xref: /dragonfly/crypto/libressl/crypto/bn/bn_blind.c (revision 72c3367655e64985522b7a48ddfab613e869dc68)
1 /* $OpenBSD: bn_blind.c,v 1.17 2017/01/29 17:49:22 beck Exp $ */
2 /* ====================================================================
3  * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  *
9  * 1. Redistributions of source code must retain the above copyright
10  *    notice, this list of conditions and the following disclaimer.
11  *
12  * 2. Redistributions in binary form must reproduce the above copyright
13  *    notice, this list of conditions and the following disclaimer in
14  *    the documentation and/or other materials provided with the
15  *    distribution.
16  *
17  * 3. All advertising materials mentioning features or use of this
18  *    software must display the following acknowledgment:
19  *    "This product includes software developed by the OpenSSL Project
20  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
21  *
22  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23  *    endorse or promote products derived from this software without
24  *    prior written permission. For written permission, please contact
25  *    openssl-core@openssl.org.
26  *
27  * 5. Products derived from this software may not be called "OpenSSL"
28  *    nor may "OpenSSL" appear in their names without prior written
29  *    permission of the OpenSSL Project.
30  *
31  * 6. Redistributions of any form whatsoever must retain the following
32  *    acknowledgment:
33  *    "This product includes software developed by the OpenSSL Project
34  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
35  *
36  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
40  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47  * OF THE POSSIBILITY OF SUCH DAMAGE.
48  * ====================================================================
49  *
50  * This product includes cryptographic software written by Eric Young
51  * (eay@cryptsoft.com).  This product includes software written by Tim
52  * Hudson (tjh@cryptsoft.com).
53  *
54  */
55 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
56  * All rights reserved.
57  *
58  * This package is an SSL implementation written
59  * by Eric Young (eay@cryptsoft.com).
60  * The implementation was written so as to conform with Netscapes SSL.
61  *
62  * This library is free for commercial and non-commercial use as long as
63  * the following conditions are aheared to.  The following conditions
64  * apply to all code found in this distribution, be it the RC4, RSA,
65  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
66  * included with this distribution is covered by the same copyright terms
67  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
68  *
69  * Copyright remains Eric Young's, and as such any Copyright notices in
70  * the code are not to be removed.
71  * If this package is used in a product, Eric Young should be given attribution
72  * as the author of the parts of the library used.
73  * This can be in the form of a textual message at program startup or
74  * in documentation (online or textual) provided with the package.
75  *
76  * Redistribution and use in source and binary forms, with or without
77  * modification, are permitted provided that the following conditions
78  * are met:
79  * 1. Redistributions of source code must retain the copyright
80  *    notice, this list of conditions and the following disclaimer.
81  * 2. Redistributions in binary form must reproduce the above copyright
82  *    notice, this list of conditions and the following disclaimer in the
83  *    documentation and/or other materials provided with the distribution.
84  * 3. All advertising materials mentioning features or use of this software
85  *    must display the following acknowledgement:
86  *    "This product includes cryptographic software written by
87  *     Eric Young (eay@cryptsoft.com)"
88  *    The word 'cryptographic' can be left out if the rouines from the library
89  *    being used are not cryptographic related :-).
90  * 4. If you include any Windows specific code (or a derivative thereof) from
91  *    the apps directory (application code) you must include an acknowledgement:
92  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
93  *
94  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
95  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
96  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
97  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
98  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
99  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
100  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
101  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
102  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
103  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
104  * SUCH DAMAGE.
105  *
106  * The licence and distribution terms for any publically available version or
107  * derivative of this code cannot be changed.  i.e. this code cannot simply be
108  * copied and put under another distribution licence
109  * [including the GNU Public Licence.]
