BLINDING| is set on the key. Also, document this. If the public exponent |e| is not available, then we could compute it from |p|, |q|, and |d|. However, there's no reasonable situation in which we'd have |p| or |q| but not |e|; either we have all the CRT parameters, or we have (e, d, n), or we have only (d, n). The calculation to compute |e| exposes the private key to risk of side channel attacks. Also, it was particularly wasteful to compute |e| for each |BN_BLINDING| created, instead of just once before the first |BN_BLINDING| was created. |BN_BLINDING| now no longer needs to contain a duplicate copy of |e|, so it is now more space-efficient. Note that the condition |b->e != NULL| in |bn_blinding_update| was always true since commit cbf56a5683ddda831ff91c46ea48d1fba545db66. Change-Id: Ic2fd6980e0d359dcd53772a7c31bdd0267e316b4 Reviewed-on: https://boringssl-review.googlesource.com/7594 Reviewed-by: David Benjamin <davidben@google.com>
8 jaren geleden
Fix error handling in |bn_blinding_update|. The fields of the |bn_blinding_st| are not updated atomically. Consequently, one field (|A| or |Ai|) might get updated while the other field (|Ai| or |A|) doesn't get updated, if an error occurs in the middle of updating. Deal with this by reseting the counter so that |A| and |Ai| will both get recreated the next time the blinding is used. Fix a separate but related issue by resetting the counter to zero after calling |bn_blinding_create_param| only if |bn_blinding_create_param| succeeded. Previously, regardless of whether an error occured in |bn_blinding_create_param|, |b->counter| would get reset to zero. The consequence of this was that potentially-bad blinding values would get used 32 times instead of (32 - |b->counter|) times. Change-Id: I236cdb6120870ef06cba129ed86619f593cbcf3d Reviewed-on: https://boringssl-review.googlesource.com/7520 Reviewed-by: David Benjamin <davidben@google.com>
8 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Require the public exponent to be available in RSA blinding. Require the public exponent to be available unless |RSA_FLAG_NO_BLINDING| is set on the key. Also, document this. If the public exponent |e| is not available, then we could compute it from |p|, |q|, and |d|. However, there's no reasonable situation in which we'd have |p| or |q| but not |e|; either we have all the CRT parameters, or we have (e, d, n), or we have only (d, n). The calculation to compute |e| exposes the private key to risk of side channel attacks. Also, it was particularly wasteful to compute |e| for each |BN_BLINDING| created, instead of just once before the first |BN_BLINDING| was created. |BN_BLINDING| now no longer needs to contain a duplicate copy of |e|, so it is now more space-efficient. Note that the condition |b->e != NULL| in |bn_blinding_update| was always true since commit cbf56a5683ddda831ff91c46ea48d1fba545db66. Change-Id: Ic2fd6980e0d359dcd53772a7c31bdd0267e316b4 Reviewed-on: https://boringssl-review.googlesource.com/7594 Reviewed-by: David Benjamin <davidben@google.com>
8 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Fix error handling in |bn_blinding_update|. The fields of the |bn_blinding_st| are not updated atomically. Consequently, one field (|A| or |Ai|) might get updated while the other field (|Ai| or |A|) doesn't get updated, if an error occurs in the middle of updating. Deal with this by reseting the counter so that |A| and |Ai| will both get recreated the next time the blinding is used. Fix a separate but related issue by resetting the counter to zero after calling |bn_blinding_create_param| only if |bn_blinding_create_param| succeeded. Previously, regardless of whether an error occured in |bn_blinding_create_param|, |b->counter| would get reset to zero. The consequence of this was that potentially-bad blinding values would get used 32 times instead of (32 - |b->counter|) times. Change-Id: I236cdb6120870ef06cba129ed86619f593cbcf3d Reviewed-on: https://boringssl-review.googlesource.com/7520 Reviewed-by: David Benjamin <davidben@google.com>
8 jaren geleden
Remove unused bits of RSA blinding code. The |_ex| versions of these functions are unnecessary because when they are used, they are always passed |NULL| for |r|, which is what the non-|_ex| versions do. Just use the non-|_ex| versions instead and remove the |_ex| versions. Also, drop the unused flags mechanism. Change-Id: Ida4cb5a2d4c89d9cd318e06f71867aea98408d0d Reviewed-on: https://boringssl-review.googlesource.com/7110 Reviewed-by: David Benjamin <davidben@google.com>
