authorGeoff Thorpe <geoff@openssl.org>2004-03-25 04:32:24 +0000
committerGeoff Thorpe <geoff@openssl.org>2004-03-25 04:32:24 +0000
commitc86f2054f39c7005bc03f91db2d7bcf38f0a92ac (patch)
treed44ff598397b7c8c61b254d32aaba1479a34deda /crypto/bn/bn_mont.c
parent5c98b2caf5ce545fbf77611431c7084979da8177 (diff)
Adjust various bignum functions to use BN_CTX for variables instead of
locally initialising their own. NB: I've removed the "BN_clear_free()" loops for the exit-paths in some of these functions, and that may be a major part of the performance improvements we're seeing. The "free" part can be removed because we're using BN_CTX. The "clear" part OTOH can be removed because BN_CTX destruction automatically performs this task, so performing it inside functions that may be called repeatedly is wasteful. This is currently safe within openssl due to the fact that BN_CTX objects are never created for longer than a single high-level operation. However, that is only because there's currently no mechanism in openssl for thread-local storage. Beyond that, this might be an issue for applications using the bignum API directly and caching their own BN_CTX objects. The solution is to introduce a flag to BN_CTX_start() that allows its variables to be automatically sanitised on release during BN_CTX_end(). This way any higher-level function (and perhaps the application) can specify this flag in its own BN_CTX_start()/BN_CTX_end() pair, and this will cause inner-loop functions specifying the flag to be ignored so that sanitisation is handled only once back out at the higher level. I will be implementing this in the near future.
Diffstat (limited to 'crypto/bn/bn_mont.c')
-rw-r--r--crypto/bn/bn_mont.c35
1 files changed, 18 insertions, 17 deletions
diff --git a/crypto/bn/bn_mont.c b/crypto/bn/bn_mont.c
index 14650ab9d5..287392db0f 100644
--- a/crypto/bn/bn_mont.c
+++ b/crypto/bn/bn_mont.c
@@ -271,9 +271,11 @@ void BN_MONT_CTX_free(BN_MONT_CTX *mont)
int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
{
- BIGNUM Ri,*R;
+ int ret = 0;
+ BIGNUM *Ri,*R;
- BN_init(&Ri);
+ BN_CTX_start(ctx);
+ if((Ri = BN_CTX_get(ctx)) == NULL) goto err;
R= &(mont->RR); /* grab RR as a temp */
BN_copy(&(mont->N),mod); /* Set N */
mont->N.neg = 0;
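Review bot: `BN_copy(&(mont->N),mod)` two lines below the new `BN_CTX_get` check is still unchecked, even though it returns NULL on failure and the function now has an error path that releases the context; it should read `if (!BN_copy(&(mont->N),mod)) goto err;`. As written, a failed copy leaves `mont->N` holding stale contents while `mont->N.neg = 0` and the later inverse computations proceed on it as if it were the new modulus. BN_MONT_CTX_set continues past this hunk, so the `err:` label that would receive the jump is not visible here.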
@@ -294,22 +296,21 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
tmod.dmax=2;
tmod.neg=0;
/* Ri = R^-1 mod N*/
- if ((BN_mod_inverse(&Ri,R,&tmod,ctx)) == NULL)
+ if ((BN_mod_inverse(Ri,R,&tmod,ctx)) == NULL)
goto err;
- if (!BN_lshift(&Ri,&Ri,BN_BITS2)) goto err; /* R*Ri */
- if (!BN_is_zero(&Ri))
+ if (!BN_lshift(Ri,Ri,BN_BITS2)) goto err; /* R*Ri */
+ if (!BN_is_zero(Ri))
{
- if (!BN_sub_word(&Ri,1)) goto err;
+ if (!BN_sub_word(Ri,1)) goto err;
}
else /* if N mod word size == 1 */
{
- if (!BN_set_word(&Ri,BN_MASK2)) goto err; /* Ri-- (mod word size) */
+ if (!BN_set_word(Ri,BN_MASK2)) goto err; /* Ri-- (mod word size) */
}
- if (!BN_div(&Ri,NULL,&Ri,&tmod,ctx)) goto err;
+ if (!BN_div(Ri,NULL,Ri,&tmod,ctx)) goto err;
/* Ni = (R*Ri-1)/N,
* keep only least significant word: */
- mont->n0 = (Ri.top > 0) ? Ri.d[0] : 0;
- BN_free(&Ri);
+ mont->n0 = (Ri->top > 0) ? Ri->d[0] : 0;
}
#else /* !MONT_WORD */
{ /* bignum version */
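Review bot: Dropping `BN_free(&Ri)` changes the lifetime of the intermediate without a comment saying so: `Ri` is now owned by `ctx` and its value, derived from the modulus, stays in the context after this function returns, which matters for callers that pass a secret modulus (the commit message itself defers sanitisation to BN_CTX destruction). I would record that next to `mont->n0 = (Ri->top > 0) ? Ri->d[0] : 0;` with `/* Ri is a BN_CTX temporary: not cleared here, only when the BN_CTX is destroyed */`, so a reader does not assume the value is scrubbed on exit. The enclosing MONT_WORD block starts before this hunk.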
@@ -317,13 +318,12 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
BN_zero(R);
if (!BN_set_bit(R,mont->ri)) goto err; /* R = 2^ri */
/* Ri = R^-1 mod N*/
- if ((BN_mod_inverse(&Ri,R,&mont->N,ctx)) == NULL)
+ if ((BN_mod_inverse(Ri,R,&mont->N,ctx)) == NULL)
goto err;
- if (!BN_lshift(&Ri,&Ri,mont->ri)) goto err; /* R*Ri */
- if (!BN_sub_word(&Ri,1)) goto err;
+ if (!BN_lshift(Ri,Ri,mont->ri)) goto err; /* R*Ri */
+ if (!BN_sub_word(Ri,1)) goto err;
/* Ni = (R*Ri-1) / N */
- if (!BN_div(&(mont->Ni),NULL,&Ri,&mont->N,ctx)) goto err;
- BN_free(&Ri);
+ if (!BN_div(&(mont->Ni),NULL,Ri,&mont->N,ctx)) goto err;
}
#endif
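Review bot: `BN_zero(R)` at the top of the bignum branch silently overwrites `mont->RR`, because `R` aliases `&(mont->RR)` (set as a scratch pointer earlier in the function, outside this hunk), and nothing here says that RR is recomputed afterwards; a comment `/* R aliases mont->RR as scratch; RR proper is rebuilt after #endif */` on that line would prevent a reader from treating RR as live at this point. Separately, `BN_mod_inverse(Ri,R,&mont->N,ctx)` inverts modulo the caller-supplied `mont->N`; if that modulus can be secret for some callers, the inversion's running time is as sensitive as the modulus itself — whether BN_mod_inverse is constant-time is not visible here, so I would at least note the assumption at the call.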
@@ -332,9 +332,10 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
if (!BN_set_bit(&(mont->RR),mont->ri*2)) goto err;
if (!BN_mod(&(mont->RR),&(mont->RR),&(mont->N),ctx)) goto err;
- return(1);
+ ret = 1;
err:
- return(0);
+ BN_CTX_end(ctx);
+ return ret;
}
BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to, BN_MONT_CTX *from)
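Review bot: The unified exit now returns 0 after `BN_CTX_end(ctx)`, but nothing documents that `mont` is left partially updated on that path: `mont->N` has already been overwritten by the copy, `mont->RR` has been used as scratch, and `n0`/`Ni` may or may not have been set depending on where the `goto err` fired. I would add above `err:` the comment `/* on failure mont is partially updated (N, RR, n0/Ni); caller must not use it */` so callers do not keep using a context that failed to initialise. The function's earlier steps are outside this hunk.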