sync code with last improvements from OpenBSD

lib/libcrypto/bn/bn_exp.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_exp.c,v 1.47 2023/07/08 12:21:58 beck Exp $ */
+/* $OpenBSD: bn_exp.c,v 1.50 2023/10/19 10:27:27 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -180,11 +180,12 @@ int
 BN_mod_exp_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
     BN_CTX *ctx)
 {
-	int i, j, bits, ret = 0, wstart, wend, window, wvalue;
+	int i, j, bits, wstart, wend, window, wvalue;
 	int start = 1;
-	BIGNUM *d;
+	BIGNUM *d, *q;
 	/* Table of variables obtained from 'ctx' */
 	BIGNUM *val[TABLE_SIZE];
+	int ret = 0;
 
 	if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0) {
 		/* BN_FLG_CONSTTIME only supported by BN_mod_exp_mont() */
@@ -192,6 +193,11 @@ BN_mod_exp_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
 		return -1;
 	}
 
+	if (r == m) {
+		BNerror(BN_R_INVALID_ARGUMENT);
+		return 0;
+	}
+
 	bits = BN_num_bits(p);
 	if (bits == 0) {
 		/* x**0 mod 1 is still zero. */
@@ -206,21 +212,24 @@ BN_mod_exp_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
 	BN_CTX_start(ctx);
 	if ((d = BN_CTX_get(ctx)) == NULL)
 		goto err;
+	if ((q = BN_CTX_get(ctx)) == NULL)
+		goto err;
 	if ((val[0] = BN_CTX_get(ctx)) == NULL)
 		goto err;
 
-	if (!BN_nnmod(val[0],a,m,ctx))
-		goto err;		/* 1 */
+	if (!BN_nnmod(val[0], a, m, ctx))
+		goto err;
 	if (BN_is_zero(val[0])) {
 		BN_zero(r);
-		ret = 1;
-		goto err;
+		goto done;
 	}
+	if (!bn_copy(q, p))
+		goto err;
 
 	window = BN_window_bits_for_exponent_size(bits);
 	if (window > 1) {
 		if (!BN_mod_mul(d, val[0], val[0], m, ctx))
-			goto err;				/* 2 */
+			goto err;
 		j = 1 << (window - 1);
 		for (i = 1; i < j; i++) {
 			if (((val[i] = BN_CTX_get(ctx)) == NULL) ||
@@ -240,7 +249,7 @@ BN_mod_exp_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
 		goto err;
 
 	for (;;) {
-		if (BN_is_bit_set(p, wstart) == 0) {
+		if (BN_is_bit_set(q, wstart) == 0) {
 			if (!start)
 				if (!BN_mod_mul(r, r, r, m, ctx))
 					goto err;
@@ -259,7 +268,7 @@ BN_mod_exp_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
 		for (i = 1; i < window; i++) {
 			if (wstart - i < 0)
 				break;
-			if (BN_is_bit_set(p, wstart - i)) {
+			if (BN_is_bit_set(q, wstart - i)) {
 				wvalue <<= (i - wend);
 				wvalue |= 1;
 				wend = i;
@@ -286,11 +295,14 @@ BN_mod_exp_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
 		if (wstart < 0)
 			break;
 	}
+
+ done:
 	ret = 1;
 
-err:
+ err:
 	BN_CTX_end(ctx);
-	return (ret);
+
+	return ret;
 }
 LCRYPTO_ALIAS(BN_mod_exp_simple);
 