110  */
111 
112 #include <stdio.h>
113 
114 #include <openssl/opensslconf.h>
115 
116 #include <openssl/err.h>
117 
118 #include "bn_lcl.h"
119 
120 #define BN_BLINDING_COUNTER   32
121 
122 struct bn_blinding_st {
123           BIGNUM *A;
124           BIGNUM *Ai;
125           BIGNUM *e;
126           BIGNUM *mod; /* just a reference */
127 #ifndef OPENSSL_NO_DEPRECATED
128           unsigned long thread_id; /* added in OpenSSL 0.9.6j and 0.9.7b;
129                                           * used only by crypto/rsa/rsa_eay.c, rsa_lib.c */
130 #endif
131           CRYPTO_THREADID tid;
132           int counter;
133           unsigned long flags;
134           BN_MONT_CTX *m_ctx;
135           int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
136               const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
137 };
138 
139 BN_BLINDING *
BN_BLINDING_new(const BIGNUM * A,const BIGNUM * Ai,BIGNUM * mod)140 BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod)
141 {
142           BN_BLINDING *ret = NULL;
143 
144           bn_check_top(mod);
145 
146           if ((ret = calloc(1, sizeof(BN_BLINDING))) == NULL) {
147                     BNerror(ERR_R_MALLOC_FAILURE);
148                     return (NULL);
149           }
150           if (A != NULL) {
151                     if ((ret->A = BN_dup(A))  == NULL)
152                               goto err;
153           }
154           if (Ai != NULL) {
155                     if ((ret->Ai = BN_dup(Ai)) == NULL)
156                               goto err;
157           }
158 
159           /* save a copy of mod in the BN_BLINDING structure */
160           if ((ret->mod = BN_dup(mod)) == NULL)
161                     goto err;
162           if (BN_get_flags(mod, BN_FLG_CONSTTIME) != 0)
163                     BN_set_flags(ret->mod, BN_FLG_CONSTTIME);
164 
165           /* Set the counter to the special value -1
166            * to indicate that this is never-used fresh blinding
167            * that does not need updating before first use. */
168           ret->counter = -1;
169           CRYPTO_THREADID_current(&ret->tid);
170           return (ret);
171 
172 err:
173           if (ret != NULL)
174                     BN_BLINDING_free(ret);
175           return (NULL);
176 }
177 
178 void
BN_BLINDING_free(BN_BLINDING * r)179 BN_BLINDING_free(BN_BLINDING *r)
180 {
181           if (r == NULL)
182                     return;
183 
184           BN_clear_free(r->A);
185           BN_clear_free(r->Ai);
186           BN_clear_free(r->e);
187           BN_clear_free(r->mod);
188           free(r);
189 }
190 
191 int
BN_BLINDING_update(BN_BLINDING * b,BN_CTX * ctx)192 BN_BLINDING_update(BN_BLINDING *b, BN_CTX *ctx)
193 {
194           int ret = 0;
195 
196           if ((b->A == NULL) || (b->Ai == NULL)) {
197                     BNerror(BN_R_NOT_INITIALIZED);
198                     goto err;
199           }
200 
201           if (b->counter == -1)
202                     b->counter = 0;
203 
204           if (++b->counter == BN_BLINDING_COUNTER && b->e != NULL &&
205               !(b->flags & BN_BLINDING_NO_RECREATE)) {
206                     /* re-create blinding parameters */
207                     if (!BN_BLINDING_create_param(b, NULL, NULL, ctx, NULL, NULL))
208                               goto err;
209           } else if (!(b->flags & BN_BLINDING_NO_UPDATE)) {
210                     if (!BN_mod_mul(b->A, b->A, b->A, b->mod, ctx))
211                               goto err;
212                     if (!BN_mod_mul(b->Ai, b->Ai, b->Ai, b->mod, ctx))
213                               goto err;
214           }
215 
216           ret = 1;
217 
218 err:
219           if (b->counter == BN_BLINDING_COUNTER)
220                     b->counter = 0;
221           return (ret);
222 }
223 
224 int
BN_BLINDING_convert(BIGNUM * n,BN_BLINDING * b,BN_CTX * ctx)225 BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx)
226 {
227           return BN_BLINDING_convert_ex(n, NULL, b, ctx);
228 }
229 
230 int
BN_BLINDING_convert_ex(BIGNUM * n,BIGNUM * r,BN_BLINDING * b,BN_CTX * ctx)231 BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b, BN_CTX *ctx)
232 {
233           int ret = 1;
234 
235           bn_check_top(n);
236 
237           if ((b->A == NULL) || (b->Ai == NULL)) {
238                     BNerror(BN_R_NOT_INITIALIZED);
239                     return (0);
240           }
241 
242           if (b->counter == -1)
243                     /* Fresh blinding, doesn't need updating. */
244                     b->counter = 0;
245           else if (!BN_BLINDING_update(b, ctx))
246                     return (0);
247 
248           if (r != NULL) {
249                     if (!BN_copy(r, b->Ai))
250                               ret = 0;
251           }
252 
253           if (!BN_mod_mul(n, n,b->A, b->mod, ctx))