8 jaren geleden
Convert RSA blinding to use Montgomery multiplication. |BN_mod_mul_montgomery| has better constant-time behavior (usually) than |BN_mod_mul| and |BN_mod_sqr| and on platforms where we have assembly language optimizations (when |OPENSSL_BN_ASM_MONT| is set in crypto/bn/montgomery.c) it is faster. While doing so, reorder and rename the |BN_MONT_CTX| parameters of the blinding functions to match the order normally used in Montgomery math functions. As a bonus, remove a redundant copy of the RSA public modulus from the |BN_BLINDING| structure, which reduces memory usage. Change-Id: I70597e40246429c7964947a1dc46d0d81c7530ef Reviewed-on: https://boringssl-review.googlesource.com/7524 Reviewed-by: David Benjamin <davidben@google.com>
8 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Fix error handling in |bn_blinding_update|. The fields of the |bn_blinding_st| are not updated atomically. Consequently, one field (|A| or |Ai|) might get updated while the other field (|Ai| or |A|) doesn't get updated, if an error occurs in the middle of updating. Deal with this by reseting the counter so that |A| and |Ai| will both get recreated the next time the blinding is used. Fix a separate but related issue by resetting the counter to zero after calling |bn_blinding_create_param| only if |bn_blinding_create_param| succeeded. Previously, regardless of whether an error occured in |bn_blinding_create_param|, |b->counter| would get reset to zero. The consequence of this was that potentially-bad blinding values would get used 32 times instead of (32 - |b->counter|) times. Change-Id: I236cdb6120870ef06cba129ed86619f593cbcf3d Reviewed-on: https://boringssl-review.googlesource.com/7520 Reviewed-by: David Benjamin <davidben@google.com>
8 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Fix error handling in |bn_blinding_update|. The fields of the |bn_blinding_st| are not updated atomically. Consequently, one field (|A| or |Ai|) might get updated while the other field (|Ai| or |A|) doesn't get updated, if an error occurs in the middle of updating. Deal with this by reseting the counter so that |A| and |Ai| will both get recreated the next time the blinding is used. Fix a separate but related issue by resetting the counter to zero after calling |bn_blinding_create_param| only if |bn_blinding_create_param| succeeded. Previously, regardless of whether an error occured in |bn_blinding_create_param|, |b->counter| would get reset to zero. The consequence of this was that potentially-bad blinding values would get used 32 times instead of (32 - |b->counter|) times. Change-Id: I236cdb6120870ef06cba129ed86619f593cbcf3d Reviewed-on: https://boringssl-review.googlesource.com/7520 Reviewed-by: David Benjamin <davidben@google.com>
8 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Require the public exponent to be available in RSA blinding. Require the public exponent to be available unless |RSA_FLAG_NO_BLINDING| is set on the key. Also, document this. If the public exponent |e| is not available, then we could compute it from |p|, |q|, and |d|. However, there's no reasonable situation in which we'd have |p| or |q| but not |e|; either we have all the CRT parameters, or we have (e, d, n), or we have only (d, n). The calculation to compute |e| exposes the private key to risk of side channel attacks. Also, it was particularly wasteful to compute |e| for each |BN_BLINDING| created, instead of just once before the first |BN_BLINDING| was created. |BN_BLINDING| now no longer needs to contain a duplicate copy of |e|, so it is now more space-efficient. Note that the condition |b->e != NULL| in |bn_blinding_update| was always true since commit cbf56a5683ddda831ff91c46ea48d1fba545db66. Change-Id: Ic2fd6980e0d359dcd53772a7c31bdd0267e316b4 Reviewed-on: https://boringssl-review.googlesource.com/7594 Reviewed-by: David Benjamin <davidben@google.com>
8 jaren geleden
Convert RSA blinding to use Montgomery multiplication. |BN_mod_mul_montgomery| has better constant-time behavior (usually) than |BN_mod_mul| and |BN_mod_sqr| and on platforms where we have assembly language optimizations (when |OPENSSL_BN_ASM_MONT| is set in crypto/bn/montgomery.c) it is faster. While doing so, reorder and rename the |BN_MONT_CTX| parameters of the blinding functions to match the order normally used in Montgomery math functions. As a bonus, remove a redundant copy of the RSA public modulus from the |BN_BLINDING| structure, which reduces memory usage. Change-Id: I70597e40246429c7964947a1dc46d0d81c7530ef Reviewed-on: https://boringssl-review.googlesource.com/7524 Reviewed-by: David Benjamin <davidben@google.com>