@@ -698,12 +710,12 @@ BN_mod_exp_mont_internal(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, const BIG
 		goto err;
 	}
 	if (!BN_to_montgomery(val[0], aa, mont, ctx))
-		goto err; /* 1 */
+		goto err;
 
 	window = BN_window_bits_for_exponent_size(bits);
 	if (window > 1) {
 		if (!BN_mod_mul_montgomery(d, val[0], val[0], mont, ctx))
-			goto err; /* 2 */
+			goto err;
 		j = 1 << (window - 1);
 		for (i = 1; i < j; i++) {
 			if (((val[i] = BN_CTX_get(ctx)) == NULL) ||
@@ -956,12 +968,13 @@ int
 BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
     BN_CTX *ctx)
 {
-	int i, j, bits, ret = 0, wstart, wend, window, wvalue;
+	int i, j, bits, wstart, wend, window, wvalue;
 	int start = 1;
-	BIGNUM *aa;
+	BIGNUM *aa, *q;
 	/* Table of variables obtained from 'ctx' */
 	BIGNUM *val[TABLE_SIZE];
 	BN_RECP_CTX recp;
+	int ret = 0;
 
 	if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0) {
 		/* BN_FLG_CONSTTIME only supported by BN_mod_exp_mont() */
@@ -985,6 +998,8 @@ BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
 	BN_CTX_start(ctx);
 	if ((aa = BN_CTX_get(ctx)) == NULL)
 		goto err;
+	if ((q = BN_CTX_get(ctx)) == NULL)
+		goto err;
 	if ((val[0] = BN_CTX_get(ctx)) == NULL)
 		goto err;
 
@@ -1001,17 +1016,18 @@ BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
 	}
 
 	if (!BN_nnmod(val[0], a, m, ctx))
-		goto err;		/* 1 */
+		goto err;
 	if (BN_is_zero(val[0])) {
 		BN_zero(r);
-		ret = 1;
-		goto err;
+		goto done;
 	}
+	if (!bn_copy(q, p))
+		goto err;
 
 	window = BN_window_bits_for_exponent_size(bits);
 	if (window > 1) {
 		if (!BN_mod_mul_reciprocal(aa, val[0], val[0], &recp, ctx))
-			goto err;				/* 2 */
+			goto err;
 		j = 1 << (window - 1);
 		for (i = 1; i < j; i++) {
 			if (((val[i] = BN_CTX_get(ctx)) == NULL) ||
@@ -1032,9 +1048,9 @@ BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
 		goto err;
 
 	for (;;) {
-		if (BN_is_bit_set(p, wstart) == 0) {
+		if (BN_is_bit_set(q, wstart) == 0) {
 			if (!start)
-				if (!BN_mod_mul_reciprocal(r, r,r, &recp, ctx))
+				if (!BN_mod_mul_reciprocal(r, r, r, &recp, ctx))
 					goto err;
 			if (wstart == 0)
 				break;
@@ -1051,7 +1067,7 @@ BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
 		for (i = 1; i < window; i++) {
 			if (wstart - i < 0)
 				break;
-			if (BN_is_bit_set(p, wstart - i)) {
+			if (BN_is_bit_set(q, wstart - i)) {
 				wvalue <<= (i - wend);
 				wvalue |= 1;
 				wend = i;
@@ -1063,12 +1079,12 @@ BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
 		/* add the 'bytes above' */
 		if (!start)
 			for (i = 0; i < j; i++) {
-				if (!BN_mod_mul_reciprocal(r, r,r, &recp, ctx))
+				if (!BN_mod_mul_reciprocal(r, r, r, &recp, ctx))
 					goto err;
 			}
 
 		/* wvalue will be an odd number < 2^window */
-		if (!BN_mod_mul_reciprocal(r, r,val[wvalue >> 1], &recp, ctx))
+		if (!BN_mod_mul_reciprocal(r, r, val[wvalue >> 1], &recp, ctx))
 			goto err;
 
 		/* move the 'window' down further */
@@ -1078,12 +1094,15 @@ BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
 		if (wstart < 0)
 			break;
 	}
+
+ done:
 	ret = 1;
 
-err:
+ err:
 	BN_CTX_end(ctx);
 	BN_RECP_CTX_free(&recp);
-	return (ret);
+
+	return ret;
 }
 
 static int