fix BIGNUM flag handling

CHANGES

@@ -610,6 +610,10 @@
 
  Changes between 0.9.8g and 0.9.8h  [xx XXX xxxx]
 
+  *) Fix BN flag handling in RSA_eay_mod_exp() and BN_MONT_CTX_set()
+     to get the expected BN_FLG_CONSTTIME behavior.
+     [Bodo Moeller (Google)]
+  
   *) Netware support:
 
      - fixed wrong usage of ioctlsocket() when build for LIBC BSD sockets

crypto/bn/bn_mont.c

@@ -425,6 +425,7 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
 		BIGNUM tmod;
 		BN_ULONG buf[2];
 
+		BN_init(&tmod);
 		tmod.d=buf;
 		tmod.dmax=2;
 		tmod.neg=0;

crypto/rsa/rsa_eay.c

@@ -151,13 +151,13 @@ const RSA_METHOD *RSA_PKCS1_SSLeay(void)
 	}
 
 /* Usage example;
- *    MONT_HELPER(rsa, bn_ctx, p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
+ *    MONT_HELPER(rsa->_method_mod_p, bn_ctx, rsa->p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
  */
-#define MONT_HELPER(rsa, ctx, m, pre_cond, err_instr) \
+#define MONT_HELPER(method_mod, ctx, m, pre_cond, err_instr) \
-	if((pre_cond) && ((rsa)->_method_mod_##m == NULL) && \
+	if ((pre_cond) && ((method_mod) == NULL) && \
-			!BN_MONT_CTX_set_locked(&((rsa)->_method_mod_##m), \
+			!BN_MONT_CTX_set_locked(&(method_mod), \
 				CRYPTO_LOCK_RSA, \
-				(rsa)->m, (ctx))) \
+				(m), (ctx))) \
 		err_instr
 
 static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
@@ -227,13 +227,13 @@ static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
 	if (BN_bin2bn(buf,num,f) == NULL) goto err;
 	
 	if (BN_ucmp(f, rsa->n) >= 0)
-		{	
+		{
 		/* usually the padding functions would catch this */
 		RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
 		goto err;
 		}
 
-	MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
+	MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
 
 	if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx,
 		rsa->_method_mod_n)) goto err;
@@ -436,9 +436,9 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
 			BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
 			}
 		else
-			d = rsa->d;
+			d= rsa->d;
 
-		MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
+		MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
 
 		if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx,
 				rsa->_method_mod_n)) goto err;
@@ -559,7 +559,7 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
 		else
 			d = rsa->d;
 
-		MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
+		MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
 		if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx,
 				rsa->_method_mod_n))
 		  goto err;
@@ -669,7 +669,7 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
 		goto err;
 		}
 
-	MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
+	MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
 
 	if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx,
 		rsa->_method_mod_n)) goto err;
@@ -717,7 +717,6 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
 	BIGNUM *r1,*m1,*vrfy;
 	BIGNUM local_dmp1,local_dmq1,local_c,local_r1;
 	BIGNUM *dmp1,*dmq1,*c,*pr1;
-	int bn_flags;
 	int ret=0;
 
 	BN_CTX_start(ctx);
@@ -725,31 +724,34 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
 	m1 = BN_CTX_get(ctx);
 	vrfy = BN_CTX_get(ctx);
 
-	/* Make sure mod_inverse in montgomerey intialization use correct 
+	{
-	 * BN_FLG_CONSTTIME flag.
+		BIGNUM local_p, local_q;
-	 */
+		BIGNUM *p = NULL, *q = NULL;
-	bn_flags = rsa->p->flags;
-	if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
-		{
-		rsa->p->flags |= BN_FLG_CONSTTIME;
-		}
-	MONT_HELPER(rsa, ctx, p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
-	/* We restore bn_flags back */
-	rsa->p->flags = bn_flags;
 
-        /* Make sure mod_inverse in montgomerey intialization use correct
+		/* Make sure BN_mod_inverse in Montgomery intialization uses the
-         * BN_FLG_CONSTTIME flag.
+		 * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set)
-         */
+		 */
-	bn_flags = rsa->q->flags;
+		if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
-	if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
+			{
-		{
+			BN_init(&local_p);
-		rsa->q->flags |= BN_FLG_CONSTTIME;
+			p = &local_p;
-		}
+			BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
-	MONT_HELPER(rsa, ctx, q, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
-	/* We restore bn_flags back */
-	rsa->q->flags = bn_flags;	
 
-	MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
+			BN_init(&local_q);
+			q = &local_q;
+			BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
+			}
+		else
+			{
+			p = rsa->p;
+			q = rsa->q;
+			}
+
+		MONT_HELPER(rsa->_method_mod_p, ctx, p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
+		MONT_HELPER(rsa->_method_mod_q, ctx, q, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
+	}
+
+	MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
 
 	/* compute I mod q */
 	if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))