8 jaren geleden
Require the public exponent to be available in RSA blinding. Require the public exponent to be available unless |RSA_FLAG_NO_BLINDING| is set on the key. Also, document this. If the public exponent |e| is not available, then we could compute it from |p|, |q|, and |d|. However, there's no reasonable situation in which we'd have |p| or |q| but not |e|; either we have all the CRT parameters, or we have (e, d, n), or we have only (d, n). The calculation to compute |e| exposes the private key to risk of side channel attacks. Also, it was particularly wasteful to compute |e| for each |BN_BLINDING| created, instead of just once before the first |BN_BLINDING| was created. |BN_BLINDING| now no longer needs to contain a duplicate copy of |e|, so it is now more space-efficient. Note that the condition |b->e != NULL| in |bn_blinding_update| was always true since commit cbf56a5683ddda831ff91c46ea48d1fba545db66. Change-Id: Ic2fd6980e0d359dcd53772a7c31bdd0267e316b4 Reviewed-on: https://boringssl-review.googlesource.com/7594 Reviewed-by: David Benjamin <davidben@google.com>
8 jaren geleden
Convert RSA blinding to use Montgomery multiplication. |BN_mod_mul_montgomery| has better constant-time behavior (usually) than |BN_mod_mul| and |BN_mod_sqr| and on platforms where we have assembly language optimizations (when |OPENSSL_BN_ASM_MONT| is set in crypto/bn/montgomery.c) it is faster. While doing so, reorder and rename the |BN_MONT_CTX| parameters of the blinding functions to match the order normally used in Montgomery math functions. As a bonus, remove a redundant copy of the RSA public modulus from the |BN_BLINDING| structure, which reduces memory usage. Change-Id: I70597e40246429c7964947a1dc46d0d81c7530ef Reviewed-on: https://boringssl-review.googlesource.com/7524 Reviewed-by: David Benjamin <davidben@google.com>
8 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Clarify lifecycle of |BN_BLINDING|. In |bn_blinding_update| the condition |b->e != NULL| would never be true (probably), but the test made reasoning about the correctness of the code confusing. That confusion was amplified by the circuitous and unusual way in which |BN_BLINDING|s are constructed. Clarify all this by simplifying the construction of |BN_BLINDING|s, making it more like the construction of other structures. Also, make counter unsigned as it is no longer ever negative. Change-Id: I6161dcfeae19a80c780ccc6762314079fca1088b Reviewed-on: https://boringssl-review.googlesource.com/7530 Reviewed-by: David Benjamin <davidben@google.com>
8 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Convert RSA blinding to use Montgomery multiplication. |BN_mod_mul_montgomery| has better constant-time behavior (usually) than |BN_mod_mul| and |BN_mod_sqr| and on platforms where we have assembly language optimizations (when |OPENSSL_BN_ASM_MONT| is set in crypto/bn/montgomery.c) it is faster. While doing so, reorder and rename the |BN_MONT_CTX| parameters of the blinding functions to match the order normally used in Montgomery math functions. As a bonus, remove a redundant copy of the RSA public modulus from the |BN_BLINDING| structure, which reduces memory usage. Change-Id: I70597e40246429c7964947a1dc46d0d81c7530ef Reviewed-on: https://boringssl-review.googlesource.com/7524 Reviewed-by: David Benjamin <davidben@google.com>
8 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Require the public exponent to be available in RSA blinding. Require the public exponent to be available unless |RSA_FLAG_NO_BLINDING| is set on the key. Also, document this. If the public exponent |e| is not available, then we could compute it from |p|, |q|, and |d|. However, there's no reasonable situation in which we'd have |p| or |q| but not |e|; either we have all the CRT parameters, or we have (e, d, n), or we have only (d, n). The calculation to compute |e| exposes the private key to risk of side channel attacks. Also, it was particularly wasteful to compute |e| for each |BN_BLINDING| created, instead of just once before the first |BN_BLINDING| was created. |BN_BLINDING| now no longer needs to contain a duplicate copy of |e|, so it is now more space-efficient. Note that the condition |b->e != NULL| in |bn_blinding_update| was always true since commit cbf56a5683ddda831ff91c46ea48d1fba545db66. Change-Id: Ic2fd6980e0d359dcd53772a7c31bdd0267e316b4 Reviewed-on: https://boringssl-review.googlesource.com/7594 Reviewed-by: David Benjamin <davidben@google.com>