254                     ret = 0;
255 
256           return ret;
257 }
258 
259 int
BN_BLINDING_invert(BIGNUM * n,BN_BLINDING * b,BN_CTX * ctx)260 BN_BLINDING_invert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx)
261 {
262           return BN_BLINDING_invert_ex(n, NULL, b, ctx);
263 }
264 
265 int
BN_BLINDING_invert_ex(BIGNUM * n,const BIGNUM * r,BN_BLINDING * b,BN_CTX * ctx)266 BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b, BN_CTX *ctx)
267 {
268           int ret;
269 
270           bn_check_top(n);
271 
272           if (r != NULL)
273                     ret = BN_mod_mul(n, n, r, b->mod, ctx);
274           else {
275                     if (b->Ai == NULL) {
276                               BNerror(BN_R_NOT_INITIALIZED);
277                               return (0);
278                     }
279                     ret = BN_mod_mul(n, n, b->Ai, b->mod, ctx);
280           }
281 
282           bn_check_top(n);
283           return (ret);
284 }
285 
286 #ifndef OPENSSL_NO_DEPRECATED
287 unsigned long
BN_BLINDING_get_thread_id(const BN_BLINDING * b)288 BN_BLINDING_get_thread_id(const BN_BLINDING *b)
289 {
290           return b->thread_id;
291 }
292 
293 void
BN_BLINDING_set_thread_id(BN_BLINDING * b,unsigned long n)294 BN_BLINDING_set_thread_id(BN_BLINDING *b, unsigned long n)
295 {
296           b->thread_id = n;
297 }
298 #endif
299 
300 CRYPTO_THREADID *
BN_BLINDING_thread_id(BN_BLINDING * b)301 BN_BLINDING_thread_id(BN_BLINDING *b)
302 {
303           return &b->tid;
304 }
305 
306 unsigned long
BN_BLINDING_get_flags(const BN_BLINDING * b)307 BN_BLINDING_get_flags(const BN_BLINDING *b)
308 {
309           return b->flags;
310 }
311 
312 void
BN_BLINDING_set_flags(BN_BLINDING * b,unsigned long flags)313 BN_BLINDING_set_flags(BN_BLINDING *b, unsigned long flags)
314 {
315           b->flags = flags;
316 }
317 
318 BN_BLINDING *
BN_BLINDING_create_param(BN_BLINDING * b,const BIGNUM * e,BIGNUM * m,BN_CTX * ctx,int (* bn_mod_exp)(BIGNUM * r,const BIGNUM * a,const BIGNUM * p,const BIGNUM * m,BN_CTX * ctx,BN_MONT_CTX * m_ctx),BN_MONT_CTX * m_ctx)319 BN_BLINDING_create_param(BN_BLINDING *b, const BIGNUM *e, BIGNUM *m,
320     BN_CTX *ctx, int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
321     const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx), BN_MONT_CTX *m_ctx)
322 {
323           int    retry_counter = 32;
324           BN_BLINDING *ret = NULL;
325 
326           if (b == NULL)
327                     ret = BN_BLINDING_new(NULL, NULL, m);
328           else
329                     ret = b;
330 
331           if (ret == NULL)
332                     goto err;
333 
334           if (ret->A  == NULL && (ret->A = BN_new()) == NULL)
335                     goto err;
336           if (ret->Ai == NULL && (ret->Ai = BN_new()) == NULL)
337                     goto err;
338 
339           if (e != NULL) {
340                     BN_free(ret->e);
341                     ret->e = BN_dup(e);
342           }
343           if (ret->e == NULL)
344                     goto err;
345 
346           if (bn_mod_exp != NULL)
347                     ret->bn_mod_exp = bn_mod_exp;
348           if (m_ctx != NULL)
349                     ret->m_ctx = m_ctx;
350 
351           do {
352                     if (!BN_rand_range(ret->A, ret->mod))
353                               goto err;
354                     if (BN_mod_inverse_ct(ret->Ai, ret->A, ret->mod, ctx) == NULL) {
355                               /* this should almost never happen for good RSA keys */
356                               unsigned long error = ERR_peek_last_error();
357                               if (ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
358                                         if (retry_counter-- == 0) {
359                                                   BNerror(BN_R_TOO_MANY_ITERATIONS);
360                                                   goto err;
361                                         }
362                                         ERR_clear_error();
363                               } else
364                                         goto err;
365                     } else
366                               break;
367           } while (1);
368 
369           if (ret->bn_mod_exp != NULL && ret->m_ctx != NULL) {
370                     if (!ret->bn_mod_exp(ret->A, ret->A, ret->e, ret->mod,
371                         ctx, ret->m_ctx))
372                               goto err;
373           } else {
374                     if (!BN_mod_exp_ct(ret->A, ret->A, ret->e, ret->mod, ctx))
375                               goto err;
376           }
377 
378           return ret;
379 
380 err:
381           if (b == NULL && ret != NULL) {
382                     BN_BLINDING_free(ret);
383                     ret = NULL;
384           }
385 
386           return ret;
387 }
388