
Commit f92b0ae

author
tb
committed
Factor the actual setup step for the blinding into a helper
ok jsing
1 parent 915f071 commit f92b0ae


1 file changed

+43
-30
lines changed


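--- a/src/lib/libcrypto/bn/bn_blind.c
+++ b/src/lib/libcrypto/bn/bn_blind.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_blind.c,v 1.33 2023/08/08 13:59:04 tb Exp $ */
+/* $OpenBSD: bn_blind.c,v 1.34 2023/08/08 14:40:56 tb Exp $ */
 /* ====================================================================
 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
 *
@@ -178,6 +178,45 @@ BN_BLINDING_free(BN_BLINDING *r)
 free(r);
 }
 
+static int
+BN_BLINDING_setup(BN_BLINDING *ret, BN_CTX *ctx)
+{
+int retry_counter = 32;
+
+/*
+* XXX - remove this loop. If we happen to find a non-invertible A,
+* we have basically factored mod = (p-1)(q-1)...
+*/
+do {
+if (!BN_rand_range(ret->A, ret->mod))
+return 0;
+if (BN_mod_inverse_ct(ret->Ai, ret->A, ret->mod, ctx) == NULL) {
+/* this should almost never happen for good RSA keys */
+unsigned long error = ERR_peek_last_error();
+if (ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
+if (retry_counter-- == 0) {
+BNerror(BN_R_TOO_MANY_ITERATIONS);
+return 0;
+}
+ERR_clear_error();
+} else
+return 0;
+} else
+break;
+} while (1);
+
+if (ret->bn_mod_exp != NULL && ret->m_ctx != NULL) {
+if (!ret->bn_mod_exp(ret->A, ret->A, ret->e, ret->mod,
+ctx, ret->m_ctx))
+return 0;
+} else {
+if (!BN_mod_exp_ct(ret->A, ret->A, ret->e, ret->mod, ctx))
+return 0;
+}
+
+return 1;
+}
+
 static int
 BN_BLINDING_update(BN_BLINDING *b, BN_CTX *ctx)
 {
@@ -187,8 +226,7 @@ BN_BLINDING_update(BN_BLINDING *b, BN_CTX *ctx)
 b->counter = 0;
 
 if (++b->counter == BN_BLINDING_COUNTER) {
-/* re-create blinding parameters */
-if (!BN_BLINDING_create_param(b, NULL, NULL, ctx, NULL, NULL))
+if (!BN_BLINDING_setup(b, ctx))
 goto err;
 } else {
 if (!BN_mod_mul(b->A, b->A, b->A, b->mod, ctx))
@@ -258,7 +296,6 @@ BN_BLINDING_create_param(BN_BLINDING *b, const BIGNUM *e, BIGNUM *m, BN_CTX *ctx
 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx), BN_MONT_CTX *m_ctx)
 {
 BN_BLINDING *ret = NULL;
-int retry_counter = 32;
 
 if ((ret = b) == NULL)
 ret = BN_BLINDING_new(e, m);
@@ -270,32 +307,8 @@ BN_BLINDING_create_param(BN_BLINDING *b, const BIGNUM *e, BIGNUM *m, BN_CTX *ctx
 if (m_ctx != NULL)
 ret->m_ctx = m_ctx;
 
-do {
-if (!BN_rand_range(ret->A, ret->mod))
-goto err;
-if (BN_mod_inverse_ct(ret->Ai, ret->A, ret->mod, ctx) == NULL) {
-/* this should almost never happen for good RSA keys */
-unsigned long error = ERR_peek_last_error();
-if (ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
-if (retry_counter-- == 0) {
-BNerror(BN_R_TOO_MANY_ITERATIONS);
-goto err;
-}
-ERR_clear_error();
-} else
-goto err;
-} else
-break;
-} while (1);
-
-if (ret->bn_mod_exp != NULL && ret->m_ctx != NULL) {
-if (!ret->bn_mod_exp(ret->A, ret->A, ret->e, ret->mod,
-ctx, ret->m_ctx))
-goto err;
-} else {
-if (!BN_mod_exp_ct(ret->A, ret->A, ret->e, ret->mod, ctx))
-goto err;
-}
+if (!BN_BLINDING_setup(ret, ctx))
+goto err;
 
 return ret;
 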
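Review bot: The new static helper BN_BLINDING_setup (new lines 181-218) carries no header comment, so a reader has to reverse-engineer from the loop which fields it writes and in what order. I would add a comment above `static int` stating that it draws a fresh random A in [0, mod), stores A's modular inverse in Ai before A is overwritten with A^e mod mod (via bn_mod_exp with m_ctx when both are set, otherwise BN_mod_exp_ct), retries the draw only when the inverse does not exist, and returns 1 on success or 0 on failure, BN_R_TOO_MANY_ITERATIONS being the only error the helper raises itself. Note also that with `retry_counter` starting at 32 and the test `retry_counter-- == 0`, 33 non-invertible draws are tolerated before that error fires; this is inherited unchanged from the old loop, but if 32 attempts is the intent the test would be `--retry_counter == 0`. Both callers (BN_BLINDING_update at new line 229 and BN_BLINDING_create_param at new line 310) previously ran the identical loop with goto err, so their observable behaviour appears unchanged; the err labels of both functions lie outside the hunks.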