8 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Add BN_rand_range_ex and use internally. There are many cases where we need |BN_rand_range| but with a minimum value other than 0. |BN_rand_range_ex| provides that. Change-Id: I564326c9206bf4e20a37414bdbce16a951c148ce Reviewed-on: https://boringssl-review.googlesource.com/8921 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
8 jaren geleden
Clarify lifecycle of |BN_BLINDING|. In |bn_blinding_update| the condition |b->e != NULL| would never be true (probably), but the test made reasoning about the correctness of the code confusing. That confusion was amplified by the circuitous and unusual way in which |BN_BLINDING|s are constructed. Clarify all this by simplifying the construction of |BN_BLINDING|s, making it more like the construction of other structures. Also, make counter unsigned as it is no longer ever negative. Change-Id: I6161dcfeae19a80c780ccc6762314079fca1088b Reviewed-on: https://boringssl-review.googlesource.com/7530 Reviewed-by: David Benjamin <davidben@google.com>
8 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Stop using |ERR_peek_last_error| in RSA blinding. History has shown there are bugs in not setting the error code appropriately, which makes any decision making based on |ERR_peek_last_error|, etc. suspect. Also, this call was interfering with the link-time optimizer's ability to discard the implementations of many functions in crypto/err during dead code elimination. Change-Id: Iba9e553bf0a72a1370ceb17ff275f5a20fca31ec Reviewed-on: https://boringssl-review.googlesource.com/5748 Reviewed-by: Adam Langley <agl@google.com>
9 jaren geleden
Add |BN_mod_inverse_blinded| and use it in RSA blinding. Yo dawg I herd you like blinding so I put inversion blinding in your RSA blinding so you can randomly mask your random mask. This improves upon the current situation where we pretend that |BN_mod_inverse_no_branch| is constant-time, and it avoids the need to exert a lot of effort to make a actually-constant-time modular inversion function just for RSA blinding. Note that if the random number generator weren't working correctly then the blinding of the inversion wouldn't be very effective, but in that case the RSA blinding itself would probably be completely busted, so we're not really losing anything by relying on blinding to blind the blinding. Change-Id: I771100f0ad8ed3c24e80dd859ec22463ef2a194f Reviewed-on: https://boringssl-review.googlesource.com/8923 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
8 jaren geleden
Further optimize Montgomery math in RSA blinding. Change-Id: I830c6115ce2515a7b9d1dcb153c4cd8928fb978f Reviewed-on: https://boringssl-review.googlesource.com/7591 Reviewed-by: David Benjamin <davidben@google.com>
8 jaren geleden
Stop using |ERR_peek_last_error| in RSA blinding. History has shown there are bugs in not setting the error code appropriately, which makes any decision making based on |ERR_peek_last_error|, etc. suspect. Also, this call was interfering with the link-time optimizer's ability to discard the implementations of many functions in crypto/err during dead code elimination. Change-Id: Iba9e553bf0a72a1370ceb17ff275f5a20fca31ec Reviewed-on: https://boringssl-review.googlesource.com/5748 Reviewed-by: Adam Langley <agl@google.com>
9 jaren geleden
Add |BN_mod_inverse_blinded| and use it in RSA blinding. Yo dawg I herd you like blinding so I put inversion blinding in your RSA blinding so you can randomly mask your random mask. This improves upon the current situation where we pretend that |BN_mod_inverse_no_branch| is constant-time, and it avoids the need to exert a lot of effort to make a actually-constant-time modular inversion function just for RSA blinding. Note that if the random number generator weren't working correctly then the blinding of the inversion wouldn't be very effective, but in that case the RSA blinding itself would probably be completely busted, so we're not really losing anything by relying on blinding to blind the blinding. Change-Id: I771100f0ad8ed3c24e80dd859ec22463ef2a194f Reviewed-on: https://boringssl-review.googlesource.com/8923 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
