Free BN_MONT_CTX in generic code.
Although those are only created by code owned by RSA_METHOD, custom RSA_METHODs
shouldn't be allowed to squat our internal fields and then change how you free
things.
Remove 'method' from their names now that they're not method-specific.
Change-Id: I9494ef9a7754ad59ac9fba7fd463b3336d826e0b
Reviewed-on: https://boringssl-review.googlesource.com/6423
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/crypto/rsa/blinding.c b/crypto/rsa/blinding.c
index c93cee1..b6a06c8 100644
--- a/crypto/rsa/blinding.c
+++ b/crypto/rsa/blinding.c
@@ -434,8 +434,7 @@
BN_with_flags(n, rsa->n, BN_FLG_CONSTTIME);
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) {
- mont_ctx =
- BN_MONT_CTX_set_locked(&rsa->_method_mod_n, &rsa->lock, rsa->n, ctx);
+ mont_ctx = BN_MONT_CTX_set_locked(&rsa->mont_n, &rsa->lock, rsa->n, ctx);
if (mont_ctx == NULL) {
goto err;
}
diff --git a/crypto/rsa/internal.h b/crypto/rsa/internal.h
index b5b9c89..24eab90 100644
--- a/crypto/rsa/internal.h
+++ b/crypto/rsa/internal.h
@@ -69,7 +69,6 @@
extern const RSA_METHOD RSA_default_method;
-int rsa_default_finish(RSA *rsa);
size_t rsa_default_size(const RSA *rsa);
int rsa_default_encrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
const uint8_t *in, size_t in_len, int padding);
@@ -151,8 +150,8 @@
/* r is the product of all primes (including p and q) prior to this one. */
BIGNUM *r;
- /* method_mod is managed by the |RSA_METHOD|. */
- BN_MONT_CTX *method_mod;
+ /* mont is a |BN_MONT_CTX| modulo |prime|. */
+ BN_MONT_CTX *mont;
} RSA_additional_prime;
void RSA_additional_prime_free(RSA_additional_prime *ap);
diff --git a/crypto/rsa/rsa.c b/crypto/rsa/rsa.c
index 2589c14..49ab27b 100644
--- a/crypto/rsa/rsa.c
+++ b/crypto/rsa/rsa.c
@@ -124,6 +124,7 @@
BN_clear_free(ap->exp);
BN_clear_free(ap->coeff);
BN_clear_free(ap->r);
+ BN_MONT_CTX_free(ap->mont);
OPENSSL_free(ap);
}
@@ -138,9 +139,7 @@
return;
}
- if (rsa->meth == &RSA_default_method) {
- rsa_default_finish(rsa);
- } else if (rsa->meth->finish) {
+ if (rsa->meth->finish) {
rsa->meth->finish(rsa);
}
METHOD_unref(rsa->meth);
@@ -155,6 +154,9 @@
BN_clear_free(rsa->dmp1);
BN_clear_free(rsa->dmq1);
BN_clear_free(rsa->iqmp);
+ BN_MONT_CTX_free(rsa->mont_n);
+ BN_MONT_CTX_free(rsa->mont_p);
+ BN_MONT_CTX_free(rsa->mont_q);
for (u = 0; u < rsa->num_blindings; u++) {
BN_BLINDING_free(rsa->blindings[u]);
}
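Review bot: `mont_p` and `mont_q` are Montgomery contexts whose modulus is a private prime, yet they are released here with plain `BN_MONT_CTX_free` directly after a run of `BN_clear_free` calls that deliberately cleanse the secret BIGNUMs; whether `BN_MONT_CTX_free` cleanses its internal BIGNUMs is not visible in this diff, so confirm it does, otherwise prime-derived material is left behind in freed heap memory (`mont_n` is public-modulus data and is not affected). The same question applies to the `BN_MONT_CTX_free(ap->mont)` added to RSA_additional_prime_free in the hunk above. Those per-prime contexts were previously freed by the loop in the deleted rsa_default_finish; they are now released only if RSA_free's teardown of `rsa->additional_primes`, which lies outside this hunk, goes through RSA_additional_prime_free, which is worth confirming so multi-prime keys do not leak them. A short comment on the new lines would record the ownership rule the commit establishes, e.g. `/* Montgomery caches are owned by the RSA object, not the RSA_METHOD. */`. RSA_free begins outside this hunk.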
diff --git a/crypto/rsa/rsa_asn1.c b/crypto/rsa/rsa_asn1.c
index 5d2a2b7..6144e74 100644
--- a/crypto/rsa/rsa_asn1.c
+++ b/crypto/rsa/rsa_asn1.c
@@ -168,8 +168,8 @@
/* rsa_parse_additional_prime parses a DER-encoded OtherPrimeInfo from |cbs| and
* advances |cbs|. It returns a newly-allocated |RSA_additional_prime| on
- * success or NULL on error. The |r| and |method_mod| fields of the result are
- * set to NULL. */
+ * success or NULL on error. The |r| and |mont| fields of the result are set to
+ * NULL. */
static RSA_additional_prime *rsa_parse_additional_prime(CBS *cbs) {
RSA_additional_prime *ret = OPENSSL_malloc(sizeof(RSA_additional_prime));
if (ret == NULL) {
diff --git a/crypto/rsa/rsa_impl.c b/crypto/rsa/rsa_impl.c
index 6bb2214..bee7f22 100644
--- a/crypto/rsa/rsa_impl.c
+++ b/crypto/rsa/rsa_impl.c
@@ -73,23 +73,6 @@
64 /* exponent limit enforced for "large" modulus only */
-int rsa_default_finish(RSA *rsa) {
- BN_MONT_CTX_free(rsa->_method_mod_n);
- BN_MONT_CTX_free(rsa->_method_mod_p);
- BN_MONT_CTX_free(rsa->_method_mod_q);
-
- if (rsa->additional_primes != NULL) {
- size_t i;
- for (i = 0; i < sk_RSA_additional_prime_num(rsa->additional_primes); i++) {
- RSA_additional_prime *ap =
- sk_RSA_additional_prime_value(rsa->additional_primes, i);
- BN_MONT_CTX_free(ap->method_mod);
- }
- }
-
- return 1;
-}
-
size_t rsa_default_size(const RSA *rsa) {
return BN_num_bytes(rsa->n);
}
@@ -170,14 +153,12 @@
}
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) {
- if (BN_MONT_CTX_set_locked(&rsa->_method_mod_n, &rsa->lock, rsa->n, ctx) ==
- NULL) {
+ if (BN_MONT_CTX_set_locked(&rsa->mont_n, &rsa->lock, rsa->n, ctx) == NULL) {
goto err;
}
}
- if (!rsa->meth->bn_mod_exp(result, f, rsa->e, rsa->n, ctx,
- rsa->_method_mod_n)) {
+ if (!rsa->meth->bn_mod_exp(result, f, rsa->e, rsa->n, ctx, rsa->mont_n)) {
goto err;
}
@@ -496,14 +477,12 @@
}
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) {
- if (BN_MONT_CTX_set_locked(&rsa->_method_mod_n, &rsa->lock, rsa->n, ctx) ==
- NULL) {
+ if (BN_MONT_CTX_set_locked(&rsa->mont_n, &rsa->lock, rsa->n, ctx) == NULL) {
goto err;
}
}
- if (!rsa->meth->bn_mod_exp(result, f, rsa->e, rsa->n, ctx,
- rsa->_method_mod_n)) {
+ if (!rsa->meth->bn_mod_exp(result, f, rsa->e, rsa->n, ctx, rsa->mont_n)) {
goto err;
}
@@ -600,13 +579,13 @@
BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) {
- if (BN_MONT_CTX_set_locked(&rsa->_method_mod_n, &rsa->lock, rsa->n,
- ctx) == NULL) {
+ if (BN_MONT_CTX_set_locked(&rsa->mont_n, &rsa->lock, rsa->n, ctx) ==
+ NULL) {
goto err;
}
}
- if (!rsa->meth->bn_mod_exp(result, f, d, rsa->n, ctx, rsa->_method_mod_n)) {
+ if (!rsa->meth->bn_mod_exp(result, f, d, rsa->n, ctx, rsa->mont_n)) {
goto err;
}
}
@@ -667,20 +646,17 @@
BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) {
- if (BN_MONT_CTX_set_locked(&rsa->_method_mod_p, &rsa->lock, p, ctx) ==
- NULL) {
+ if (BN_MONT_CTX_set_locked(&rsa->mont_p, &rsa->lock, p, ctx) == NULL) {
goto err;
}
- if (BN_MONT_CTX_set_locked(&rsa->_method_mod_q, &rsa->lock, q, ctx) ==
- NULL) {
+ if (BN_MONT_CTX_set_locked(&rsa->mont_q, &rsa->lock, q, ctx) == NULL) {
goto err;
}
}
}
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) {
- if (BN_MONT_CTX_set_locked(&rsa->_method_mod_n, &rsa->lock, rsa->n, ctx) ==
- NULL) {
+ if (BN_MONT_CTX_set_locked(&rsa->mont_n, &rsa->lock, rsa->n, ctx) == NULL) {
goto err;
}
}
@@ -695,7 +671,7 @@
/* compute r1^dmq1 mod q */
dmq1 = &local_dmq1;
BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
- if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx, rsa->_method_mod_q)) {
+ if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx, rsa->mont_q)) {
goto err;
}
@@ -709,7 +685,7 @@
/* compute r1^dmp1 mod p */
dmp1 = &local_dmp1;
BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
- if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p, ctx, rsa->_method_mod_p)) {
+ if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p, ctx, rsa->mont_p)) {
goto err;
}
@@ -770,11 +746,11 @@
}
if ((rsa->flags & RSA_FLAG_CACHE_PRIVATE) &&
- !BN_MONT_CTX_set_locked(&ap->method_mod, &rsa->lock, prime, ctx)) {
+ !BN_MONT_CTX_set_locked(&ap->mont, &rsa->lock, prime, ctx)) {
goto err;
}
- if (!rsa->meth->bn_mod_exp(m1, r1, exp, prime, ctx, ap->method_mod)) {
+ if (!rsa->meth->bn_mod_exp(m1, r1, exp, prime, ctx, ap->mont)) {
goto err;
}
@@ -791,8 +767,7 @@
}
if (rsa->e && rsa->n) {
- if (!rsa->meth->bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx,
- rsa->_method_mod_n)) {
+ if (!rsa->meth->bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx, rsa->mont_n)) {
goto err;
}
/* If 'I' was greater than (or equal to) rsa->n, the operation
@@ -820,7 +795,7 @@
d = &local_d;
BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
- if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx, rsa->_method_mod_n)) {
+ if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx, rsa->mont_n)) {
goto err;
}
}
diff --git a/include/openssl/rsa.h b/include/openssl/rsa.h
index e0c4368..c970751 100644
--- a/include/openssl/rsa.h
+++ b/include/openssl/rsa.h
@@ -567,9 +567,9 @@
/* Used to cache montgomery values. The creation of these values is protected
* by |lock|. */
- BN_MONT_CTX *_method_mod_n;
- BN_MONT_CTX *_method_mod_p;
- BN_MONT_CTX *_method_mod_q;
+ BN_MONT_CTX *mont_n;
+ BN_MONT_CTX *mont_p;
+ BN_MONT_CTX *mont_q;
/* num_blindings contains the size of the |blindings| and |blindings_inuse|
* arrays. This member and the |blindings_inuse| array are protected by