
Annotation of /rpms/openssl/sme8/openssl-fips-0.9.8e-bn-fixes.patch



Revision 1.1 - (hide annotations) (download)
Tue Feb 18 03:03:08 2014 UTC (10 years, 3 months ago) by wellsi
Branch: MAIN
CVS Tags: openssl-0_9_8e-28_el5_sme, openssl-0_9_8e-33_1_el5_sme, openssl-0_9_8e-32_1_el5_sme, openssl-0_9_8e-27_1_el5_sme, openssl-0_9_8e-27_el5_10_1, openssl-0_9_8e-31_1_el5_sme, HEAD
Branch point for: upstream
Initial import

1 wellsi 1.1 Fix BN flag handling in RSA_eay_mod_exp() and BN_MONT_CTX_set()
2     to get the expected BN_FLG_CONSTTIME behavior.
3     [Bodo Moeller (Google)]
4    
5     openssl/crypto/bn/bn_mont.c 1.36.2.8 -> 1.36.2.9
6    
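--- a/openssl/crypto/bn/bn_mont.c
+++ b/openssl/crypto/bn/bn_mont.c
@@ -413,6 +413,8 @@
 
 buf[0]=mod->d[0]; /* tmod = N mod word size */
 buf[1]=0;
+
+ BN_init(&tmod);
 tmod.d=buf;
 tmod.top = buf[0] != 0 ? 1 : 0;
 tmod.dmax=2;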
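Review bot: The added `BN_init(&tmod);` carries no comment saying why it is needed, and its position before `tmod.d=buf;` is load-bearing because the call resets every field, the data pointer included. tmod appears to be a stack BIGNUM whose fields were set one by one, so any field not assigned here (the flags word, going by the commit description) would have held stale stack contents and could steer a later BN_FLG_CONSTTIME test either way. I would add `/* zero all fields, flags included, before the manual setup; must precede tmod.d=buf */` above the call. The enclosing function starts and ends outside the hunk, so the consumer of tmod is not visible here.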
18    
19     openssl/crypto/rsa/rsa_eay.c 1.46.2.8 -> 1.46.2.9
20    
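--- a/openssl/crypto/rsa/rsa_eay.c
+++ b/openssl/crypto/rsa/rsa_eay.c
@@ -151,13 +151,13 @@
 }
 
 /* Usage example;
- * MONT_HELPER(rsa, bn_ctx, p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
+ * MONT_HELPER(rsa->_method_mod_p, bn_ctx, rsa->p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
 */
-#define MONT_HELPER(rsa, ctx, m, pre_cond, err_instr) \
- if((pre_cond) && ((rsa)->_method_mod_##m == NULL) && \
- !BN_MONT_CTX_set_locked(&((rsa)->_method_mod_##m), \
+#define MONT_HELPER(method_mod, ctx, m, pre_cond, err_instr) \
+ if ((pre_cond) && ((method_mod) == NULL) && \
+ !BN_MONT_CTX_set_locked(&(method_mod), \
 CRYPTO_LOCK_RSA, \
- (rsa)->m, (ctx))) \
+ (m), (ctx))) \
 err_instr
 
 static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
@@ -227,13 +227,13 @@
 if (BN_bin2bn(buf,num,f) == NULL) goto err;
 
 if (BN_ucmp(f, rsa->n) >= 0)
- {
+ {
 /* usually the padding functions would catch this */
 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
 goto err;
 }
 
- MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
+ MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
 
 if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx,
 rsa->_method_mod_n)) goto err;
@@ -436,9 +436,9 @@
 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
 }
 else
- d = rsa->d;
+ d= rsa->d;
 
- MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
+ MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
 
 if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx,
 rsa->_method_mod_n)) goto err;
@@ -559,7 +559,7 @@
 else
 d = rsa->d;
 
- MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
+ MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
 if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx,
 rsa->_method_mod_n))
 goto err;
@@ -669,7 +669,7 @@
 goto err;
 }
 
- MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
+ MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
 
 if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx,
 rsa->_method_mod_n)) goto err;
@@ -717,7 +717,6 @@
 BIGNUM *r1,*m1,*vrfy;
 BIGNUM local_dmp1,local_dmq1,local_c,local_r1;
 BIGNUM *dmp1,*dmq1,*c,*pr1;
- int bn_flags;
 int ret=0;
 
 BN_CTX_start(ctx);
@@ -725,31 +724,34 @@
 m1 = BN_CTX_get(ctx);
 vrfy = BN_CTX_get(ctx);
 
- /* Make sure mod_inverse in montgomerey intialization use correct
- * BN_FLG_CONSTTIME flag.
- */
- bn_flags = rsa->p->flags;
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
- {
- rsa->p->flags |= BN_FLG_CONSTTIME;
- }
- MONT_HELPER(rsa, ctx, p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
- /* We restore bn_flags back */
- rsa->p->flags = bn_flags;
+ {
+ BIGNUM local_p, local_q;
+ BIGNUM *p = NULL, *q = NULL;
 
- /* Make sure mod_inverse in montgomerey intialization use correct
- * BN_FLG_CONSTTIME flag.
- */
- bn_flags = rsa->q->flags;
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
- {
- rsa->q->flags |= BN_FLG_CONSTTIME;
- }
- MONT_HELPER(rsa, ctx, q, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
- /* We restore bn_flags back */
- rsa->q->flags = bn_flags;
+ /* Make sure BN_mod_inverse in Montgomery intialization uses the
+ * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set)
+ */
+ if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
+ {
+ BN_init(&local_p);
+ p = &local_p;
+ BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
+
+ BN_init(&local_q);
+ q = &local_q;
+ BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
+ }
+ else
+ {
+ p = rsa->p;
+ q = rsa->q;
+ }
+
+ MONT_HELPER(rsa->_method_mod_p, ctx, p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
+ MONT_HELPER(rsa->_method_mod_q, ctx, q, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
+ }
 
- MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
+ MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
 
 /* compute I mod q */
 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))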
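Review bot: In the `@@ -725,31 +724,34 @@` hunk, `local_p` and `local_q` are block-scoped stack BIGNUMs filled by `BN_with_flags()`, and the new comment does not say that they are borrowed views of `rsa->p`/`rsa->q` rather than copies (as I read the 0.9.8 macro, it shares the source's digit array). On this private-key path that is only safe if `BN_MONT_CTX_set_locked()` copies the modulus instead of retaining the pointer it is handed, which the hunk does not show, and if the views are never passed to `BN_free()`. I would extend the comment with `/* local_p/local_q alias rsa->p/rsa->q (no copy); they must not be freed or outlive this block */`. Separately, `MONT_HELPER` now applies `&` to its first argument and still expands to a bare `if`, so it needs an lvalue and is fragile directly before an `else`; one line in the usage comment should say so. The function body continues outside the hunk.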
154    
155     Fix DH with certain moduli.
156    
157     openssl/crypto/bn/bn_mul.c 1.36.4.1 -> 1.36.4.2
158    
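--- a/openssl/crypto/bn/bn_mul.c
+++ b/openssl/crypto/bn/bn_mul.c
@@ -389,6 +389,7 @@
 * a[0]*b[0]+a[1]*b[1]+(a[0]-a[1])*(b[1]-b[0])
 * a[1]*b[1]
 */
+/* dnX may not be positive, but n2/2+dnX has to be */
 void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
 int dna, int dnb, BN_ULONG *t)
 {
@@ -398,7 +399,7 @@
 BN_ULONG ln,lo,*p;
 
 # ifdef BN_COUNT
- fprintf(stderr," bn_mul_recursive %d * %d\n",n2,n2);
+ fprintf(stderr," bn_mul_recursive %d%+d * %d%+d\n",n2,dna,n2,dnb);
 # endif
 # ifdef BN_MUL_COMBA
 # if 0
@@ -545,6 +546,7 @@
 
 /* n+tn is the word length
 * t needs to be n*4 is size, as does r */
+/* tnX may not be negative but less than n */
 void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n,
 int tna, int tnb, BN_ULONG *t)
 {
@@ -553,8 +555,8 @@
 BN_ULONG ln,lo,*p;
 
 # ifdef BN_COUNT
- fprintf(stderr," bn_mul_part_recursive (%d+%d) * (%d+%d)\n",
- tna, n, tnb, n);
+ fprintf(stderr," bn_mul_part_recursive (%d%+d) * (%d%+d)\n",
+ n, tna, n, tnb);
 # endif
 if (n < 8)
 {
@@ -655,16 +657,19 @@
 for (;;)
 {
 i/=2;
- if (i <= tna && tna == tnb)
+ /* these simplified conditions work
+ * exclusively because difference
+ * between tna and tnb is 1 or 0 */
+ if (i < tna || i < tnb)
 {
- bn_mul_recursive(&(r[n2]),
+ bn_mul_part_recursive(&(r[n2]),
 &(a[n]),&(b[n]),
 i,tna-i,tnb-i,p);
 break;
 }
- else if (i < tna || i < tnb)
+ else if (i == tna || i == tnb)
 {
- bn_mul_part_recursive(&(r[n2]),
+ bn_mul_recursive(&(r[n2]),
 &(a[n]),&(b[n]),
 i,tna-i,tnb-i,p);
 break;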
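Review bot: The rewritten loop in the `@@ -655,16 +657,19 @@` hunk depends on two preconditions that exist only as comments: `tnX` is non-negative and less than `n`, and `tna` and `tnb` differ by at most 1. Going by the visible branches, if both `tna` and `tnb` were negative, neither `i < tna || i < tnb` nor `i == tna || i == tnb` could match once `i` has been halved to 0, so the `for (;;)` would never reach a `break` unless an exit exists outside the hunk. Because these values also feed the offsets passed down into `r`, `a`, `b` and `p`, I would check them at the top of `bn_mul_part_recursive`, for example `assert(tna >= 0 && tna < n && tnb >= 0 && tnb < n);` if the file's conventions allow it, and repeat the 0-or-1 difference requirement in the function's header comment. Both the loop and the function continue outside the hunk.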