8 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Add |BN_mod_inverse_blinded| and use it in RSA blinding. Yo dawg I herd you like blinding so I put inversion blinding in your RSA blinding so you can randomly mask your random mask. This improves upon the current situation where we pretend that |BN_mod_inverse_no_branch| is constant-time, and it avoids the need to exert a lot of effort to make a actually-constant-time modular inversion function just for RSA blinding. Note that if the random number generator weren't working correctly then the blinding of the inversion wouldn't be very effective, but in that case the RSA blinding itself would probably be completely busted, so we're not really losing anything by relying on blinding to blind the blinding. Change-Id: I771100f0ad8ed3c24e80dd859ec22463ef2a194f Reviewed-on: https://boringssl-review.googlesource.com/8923 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
8 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Require the public exponent to be available in RSA blinding. Require the public exponent to be available unless |RSA_FLAG_NO_BLINDING| is set on the key. Also, document this. If the public exponent |e| is not available, then we could compute it from |p|, |q|, and |d|. However, there's no reasonable situation in which we'd have |p| or |q| but not |e|; either we have all the CRT parameters, or we have (e, d, n), or we have only (d, n). The calculation to compute |e| exposes the private key to risk of side channel attacks. Also, it was particularly wasteful to compute |e| for each |BN_BLINDING| created, instead of just once before the first |BN_BLINDING| was created. |BN_BLINDING| now no longer needs to contain a duplicate copy of |e|, so it is now more space-efficient. Note that the condition |b->e != NULL| in |bn_blinding_update| was always true since commit cbf56a5683ddda831ff91c46ea48d1fba545db66. Change-Id: Ic2fd6980e0d359dcd53772a7c31bdd0267e316b4 Reviewed-on: https://boringssl-review.googlesource.com/7594 Reviewed-by: David Benjamin <davidben@google.com>
8 jaren geleden
Convert RSA blinding to use Montgomery multiplication. |BN_mod_mul_montgomery| has better constant-time behavior (usually) than |BN_mod_mul| and |BN_mod_sqr| and on platforms where we have assembly language optimizations (when |OPENSSL_BN_ASM_MONT| is set in crypto/bn/montgomery.c) it is faster. While doing so, reorder and rename the |BN_MONT_CTX| parameters of the blinding functions to match the order normally used in Montgomery math functions. As a bonus, remove a redundant copy of the RSA public modulus from the |BN_BLINDING| structure, which reduces memory usage. Change-Id: I70597e40246429c7964947a1dc46d0d81c7530ef Reviewed-on: https://boringssl-review.googlesource.com/7524 Reviewed-by: David Benjamin <davidben@google.com>
8 jaren geleden
Further optimize Montgomery math in RSA blinding. Change-Id: I830c6115ce2515a7b9d1dcb153c4cd8928fb978f Reviewed-on: https://boringssl-review.googlesource.com/7591 Reviewed-by: David Benjamin <davidben@google.com>
8 jaren geleden
Clarify lifecycle of |BN_BLINDING|. In |bn_blinding_update| the condition |b->e != NULL| would never be true (probably), but the test made reasoning about the correctness of the code confusing. That confusion was amplified by the circuitous and unusual way in which |BN_BLINDING|s are constructed. Clarify all this by simplifying the construction of |BN_BLINDING|s, making it more like the construction of other structures. Also, make counter unsigned as it is no longer ever negative. Change-Id: I6161dcfeae19a80c780ccc6762314079fca1088b Reviewed-on: https://boringssl-review.googlesource.com/7530 Reviewed-by: David Benjamin <davidben@google.com>
8 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
Clarify lifecycle of |BN_BLINDING|. In |bn_blinding_update| the condition |b->e != NULL| would never be true (probably), but the test made reasoning about the correctness of the code confusing. That confusion was amplified by the circuitous and unusual way in which |BN_BLINDING|s are constructed. Clarify all this by simplifying the construction of |BN_BLINDING|s, making it more like the construction of other structures. Also, make counter unsigned as it is no longer ever negative. Change-Id: I6161dcfeae19a80c780ccc6762314079fca1088b Reviewed-on: https://boringssl-review.googlesource.com/7530 Reviewed-by: David Benjamin <davidben@google.com>
8 jaren geleden
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 jaren geleden
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264 
  1. /* ====================================================================

