authorho <ho@openbsd.org>2003-03-15 16:35:53 +0000
committerho <ho@openbsd.org>2003-03-15 16:35:53 +0000
commit51060a0254e73346f8b3e0873a0894b39f7297f4 (patch)
tree9eb82547f743dd7e894d507a9c5989250d86b6b5 /lib/libssl/src
parentmissing ap_server_strip_chroot() (diff)
Enforce blinding on RSA operations involving private keys.
From http://www.openssl.org/~geoff, modified to be enabled at all times.
Diffstat (limited to 'lib/libssl/src')
-rw-r--r--lib/libssl/src/crypto/rsa/rsa_eay.c27
-rw-r--r--lib/libssl/src/crypto/rsa/rsa_lib.c4
2 files changed, 27 insertions, 4 deletions
diff --git a/lib/libssl/src/crypto/rsa/rsa_eay.c b/lib/libssl/src/crypto/rsa/rsa_eay.c
index 0eda816081d..3fe1cd6540e 100644
--- a/lib/libssl/src/crypto/rsa/rsa_eay.c
+++ b/lib/libssl/src/crypto/rsa/rsa_eay.c
@@ -97,6 +97,21 @@ const RSA_METHOD *RSA_PKCS1_SSLeay(void)
return(&rsa_pkcs1_eay_meth);
}
+static void rsa_eay_blinding(RSA *rsa, BN_CTX *ctx)
+ {
+ CRYPTO_w_lock(CRYPTO_LOCK_RSA);
+ /* Check again inside the lock - the macro's check is racey */
+ if(rsa->blinding == NULL)
+ RSA_blinding_on(rsa, ctx);
+ CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
+ }
+#define BLINDING_HELPER(rsa, ctx) \
+ do { \
+ if(((rsa)->flags & RSA_FLAG_BLINDING) && \
+ ((rsa)->blinding == NULL)) \
+ rsa_eay_blinding(rsa, ctx); \
+ } while(0)
+
static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding)
{
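Review bot: The return value of `RSA_blinding_on(rsa, ctx)` is discarded in `rsa_eay_blinding`, so when blinding setup fails `rsa->blinding` stays NULL and the call sites in the `RSA_eay_private_encrypt` and `RSA_eay_private_decrypt` hunks go on to pass it to `BN_BLINDING_convert`. With the flag now forced on for every key, that failure should abort the private-key operation rather than depend on how `BN_BLINDING_convert` treats a NULL blinding, which is not visible here. Have the helper return the result and let the macro take an error action, so both call sites become `BLINDING_HELPER(rsa, ctx, goto err;);`. The unlocked `(rsa)->blinding == NULL` test in the macro is called racy by the existing comment; a sentence on why a stale read is harmless there would help the next reader.

```c
static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx)
	{
	int ret = 1;
	CRYPTO_w_lock(CRYPTO_LOCK_RSA);
	/* Check again inside the lock - the macro's check is racey */
	if(rsa->blinding == NULL)
		ret = RSA_blinding_on(rsa, ctx);
	CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
	return ret;
	}
#define BLINDING_HELPER(rsa, ctx, err_instr) \
	do { \
		if(((rsa)->flags & RSA_FLAG_BLINDING) && \
		    ((rsa)->blinding == NULL) && \
		    !rsa_eay_blinding(rsa, ctx)) \
			err_instr \
	} while(0)
```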
@@ -237,8 +252,8 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
goto err;
}
- if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
- RSA_blinding_on(rsa,ctx);
+ BLINDING_HELPER(rsa, ctx);
+
if (rsa->flags & RSA_FLAG_BLINDING)
if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
@@ -316,8 +331,8 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
goto err;
}
- if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
- RSA_blinding_on(rsa,ctx);
+ BLINDING_HELPER(rsa, ctx);
+
if (rsa->flags & RSA_FLAG_BLINDING)
if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
@@ -592,6 +607,10 @@ err:
static int RSA_eay_init(RSA *rsa)
{
rsa->flags|=RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE;
+
+ /* Enforce blinding. */
+ rsa->flags|=RSA_FLAG_BLINDING;
+
return(1);
}
diff --git a/lib/libssl/src/crypto/rsa/rsa_lib.c b/lib/libssl/src/crypto/rsa/rsa_lib.c
index 93235744f7a..f71870a3387 100644
--- a/lib/libssl/src/crypto/rsa/rsa_lib.c
+++ b/lib/libssl/src/crypto/rsa/rsa_lib.c
@@ -181,6 +181,10 @@ RSA *RSA_new_method(ENGINE *engine)
OPENSSL_free(ret);
ret=NULL;
}
+
+ /* Enforce blinding. */
+ ret->flags |= RSA_FLAG_BLINDING;
+
return(ret);
}
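Review bot: The added `ret->flags |= RSA_FLAG_BLINDING;` runs right after a branch that ends in `OPENSSL_free(ret); ret=NULL;`, so on that path it dereferences a NULL pointer instead of returning NULL to the caller. The condition guarding that branch starts above the hunk, but the context lines suggest it is the failure path of the method's init call. Guard the assignment, `if (ret != NULL) ret->flags |= RSA_FLAG_BLINDING;`, or set the flag before the branch that can free `ret`.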