  2.  * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.

  3.  *

  4.  * Redistribution and use in source and binary forms, with or without

  5.  * modification, are permitted provided that the following conditions

  6.  * are met:

  7.  *

  8.  * 1. Redistributions of source code must retain the above copyright

  9.  *    notice, this list of conditions and the following disclaimer.

  10.  *

  11.  * 2. Redistributions in binary form must reproduce the above copyright

  12.  *    notice, this list of conditions and the following disclaimer in

  13.  *    the documentation and/or other materials provided with the

  14.  *    distribution.

  15.  *

  16.  * 3. All advertising materials mentioning features or use of this

  17.  *    software must display the following acknowledgment:

  18.  *    "This product includes software developed by the OpenSSL Project

  19.  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

  20.  *

  21.  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

  22.  *    endorse or promote products derived from this software without

  23.  *    prior written permission. For written permission, please contact

  24.  *    openssl-core@openssl.org.

  25.  *

  26.  * 5. Products derived from this software may not be called "OpenSSL"

  27.  *    nor may "OpenSSL" appear in their names without prior written

  28.  *    permission of the OpenSSL Project.

  29.  *

  30.  * 6. Redistributions of any form whatsoever must retain the following

  31.  *    acknowledgment:

  32.  *    "This product includes software developed by the OpenSSL Project

  33.  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"

  34.  *

  35.  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

  36.  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  37.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

  38.  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

  39.  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

  40.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

  41.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

  42.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  43.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

  44.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

  45.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

  46.  * OF THE POSSIBILITY OF SUCH DAMAGE.

  47.  * ====================================================================

  48.  *

  49.  * This product includes cryptographic software written by Eric Young

  50.  * (eay@cryptsoft.com).  This product includes software written by Tim

  51.  * Hudson (tjh@cryptsoft.com).

  52.  *

  53.  * Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)

  54.  * All rights reserved.

  55.  *

  56.  * This package is an SSL implementation written

  57.  * by Eric Young (eay@cryptsoft.com).

  58.  * The implementation was written so as to conform with Netscapes SSL.

  59.  *

  60.  * This library is free for commercial and non-commercial use as long as

  61.  * the following conditions are aheared to.  The following conditions

  62.  * apply to all code found in this distribution, be it the RC4, RSA,

  63.  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation

  64.  * included with this distribution is covered by the same copyright terms

  65.  * except that the holder is Tim Hudson (tjh@cryptsoft.com).

  66.  *

  67.  * Copyright remains Eric Young's, and as such any Copyright notices in

  68.  * the code are not to be removed.

  69.  * If this package is used in a product, Eric Young should be given attribution

  70.  * as the author of the parts of the library used.

  71.  * This can be in the form of a textual message at program startup or

  72.  * in documentation (online or textual) provided with the package.

  73.  *

  74.  * Redistribution and use in source and binary forms, with or without

  75.  * modification, are permitted provided that the following conditions

  76.  * are met:

  77.  * 1. Redistributions of source code must retain the copyright

  78.  *    notice, this list of conditions and the following disclaimer.

  79.  * 2. Redistributions in binary form must reproduce the above copyright

  80.  *    notice, this list of conditions and the following disclaimer in the

  81.  *    documentation and/or other materials provided with the distribution.

  82.  * 3. All advertising materials mentioning features or use of this software

  83.  *    must display the following acknowledgement:

  84.  *    "This product includes cryptographic software written by

  85.  *     Eric Young (eay@cryptsoft.com)"

  86.  *    The word 'cryptographic' can be left out if the rouines from the library

  87.  *    being used are not cryptographic related :-).

  88.  * 4. If you include any Windows specific code (or a derivative thereof) from

  89.  *    the apps directory (application code) you must include an acknowledgement:

  90.  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

  91.  *

  92.  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND

  93.  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  94.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  95.  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

  96.  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

  97.  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

  98.  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  99.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

  100.  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

  101.  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

  102.  * SUCH DAMAGE.

  103.  *

  104.  * The licence and distribution terms for any publically available version or

  105.  * derivative of this code cannot be changed.  i.e. this code cannot simply be

  106.  * copied and put under another distribution licence

  107.  * [including the GNU Public Licence.] */

  108. 

  109. #include <openssl/rsa.h>

  110. 

  111. #include <string.h>

  112. 

  113. #include <openssl/bn.h>

  114. #include <openssl/mem.h>

  115. #include <openssl/err.h>

  116. 

  117. #include "internal.h"

  118. 

  119. 

  120. #define BN_BLINDING_COUNTER 32

  121. 

  122. struct bn_blinding_st {

  123.   BIGNUM *A; /* The base blinding factor, Montgomery-encoded. */

  124.   BIGNUM *Ai; /* The inverse of the blinding factor, Montgomery-encoded. */

  125.   unsigned counter;

  126. };

  127. 

  128. static int bn_blinding_create_param(BN_BLINDING *b, const BIGNUM *e,

  129.                                     const BN_MONT_CTX *mont, BN_CTX *ctx);

  130. 

  131. BN_BLINDING *BN_BLINDING_new(void) {

  132.   BN_BLINDING *ret = OPENSSL_malloc(sizeof(BN_BLINDING));

  133.   if (ret == NULL) {

  134.     OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);

  135.     return NULL;

  136.   }

  137.   memset(ret, 0, sizeof(BN_BLINDING));

  138. 

  139.   ret->A = BN_new();

  140.   if (ret->A == NULL) {

  141.     goto err;

  142.   }

  143. 

  144.   ret->Ai = BN_new();

  145.   if (ret->Ai == NULL) {

  146.     goto err;

  147.   }

  148. 

  149.   /* The blinding values need to be created before this blinding can be used. */

  150.   ret->counter = BN_BLINDING_COUNTER - 1;

  151. 

  152.   return ret;

  153. 

  154. err:

  155.   BN_BLINDING_free(ret);

  156.   return NULL;

  157. }

  158. 

  159. void BN_BLINDING_free(BN_BLINDING *r) {

  160.   if (r == NULL) {

  161.     return;

  162.   }

  163. 

  164.   BN_free(r->A);

  165.   BN_free(r->Ai);

  166.   OPENSSL_free(r);

  167. }

  168. 

  169. static int bn_blinding_update(BN_BLINDING *b, const BIGNUM *e,

  170.                               const BN_MONT_CTX *mont, BN_CTX *ctx) {

  171.   if (++b->counter == BN_BLINDING_COUNTER) {

  172.     /* re-create blinding parameters */

  173.     if (!bn_blinding_create_param(b, e, mont, ctx)) {

  174.       goto err;

  175.     }

  176.     b->counter = 0;

  177.   } else {

  178.     if (!BN_mod_mul_montgomery(b->A, b->A, b->A, mont, ctx) ||

  179.         !BN_mod_mul_montgomery(b->Ai, b->Ai, b->Ai, mont, ctx)) {

  180.       goto err;

  181.     }

  182.   }

  183. 

  184.   return 1;

  185. 

  186. err:

  187.   /* |A| and |Ai| may be in an inconsistent state so they both need to be

  188.    * replaced the next time this blinding is used. Note that this is only

  189.    * sufficient because support for |BN_BLINDING_NO_UPDATE| and

  190.    * |BN_BLINDING_NO_RECREATE| was previously dropped. */

  191.   b->counter = BN_BLINDING_COUNTER - 1;

  192. 

  193.   return 0;

  194. }

  195. 

  196. int BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *b, const BIGNUM *e,

  197.                         const BN_MONT_CTX *mont, BN_CTX *ctx) {

  198.   /* |n| is not Montgomery-encoded and |b->A| is. |BN_mod_mul_montgomery|

  199.    * cancels one Montgomery factor, so the resulting value of |n| is unencoded.

  200.    */

  201.   if (!bn_blinding_update(b, e, mont, ctx) ||

  202.       !BN_mod_mul_montgomery(n, n, b->A, mont, ctx)) {

  203.     return 0;

  204.   }

  205. 

  206.   return 1;

  207. }

  208. 

  209. int BN_BLINDING_invert(BIGNUM *n, const BN_BLINDING *b, BN_MONT_CTX *mont,

  210.                        BN_CTX *ctx) {

  211.   /* |n| is not Montgomery-encoded and |b->A| is. |BN_mod_mul_montgomery|

  212.    * cancels one Montgomery factor, so the resulting value of |n| is unencoded.

  213.    */

  214.   return BN_mod_mul_montgomery(n, n, b->Ai, mont, ctx);

  215. }

  216. 

  217. static int bn_blinding_create_param(BN_BLINDING *b, const BIGNUM *e,

  218.                                     const BN_MONT_CTX *mont, BN_CTX *ctx) {

  219.   int retry_counter = 32;

  220. 

  221.   do {

  222.     if (!BN_rand_range_ex(b->A, 1, &mont->N)) {

  223.       OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);

  224.       return 0;

  225.     }

  226. 

  227.     /* |BN_from_montgomery| + |BN_mod_inverse_blinded| is equivalent to, but

  228.      * more efficient than, |BN_mod_inverse_blinded| + |BN_to_montgomery|. */

  229.     if (!BN_from_montgomery(b->Ai, b->A, mont, ctx)) {

  230.       OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);

  231.       return 0;

  232.     }

  233. 

  234.     int no_inverse;

  235.     if (BN_mod_inverse_blinded(b->Ai, &no_inverse, b->Ai, mont, ctx)) {

  236.       break;

  237.     }

  238. 

  239.     if (!no_inverse) {

  240.       OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);

  241.       return 0;

  242.     }

  243. 

  244.     /* For reasonably-sized RSA keys, it should almost never be the case that a

  245.      * random value doesn't have an inverse. */

  246.     if (retry_counter-- == 0) {

  247.       OPENSSL_PUT_ERROR(RSA, RSA_R_TOO_MANY_ITERATIONS);

  248.       return 0;

  249.     }

  250.     ERR_clear_error();

  251.   } while (1);

  252. 

  253.   if (!BN_mod_exp_mont(b->A, b->A, e, &mont->N, ctx, mont)) {

  254.     OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);

  255.     return 0;

  256.   }

  257. 

  258.   if (!BN_to_montgomery(b->A, b->A, mont, ctx)) {

  259.     OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);

  260.     return 0;

  261.   }

  262. 

  263.   return 1;

  264. }