Merge OpenSSL 1.0.2p.

Jung-uk Kim 2018-08-14 17:48:02 +00:00
commit dea77ea6fc
500 changed files with 2966 additions and 2104 deletions

View File

@ -7,6 +7,64 @@
https://github.com/openssl/openssl/commits/ and pick the appropriate https://github.com/openssl/openssl/commits/ and pick the appropriate
release branch. release branch.
Changes between 1.0.2o and 1.0.2p [14 Aug 2018]
*) Client DoS due to large DH parameter
During key agreement in a TLS handshake using a DH(E) based ciphersuite a
malicious server can send a very large prime value to the client. This will
cause the client to spend an unreasonably long period of time generating a
key for this prime resulting in a hang until the client has finished. This
could be exploited in a Denial Of Service attack.
This issue was reported to OpenSSL on 5th June 2018 by Guido Vranken
(CVE-2018-0732)
[Guido Vranken]
*) Cache timing vulnerability in RSA Key Generation
The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to
a cache timing side channel attack. An attacker with sufficient access to
mount cache timing attacks during the RSA key generation process could
recover the private key.
This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera
Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia.
(CVE-2018-0737)
[Billy Brumley]
*) Make EVP_PKEY_asn1_new() a bit stricter about its input. A NULL pem_str
parameter is no longer accepted, as it leads to a corrupt table. NULL
pem_str is reserved for alias entries only.
[Richard Levitte]
*) Revert blinding in ECDSA sign and instead make problematic addition
length-invariant. Switch even to fixed-length Montgomery multiplication.
[Andy Polyakov]
*) Change generating and checking of primes so that the error rate of not
being prime depends on the intended use based on the size of the input.
For larger primes this will result in more rounds of Miller-Rabin.
The maximal error rate for primes with more than 1080 bits is lowered
to 2^-128.
[Kurt Roeckx, Annie Yousar]
*) Increase the number of Miller-Rabin rounds for DSA key generating to 64.
[Kurt Roeckx]
*) Add blinding to ECDSA and DSA signatures to protect against side channel
attacks discovered by Keegan Ryan (NCC Group).
[Matt Caswell]
*) When unlocking a pass phrase protected PEM file or PKCS#8 container, we
now allow empty (zero character) pass phrases.
[Richard Levitte]
*) Certificate time validation (X509_cmp_time) enforces stricter
compliance with RFC 5280. Fractional seconds and timezone offsets
are no longer allowed.
[Emilia Käsper]
Changes between 1.0.2n and 1.0.2o [27 Mar 2018] Changes between 1.0.2n and 1.0.2o [27 Mar 2018]
*) Constructed ASN.1 types with a recursive definition could exceed the stack *) Constructed ASN.1 types with a recursive definition could exceed the stack
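Review bot: the "Revert blinding in ECDSA sign" entry and the later "Add blinding to ECDSA and DSA signatures" entry describe opposite changes to the same code inside one release with no cross-reference, so a reader scanning the list cannot tell that the revert supersedes only the ECDSA half of the blinding entry while the DSA blinding stays. Suggest a parenthetical on the revert entry such as "(supersedes the ECDSA part of the blinding entry below)".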

View File

@ -1,26 +1,26 @@
HOW TO CONTRIBUTE PATCHES TO OpenSSL HOW TO CONTRIBUTE TO OpenSSL
------------------------------------ ----------------------------
(Please visit https://www.openssl.org/community/getting-started.html for (Please visit https://www.openssl.org/community/getting-started.html for
other ideas about how to contribute.) other ideas about how to contribute.)
Development is coordinated on the openssl-dev mailing list (see the Development is done on GitHub, https://github.com/openssl/openssl.
above link or https://mta.openssl.org for information on subscribing).
If you are unsure as to whether a feature will be useful for the general
OpenSSL community you might want to discuss it on the openssl-dev mailing
list first. Someone may be already working on the same thing or there
may be a good reason as to why that feature isn't implemented.
To submit a patch, make a pull request on GitHub. If you think the patch To request new features or report bugs, please open an issue on GitHub
could use feedback from the community, please start a thread on openssl-dev
to discuss it.
Having addressed the following items before the PR will help make the To submit a patch, please open a pull request on GitHub. If you are thinking
acceptance and review process faster: of making a large contribution, open an issue for it before starting work,
to get comments from the community. Someone may be already working on
the same thing or there may be reasons why that feature isn't implemented.
1. Anything other than trivial contributions will require a contributor To make it easier to review and accept your pull request, please follow these
licensing agreement, giving us permission to use your code. See guidelines:
https://www.openssl.org/policies/cla.html for details.
1. Anything other than a trivial contribution requires a Contributor
License Agreement (CLA), giving us permission to use your code. See
https://www.openssl.org/policies/cla.html for details. If your
contribution is too small to require a CLA, put "CLA: trivial" on a
line by itself in your commit message body.
2. All source files should start with the following text (with 2. All source files should start with the following text (with
appropriate comment characters at the start of each line and the appropriate comment characters at the start of each line and the
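Review bot: the new sentence "To request new features or report bugs, please open an issue on GitHub" has no terminating full stop, unlike the surrounding sentences; add one. The rest of the reworded guidance reads fine.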
@ -34,21 +34,21 @@ acceptance and review process faster:
https://www.openssl.org/source/license.html https://www.openssl.org/source/license.html
3. Patches should be as current as possible; expect to have to rebase 3. Patches should be as current as possible; expect to have to rebase
often. We do not accept merge commits; You will be asked to remove often. We do not accept merge commits, you will have to remove them
them before a patch is considered acceptable. (usually by rebasing) before it will be acceptable.
4. Patches should follow our coding style (see 4. Patches should follow our coding style (see
https://www.openssl.org/policies/codingstyle.html) and compile without https://www.openssl.org/policies/codingstyle.html) and compile
warnings. Where gcc or clang is availble you should use the without warnings. Where gcc or clang is available you should use the
--strict-warnings Configure option. OpenSSL compiles on many varied --strict-warnings Configure option. OpenSSL compiles on many varied
platforms: try to ensure you only use portable features. platforms: try to ensure you only use portable features. Clean builds
Clean builds via Travis and AppVeyor are expected, and done whenever via Travis and AppVeyor are required, and they are started automatically
a PR is created or updated. whenever a PR is created or updated.
5. When at all possible, patches should include tests. These can 5. When at all possible, patches should include tests. These can
either be added to an existing test, or completely new. Please see either be added to an existing test, or completely new. Please see
test/README for information on the test framework. test/README for information on the test framework.
6. New features or changed functionality must include 6. New features or changed functionality must include
documentation. Please look at the "pod" files in doc/apps, doc/crypto documentation. Please look at the "pod" files in doc for
and doc/ssl for examples of our style. examples of our style.

View File

@ -1173,6 +1173,7 @@ foreach (sort (keys %disabled))
$depflags .= " -DOPENSSL_NO_$ALGO"; $depflags .= " -DOPENSSL_NO_$ALGO";
} }
} }
if (/^comp$/) { $zlib = 0; }
} }
print "\n"; print "\n";
@ -1671,6 +1672,13 @@ while (<PIPE>) {
} }
close(PIPE); close(PIPE);
# Xcode did not handle $cc -M before clang support
my $cc_as_makedepend = 0;
if ($predefined{__GNUC__} >= 3 && !(defined($predefined{__APPLE_CC__})
&& !defined($predefined{__clang__}))) {
$cc_as_makedepend = 1;
}
if ($strict_warnings) if ($strict_warnings)
{ {
my $wopt; my $wopt;
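Review bot: the `$cc_as_makedepend` condition carries a double negation, `!(defined($predefined{__APPLE_CC__}) && !defined($predefined{__clang__}))`, that the comment "Xcode did not handle $cc -M before clang support" only half explains; spell out the intent in the comment (use the compiler for dependency generation with GCC 3 or newer or with clang, but not with Apple's pre-clang GCC) so the next person does not have to untangle the boolean.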
@ -1730,14 +1738,14 @@ while (<IN>)
s/^NM=\s*/NM= \$\(CROSS_COMPILE\)/; s/^NM=\s*/NM= \$\(CROSS_COMPILE\)/;
s/^RANLIB=\s*/RANLIB= \$\(CROSS_COMPILE\)/; s/^RANLIB=\s*/RANLIB= \$\(CROSS_COMPILE\)/;
s/^RC=\s*/RC= \$\(CROSS_COMPILE\)/; s/^RC=\s*/RC= \$\(CROSS_COMPILE\)/;
s/^MAKEDEPPROG=.*$/MAKEDEPPROG= \$\(CROSS_COMPILE\)$cc/ if $predefined{__GNUC__} >= 3; s/^MAKEDEPPROG=.*$/MAKEDEPPROG= \$\(CROSS_COMPILE\)$cc/ if $cc_as_makedepend;
} }
else { else {
s/^CC=.*$/CC= $cc/; s/^CC=.*$/CC= $cc/;
s/^AR=\s*ar/AR= $ar/; s/^AR=\s*ar/AR= $ar/;
s/^RANLIB=.*/RANLIB= $ranlib/; s/^RANLIB=.*/RANLIB= $ranlib/;
s/^RC=.*/RC= $windres/; s/^RC=.*/RC= $windres/;
s/^MAKEDEPPROG=.*$/MAKEDEPPROG= $cc/ if $predefined{__GNUC__} >= 3; s/^MAKEDEPPROG=.*$/MAKEDEPPROG= $cc/ if $cc_as_makedepend;
} }
s/^CFLAG=.*$/CFLAG= $cflags/; s/^CFLAG=.*$/CFLAG= $cflags/;
s/^DEPFLAG=.*$/DEPFLAG=$depflags/; s/^DEPFLAG=.*$/DEPFLAG=$depflags/;

View File

@ -4,7 +4,7 @@
## Makefile for OpenSSL ## Makefile for OpenSSL
## ##
VERSION=1.0.2o VERSION=1.0.2p
MAJOR=1 MAJOR=1
MINOR=0.2 MINOR=0.2
SHLIB_VERSION_NUMBER=1.0.0 SHLIB_VERSION_NUMBER=1.0.0

View File

@ -5,6 +5,11 @@
This file gives a brief overview of the major changes between each OpenSSL This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file. release. For more details please read the CHANGES file.
Major changes between OpenSSL 1.0.2o and OpenSSL 1.0.2p [14 Aug 2018]
o Client DoS due to large DH parameter (CVE-2018-0732)
o Cache timing vulnerability in RSA Key Generation (CVE-2018-0737)
Major changes between OpenSSL 1.0.2n and OpenSSL 1.0.2o [27 Mar 2018] Major changes between OpenSSL 1.0.2n and OpenSSL 1.0.2o [27 Mar 2018]
o Constructed ASN.1 types with a recursive definition could exceed the o Constructed ASN.1 types with a recursive definition could exceed the

View File

@ -1,7 +1,7 @@
OpenSSL 1.0.2o 27 Mar 2018 OpenSSL 1.0.2p 14 Aug 2018
Copyright (c) 1998-2015 The OpenSSL Project Copyright (c) 1998-2018 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
All rights reserved. All rights reserved.

View File

@ -56,7 +56,7 @@
* [including the GNU Public Licence.] * [including the GNU Public Licence.]
*/ */
/* ==================================================================== /* ====================================================================
* Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved.
* *
* Redistribution and use in source and binary forms, with or without * Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions * modification, are permitted provided that the following conditions
@ -1359,7 +1359,8 @@ int set_name_ex(unsigned long *flags, const char *arg)
}; };
if (set_multi_opts(flags, arg, ex_tbl) == 0) if (set_multi_opts(flags, arg, ex_tbl) == 0)
return 0; return 0;
if ((*flags & XN_FLAG_SEP_MASK) == 0) if (*flags != XN_FLAG_COMPAT
&& (*flags & XN_FLAG_SEP_MASK) == 0)
*flags |= XN_FLAG_SEP_CPLUS_SPC; *flags |= XN_FLAG_SEP_CPLUS_SPC;
return 1; return 1;
} }
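Review bot: the new guard `*flags != XN_FLAG_COMPAT` compares the whole flag word against a single value rather than masking a field, while the rest of the function treats `*flags` as a bit set; a one-line comment explaining why compat-mode output must not have XN_FLAG_SEP_CPLUS_SPC added would make the intent clear to the next reader.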

View File

@ -295,7 +295,7 @@ int MAIN(int argc, char **argv)
ASN1_TYPE *atmp; ASN1_TYPE *atmp;
int typ; int typ;
j = atoi(sk_OPENSSL_STRING_value(osk, i)); j = atoi(sk_OPENSSL_STRING_value(osk, i));
if (j == 0) { if (j <= 0 || j >= tmplen) {
BIO_printf(bio_err, "'%s' is an invalid number\n", BIO_printf(bio_err, "'%s' is an invalid number\n",
sk_OPENSSL_STRING_value(osk, i)); sk_OPENSSL_STRING_value(osk, i));
continue; continue;
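Review bot: the new range check `j <= 0 || j >= tmplen` is the right bound for an index into a buffer of `tmplen` bytes, but the value still comes from atoi(), which returns 0 for any non-numeric string, so "abc" and "0" now produce the same "is an invalid number" message. If distinguishing malformed input from an out-of-range value matters, strtol() with an end-pointer check would report them separately.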
@ -327,14 +327,14 @@ int MAIN(int argc, char **argv)
num = tmplen; num = tmplen;
} }
if (offset >= num) { if (offset < 0 || offset >= num) {
BIO_printf(bio_err, "Error: offset too large\n"); BIO_printf(bio_err, "Error: offset out of range\n");
goto end; goto end;
} }
num -= offset; num -= offset;
if ((length == 0) || ((long)length > num)) if (length == 0 || length > (unsigned int)num)
length = (unsigned int)num; length = (unsigned int)num;
if (derout) { if (derout) {
if (BIO_write(derout, str + offset, length) != (int)length) { if (BIO_write(derout, str + offset, length) != (int)length) {
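Review bot: `length > (unsigned int)num` mixes the unsigned `length` with a cast of the signed `num`; it is only safe because the check just above rejects `offset < 0 || offset >= num`, which leaves `num - offset` strictly positive and within `tmplen`. A one-line comment tying the cast to that check would keep a later edit from reordering them.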

View File

@ -1176,10 +1176,13 @@ int MAIN(int argc, char **argv)
if (j > 0) { if (j > 0) {
total_done++; total_done++;
BIO_printf(bio_err, "\n"); BIO_printf(bio_err, "\n");
if (!BN_add_word(serial, 1)) if (!BN_add_word(serial, 1)) {
X509_free(x);
goto err; goto err;
}
if (!sk_X509_push(cert_sk, x)) { if (!sk_X509_push(cert_sk, x)) {
BIO_printf(bio_err, "Memory allocation failure\n"); BIO_printf(bio_err, "Memory allocation failure\n");
X509_free(x);
goto err; goto err;
} }
} }
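Review bot: both new `X509_free(x)` calls are on paths that `goto err` after `x` has been produced but before it is pushed onto `cert_sk`, so they close a leak; please confirm that the `err:` label does not also free `x` on those paths, otherwise this becomes a double free. A single `X509_free(x); goto err;` cleanup block would also avoid repeating the pair.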

View File

@ -4,7 +4,7 @@
* 2000. * 2000.
*/ */
/* ==================================================================== /* ====================================================================
* Copyright (c) 1999 The OpenSSL Project. All rights reserved. * Copyright (c) 1999-2018 The OpenSSL Project. All rights reserved.
* *
* Redistribution and use in source and binary forms, with or without * Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions * modification, are permitted provided that the following conditions
@ -787,7 +787,6 @@ int MAIN(int argc, char **argv)
OCSP_response_status_str(i), i); OCSP_response_status_str(i), i);
if (ignore_err) if (ignore_err)
goto redo_accept; goto redo_accept;
ret = 0;
goto end; goto end;
} }
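Review bot: dropping `ret = 0;` before `goto end` changes the exit status of `openssl ocsp` from success to failure when the responder returns a non-successful response status. That is the right behaviour, but it is user-visible (scripts keyed on the exit code will now see a failure), and neither the CHANGES entries in this merge nor the visible diff document it; the CHANGES file and the ocsp man page should mention it.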

View File

@ -306,9 +306,9 @@ static char *md5crypt(const char *passwd, const char *magic, const char *salt)
out_buf[0] = '$'; out_buf[0] = '$';
out_buf[1] = 0; out_buf[1] = 0;
assert(strlen(magic) <= 4); /* "1" or "apr1" */ assert(strlen(magic) <= 4); /* "1" or "apr1" */
strncat(out_buf, magic, 4); BUF_strlcat(out_buf, magic, sizeof(out_buf));
strncat(out_buf, "$", 1); BUF_strlcat(out_buf, "$", sizeof(out_buf));
strncat(out_buf, salt, 8); BUF_strlcat(out_buf, salt, sizeof(out_buf));
assert(strlen(out_buf) <= 6 + 8); /* "$apr1$..salt.." */ assert(strlen(out_buf) <= 6 + 8); /* "$apr1$..salt.." */
salt_out = out_buf + 2 + strlen(magic); salt_out = out_buf + 2 + strlen(magic);
salt_len = strlen(salt_out); salt_len = strlen(salt_out);
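Review bot: replacing `strncat(out_buf, salt, 8)` with `BUF_strlcat(out_buf, salt, sizeof(out_buf))` removes the 8-character cap on the salt that the old call enforced; the following `assert(strlen(out_buf) <= 6 + 8)` now holds only if the caller has already limited the salt to 8 characters, and assert() is compiled out in release builds. Either keep an explicit salt-length check here or state in a comment where the salt is bounded before this point.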

View File

@ -56,7 +56,7 @@
* [including the GNU Public Licence.] * [including the GNU Public Licence.]
*/ */
/* ==================================================================== /* ====================================================================
* Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved.
* *
* Redistribution and use in source and binary forms, with or without * Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions * modification, are permitted provided that the following conditions
@ -152,9 +152,8 @@ typedef fd_mask fd_set;
#define PROTOCOL "tcp" #define PROTOCOL "tcp"
int do_server(int port, int type, int *ret, int do_server(int port, int type, int *ret,
int (*cb) (char *hostname, int s, int stype, int (*cb) (int s, int stype, unsigned char *context),
unsigned char *context), unsigned char *context, unsigned char *context, int naccept);
int naccept);
#ifdef HEADER_X509_H #ifdef HEADER_X509_H
int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx); int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
#endif #endif

View File

@ -56,7 +56,7 @@
* [including the GNU Public Licence.] * [including the GNU Public Licence.]
*/ */
/* ==================================================================== /* ====================================================================
* Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved.
* *
* Redistribution and use in source and binary forms, with or without * Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions * modification, are permitted provided that the following conditions
@ -337,7 +337,7 @@ static void sc_usage(void)
BIO_printf(bio_err, BIO_printf(bio_err,
" -prexit - print session information even on connection failure\n"); " -prexit - print session information even on connection failure\n");
BIO_printf(bio_err, BIO_printf(bio_err,
" -showcerts - show all certificates in the chain\n"); " -showcerts - Show all certificates sent by the server\n");
BIO_printf(bio_err, " -debug - extra output\n"); BIO_printf(bio_err, " -debug - extra output\n");
#ifdef WATT32 #ifdef WATT32
BIO_printf(bio_err, " -wdebug - WATT-32 tcp debugging\n"); BIO_printf(bio_err, " -wdebug - WATT-32 tcp debugging\n");

View File

@ -56,7 +56,7 @@
* [including the GNU Public Licence.] * [including the GNU Public Licence.]
*/ */
/* ==================================================================== /* ====================================================================
* Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved.
* *
* Redistribution and use in source and binary forms, with or without * Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions * modification, are permitted provided that the following conditions
@ -209,9 +209,9 @@ typedef unsigned int u_int;
#ifndef OPENSSL_NO_RSA #ifndef OPENSSL_NO_RSA
static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength); static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength);
#endif #endif
static int sv_body(char *hostname, int s, int stype, unsigned char *context); static int sv_body(int s, int stype, unsigned char *context);
static int www_body(char *hostname, int s, int stype, unsigned char *context); static int www_body(int s, int stype, unsigned char *context);
static int rev_body(char *hostname, int s, int stype, unsigned char *context); static int rev_body(int s, int stype, unsigned char *context);
static void close_accept_socket(void); static void close_accept_socket(void);
static void sv_usage(void); static void sv_usage(void);
static int init_ssl_connection(SSL *s); static int init_ssl_connection(SSL *s);
@ -1087,11 +1087,14 @@ int MAIN(int argc, char *argv[])
char *chCApath = NULL, *chCAfile = NULL; char *chCApath = NULL, *chCAfile = NULL;
char *vfyCApath = NULL, *vfyCAfile = NULL; char *vfyCApath = NULL, *vfyCAfile = NULL;
unsigned char *context = NULL; unsigned char *context = NULL;
#ifndef OPENSSL_NO_DH
char *dhfile = NULL; char *dhfile = NULL;
int no_dhe = 0;
#endif
int badop = 0; int badop = 0;
int ret = 1; int ret = 1;
int build_chain = 0; int build_chain = 0;
int no_tmp_rsa = 0, no_dhe = 0, no_ecdhe = 0, nocert = 0; int no_tmp_rsa = 0, no_ecdhe = 0, nocert = 0;
int state = 0; int state = 0;
const SSL_METHOD *meth = NULL; const SSL_METHOD *meth = NULL;
int socket_type = SOCK_STREAM; int socket_type = SOCK_STREAM;
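Review bot: `dhfile` and `no_dhe` now exist only under `#ifndef OPENSSL_NO_DH`, so every remaining reference to them in s_server.c must sit inside the same guard or `no-dh` builds fail to compile; the option-parsing hunks below are guarded, but the places where `dhfile` is loaded and `no_dhe` is consulted are not in this diff and should be checked.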
@ -1239,11 +1242,15 @@ int MAIN(int argc, char *argv[])
if (--argc < 1) if (--argc < 1)
goto bad; goto bad;
s_chain_file = *(++argv); s_chain_file = *(++argv);
} else if (strcmp(*argv, "-dhparam") == 0) { }
#ifndef OPENSSL_NO_DH
else if (strcmp(*argv, "-dhparam") == 0) {
if (--argc < 1) if (--argc < 1)
goto bad; goto bad;
dhfile = *(++argv); dhfile = *(++argv);
} else if (strcmp(*argv, "-dcertform") == 0) { }
#endif
else if (strcmp(*argv, "-dcertform") == 0) {
if (--argc < 1) if (--argc < 1)
goto bad; goto bad;
s_dcert_format = str2fmt(*(++argv)); s_dcert_format = str2fmt(*(++argv));
@ -1390,9 +1397,13 @@ int MAIN(int argc, char *argv[])
verify_quiet = 1; verify_quiet = 1;
} else if (strcmp(*argv, "-no_tmp_rsa") == 0) { } else if (strcmp(*argv, "-no_tmp_rsa") == 0) {
no_tmp_rsa = 1; no_tmp_rsa = 1;
} else if (strcmp(*argv, "-no_dhe") == 0) { }
#ifndef OPENSSL_NO_DH
else if (strcmp(*argv, "-no_dhe") == 0) {
no_dhe = 1; no_dhe = 1;
} else if (strcmp(*argv, "-no_ecdhe") == 0) { }
#endif
else if (strcmp(*argv, "-no_ecdhe") == 0) {
no_ecdhe = 1; no_ecdhe = 1;
} else if (strcmp(*argv, "-no_resume_ephemeral") == 0) { } else if (strcmp(*argv, "-no_resume_ephemeral") == 0) {
no_resume_ephemeral = 1; no_resume_ephemeral = 1;
@ -2165,7 +2176,7 @@ static void print_stats(BIO *bio, SSL_CTX *ssl_ctx)
SSL_CTX_sess_get_cache_size(ssl_ctx)); SSL_CTX_sess_get_cache_size(ssl_ctx));
} }
static int sv_body(char *hostname, int s, int stype, unsigned char *context) static int sv_body(int s, int stype, unsigned char *context)
{ {
char *buf = NULL; char *buf = NULL;
fd_set readfds; fd_set readfds;
@ -2780,7 +2791,7 @@ static int load_CA(SSL_CTX *ctx, char *file)
} }
#endif #endif
static int www_body(char *hostname, int s, int stype, unsigned char *context) static int www_body(int s, int stype, unsigned char *context)
{ {
char *buf = NULL; char *buf = NULL;
int ret = 1; int ret = 1;
@ -3183,7 +3194,7 @@ static int www_body(char *hostname, int s, int stype, unsigned char *context)
return (ret); return (ret);
} }
static int rev_body(char *hostname, int s, int stype, unsigned char *context) static int rev_body(int s, int stype, unsigned char *context)
{ {
char *buf = NULL; char *buf = NULL;
int i; int i;

View File

@ -109,7 +109,7 @@ static int ssl_sock_init(void);
static int init_client_ip(int *sock, unsigned char ip[4], int port, int type); static int init_client_ip(int *sock, unsigned char ip[4], int port, int type);
static int init_server(int *sock, int port, int type); static int init_server(int *sock, int port, int type);
static int init_server_long(int *sock, int port, char *ip, int type); static int init_server_long(int *sock, int port, char *ip, int type);
static int do_accept(int acc_sock, int *sock, char **host); static int do_accept(int acc_sock, int *sock);
static int host_ip(char *str, unsigned char ip[4]); static int host_ip(char *str, unsigned char ip[4]);
# ifdef OPENSSL_SYS_WIN16 # ifdef OPENSSL_SYS_WIN16
@ -290,12 +290,10 @@ static int init_client_ip(int *sock, unsigned char ip[4], int port, int type)
} }
int do_server(int port, int type, int *ret, int do_server(int port, int type, int *ret,
int (*cb) (char *hostname, int s, int stype, int (*cb) (int s, int stype, unsigned char *context),
unsigned char *context), unsigned char *context, unsigned char *context, int naccept)
int naccept)
{ {
int sock; int sock;
char *name = NULL;
int accept_socket = 0; int accept_socket = 0;
int i; int i;
@ -308,15 +306,13 @@ int do_server(int port, int type, int *ret,
} }
for (;;) { for (;;) {
if (type == SOCK_STREAM) { if (type == SOCK_STREAM) {
if (do_accept(accept_socket, &sock, &name) == 0) { if (do_accept(accept_socket, &sock) == 0) {
SHUTDOWN(accept_socket); SHUTDOWN(accept_socket);
return (0); return (0);
} }
} else } else
sock = accept_socket; sock = accept_socket;
i = (*cb) (name, sock, type, context); i = (*cb) (sock, type, context);
if (name != NULL)
OPENSSL_free(name);
if (type == SOCK_STREAM) if (type == SOCK_STREAM)
SHUTDOWN2(sock); SHUTDOWN2(sock);
if (naccept != -1) if (naccept != -1)
@ -386,30 +382,24 @@ static int init_server(int *sock, int port, int type)
return (init_server_long(sock, port, NULL, type)); return (init_server_long(sock, port, NULL, type));
} }
static int do_accept(int acc_sock, int *sock, char **host) static int do_accept(int acc_sock, int *sock)
{ {
int ret; int ret;
struct hostent *h1, *h2;
static struct sockaddr_in from;
int len;
/* struct linger ling; */
if (!ssl_sock_init()) if (!ssl_sock_init())
return (0); return 0;
# ifndef OPENSSL_SYS_WINDOWS # ifndef OPENSSL_SYS_WINDOWS
redoit: redoit:
# endif # endif
memset((char *)&from, 0, sizeof(from));
len = sizeof(from);
/* /*
* Note: under VMS with SOCKETSHR the fourth parameter is currently of * Note: under VMS with SOCKETSHR the fourth parameter is currently of
* type (int *) whereas under other systems it is (void *) if you don't * type (int *) whereas under other systems it is (void *) if you don't
* have a cast it will choke the compiler: if you do have a cast then you * have a cast it will choke the compiler: if you do have a cast then you
* can either go for (int *) or (void *). * can either go for (int *) or (void *).
*/ */
ret = accept(acc_sock, (struct sockaddr *)&from, (void *)&len); ret = accept(acc_sock, NULL, NULL);
if (ret == INVALID_SOCKET) { if (ret == INVALID_SOCKET) {
# if defined(OPENSSL_SYS_WINDOWS) || (defined(OPENSSL_SYS_NETWARE) && !defined(NETWARE_BSDSOCK)) # if defined(OPENSSL_SYS_WINDOWS) || (defined(OPENSSL_SYS_NETWARE) && !defined(NETWARE_BSDSOCK))
int i; int i;
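Review bot: with the call changed to `accept(acc_sock, NULL, NULL)` the comment block above it about the type of the fourth parameter under VMS with SOCKETSHR is obsolete, since no address or length argument is passed any more; remove it along with the `from` and `len` variables that this hunk already drops.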
@ -425,56 +415,11 @@ static int do_accept(int acc_sock, int *sock, char **host)
fprintf(stderr, "errno=%d ", errno); fprintf(stderr, "errno=%d ", errno);
perror("accept"); perror("accept");
# endif # endif
return (0); return 0;
} }
/*-
ling.l_onoff=1;
ling.l_linger=0;
i=setsockopt(ret,SOL_SOCKET,SO_LINGER,(char *)&ling,sizeof(ling));
if (i < 0) { perror("linger"); return(0); }
i=0;
i=setsockopt(ret,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i));
if (i < 0) { perror("keepalive"); return(0); }
*/
if (host == NULL)
goto end;
# ifndef BIT_FIELD_LIMITS
/* I should use WSAAsyncGetHostByName() under windows */
h1 = gethostbyaddr((char *)&from.sin_addr.s_addr,
sizeof(from.sin_addr.s_addr), AF_INET);
# else
h1 = gethostbyaddr((char *)&from.sin_addr,
sizeof(struct in_addr), AF_INET);
# endif
if (h1 == NULL) {
BIO_printf(bio_err, "bad gethostbyaddr\n");
*host = NULL;
/* return(0); */
} else {
if ((*host = (char *)OPENSSL_malloc(strlen(h1->h_name) + 1)) == NULL) {
perror("OPENSSL_malloc");
closesocket(ret);
return (0);
}
BUF_strlcpy(*host, h1->h_name, strlen(h1->h_name) + 1);
h2 = GetHostByName(*host);
if (h2 == NULL) {
BIO_printf(bio_err, "gethostbyname failure\n");
closesocket(ret);
return (0);
}
if (h2->h_addrtype != AF_INET) {
BIO_printf(bio_err, "gethostbyname addr is not AF_INET\n");
closesocket(ret);
return (0);
}
}
end:
*sock = ret; *sock = ret;
return (1); return 1;
} }
int extract_host_port(char *str, char **host_ptr, unsigned char *ip, int extract_host_port(char *str, char **host_ptr, unsigned char *ip,
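Review bot: this hunk mixes the functional change (removing the gethostbyaddr()/gethostbyname() lookup on the accepted peer, which also takes a blocking DNS round trip and a heap allocation out of every accept) with cosmetic `return (0)` to `return 0` rewrites; splitting the style changes into a separate commit would make the behavioural part easier to review. The removed commented-out SO_LINGER/SO_KEEPALIVE block was dead code and is fine to drop.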

View File

@ -277,6 +277,7 @@ static int check(X509_STORE *ctx, char *file,
X509_STORE_set_flags(ctx, vflags); X509_STORE_set_flags(ctx, vflags);
if (!X509_STORE_CTX_init(csc, ctx, x, uchain)) { if (!X509_STORE_CTX_init(csc, ctx, x, uchain)) {
ERR_print_errors(bio_err); ERR_print_errors(bio_err);
X509_STORE_CTX_free(csc);
goto end; goto end;
} }
if (tchain) if (tchain)
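Review bot: adding `X509_STORE_CTX_free(csc)` before `goto end` fixes a leak when X509_STORE_CTX_init() fails, but if the `end:` label also frees `csc` this becomes a double free; either set `csc = NULL` after the free here or let `end:` own the cleanup.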

View File

@ -46,7 +46,7 @@ SRC= $(LIBSRC)
EXHEADER= crypto.h opensslv.h opensslconf.h ebcdic.h symhacks.h \ EXHEADER= crypto.h opensslv.h opensslconf.h ebcdic.h symhacks.h \
ossl_typ.h ossl_typ.h
HEADER= cryptlib.h buildinf.h md32_common.h o_time.h o_str.h o_dir.h \ HEADER= cryptlib.h buildinf.h md32_common.h o_time.h o_str.h o_dir.h \
constant_time_locl.h $(EXHEADER) constant_time_locl.h bn_int.h $(EXHEADER)
ALL= $(GENERAL) $(SRC) $(HEADER) ALL= $(GENERAL) $(SRC) $(HEADER)

View File

@ -63,17 +63,31 @@
int i2d_ASN1_BOOLEAN(int a, unsigned char **pp) int i2d_ASN1_BOOLEAN(int a, unsigned char **pp)
{ {
int r; int r;
unsigned char *p; unsigned char *p, *allocated = NULL;
r = ASN1_object_size(0, 1, V_ASN1_BOOLEAN); r = ASN1_object_size(0, 1, V_ASN1_BOOLEAN);
if (pp == NULL) if (pp == NULL)
return (r); return (r);
p = *pp;
if (*pp == NULL) {
if ((p = allocated = OPENSSL_malloc(r)) == NULL) {
ASN1err(ASN1_F_I2D_ASN1_BOOLEAN, ERR_R_MALLOC_FAILURE);
return 0;
}
} else {
p = *pp;
}
ASN1_put_object(&p, 0, 1, V_ASN1_BOOLEAN, V_ASN1_UNIVERSAL); ASN1_put_object(&p, 0, 1, V_ASN1_BOOLEAN, V_ASN1_UNIVERSAL);
*(p++) = (unsigned char)a; *p = (unsigned char)a;
*pp = p;
return (r);
/*
* If a new buffer was allocated, just return it back.
* If not, return the incremented buffer pointer.
*/
*pp = allocated != NULL ? allocated : p + 1;
return r;
} }
int d2i_ASN1_BOOLEAN(int *a, const unsigned char **pp, long length) int d2i_ASN1_BOOLEAN(int *a, const unsigned char **pp, long length)
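Review bot: i2d_ASN1_BOOLEAN() now has two output conventions: with `*pp == NULL` it allocates and stores the buffer start in `*pp`, otherwise it advances `*pp` past the encoding. The in-code comment says so, but the caller-facing documentation needs to state that the allocated buffer must be released with OPENSSL_free(), and that the new allocation-failure return is 0 rather than a negative value.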

View File

@ -66,7 +66,7 @@
int i2d_ASN1_OBJECT(ASN1_OBJECT *a, unsigned char **pp) int i2d_ASN1_OBJECT(ASN1_OBJECT *a, unsigned char **pp)
{ {
unsigned char *p; unsigned char *p, *allocated = NULL;
int objsize; int objsize;
if ((a == NULL) || (a->data == NULL)) if ((a == NULL) || (a->data == NULL))
@ -76,13 +76,24 @@ int i2d_ASN1_OBJECT(ASN1_OBJECT *a, unsigned char **pp)
if (pp == NULL || objsize == -1) if (pp == NULL || objsize == -1)
return objsize; return objsize;
p = *pp; if (*pp == NULL) {
if ((p = allocated = OPENSSL_malloc(objsize)) == NULL) {
ASN1err(ASN1_F_I2D_ASN1_OBJECT, ERR_R_MALLOC_FAILURE);
return 0;
}
} else {
p = *pp;
}
ASN1_put_object(&p, 0, a->length, V_ASN1_OBJECT, V_ASN1_UNIVERSAL); ASN1_put_object(&p, 0, a->length, V_ASN1_OBJECT, V_ASN1_UNIVERSAL);
memcpy(p, a->data, a->length); memcpy(p, a->data, a->length);
p += a->length;
*pp = p; /*
return (objsize); * If a new buffer was allocated, just return it back.
* If not, return the incremented buffer pointer.
*/
*pp = allocated != NULL ? allocated : p + a->length;
return objsize;
} }
int a2d_ASN1_OBJECT(unsigned char *out, int olen, const char *buf, int num) int a2d_ASN1_OBJECT(unsigned char *out, int olen, const char *buf, int num)
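Review bot: error returns in i2d_ASN1_OBJECT() are now inconsistent: the existing early exit returns `objsize`, which can be -1, while the new allocation-failure path returns 0. Callers checking `<= 0` see both, callers checking `< 0` miss the new one; pick one convention or document both. The allocate-or-use-caller-buffer block is also duplicated verbatim from i2d_ASN1_BOOLEAN() and could become a shared static helper.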

View File

@ -4,7 +4,7 @@
* 2000. * 2000.
*/ */
/* ==================================================================== /* ====================================================================
* Copyright (c) 2000 The OpenSSL Project. All rights reserved. * Copyright (c) 2000-2018 The OpenSSL Project. All rights reserved.
* *
* Redistribution and use in source and binary forms, with or without * Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions * modification, are permitted provided that the following conditions
@ -194,18 +194,38 @@ static int do_buf(unsigned char *buf, int buflen,
int type, unsigned char flags, char *quotes, char_io *io_ch, int type, unsigned char flags, char *quotes, char_io *io_ch,
void *arg) void *arg)
{ {
int i, outlen, len; int i, outlen, len, charwidth;
unsigned char orflags, *p, *q; unsigned char orflags, *p, *q;
unsigned long c; unsigned long c;
p = buf; p = buf;
q = buf + buflen; q = buf + buflen;
outlen = 0; outlen = 0;
charwidth = type & BUF_TYPE_WIDTH_MASK;
switch (charwidth) {
case 4:
if (buflen & 3) {
ASN1err(ASN1_F_DO_BUF, ASN1_R_INVALID_UNIVERSALSTRING_LENGTH);
return -1;
}
break;
case 2:
if (buflen & 1) {
ASN1err(ASN1_F_DO_BUF, ASN1_R_INVALID_BMPSTRING_LENGTH);
return -1;
}
break;
default:
break;
}
while (p != q) { while (p != q) {
if (p == buf && flags & ASN1_STRFLGS_ESC_2253) if (p == buf && flags & ASN1_STRFLGS_ESC_2253)
orflags = CHARTYPE_FIRST_ESC_2253; orflags = CHARTYPE_FIRST_ESC_2253;
else else
orflags = 0; orflags = 0;
switch (type & BUF_TYPE_WIDTH_MASK) {
switch (charwidth) {
case 4: case 4:
c = ((unsigned long)*p++) << 24; c = ((unsigned long)*p++) << 24;
c |= ((unsigned long)*p++) << 16; c |= ((unsigned long)*p++) << 16;
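Review bot: the new length checks are the substantive part of this change: the 4-byte branch below consumes `*p++` four times per iteration and the loop only tests `p != q`, so a UniversalString whose length is not a multiple of 4 (or a BMPString with an odd length) previously read past the end of the buffer. Caching `type & BUF_TYPE_WIDTH_MASK` in `charwidth` is a sensible tidy-up; a brief comment above the switch saying that it guards the per-character reads would help future readers.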
@ -226,6 +246,7 @@ static int do_buf(unsigned char *buf, int buflen,
i = UTF8_getc(p, buflen, &c); i = UTF8_getc(p, buflen, &c);
if (i < 0) if (i < 0)
return -1; /* Invalid UTF8String */ return -1; /* Invalid UTF8String */
buflen -= i;
p += i; p += i;
break; break;
default: default:
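Review bot: `buflen -= i;` corrects the UTF-8 path, which previously passed the original `buflen` to UTF8_getc() on every call and so could let it decode past the end of the buffer; the 2- and 4-byte branches do not use `buflen` and are unaffected. Worth a comment that `buflen` is the remaining, not total, length from here on.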

View File

@ -3,7 +3,7 @@
* 2006. * 2006.
*/ */
/* ==================================================================== /* ====================================================================
* Copyright (c) 2006 The OpenSSL Project. All rights reserved. * Copyright (c) 2006-2018 The OpenSSL Project. All rights reserved.
* *
* Redistribution and use in source and binary forms, with or without * Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions * modification, are permitted provided that the following conditions
@ -305,6 +305,18 @@ EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_new(int id, int flags,
} else } else
ameth->info = NULL; ameth->info = NULL;
/*
* One of the following must be true:
*
* pem_str == NULL AND ASN1_PKEY_ALIAS is set
* pem_str != NULL AND ASN1_PKEY_ALIAS is clear
*
* Anything else is an error and may lead to a corrupt ASN1 method table
*/
if (!((pem_str == NULL && (flags & ASN1_PKEY_ALIAS) != 0)
|| (pem_str != NULL && (flags & ASN1_PKEY_ALIAS) == 0)))
goto err;
if (pem_str) { if (pem_str) {
ameth->pem_str = BUF_strdup(pem_str); ameth->pem_str = BUF_strdup(pem_str);
if (!ameth->pem_str) if (!ameth->pem_str)
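Review bot: the `goto err` on a `pem_str`/`ASN1_PKEY_ALIAS` mismatch fails silently: no `ASN1err` is raised before the jump, so a caller building a method table gets a NULL return with an empty error queue. Consider pushing a reason code there. Also confirm that the `err` label releases the partially built `ameth`, including the `ameth->info` assigned just above this check, since the jump now happens after that assignment. The condition itself could be written as `(pem_str == NULL) == ((flags & ASN1_PKEY_ALIAS) != 0)`, but the two-clause form with the comment is easier to audit, so keep it.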

View File

@ -1164,6 +1164,7 @@ int SMIME_text(BIO *in, BIO *out);
* The following lines are auto generated by the script mkerr.pl. Any changes * The following lines are auto generated by the script mkerr.pl. Any changes
* made after this point may be overwritten when the script is next run. * made after this point may be overwritten when the script is next run.
*/ */
void ERR_load_ASN1_strings(void); void ERR_load_ASN1_strings(void);
/* Error codes for the ASN1 functions. */ /* Error codes for the ASN1 functions. */
@ -1264,7 +1265,10 @@ void ERR_load_ASN1_strings(void);
# define ASN1_F_D2I_X509 156 # define ASN1_F_D2I_X509 156
# define ASN1_F_D2I_X509_CINF 157 # define ASN1_F_D2I_X509_CINF 157
# define ASN1_F_D2I_X509_PKEY 159 # define ASN1_F_D2I_X509_PKEY 159
# define ASN1_F_DO_BUF 221
# define ASN1_F_I2D_ASN1_BIO_STREAM 211 # define ASN1_F_I2D_ASN1_BIO_STREAM 211
# define ASN1_F_I2D_ASN1_BOOLEAN 223
# define ASN1_F_I2D_ASN1_OBJECT 222
# define ASN1_F_I2D_ASN1_SET 188 # define ASN1_F_I2D_ASN1_SET 188
# define ASN1_F_I2D_ASN1_TIME 160 # define ASN1_F_I2D_ASN1_TIME 160
# define ASN1_F_I2D_DSA_PUBKEY 161 # define ASN1_F_I2D_DSA_PUBKEY 161
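Review bot: `ASN1_F_I2D_ASN1_BOOLEAN` and `ASN1_F_I2D_ASN1_OBJECT` are added here alongside `ASN1_F_DO_BUF`, but only `ASN1_F_DO_BUF` has a visible `ASN1err` caller on this page. Make sure the `i2d_ASN1_BOOLEAN` and `i2d_ASN1_OBJECT` changes that use the other two are in the same commit, since this block is regenerated by mkerr.pl and codes with no caller are easy to lose on the next run.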
@ -1414,7 +1418,7 @@ void ERR_load_ASN1_strings(void);
# define ASN1_R_WRONG_TAG 168 # define ASN1_R_WRONG_TAG 168
# define ASN1_R_WRONG_TYPE 169 # define ASN1_R_WRONG_TYPE 169
#ifdef __cplusplus # ifdef __cplusplus
} }
#endif # endif
#endif #endif

View File

@ -166,7 +166,10 @@ static ERR_STRING_DATA ASN1_str_functs[] = {
{ERR_FUNC(ASN1_F_D2I_X509), "D2I_X509"}, {ERR_FUNC(ASN1_F_D2I_X509), "D2I_X509"},
{ERR_FUNC(ASN1_F_D2I_X509_CINF), "D2I_X509_CINF"}, {ERR_FUNC(ASN1_F_D2I_X509_CINF), "D2I_X509_CINF"},
{ERR_FUNC(ASN1_F_D2I_X509_PKEY), "d2i_X509_PKEY"}, {ERR_FUNC(ASN1_F_D2I_X509_PKEY), "d2i_X509_PKEY"},
{ERR_FUNC(ASN1_F_DO_BUF), "DO_BUF"},
{ERR_FUNC(ASN1_F_I2D_ASN1_BIO_STREAM), "i2d_ASN1_bio_stream"}, {ERR_FUNC(ASN1_F_I2D_ASN1_BIO_STREAM), "i2d_ASN1_bio_stream"},
{ERR_FUNC(ASN1_F_I2D_ASN1_BOOLEAN), "i2d_ASN1_BOOLEAN"},
{ERR_FUNC(ASN1_F_I2D_ASN1_OBJECT), "i2d_ASN1_OBJECT"},
{ERR_FUNC(ASN1_F_I2D_ASN1_SET), "i2d_ASN1_SET"}, {ERR_FUNC(ASN1_F_I2D_ASN1_SET), "i2d_ASN1_SET"},
{ERR_FUNC(ASN1_F_I2D_ASN1_TIME), "I2D_ASN1_TIME"}, {ERR_FUNC(ASN1_F_I2D_ASN1_TIME), "I2D_ASN1_TIME"},
{ERR_FUNC(ASN1_F_I2D_DSA_PUBKEY), "i2d_DSA_PUBKEY"}, {ERR_FUNC(ASN1_F_I2D_DSA_PUBKEY), "i2d_DSA_PUBKEY"},

View File

@ -4,7 +4,7 @@
* 2000. * 2000.
*/ */
/* ==================================================================== /* ====================================================================
* Copyright (c) 2000-2004 The OpenSSL Project. All rights reserved. * Copyright (c) 2000-2018 The OpenSSL Project. All rights reserved.
* *
* Redistribution and use in source and binary forms, with or without * Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions * modification, are permitted provided that the following conditions
@ -588,6 +588,8 @@ int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cout, int *putype,
otmp = (ASN1_OBJECT *)*pval; otmp = (ASN1_OBJECT *)*pval;
cont = otmp->data; cont = otmp->data;
len = otmp->length; len = otmp->length;
if (cont == NULL || len == 0)
return -1;
break; break;
case V_ASN1_NULL: case V_ASN1_NULL:
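Review bot: the `cont == NULL || len == 0` guard for `V_ASN1_OBJECT` turns an uninitialised or empty `ASN1_OBJECT` into an encoding error instead of emitting a zero-length OBJECT IDENTIFIER or dereferencing a NULL `data` pointer; X.690 requires at least one content octet for an OID, so -1 is the right answer. A short comment saying so would help the next reader, and the new `ASN1_F_I2D_ASN1_OBJECT` function code in the header hunk suggests `i2d_ASN1_OBJECT` receives the same treatment; the two checks should agree on what counts as empty.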

View File

@ -1,6 +1,6 @@
/* crypto/bio/bss_log.c */ /* crypto/bio/bss_log.c */
/* ==================================================================== /* ====================================================================
* Copyright (c) 1999 The OpenSSL Project. All rights reserved. * Copyright (c) 1999-2018 The OpenSSL Project. All rights reserved.
* *
* Redistribution and use in source and binary forms, with or without * Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions * modification, are permitted provided that the following conditions
@ -242,7 +242,7 @@ static int MS_CALLBACK slg_write(BIO *b, const char *in, int inl)
if ((buf = (char *)OPENSSL_malloc(inl + 1)) == NULL) { if ((buf = (char *)OPENSSL_malloc(inl + 1)) == NULL) {
return (0); return (0);
} }
strncpy(buf, in, inl); memcpy(buf, in, inl);
buf[inl] = '\0'; buf[inl] = '\0';
i = 0; i = 0;
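Review bot: swapping `strncpy` for `memcpy` is correct and not just a warning fix: `buf` is allocated with `inl + 1` bytes and terminated explicitly by `buf[inl] = '\0'` on the next line, so `strncpy`'s NUL search and NUL padding added nothing, and with an embedded NUL in `in` it would silently drop the tail of the record. The one thing worth confirming is that `inl` cannot be negative by the time it reaches `OPENSSL_malloc(inl + 1)`; that guard belongs at the top of `slg_write`, not in this hunk.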

View File

@ -188,6 +188,8 @@ static int mem_write(BIO *b, const char *in, int inl)
} }
BIO_clear_retry_flags(b); BIO_clear_retry_flags(b);
if (inl == 0)
return 0;
blen = bm->length; blen = bm->length;
if (BUF_MEM_grow_clean(bm, blen + inl) != (blen + inl)) if (BUF_MEM_grow_clean(bm, blen + inl) != (blen + inl))
goto end; goto end;
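Review bot: the `if (inl == 0) return 0;` early exit has no comment saying which case it protects, so the reader has to guess what went wrong with a zero-length write before this change (the `BUF_MEM_grow_clean(bm, blen + 0)` call and its `!= (blen + inl)` comparison, or a later step). A one-line comment naming the failure would make the intent clear. Placing the return after `BIO_clear_retry_flags(b)` is right, since a zero-byte write must not leave retry flags set from an earlier call.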

View File

@ -197,21 +197,24 @@ bn_add.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
bn_add.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bn_add.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
bn_add.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h bn_add.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
bn_add.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h bn_add.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
bn_add.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_add.c bn_lcl.h bn_add.o: ../../include/openssl/symhacks.h ../bn_int.h ../cryptlib.h bn_add.c
bn_add.o: bn_lcl.h
bn_asm.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h bn_asm.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
bn_asm.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bn_asm.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
bn_asm.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bn_asm.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
bn_asm.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bn_asm.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
bn_asm.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h bn_asm.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
bn_asm.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h bn_asm.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
bn_asm.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_asm.c bn_lcl.h bn_asm.o: ../../include/openssl/symhacks.h ../bn_int.h ../cryptlib.h bn_asm.c
bn_asm.o: bn_lcl.h
bn_blind.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h bn_blind.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
bn_blind.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bn_blind.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
bn_blind.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bn_blind.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
bn_blind.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bn_blind.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
bn_blind.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h bn_blind.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
bn_blind.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h bn_blind.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
bn_blind.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_blind.c bn_lcl.h bn_blind.o: ../../include/openssl/symhacks.h ../bn_int.h ../cryptlib.h
bn_blind.o: bn_blind.c bn_lcl.h
bn_const.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h bn_const.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
bn_const.o: ../../include/openssl/opensslconf.h bn_const.o: ../../include/openssl/opensslconf.h
bn_const.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h bn_const.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
@ -223,7 +226,8 @@ bn_ctx.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
bn_ctx.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bn_ctx.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
bn_ctx.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h bn_ctx.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
bn_ctx.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h bn_ctx.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
bn_ctx.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_ctx.c bn_lcl.h bn_ctx.o: ../../include/openssl/symhacks.h ../bn_int.h ../cryptlib.h bn_ctx.c
bn_ctx.o: bn_lcl.h
bn_depr.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h bn_depr.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
bn_depr.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bn_depr.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
bn_depr.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bn_depr.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
@ -231,14 +235,15 @@ bn_depr.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
bn_depr.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h bn_depr.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
bn_depr.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h bn_depr.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
bn_depr.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h bn_depr.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
bn_depr.o: ../cryptlib.h bn_depr.c bn_lcl.h bn_depr.o: ../bn_int.h ../cryptlib.h bn_depr.c bn_lcl.h
bn_div.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h bn_div.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
bn_div.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bn_div.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
bn_div.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bn_div.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
bn_div.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bn_div.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
bn_div.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h bn_div.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
bn_div.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h bn_div.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
bn_div.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_div.c bn_lcl.h bn_div.o: ../../include/openssl/symhacks.h ../bn_int.h ../cryptlib.h bn_div.c
bn_div.o: bn_lcl.h
bn_err.o: ../../include/openssl/bio.h ../../include/openssl/bn.h bn_err.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
bn_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h bn_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
bn_err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h bn_err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
@ -252,7 +257,7 @@ bn_exp.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
bn_exp.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bn_exp.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
bn_exp.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h bn_exp.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
bn_exp.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h bn_exp.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
bn_exp.o: ../../include/openssl/symhacks.h ../constant_time_locl.h bn_exp.o: ../../include/openssl/symhacks.h ../bn_int.h ../constant_time_locl.h
bn_exp.o: ../cryptlib.h bn_exp.c bn_lcl.h rsaz_exp.h bn_exp.o: ../cryptlib.h bn_exp.c bn_lcl.h rsaz_exp.h
bn_exp2.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h bn_exp2.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
bn_exp2.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bn_exp2.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
@ -260,70 +265,80 @@ bn_exp2.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
bn_exp2.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bn_exp2.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
bn_exp2.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h bn_exp2.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
bn_exp2.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h bn_exp2.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
bn_exp2.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_exp2.c bn_lcl.h bn_exp2.o: ../../include/openssl/symhacks.h ../bn_int.h ../cryptlib.h bn_exp2.c
bn_exp2.o: bn_lcl.h
bn_gcd.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h bn_gcd.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
bn_gcd.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bn_gcd.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
bn_gcd.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bn_gcd.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
bn_gcd.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bn_gcd.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
bn_gcd.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h bn_gcd.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
bn_gcd.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h bn_gcd.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
bn_gcd.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_gcd.c bn_lcl.h bn_gcd.o: ../../include/openssl/symhacks.h ../bn_int.h ../cryptlib.h bn_gcd.c
bn_gcd.o: bn_lcl.h
bn_gf2m.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h bn_gf2m.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
bn_gf2m.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bn_gf2m.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
bn_gf2m.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bn_gf2m.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
bn_gf2m.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bn_gf2m.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
bn_gf2m.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h bn_gf2m.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
bn_gf2m.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h bn_gf2m.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
bn_gf2m.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_gf2m.c bn_lcl.h bn_gf2m.o: ../../include/openssl/symhacks.h ../bn_int.h ../cryptlib.h bn_gf2m.c
bn_gf2m.o: bn_lcl.h
bn_kron.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h bn_kron.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
bn_kron.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bn_kron.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
bn_kron.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bn_kron.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
bn_kron.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bn_kron.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
bn_kron.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h bn_kron.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
bn_kron.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h bn_kron.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
bn_kron.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_kron.c bn_lcl.h bn_kron.o: ../../include/openssl/symhacks.h ../bn_int.h ../cryptlib.h bn_kron.c
bn_kron.o: bn_lcl.h
bn_lib.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h bn_lib.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
bn_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bn_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
bn_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bn_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
bn_lib.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bn_lib.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
bn_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h bn_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
bn_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h bn_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
bn_lib.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h bn_lib.c bn_lib.o: ../../include/openssl/symhacks.h ../bn_int.h ../cryptlib.h bn_lcl.h
bn_lib.o: bn_lib.c
bn_mod.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h bn_mod.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
bn_mod.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bn_mod.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
bn_mod.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bn_mod.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
bn_mod.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bn_mod.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
bn_mod.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h bn_mod.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
bn_mod.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h bn_mod.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
bn_mod.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h bn_mod.c bn_mod.o: ../../include/openssl/symhacks.h ../bn_int.h ../cryptlib.h bn_lcl.h
bn_mod.o: bn_mod.c
bn_mont.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h bn_mont.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
bn_mont.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bn_mont.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
bn_mont.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bn_mont.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
bn_mont.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bn_mont.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
bn_mont.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h bn_mont.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
bn_mont.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h bn_mont.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
bn_mont.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h bn_mont.c bn_mont.o: ../../include/openssl/symhacks.h ../bn_int.h ../cryptlib.h bn_lcl.h
bn_mont.o: bn_mont.c
bn_mpi.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h bn_mpi.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
bn_mpi.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bn_mpi.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
bn_mpi.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bn_mpi.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
bn_mpi.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bn_mpi.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
bn_mpi.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h bn_mpi.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
bn_mpi.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h bn_mpi.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
bn_mpi.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h bn_mpi.c bn_mpi.o: ../../include/openssl/symhacks.h ../bn_int.h ../cryptlib.h bn_lcl.h
bn_mpi.o: bn_mpi.c
bn_mul.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h bn_mul.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
bn_mul.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bn_mul.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
bn_mul.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bn_mul.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
bn_mul.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bn_mul.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
bn_mul.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h bn_mul.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
bn_mul.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h bn_mul.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
bn_mul.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h bn_mul.c bn_mul.o: ../../include/openssl/symhacks.h ../bn_int.h ../cryptlib.h bn_lcl.h
bn_mul.o: bn_mul.c
bn_nist.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h bn_nist.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
bn_nist.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bn_nist.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
bn_nist.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bn_nist.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
bn_nist.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bn_nist.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
bn_nist.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h bn_nist.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
bn_nist.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h bn_nist.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
bn_nist.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h bn_nist.c bn_nist.o: ../../include/openssl/symhacks.h ../bn_int.h ../cryptlib.h bn_lcl.h
bn_nist.o: bn_nist.c
bn_prime.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h bn_prime.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
bn_prime.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bn_prime.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
bn_prime.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bn_prime.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
@ -331,14 +346,15 @@ bn_prime.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
bn_prime.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h bn_prime.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
bn_prime.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h bn_prime.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
bn_prime.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h bn_prime.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
bn_prime.o: ../cryptlib.h bn_lcl.h bn_prime.c bn_prime.h bn_prime.o: ../bn_int.h ../cryptlib.h bn_lcl.h bn_prime.c bn_prime.h
bn_print.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h bn_print.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
bn_print.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bn_print.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
bn_print.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bn_print.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
bn_print.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bn_print.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
bn_print.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h bn_print.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
bn_print.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h bn_print.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
bn_print.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h bn_print.c bn_print.o: ../../include/openssl/symhacks.h ../bn_int.h ../cryptlib.h bn_lcl.h
bn_print.o: bn_print.c
bn_rand.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h bn_rand.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
bn_rand.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bn_rand.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
bn_rand.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bn_rand.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
@ -346,42 +362,47 @@ bn_rand.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
bn_rand.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h bn_rand.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
bn_rand.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h bn_rand.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
bn_rand.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h bn_rand.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
bn_rand.o: ../cryptlib.h bn_lcl.h bn_rand.c bn_rand.o: ../bn_int.h ../cryptlib.h bn_lcl.h bn_rand.c
bn_recp.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h bn_recp.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
bn_recp.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bn_recp.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
bn_recp.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bn_recp.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
bn_recp.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bn_recp.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
bn_recp.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h bn_recp.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
bn_recp.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h bn_recp.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
bn_recp.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h bn_recp.c bn_recp.o: ../../include/openssl/symhacks.h ../bn_int.h ../cryptlib.h bn_lcl.h
bn_recp.o: bn_recp.c
bn_shift.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h bn_shift.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
bn_shift.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bn_shift.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
bn_shift.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bn_shift.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
bn_shift.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bn_shift.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
bn_shift.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h bn_shift.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
bn_shift.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h bn_shift.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
bn_shift.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h bn_shift.c bn_shift.o: ../../include/openssl/symhacks.h ../bn_int.h ../cryptlib.h bn_lcl.h
bn_shift.o: bn_shift.c
bn_sqr.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h bn_sqr.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
bn_sqr.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bn_sqr.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
bn_sqr.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bn_sqr.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
bn_sqr.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bn_sqr.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
bn_sqr.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h bn_sqr.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
bn_sqr.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h bn_sqr.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
bn_sqr.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h bn_sqr.c bn_sqr.o: ../../include/openssl/symhacks.h ../bn_int.h ../cryptlib.h bn_lcl.h
bn_sqr.o: bn_sqr.c
bn_sqrt.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h bn_sqrt.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
bn_sqrt.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bn_sqrt.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
bn_sqrt.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bn_sqrt.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
bn_sqrt.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bn_sqrt.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
bn_sqrt.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h bn_sqrt.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
bn_sqrt.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h bn_sqrt.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
bn_sqrt.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h bn_sqrt.c bn_sqrt.o: ../../include/openssl/symhacks.h ../bn_int.h ../cryptlib.h bn_lcl.h
bn_sqrt.o: bn_sqrt.c
bn_word.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h bn_word.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
bn_word.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bn_word.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
bn_word.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h bn_word.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
bn_word.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bn_word.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
bn_word.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h bn_word.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
bn_word.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h bn_word.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
bn_word.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h bn_word.c bn_word.o: ../../include/openssl/symhacks.h ../bn_int.h ../cryptlib.h bn_lcl.h
bn_word.o: bn_word.c
bn_x931p.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h bn_x931p.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
bn_x931p.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h bn_x931p.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
bn_x931p.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h bn_x931p.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h

View File

@ -216,14 +216,15 @@ bn_mul_mont:
mov $tp,sp @ "rewind" $tp mov $tp,sp @ "rewind" $tp
sub $rp,$rp,$aj @ "rewind" $rp sub $rp,$rp,$aj @ "rewind" $rp
and $ap,$tp,$nhi .Lcopy: ldr $tj,[$tp] @ conditional copy
bic $np,$rp,$nhi ldr $aj,[$rp]
orr $ap,$ap,$np @ ap=borrow?tp:rp
.Lcopy: ldr $tj,[$ap],#4 @ copy or in-place refresh
str sp,[$tp],#4 @ zap tp str sp,[$tp],#4 @ zap tp
str $tj,[$rp],#4 #ifdef __thumb2__
cmp $tp,$num it cc
#endif
movcc $aj,$tj
str $aj,[$rp],#4
teq $tp,$num @ preserve carry
bne .Lcopy bne .Lcopy
add sp,$num,#4 @ skip over tp[num+1] add sp,$num,#4 @ skip over tp[num+1]
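Review bot: the loop-exit test at the bottom of the hunk changing from `cmp $tp,$num` to `teq $tp,$num` is load-bearing, not cosmetic: the new `movcc $aj,$tj` selects the tp word on every iteration using the carry left over from the subtraction pass, `cmp` would overwrite C on each pass through `.Lcopy`, and `teq` only updates N and Z here (the `@ preserve carry` comment says as much). Two things to keep in mind for future edits: the `#ifdef __thumb2__ / it cc / #endif` guard is what makes the conditional `movcc` legal in Thumb-2, so nothing may be inserted between `it cc` and `movcc`; and the old pointer select (`and $ap,$tp,$nhi` / `bic $np,$rp,$nhi` / `orr $ap,$ap,$np`) is deliberately replaced by reading both `[$tp]` and `[$rp]` unconditionally, so the memory access pattern no longer depends on the borrow.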

View File

@ -332,19 +332,19 @@ bn_mul_mont_general:
{ .mmb; sub rptr=rptr,len // rewind { .mmb; sub rptr=rptr,len // rewind
sub tptr=tptr,len sub tptr=tptr,len
clrrrb.pr };; clrrrb.pr };;
{ .mmi; and aptr=tptr,topbit { .mmi; mov aptr=rptr
andcm bptr=rptr,topbit mov bptr=tptr
mov pr.rot=1<<16 };; mov pr.rot=1<<16 };;
{ .mii; or nptr=aptr,bptr { .mii; cmp.eq p0,p6=topbit,r0
mov ar.lc=lc mov ar.lc=lc
mov ar.ec=3 };; mov ar.ec=2 };;
.Lcopy_ctop: .Lcopy_ctop:
{ .mmb; (p16) ld8 n[0]=[nptr],8 { .mmi; (p16) ld8 a[0]=[aptr],8
(p18) st8 [tptr]=r0,8 (p16) ld8 t[0]=[bptr],8
(p16) nop.b 0 } (p6) mov a[1]=t[1] };; // (p17)
{ .mmb; (p16) nop.m 0 { .mmb; (p17) st8 [rptr]=a[1],8
(p18) st8 [rptr]=n[2],8 (p17) st8 [tptr]=r0,8
br.ctop.sptk .Lcopy_ctop };; br.ctop.sptk .Lcopy_ctop };;
.Lcopy_cend: .Lcopy_cend:
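Review bot: `mov ar.ec=3` becoming `mov ar.ec=2` must track the new rotating-register pipeline: the loop now has a load stage under p16 (`ld8 a[0]=[aptr],8` / `ld8 t[0]=[bptr],8`) and a store stage under p17 (`st8 [rptr]=a[1],8` / `st8 [tptr]=r0,8`), so the epilogue count drops from 3 to 2; if the stage predicates and ar.ec ever diverge again the loop will drop the last word or store a stale one. The select itself is done once outside the loop by `cmp.eq p0,p6=topbit,r0` (p6 set when the borrow word is non-zero) and applied uniformly to every word by `(p6) mov a[1]=t[1]`, so both `rptr` and `tptr` are read on every iteration regardless of the outcome, which is the point of the change.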

View File

@ -377,15 +377,13 @@ $code.=<<___;
$PTR_SUB $rp,$num # restore rp $PTR_SUB $rp,$num # restore rp
not $hi1,$hi0 not $hi1,$hi0
and $ap,$hi0,$sp .Lcopy: $LD $nj,($tp) # conditional move
and $bp,$hi1,$rp $LD $aj,($rp)
or $ap,$ap,$bp # ap=borrow?tp:rp
.align 4
.Lcopy: $LD $aj,($ap)
$PTR_ADD $ap,$BNSZ
$ST $zero,($tp) $ST $zero,($tp)
$PTR_ADD $tp,$BNSZ $PTR_ADD $tp,$BNSZ
and $nj,$hi0
and $aj,$hi1
or $aj,$nj
sltu $at,$tp,$tj sltu $at,$tp,$tj
$ST $aj,($rp) $ST $aj,($rp)
bnez $at,.Lcopy bnez $at,.Lcopy
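Review bot: the word select `and $nj,$hi0` / `and $aj,$hi1` / `or $aj,$nj` with `$hi1` from `not $hi1,$hi0` only works if `$hi0` is either 0 or all-ones when the loop is entered; a `$hi0` of 1 would copy only bit 0 of each tp word. Nothing inside the hunk enforces that, so the `# conditional move` comment on the `.Lcopy` line should state the precondition (that `$hi0` already holds the borrow expanded to a full word). Dropping the `.align 4` before the label is fine since the loop is now entered by fall-through and the body no longer needs a pointer-select prologue.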

View File

@ -510,7 +510,6 @@ L\$sub
stws,ma $hi1,4($rp) stws,ma $hi1,4($rp)
subb $ti0,%r0,$hi1 subb $ti0,%r0,$hi1
ldo -4($tp),$tp
___ ___
$code.=<<___ if ($BN_SZ==8); $code.=<<___ if ($BN_SZ==8);
ldd,ma 8($tp),$ti0 ldd,ma 8($tp),$ti0
@ -525,21 +524,19 @@ L\$sub
extrd,u $ti0,31,32,$ti0 ; carry in flipped word order extrd,u $ti0,31,32,$ti0 ; carry in flipped word order
sub,db $ti0,%r0,$hi1 sub,db $ti0,%r0,$hi1
ldo -8($tp),$tp
___ ___
$code.=<<___; $code.=<<___;
and $tp,$hi1,$ap ldo `$LOCALS+32`($fp),$tp
andcm $rp,$hi1,$bp
or $ap,$bp,$np
sub $rp,$arrsz,$rp ; rewind rp sub $rp,$arrsz,$rp ; rewind rp
subi 0,$arrsz,$idx subi 0,$arrsz,$idx
ldo `$LOCALS+32`($fp),$tp
L\$copy L\$copy
ldd $idx($np),$hi0 ldd 0($tp),$ti0
ldd 0($rp),$hi0
std,ma %r0,8($tp) std,ma %r0,8($tp)
addib,<> 8,$idx,.-8 ; L\$copy comiclr,= 0,$hi1,%r0
std,ma $hi0,8($rp) copy $ti0,$hi0
addib,<> 8,$idx,L\$copy
std,ma $hi0,8($rp)
___ ___
if ($BN_SZ==4) { # PA-RISC 1.1 code-path if ($BN_SZ==4) { # PA-RISC 1.1 code-path
@ -849,17 +846,16 @@ L\$sub_pa11
stws,ma $hi1,4($rp) stws,ma $hi1,4($rp)
subb $ti0,%r0,$hi1 subb $ti0,%r0,$hi1
ldo -4($tp),$tp
and $tp,$hi1,$ap
andcm $rp,$hi1,$bp
or $ap,$bp,$np
ldo `$LOCALS+32`($fp),$tp
sub $rp,$arrsz,$rp ; rewind rp sub $rp,$arrsz,$rp ; rewind rp
subi 0,$arrsz,$idx subi 0,$arrsz,$idx
ldo `$LOCALS+32`($fp),$tp
L\$copy_pa11 L\$copy_pa11
ldwx $idx($np),$hi0 ldw 0($tp),$ti0
ldw 0($rp),$hi0
stws,ma %r0,4($tp) stws,ma %r0,4($tp)
comiclr,= 0,$hi1,%r0
copy $ti0,$hi0
addib,<> 4,$idx,L\$copy_pa11 addib,<> 4,$idx,L\$copy_pa11
stws,ma $hi0,4($rp) stws,ma $hi0,4($rp)
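Review bot: the branch-target fix in the PA-RISC 2.0 copy loop is the substantive correctness item here: `addib,<> 8,$idx,.-8 ; L\$copy` encoded the loop by a hard-coded byte offset, which the two instructions added to the body (`comiclr,= 0,$hi1,%r0` and `copy $ti0,$hi0`) would have silently broken, and the replacement `addib,<> 8,$idx,L\$copy` uses the label, matching what the 1.1 path (`L\$copy_pa11`) already did. The select relies on `comiclr,=` nullifying the following `copy` when `$hi1` is zero, so `$hi0` keeps the word just loaded from `0($rp)` and otherwise takes the tp word from `$ti0`; both loops now reload `$tp` from `$LOCALS+32`($fp)` before entering, which is why the `ldo -4($tp),$tp` / `ldo -8($tp),$tp` rewinds after the subtraction pass could be dropped.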

View File

@ -294,15 +294,16 @@ Lsub: $LDX $tj,$tp,$j
li $j,0 li $j,0
mtctr $num mtctr $num
subfe $ovf,$j,$ovf ; handle upmost overflow bit subfe $ovf,$j,$ovf ; handle upmost overflow bit
and $ap,$tp,$ovf
andc $np,$rp,$ovf
or $ap,$ap,$np ; ap=borrow?tp:rp
.align 4 .align 4
Lcopy: ; copy or in-place refresh Lcopy: ; conditional copy
$LDX $tj,$ap,$j $LDX $tj,$tp,$j
$STX $tj,$rp,$j $LDX $aj,$rp,$j
and $tj,$tj,$ovf
andc $aj,$aj,$ovf
$STX $j,$tp,$j ; zap at once $STX $j,$tp,$j ; zap at once
or $aj,$aj,$tj
$STX $aj,$rp,$j
addi $j,$j,$BNSZ addi $j,$j,$BNSZ
bdnz Lcopy bdnz Lcopy
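Review bot: the `and $tj,$tj,$ovf` / `andc $aj,$aj,$ovf` / `or $aj,$aj,$tj` merge requires `$ovf` to be a full-word mask (all ones when the subtraction borrowed, zero otherwise), not a 0/1 flag; the context line `subfe $ovf,$j,$ovf ; handle upmost overflow bit` with `$j` = 0 delivers that (ovf - 1 + CA, which is all ones exactly when the top word is zero and CA is clear after the subtraction). Worth a comment on the `Lcopy: ; conditional copy` line, since a reader seeing only the loop would not know why a plain `subf` would not do. The removed pointer select into `$ap` means `$ap` is no longer written here; confirm nothing after the loop still expects it to alias `tp` or `rp`.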

View File

@ -1494,16 +1494,14 @@ Lsub: ldx $t0,$tp,$i
li $i,0 li $i,0
subfe $ovf,$i,$ovf ; handle upmost overflow bit subfe $ovf,$i,$ovf ; handle upmost overflow bit
and $ap,$tp,$ovf
andc $np,$rp,$ovf
or $ap,$ap,$np ; ap=borrow?tp:rp
addi $t7,$ap,8
mtctr $j mtctr $j
.align 4 .align 4
Lcopy: ; copy or in-place refresh Lcopy: ; conditional copy
ldx $t0,$ap,$i ldx $t0,$tp,$i
ldx $t1,$t7,$i ldx $t1,$t4,$i
ldx $t2,$rp,$i
ldx $t3,$t6,$i
std $i,8($nap_d) ; zap nap_d std $i,8($nap_d) ; zap nap_d
std $i,16($nap_d) std $i,16($nap_d)
std $i,24($nap_d) std $i,24($nap_d)
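Review bot: `ldx $t1,$t4,$i` introduces `$t4` as the base register for the second tp word, replacing the removed `addi $t7,$ap,8`, but `$t4` is not initialised anywhere in this hunk; its setup has to be outside the visible lines and should be checked to point at `$tp+8`, mirroring how `$t6` (used by `ldx $t3,$t6,$i` and the existing `stdx $t1,$t6,$i`) tracks `$rp+8`. A one-line comment at the `Lcopy: ; conditional copy` label naming the four base registers would save the next reader the same search.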
@ -1512,6 +1510,12 @@ Lcopy: ; copy or in-place refresh
std $i,48($nap_d) std $i,48($nap_d)
std $i,56($nap_d) std $i,56($nap_d)
stdu $i,64($nap_d) stdu $i,64($nap_d)
and $t0,$t0,$ovf
and $t1,$t1,$ovf
andc $t2,$t2,$ovf
andc $t3,$t3,$ovf
or $t0,$t0,$t2
or $t1,$t1,$t3
stdx $t0,$rp,$i stdx $t0,$rp,$i
stdx $t1,$t6,$i stdx $t1,$t6,$i
stdx $i,$tp,$i ; zap tp at once stdx $i,$tp,$i ; zap tp at once
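Review bot: the masking block (`and $t0,$t0,$ovf` / `and $t1,$t1,$ovf` / `andc $t2,$t2,$ovf` / `andc $t3,$t3,$ovf` / `or`) sits after the `nap_d` zapping stores, so the scratch vector is cleared on every iteration independently of which operand wins, and the two-word unrolling means the pair (`$t0`,`$t1`) from tp and (`$t2`,`$t3`) from rp are read unconditionally on every pass. As in the 32-bit PowerPC path, this is only a correct select if `$ovf` is 0 or all-ones after the `subfe $ovf,$i,$ovf` in the previous hunk; it is, but the dependency is worth recording in the comment.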
@ -1554,20 +1558,21 @@ Lsub: lwz $t0,12($tp) ; load tp[j..j+3] in 64-bit word order
li $i,0 li $i,0
subfe $ovf,$i,$ovf ; handle upmost overflow bit subfe $ovf,$i,$ovf ; handle upmost overflow bit
addi $tp,$sp,`$FRAME+$TRANSFER+4` addi $ap,$sp,`$FRAME+$TRANSFER+4`
subf $rp,$num,$rp ; rewind rp subf $rp,$num,$rp ; rewind rp
and $ap,$tp,$ovf
andc $np,$rp,$ovf
or $ap,$ap,$np ; ap=borrow?tp:rp
addi $tp,$sp,`$FRAME+$TRANSFER` addi $tp,$sp,`$FRAME+$TRANSFER`
mtctr $j mtctr $j
.align 4 .align 4
Lcopy: ; copy or in-place refresh Lcopy: ; conditional copy
lwz $t0,4($ap) lwz $t0,4($ap)
lwz $t1,8($ap) lwz $t1,8($ap)
lwz $t2,12($ap) lwz $t2,12($ap)
lwzu $t3,16($ap) lwzu $t3,16($ap)
lwz $t4,4($rp)
lwz $t5,8($rp)
lwz $t6,12($rp)
lwz $t7,16($rp)
std $i,8($nap_d) ; zap nap_d std $i,8($nap_d) ; zap nap_d
std $i,16($nap_d) std $i,16($nap_d)
std $i,24($nap_d) std $i,24($nap_d)
@ -1576,6 +1581,18 @@ Lcopy: ; copy or in-place refresh
std $i,48($nap_d) std $i,48($nap_d)
std $i,56($nap_d) std $i,56($nap_d)
stdu $i,64($nap_d) stdu $i,64($nap_d)
and $t0,$t0,$ovf
and $t1,$t1,$ovf
and $t2,$t2,$ovf
and $t3,$t3,$ovf
andc $t4,$t4,$ovf
andc $t5,$t5,$ovf
andc $t6,$t6,$ovf
andc $t7,$t7,$ovf
or $t0,$t0,$t4
or $t1,$t1,$t5
or $t2,$t2,$t6
or $t3,$t3,$t7
stw $t0,4($rp) stw $t0,4($rp)
stw $t1,8($rp) stw $t1,8($rp)
stw $t2,12($rp) stw $t2,12($rp)
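Review bot: in the 32-bit path `$t4`..`$t7` are scratch for the four rp words (`lwz $t4,4($rp)` … `lwz $t7,16($rp)`), while in the 64-bit path just above `$t4` and `$t6` are base registers; the two paths are mutually exclusive so this is harmless, but the overloading deserves a comment because the register naming suggests otherwise. The earlier hunk's rename of `addi $tp,$sp,…+4` to `addi $ap,$sp,…+4` is what lets `lwzu $t3,16($ap)` advance through tp in 16-byte steps while `$tp` (set at `$FRAME+$TRANSFER`) is used only for zapping; the masking itself follows the same 0/all-ones requirement on `$ovf` noted for the other paths.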

View File

@ -97,7 +97,7 @@ if (!$avx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) &&
$addx = ($1>=11); $addx = ($1>=11);
} }
if (!$avx && `$ENV{CC} -v 2>&1` =~ /(^clang version|based on LLVM) ([3-9])\.([0-9]+)/) { if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|based on LLVM) ([3-9])\.([0-9]+)/) {
my $ver = $2 + $3/100.0; # 3.1->3.01, 3.10->3.10 my $ver = $2 + $3/100.0; # 3.1->3.01, 3.10->3.10
$avx = ($ver>=3.0) + ($ver>=3.01); $avx = ($ver>=3.0) + ($ver>=3.01);
$addx = ($ver>=3.03); $addx = ($ver>=3.03);
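Review bot: the widened pattern `((?:^clang|LLVM) version|based on LLVM)` now also matches toolchains whose `-v` banner reads `Apple LLVM version N.M …` rather than starting with `clang version`, so `$avx`/`$addx` are no longer left at 0 for those builds. Two caveats to note in a comment: the captured major/minor is that toolchain's own numbering, not upstream LLVM's, so the `>=3.0`/`>=3.01`/`>=3.03` thresholds are compared on a different scale (it enables rather than disables, so the failure mode is benign); and the major-version class `([3-9])` only admits a single digit, so a compiler reporting `version 10.x` will fall out of the match and silently lose the AVX/ADX code paths again.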

View File

@ -245,16 +245,16 @@ $code.=<<___;
brct $count,.Lsub brct $count,.Lsub
lghi $ahi,0 lghi $ahi,0
slbgr $AHI,$ahi # handle upmost carry slbgr $AHI,$ahi # handle upmost carry
lghi $NHI,-1
ngr $ap,$AHI xgr $NHI,$AHI
lghi $np,-1
xgr $np,$AHI
ngr $np,$rp
ogr $ap,$np # ap=borrow?tp:rp
la $j,0(%r0) la $j,0(%r0)
lgr $count,$num lgr $count,$num
.Lcopy: lg $alo,0($j,$ap) # copy or in-place refresh .Lcopy: lg $ahi,$stdframe($j,$sp) # conditional copy
lg $alo,0($j,$rp)
ngr $ahi,$AHI
ngr $alo,$NHI
ogr $alo,$ahi
_dswap $alo _dswap $alo
stg $j,$stdframe($j,$sp) # zap tp stg $j,$stdframe($j,$sp) # zap tp
stg $alo,0($j,$rp) stg $alo,0($j,$rp)
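Review bot: the complement mask is built once before the loop (`lghi $NHI,-1` / `xgr $NHI,$AHI`) and the loop merges with `ngr $ahi,$AHI` / `ngr $alo,$NHI` / `ogr $alo,$ahi`, so as elsewhere in this change `$AHI` must be 0 or all-ones after `slbgr $AHI,$ahi # handle upmost carry` (with `$ahi` = 0 that is AHI minus the borrow, i.e. all ones only when AHI was zero and the subtraction borrowed). The tp word is now read straight from the frame (`lg $ahi,$stdframe($j,$sp)`) rather than through the previously selected `$ap`, which is what removes the data-dependent pointer; `_dswap $alo` still runs on the merged word only, so the byte-order handling is unchanged.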

View File

@ -878,19 +878,17 @@ $code.=<<___;
sub $tp, $num, $tp sub $tp, $num, $tp
sub $rp, $num, $rp sub $rp, $num, $rp
subc $ovf, %g0, $ovf ! handle upmost overflow bit subccc $ovf, %g0, $ovf ! handle upmost overflow bit
and $tp, $ovf, $ap
andn $rp, $ovf, $np
or $np, $ap, $ap ! ap=borrow?tp:rp
ba .Lcopy ba .Lcopy
sub $num, 8, $cnt sub $num, 8, $cnt
.align 16 .align 16
.Lcopy: ! copy or in-place refresh .Lcopy: ! conditional copy
ldx [$ap+0], $t2 ldx [$tp], $tj
add $ap, 8, $ap ldx [$rp+0], $t2
stx %g0, [$tp] ! zap stx %g0, [$tp] ! zap
add $tp, 8, $tp add $tp, 8, $tp
movcs %icc, $tj, $t2
stx $t2, [$rp+0] stx $t2, [$rp+0]
add $rp, 8, $rp add $rp, 8, $rp
brnz $cnt, .Lcopy brnz $cnt, .Lcopy
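Review bot: `subc $ovf, %g0, $ovf` becoming `subccc $ovf, %g0, $ovf` is the load-bearing change in this hunk: `subc` does not update `%icc`, so the new `movcs %icc, $tj, $t2` would have tested stale condition codes, whereas `subccc` both consumes the borrow from the subtraction pass and sets `%icc.C` when the overall subtraction borrowed. Nothing in `.Lcopy` (`ldx`, `stx`, plain `add`, `brnz`) writes `%icc`, so the flag survives across iterations; a comment to that effect on the `! conditional copy` line would protect against someone later "tidying" an `add` into `addcc`.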
@ -1126,19 +1124,17 @@ $code.=<<___;
sub $tp, $num, $tp sub $tp, $num, $tp
sub $rp, $num, $rp sub $rp, $num, $rp
subc $ovf, %g0, $ovf ! handle upmost overflow bit subccc $ovf, %g0, $ovf ! handle upmost overflow bit
and $tp, $ovf, $ap
andn $rp, $ovf, $np
or $np, $ap, $ap ! ap=borrow?tp:rp
ba .Lcopy_g5 ba .Lcopy_g5
sub $num, 8, $cnt sub $num, 8, $cnt
.align 16 .align 16
.Lcopy_g5: ! copy or in-place refresh .Lcopy_g5: ! conditional copy
ldx [$ap+0], $t2 ldx [$tp], $tj
add $ap, 8, $ap ldx [$rp+0], $t2
stx %g0, [$tp] ! zap stx %g0, [$tp] ! zap
add $tp, 8, $tp add $tp, 8, $tp
movcs %icc, $tj, $t2
stx $t2, [$rp+0] stx $t2, [$rp+0]
add $rp, 8, $rp add $rp, 8, $rp
brnz $cnt, .Lcopy_g5 brnz $cnt, .Lcopy_g5
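Review bot: this `.Lcopy_g5` hunk is the same `subc` to `subccc` plus `movcs %icc` rewrite as the `.Lcopy` path above and carries the same invariant (no `%icc`-writing instruction inside the loop); since the two loops are textually identical apart from the label, consider generating them from one Perl snippet so they cannot drift apart.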

View File

@ -255,7 +255,6 @@ $fname:
.Ltail: .Ltail:
add $np,$num,$np add $np,$num,$np
add $rp,$num,$rp add $rp,$num,$rp
mov $tp,$ap
sub %g0,$num,%o7 ! k=-num sub %g0,$num,%o7 ! k=-num
ba .Lsub ba .Lsub
subcc %g0,%g0,%g0 ! clear %icc.c subcc %g0,%g0,%g0 ! clear %icc.c
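Review bot: removing `mov $tp,$ap` from `.Ltail` means `$ap` is no longer an alias for `$tp` from this point on; the copy loop further down reads `[$tp+%o7]` directly, which is why it is not needed there, but any other use of `$ap` after `.Ltail` (in `.Lsub`, for instance) that relied on the alias would now see the original `ap` value and should be checked.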
@ -268,15 +267,14 @@ $fname:
add %o7,4,%o7 add %o7,4,%o7
brnz %o7,.Lsub brnz %o7,.Lsub
st %o1,[$i] st %o1,[$i]
subc $car2,0,$car2 ! handle upmost overflow bit subccc $car2,0,$car2 ! handle upmost overflow bit
and $tp,$car2,$ap
andn $rp,$car2,$np
or $ap,$np,$ap
sub %g0,$num,%o7 sub %g0,$num,%o7
.Lcopy: .Lcopy:
ld [$ap+%o7],%o0 ! copy or in-place refresh ld [$tp+%o7],%o1 ! conditional copy
ld [$rp+%o7],%o0
st %g0,[$tp+%o7] ! zap tp st %g0,[$tp+%o7] ! zap tp
movcs %icc,%o1,%o0
st %o0,[$rp+%o7] st %o0,[$rp+%o7]
add %o7,4,%o7 add %o7,4,%o7
brnz %o7,.Lcopy brnz %o7,.Lcopy
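Review bot: as in the sparcv9 file, `subc $car2,0,$car2` to `subccc $car2,0,$car2` is required so that `movcs %icc,%o1,%o0` sees the borrow in `%icc.C`; the loop loads tp into `%o1` and rp into `%o0` unconditionally, zaps `[$tp+%o7]`, then stores the selected word, and `ld`/`st`/`add`/`brnz` leave `%icc` untouched. The pointer-select triple (`and $tp,$car2,$ap` / `andn $rp,$car2,$np` / `or $ap,$np,$ap`) is gone, consistent with the `.Ltail` hunk above no longer aliasing `$ap` to `$tp`.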
@ -485,6 +483,9 @@ $code.=<<___;
mulx $npj,$mul1,$acc1 mulx $npj,$mul1,$acc1
add $tpj,$car1,$car1 add $tpj,$car1,$car1
ld [$np+$j],$npj ! np[j] ld [$np+$j],$npj ! np[j]
srlx $car1,32,$tmp0
and $car1,$mask,$car1
add $tmp0,$sbit,$sbit
add $acc0,$car1,$car1 add $acc0,$car1,$car1
ld [$tp+8],$tpj ! tp[j] ld [$tp+8],$tpj ! tp[j]
add $acc1,$car1,$car1 add $acc1,$car1,$car1
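Review bot: the three added instructions `srlx $car1,32,$tmp0` / `and $car1,$mask,$car1` / `add $tmp0,$sbit,$sbit` are not part of the conditional-copy rework: they split the 64-bit accumulator `$car1` into its low 32 bits and fold the high half into `$sbit` before `add $acc0,$car1,$car1`, i.e. a carry-propagation fix in the multiply-reduce inner loop. That is a behavioural change to the arithmetic itself and deserves its own line in the commit message (and a test vector that exercises the carry), rather than riding along unannounced with the constant-time copy changes.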

View File

@ -203,18 +203,15 @@ $sp=&DWP(28,"esp");
&mov ("eax",&DWP(0,"esi","edx",4)); # upmost overflow bit &mov ("eax",&DWP(0,"esi","edx",4)); # upmost overflow bit
&sbb ("eax",0); &sbb ("eax",0);
&and ("esi","eax");
&not ("eax");
&mov ("ebp","edi");
&and ("ebp","eax");
&or ("esi","ebp"); # tp=carry?tp:rp
&mov ("ecx","edx"); # num &mov ("ecx","edx"); # num
&xor ("edx","edx"); # i=0 &mov ("edx",0); # i=0
&set_label("copy",8); &set_label("copy",8);
&mov ("eax",&DWP(0,"esi","edx",4)); &mov ("ebx",&DWP(0,"esi","edx",4));
&mov (&DWP(64,"esp","edx",4),"ecx"); # zap tp &mov ("eax",&DWP(0,"edi","edx",4));
&mov (&DWP(0,"esi","edx",4),"ecx"); # zap tp
&cmovc ("eax","ebx");
&mov (&DWP(0,"edi","edx",4),"eax"); &mov (&DWP(0,"edi","edx",4),"eax");
&lea ("edx",&DWP(1,"edx")); # i++ &lea ("edx",&DWP(1,"edx")); # i++
&loop (&label("copy")); &loop (&label("copy"));
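Review bot: `&xor("edx","edx")` becoming `&mov("edx",0)` is not a style change: `xor` clears CF, and the new `&cmovc("eax","ebx")` in the copy loop selects the tp word on the carry left by `&sbb("eax",0)`, so the index must be zeroed with a flags-neutral `mov`; `lea` and `loop` inside the body are likewise flags-neutral, which is what keeps CF valid across iterations and should be stated in a comment. Also note the zap target changed from `&DWP(64,"esp","edx",4)` to `&DWP(0,"esi","edx",4)`, so `esi` is assumed to address the temporary vector directly now that it is no longer the selected pointer; confirm `esi` equals `esp+64` at this point, since the old code used the two addressing forms for the same buffer.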

View File

@ -299,23 +299,23 @@ $code.=<<___;
sub $anp, $num, $anp sub $anp, $num, $anp
sub $rp, $num, $rp sub $rp, $num, $rp
subc $ovf, %g0, $ovf ! handle upmost overflow bit subccc $ovf, %g0, $ovf ! handle upmost overflow bit
and $tp, $ovf, $ap
andn $rp, $ovf, $np
or $np, $ap, $ap ! ap=borrow?tp:rp
ba .Lcopy ba .Lcopy
sub $num, 8, $cnt sub $num, 8, $cnt
.align 16 .align 16
.Lcopy: ! copy or in-place refresh .Lcopy: ! conditional copy
ld [$ap+0], $t2 ld [$tp+0], $t0
ld [$ap+4], $t3 ld [$tp+4], $t1
add $ap, 8, $ap ld [$rp+0], $t2
ld [$rp+4], $t3
stx %g0, [$tp] ! zap stx %g0, [$tp] ! zap
add $tp, 8, $tp add $tp, 8, $tp
stx %g0, [$anp] ! zap stx %g0, [$anp] ! zap
stx %g0, [$anp+8] stx %g0, [$anp+8]
add $anp, 16, $anp add $anp, 16, $anp
movcs %icc, $t0, $t2
movcs %icc, $t1, $t3
st $t3, [$rp+0] ! flip order st $t3, [$rp+0] ! flip order
st $t2, [$rp+4] st $t2, [$rp+4]
add $rp, 8, $rp add $rp, 8, $rp
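Review bot: same `subccc` requirement as the other SPARC paths, with the twist that this loop handles two 32-bit halves per iteration: `ld [$tp+0], $t0` / `ld [$tp+4], $t1` and `ld [$rp+0], $t2` / `ld [$rp+4], $t3` are all unconditional, the two `movcs %icc` moves apply the same borrow to both halves, and the `! flip order` stores (`st $t3, [$rp+0]` / `st $t2, [$rp+4]`) are unchanged, so the word-order handling is preserved. The `stx %g0` zaps of `$tp` and `$anp` happen before the select, so the scratch buffers are cleared regardless of the outcome.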

View File

@ -592,16 +592,18 @@ $sbit=$num;
&jge (&label("sub")); &jge (&label("sub"));
&sbb ("eax",0); # handle upmost overflow bit &sbb ("eax",0); # handle upmost overflow bit
&and ($tp,"eax"); &mov ("edx",-1);
&not ("eax"); &xor ("edx","eax");
&mov ($np,$rp); &jmp (&label("copy"));
&and ($np,"eax");
&or ($tp,$np); # tp=carry?tp:rp
&set_label("copy",16); # copy or in-place refresh &set_label("copy",16); # conditional copy
&mov ("eax",&DWP(0,$tp,$num,4)); &mov ($tp,&DWP($frame,"esp",$num,4));
&mov (&DWP(0,$rp,$num,4),"eax"); # rp[i]=tp[i] &mov ($np,&DWP(0,$rp,$num,4));
&mov (&DWP($frame,"esp",$num,4),$j); # zap temporary vector &mov (&DWP($frame,"esp",$num,4),$j); # zap temporary vector
&and ($tp,"eax");
&and ($np,"edx");
&or ($np,$tp);
&mov (&DWP(0,$rp,$num,4),$np);
&dec ($num); &dec ($num);
&jge (&label("copy")); &jge (&label("copy"));
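Review bot: `$tp` and `$np` are reused inside the loop as value registers (`&mov($tp,&DWP($frame,"esp",$num,4))` loads the tp word, `&mov($np,&DWP(0,$rp,$num,4))` the rp word) although their names suggest pointers; a comment at `&set_label("copy",16)` should say so. The mask pair is `eax` (tp) and `edx = ~eax` built by `&mov("edx",-1); &xor("edx","eax")`, which keeps both polarities live instead of destroying `eax` with `not`; the zap `&mov(&DWP($frame,"esp",$num,4),$j)` sits between the loads and the merge so the temporary slot is cleared whichever operand wins. The new `&jmp(&label("copy"))` is needed because the loop label is now 16-byte aligned and there is no longer a prologue to fill the gap.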

View File

@ -293,30 +293,30 @@ $code.=<<___;
xor $i,$i # i=0 and clear CF! xor $i,$i # i=0 and clear CF!
mov (%rsp),%rax # tp[0] mov (%rsp),%rax # tp[0]
lea (%rsp),$ap # borrow ap for tp
mov $num,$j # j=num mov $num,$j # j=num
jmp .Lsub
.align 16 .align 16
.Lsub: sbb ($np,$i,8),%rax .Lsub: sbb ($np,$i,8),%rax
mov %rax,($rp,$i,8) # rp[i]=tp[i]-np[i] mov %rax,($rp,$i,8) # rp[i]=tp[i]-np[i]
mov 8($ap,$i,8),%rax # tp[i+1] mov 8(%rsp,$i,8),%rax # tp[i+1]
lea 1($i),$i # i++ lea 1($i),$i # i++
dec $j # doesnn't affect CF! dec $j # doesnn't affect CF!
jnz .Lsub jnz .Lsub
sbb \$0,%rax # handle upmost overflow bit sbb \$0,%rax # handle upmost overflow bit
mov \$-1,%rbx
xor %rax,%rbx # not %rax
xor $i,$i xor $i,$i
and %rax,$ap
not %rax
mov $rp,$np
and %rax,$np
mov $num,$j # j=num mov $num,$j # j=num
or $np,$ap # ap=borrow?tp:rp
.align 16 .Lcopy: # conditional copy
.Lcopy: # copy or in-place refresh mov ($rp,$i,8),%rcx
mov ($ap,$i,8),%rax mov (%rsp,$i,8),%rdx
mov $i,(%rsp,$i,8) # zap temporary vector and %rbx,%rcx
mov %rax,($rp,$i,8) # rp[i]=tp[i] and %rax,%rdx
mov $num,(%rsp,$i,8) # zap temporary vector
or %rcx,%rdx
mov %rdx,($rp,$i,8) # rp[i]=tp[i]
lea 1($i),$i lea 1($i),$i
sub \$1,$j sub \$1,$j
jnz .Lcopy jnz .Lcopy
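Review bot: the mask setup `mov \$-1,%rbx` / `xor %rax,%rbx # not %rax` keeps `%rax` (tp mask) and `%rbx` (rp mask) both live, and the loop body `and %rbx,%rcx` / `and %rax,%rdx` / `or %rcx,%rdx` reads `($rp,$i,8)` and `(%rsp,$i,8)` unconditionally; this assumes `%rax` is 0 or all-ones after `sbb \$0,%rax # handle upmost overflow bit`, which holds because the top word is 0 or 1. The zap now writes `$num` rather than `$i` into the temporary vector (`mov $num,(%rsp,$i,8)`); that is fine as a clear, but it differs from the `mov $i,(%rsp,$i,8)` kept in x86_64-mont5.pl in this same change and should be made consistent or commented. Dropping `lea (%rsp),$ap # borrow ap for tp` together with the `jmp .Lsub` / `.align 16` pair is consistent with `.Lsub` now indexing `%rsp` directly.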
@ -686,10 +686,10 @@ ___
my @ri=("%rax","%rdx",$m0,$m1); my @ri=("%rax","%rdx",$m0,$m1);
$code.=<<___; $code.=<<___;
mov 16(%rsp,$num,8),$rp # restore $rp mov 16(%rsp,$num,8),$rp # restore $rp
lea -4($num),$j
mov 0(%rsp),@ri[0] # tp[0] mov 0(%rsp),@ri[0] # tp[0]
pxor %xmm0,%xmm0
mov 8(%rsp),@ri[1] # tp[1] mov 8(%rsp),@ri[1] # tp[1]
shr \$2,$num # num/=4 shr \$2,$j # j=num/4-1
lea (%rsp),$ap # borrow ap for tp lea (%rsp),$ap # borrow ap for tp
xor $i,$i # i=0 and clear CF! xor $i,$i # i=0 and clear CF!
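Review bot: computing the loop count up front as `lea -4($num),$j` followed by `shr \$2,$j # j=num/4-1` leaves `$num` untouched, where the old `shr \$2,$num # num/=4` destroyed it and needed the `shl \$2,$num` at the end of the copy loop to restore it; that removal is what lets the later `mov $num,$j` in the copy prologue work. The `pxor %xmm0,%xmm0` moves down to the copy prologue where the zero register is actually consumed.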
@ -697,9 +697,7 @@ $code.=<<___;
mov 16($ap),@ri[2] # tp[2] mov 16($ap),@ri[2] # tp[2]
mov 24($ap),@ri[3] # tp[3] mov 24($ap),@ri[3] # tp[3]
sbb 8($np),@ri[1] sbb 8($np),@ri[1]
lea -1($num),$j # j=num/4-1
jmp .Lsub4x
.align 16
.Lsub4x: .Lsub4x:
mov @ri[0],0($rp,$i,8) # rp[i]=tp[i]-np[i] mov @ri[0],0($rp,$i,8) # rp[i]=tp[i]-np[i]
mov @ri[1],8($rp,$i,8) # rp[i]=tp[i]-np[i] mov @ri[1],8($rp,$i,8) # rp[i]=tp[i]-np[i]
@ -726,34 +724,35 @@ $code.=<<___;
sbb \$0,@ri[0] # handle upmost overflow bit sbb \$0,@ri[0] # handle upmost overflow bit
mov @ri[3],24($rp,$i,8) # rp[i]=tp[i]-np[i] mov @ri[3],24($rp,$i,8) # rp[i]=tp[i]-np[i]
xor $i,$i # i=0 pxor %xmm0,%xmm0
and @ri[0],$ap movq @ri[0],%xmm4
not @ri[0] pcmpeqd %xmm5,%xmm5
mov $rp,$np pshufd \$0,%xmm4,%xmm4
and @ri[0],$np mov $num,$j
lea -1($num),$j pxor %xmm4,%xmm5
or $np,$ap # ap=borrow?tp:rp shr \$2,$j # j=num/4
xor %eax,%eax # i=0
movdqu ($ap),%xmm1
movdqa %xmm0,(%rsp)
movdqu %xmm1,($rp)
jmp .Lcopy4x jmp .Lcopy4x
.align 16 .align 16
.Lcopy4x: # copy or in-place refresh .Lcopy4x: # conditional copy
movdqu 16($ap,$i),%xmm2 movdqa (%rsp,%rax),%xmm1
movdqu 32($ap,$i),%xmm1 movdqu ($rp,%rax),%xmm2
movdqa %xmm0,16(%rsp,$i) pand %xmm4,%xmm1
movdqu %xmm2,16($rp,$i) pand %xmm5,%xmm2
movdqa %xmm0,32(%rsp,$i) movdqa 16(%rsp,%rax),%xmm3
movdqu %xmm1,32($rp,$i) movdqa %xmm0,(%rsp,%rax)
lea 32($i),$i por %xmm2,%xmm1
movdqu 16($rp,%rax),%xmm2
movdqu %xmm1,($rp,%rax)
pand %xmm4,%xmm3
pand %xmm5,%xmm2
movdqa %xmm0,16(%rsp,%rax)
por %xmm2,%xmm3
movdqu %xmm3,16($rp,%rax)
lea 32(%rax),%rax
dec $j dec $j
jnz .Lcopy4x jnz .Lcopy4x
shl \$2,$num
movdqu 16($ap,$i),%xmm2
movdqa %xmm0,16(%rsp,$i)
movdqu %xmm2,16($rp,$i)
___ ___
} }
$code.=<<___; $code.=<<___;
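Review bot: the SSE2 select builds its masks with `movq @ri[0],%xmm4` / `pshufd \$0,%xmm4,%xmm4` (broadcast of the low dword of `%rax`, which suffices only because `%rax` is 0 or all-ones after `sbb \$0,@ri[0]`) and `pcmpeqd %xmm5,%xmm5` / `pxor %xmm4,%xmm5` for the complement, so the broadcast must precede `xor %eax,%eax # i=0`, which reuses `%rax` as the byte index; it does, but the ordering constraint deserves a comment. The loop now covers every word uniformly: `j=num/4` iterations of two 16-byte lanes (offsets 0 and 16 off `%rax`) is 32·num/4 = 8·num bytes, which is why the old prologue (`movdqu ($ap),%xmm1 … movdqu %xmm1,($rp)`), the trailing `movdqu 16($ap,$i),%xmm2 … movdqu %xmm2,16($rp,$i)` and the `shl \$2,$num` all disappear. Stack accesses use aligned `movdqa` while `rp` accesses use `movdqu`, consistent with `%rsp` being 16-byte aligned here and `rp` not necessarily so.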

View File

@ -405,18 +405,19 @@ $code.=<<___;
jnz .Lsub jnz .Lsub
sbb \$0,%rax # handle upmost overflow bit sbb \$0,%rax # handle upmost overflow bit
mov \$-1,%rbx
xor %rax,%rbx
xor $i,$i xor $i,$i
and %rax,$ap
not %rax
mov $rp,$np
and %rax,$np
mov $num,$j # j=num mov $num,$j # j=num
or $np,$ap # ap=borrow?tp:rp
.align 16 .Lcopy: # conditional copy
.Lcopy: # copy or in-place refresh mov ($rp,$i,8),%rcx
mov ($ap,$i,8),%rax mov (%rsp,$i,8),%rdx
and %rbx,%rcx
and %rax,%rdx
mov $i,(%rsp,$i,8) # zap temporary vector mov $i,(%rsp,$i,8) # zap temporary vector
mov %rax,($rp,$i,8) # rp[i]=tp[i] or %rcx,%rdx
mov %rdx,($rp,$i,8) # rp[i]=tp[i]
lea 1($i),$i lea 1($i),$i
sub \$1,$j sub \$1,$j
jnz .Lcopy jnz .Lcopy
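Review bot: this mirrors the scalar `.Lcopy` rewrite in x86_64-mont.pl (mask in `%rax`, complement in `%rbx` via `mov \$-1,%rbx` / `xor %rax,%rbx`, unconditional loads from `($rp,$i,8)` and `(%rsp,$i,8)`), with the zap `mov $i,(%rsp,$i,8)` placed between the `and`s and the `or`; the only divergence from the sibling file is the zap value (`$i` here, `$num` there), which should be harmonised so the two loops remain copy-paste identical.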

View File

@ -56,7 +56,7 @@
* [including the GNU Public Licence.] * [including the GNU Public Licence.]
*/ */
/* ==================================================================== /* ====================================================================
* Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved.
* *
* Redistribution and use in source and binary forms, with or without * Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions * modification, are permitted provided that the following conditions
@ -375,25 +375,76 @@ int BN_GENCB_call(BN_GENCB *cb, int a, int b);
* on the size of the number */ * on the size of the number */
/* /*
* number of Miller-Rabin iterations for an error rate of less than 2^-80 for * BN_prime_checks_for_size() returns the number of Miller-Rabin iterations
* random 'b'-bit input, b >= 100 (taken from table 4.4 in the Handbook of * that will be done for checking that a random number is probably prime. The
* Applied Cryptography [Menezes, van Oorschot, Vanstone; CRC Press 1996]; * error rate for accepting a composite number as prime depends on the size of
* original paper: Damgaard, Landrock, Pomerance: Average case error * the prime |b|. The error rates used are for calculating an RSA key with 2 primes,
* estimates for the strong probable prime test. -- Math. Comp. 61 (1993) * and so the level is what you would expect for a key of double the size of the
* 177-194) * prime.
*
* This table is generated using the algorithm of FIPS PUB 186-4
* Digital Signature Standard (DSS), section F.1, page 117.
* (https://dx.doi.org/10.6028/NIST.FIPS.186-4)
*
* The following magma script was used to generate the output:
* securitybits:=125;
* k:=1024;
* for t:=1 to 65 do
* for M:=3 to Floor(2*Sqrt(k-1)-1) do
* S:=0;
* // Sum over m
* for m:=3 to M do
* s:=0;
* // Sum over j
* for j:=2 to m do
* s+:=(RealField(32)!2)^-(j+(k-1)/j);
* end for;
* S+:=2^(m-(m-1)*t)*s;
* end for;
* A:=2^(k-2-M*t);
* B:=8*(Pi(RealField(32))^2-6)/3*2^(k-2)*S;
* pkt:=2.00743*Log(2)*k*2^-k*(A+B);
* seclevel:=Floor(-Log(2,pkt));
* if seclevel ge securitybits then
* printf "k: %5o, security: %o bits (t: %o, M: %o)\n",k,seclevel,t,M;
* break;
* end if;
* end for;
* if seclevel ge securitybits then break; end if;
* end for;
*
* It can be run online at:
* http://magma.maths.usyd.edu.au/calc
*
* And will output:
* k: 1024, security: 129 bits (t: 6, M: 23)
*
* k is the number of bits of the prime, securitybits is the level we want to
* reach.
*
* prime length | RSA key size | # MR tests | security level
* -------------+--------------|------------+---------------
* (b) >= 6394 | >= 12788 | 3 | 256 bit
* (b) >= 3747 | >= 7494 | 3 | 192 bit
* (b) >= 1345 | >= 2690 | 4 | 128 bit
* (b) >= 1080 | >= 2160 | 5 | 128 bit
* (b) >= 852 | >= 1704 | 5 | 112 bit
* (b) >= 476 | >= 952 | 5 | 80 bit
* (b) >= 400 | >= 800 | 6 | 80 bit
* (b) >= 347 | >= 694 | 7 | 80 bit
* (b) >= 308 | >= 616 | 8 | 80 bit
* (b) >= 55 | >= 110 | 27 | 64 bit
* (b) >= 6 | >= 12 | 34 | 64 bit
*/ */
# define BN_prime_checks_for_size(b) ((b) >= 1300 ? 2 : \
(b) >= 850 ? 3 : \ # define BN_prime_checks_for_size(b) ((b) >= 3747 ? 3 : \
(b) >= 650 ? 4 : \ (b) >= 1345 ? 4 : \
(b) >= 550 ? 5 : \ (b) >= 476 ? 5 : \
(b) >= 450 ? 6 : \ (b) >= 400 ? 6 : \
(b) >= 400 ? 7 : \ (b) >= 347 ? 7 : \
(b) >= 350 ? 8 : \ (b) >= 308 ? 8 : \
(b) >= 300 ? 9 : \ (b) >= 55 ? 27 : \
(b) >= 250 ? 12 : \ /* b >= 6 */ 34)
(b) >= 200 ? 15 : \
(b) >= 150 ? 18 : \
/* b >= 100 */ 27)
# define BN_num_bytes(a) ((BN_num_bits(a)+7)/8) # define BN_num_bytes(a) ((BN_num_bits(a)+7)/8)
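Review bot: the table and the macro describe the same policy but a reader will see them disagree: the table has rows for `(b) >= 6394 | … | 3`, `(b) >= 1080 | … | 5` and `(b) >= 852 | … | 5` that the macro folds into `>= 3747 ? 3`, `>= 1345 ? 4` and `>= 476 ? 5`; that is correct because those rows share the iteration count of their neighbours, but the comment should say the table is the full derivation and the macro its collapsed form. Likewise the worked magma run (`securitybits:=125`, `k:=1024`, giving `t: 6`) does not correspond to any table row, since the table's 852..1079 band targets the 112-bit level with 5 rounds; say so, or run the script for one of the tabulated rows. Finally, the practical effect versus the old macro should be called out for callers passing `BN_prime_checks`: a 2048-bit candidate goes from 2 to 4 Miller-Rabin rounds and a 1024-bit one from 3 to 5, and the final `/* b >= 6 */ 34` branch is reached for every `b` below 55, including sizes the table does not cover.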
@ -773,6 +824,16 @@ BIGNUM *bn_dup_expand(const BIGNUM *a, int words); /* unused */
/* We only need assert() when debugging */ /* We only need assert() when debugging */
# include <assert.h> # include <assert.h>
/*
* The new BN_FLG_FIXED_TOP flag marks vectors that were not treated with
* bn_correct_top, in other words such vectors are permitted to have zeros
* in most significant limbs. Such vectors are used internally to achieve
* execution time invariance for critical operations with private keys.
* It's BN_DEBUG-only flag, because user application is not supposed to
* observe it anyway. Moreover, optimizing compiler would actually remove
* all operations manipulating the bit in question in non-BN_DEBUG build.
*/
# define BN_FLG_FIXED_TOP 0x10000
# ifdef BN_DEBUG_RAND # ifdef BN_DEBUG_RAND
/* To avoid "make update" cvs wars due to BN_DEBUG, use some tricks */ /* To avoid "make update" cvs wars due to BN_DEBUG, use some tricks */
# ifndef RAND_pseudo_bytes # ifndef RAND_pseudo_bytes
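Review bot: `BN_FLG_FIXED_TOP 0x10000` is placed in the BN_DEBUG-only block deliberately, and the comment explains why, but it should also note that the value is chosen above the public `BN_FLG_*` range and the debug-only `BN_FLG_FREE`, so it cannot collide with flags a caller may set; the assertion in `bn_check_top` is the only consumer, which is why a non-debug build can define it as 0 without changing behaviour.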
@ -805,8 +866,10 @@ int RAND_pseudo_bytes(unsigned char *buf, int num);
do { \ do { \
const BIGNUM *_bnum2 = (a); \ const BIGNUM *_bnum2 = (a); \
if (_bnum2 != NULL) { \ if (_bnum2 != NULL) { \
assert((_bnum2->top == 0) || \ int _top = _bnum2->top; \
(_bnum2->d[_bnum2->top - 1] != 0)); \ assert((_top == 0) || \
(_bnum2->flags & BN_FLG_FIXED_TOP) || \
(_bnum2->d[_top - 1] != 0)); \
bn_pollute(_bnum2); \ bn_pollute(_bnum2); \
} \ } \
} while(0) } while(0)
@ -824,6 +887,7 @@ int RAND_pseudo_bytes(unsigned char *buf, int num);
# else /* !BN_DEBUG */ # else /* !BN_DEBUG */
# define BN_FLG_FIXED_TOP 0
# define bn_pollute(a) # define bn_pollute(a)
# define bn_check_top(a) # define bn_check_top(a)
# define bn_fix_top(a) bn_correct_top(a) # define bn_fix_top(a) bn_correct_top(a)
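Review bot: with `# define BN_FLG_FIXED_TOP 0` in the `!BN_DEBUG` branch, every `flags |= BN_FLG_FIXED_TOP` and `flags & BN_FLG_FIXED_TOP` in the tree compiles to nothing in release builds; the behavioural change for users therefore comes entirely from the places where `bn_correct_top()` calls were removed, and the flag exists solely so the debug `bn_check_top` assertion tolerates zero-padded tops. That is worth one sentence here, otherwise a reader may assume the flag itself is what makes the fixed-top paths work.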

View File

@ -290,6 +290,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
wnum.neg = 0; wnum.neg = 0;
wnum.d = &(snum->d[loop]); wnum.d = &(snum->d[loop]);
wnum.top = div_n; wnum.top = div_n;
wnum.flags = BN_FLG_STATIC_DATA;
/* /*
* only needed when BN_ucmp messes up the values between top and max * only needed when BN_ucmp messes up the values between top and max
*/ */
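Review bot: `wnum.flags = BN_FLG_STATIC_DATA;` is needed rather than optional now: `wnum` is a stack BIGNUM aliasing `snum->d[loop]`, its `flags` field was previously left uninitialised, and the debug `bn_check_top` assertion in this change reads `_bnum2->flags & BN_FLG_FIXED_TOP`, so any `bn_check_top(&wnum)` would have tested garbage; `BN_FLG_STATIC_DATA` is also the semantically right value for a borrowed, non-owned buffer. A short comment saying the field is initialised for `bn_check_top` would stop someone "cleaning it up" later.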

View File

@ -290,8 +290,8 @@ int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
bits = BN_num_bits(p); bits = BN_num_bits(p);
if (bits == 0) { if (bits == 0) {
/* x**0 mod 1 is still zero. */ /* x**0 mod 1, or x**0 mod -1 is still zero. */
if (BN_is_one(m)) { if (BN_abs_is_word(m, 1)) {
ret = 1; ret = 1;
BN_zero(r); BN_zero(r);
} else { } else {
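Review bot: `BN_is_one(m)` to `BN_abs_is_word(m, 1)` extends the `bits == 0` shortcut to m = -1, as the updated comment `x**0 mod 1, or x**0 mod -1 is still zero` says; the same shortcut exists in BN_mod_exp_mont, BN_mod_exp_mont_consttime, BN_mod_exp_mont_word and BN_mod_exp_simple and is changed identically in each of those hunks in this file, which matters because the four entry points must agree on the result for a negative modulus of magnitude one.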
@ -432,8 +432,8 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
} }
bits = BN_num_bits(p); bits = BN_num_bits(p);
if (bits == 0) { if (bits == 0) {
/* x**0 mod 1 is still zero. */ /* x**0 mod 1, or x**0 mod -1 is still zero. */
if (BN_is_one(m)) { if (BN_abs_is_word(m, 1)) {
ret = 1; ret = 1;
BN_zero(rr); BN_zero(rr);
} else { } else {
@ -473,17 +473,17 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
ret = 1; ret = 1;
goto err; goto err;
} }
if (!BN_to_montgomery(val[0], aa, mont, ctx)) if (!bn_to_mont_fixed_top(val[0], aa, mont, ctx))
goto err; /* 1 */ goto err; /* 1 */
window = BN_window_bits_for_exponent_size(bits); window = BN_window_bits_for_exponent_size(bits);
if (window > 1) { if (window > 1) {
if (!BN_mod_mul_montgomery(d, val[0], val[0], mont, ctx)) if (!bn_mul_mont_fixed_top(d, val[0], val[0], mont, ctx))
goto err; /* 2 */ goto err; /* 2 */
j = 1 << (window - 1); j = 1 << (window - 1);
for (i = 1; i < j; i++) { for (i = 1; i < j; i++) {
if (((val[i] = BN_CTX_get(ctx)) == NULL) || if (((val[i] = BN_CTX_get(ctx)) == NULL) ||
!BN_mod_mul_montgomery(val[i], val[i - 1], d, mont, ctx)) !bn_mul_mont_fixed_top(val[i], val[i - 1], d, mont, ctx))
goto err; goto err;
} }
} }
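Review bot: switching the precomputation to `bn_to_mont_fixed_top` / `bn_mul_mont_fixed_top` means `val[0]`, `d` and every `val[i]` may now carry zero most-significant words (`BN_FLG_FIXED_TOP`), so nothing between here and the final `BN_from_montgomery` may call a public `BN_*` routine that assumes a normalised top or `bn_correct_top` on these values; the loop body is changed consistently in the following hunks, but the invariant should be stated once at the top of the function rather than only in the comment added before the conversion back.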
@ -505,19 +505,15 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
for (i = 1; i < j; i++) for (i = 1; i < j; i++)
r->d[i] = (~m->d[i]) & BN_MASK2; r->d[i] = (~m->d[i]) & BN_MASK2;
r->top = j; r->top = j;
/* r->flags |= BN_FLG_FIXED_TOP;
* Upper words will be zero if the corresponding words of 'm' were
* 0xfff[...], so decrement r->top accordingly.
*/
bn_correct_top(r);
} else } else
#endif #endif
if (!BN_to_montgomery(r, BN_value_one(), mont, ctx)) if (!bn_to_mont_fixed_top(r, BN_value_one(), mont, ctx))
goto err; goto err;
for (;;) { for (;;) {
if (BN_is_bit_set(p, wstart) == 0) { if (BN_is_bit_set(p, wstart) == 0) {
if (!start) { if (!start) {
if (!BN_mod_mul_montgomery(r, r, r, mont, ctx)) if (!bn_mul_mont_fixed_top(r, r, r, mont, ctx))
goto err; goto err;
} }
if (wstart == 0) if (wstart == 0)
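Review bot: replacing `bn_correct_top(r)` with `r->flags |= BN_FLG_FIXED_TOP` in the 2^(top·BN_BITS2) - m shortcut is the timing fix in this path: `bn_correct_top` loops for as many leading zero words as `r` happens to have, so its duration depended on the shape of an intermediate value, while keeping `r->top = j` makes the length fixed; the removed comment ("Upper words will be zero if the corresponding words of 'm' were 0xfff[...]") still describes the data and could be kept as the rationale for why the padding is expected.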
@ -548,12 +544,12 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
/* add the 'bytes above' */ /* add the 'bytes above' */
if (!start) if (!start)
for (i = 0; i < j; i++) { for (i = 0; i < j; i++) {
if (!BN_mod_mul_montgomery(r, r, r, mont, ctx)) if (!bn_mul_mont_fixed_top(r, r, r, mont, ctx))
goto err; goto err;
} }
/* wvalue will be an odd number < 2^window */ /* wvalue will be an odd number < 2^window */
if (!BN_mod_mul_montgomery(r, r, val[wvalue >> 1], mont, ctx)) if (!bn_mul_mont_fixed_top(r, r, val[wvalue >> 1], mont, ctx))
goto err; goto err;
/* move the 'window' down further */ /* move the 'window' down further */
@ -563,6 +559,11 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
if (wstart < 0) if (wstart < 0)
break; break;
} }
/*
* Done with zero-padded intermediate BIGNUMs. Final BN_from_montgomery
* removes padding [if any] and makes return value suitable for public
* API consumer.
*/
#if defined(SPARC_T4_MONT) #if defined(SPARC_T4_MONT)
if (OPENSSL_sparcv9cap_P[0] & (SPARCV9_VIS3 | SPARCV9_PREFER_FPU)) { if (OPENSSL_sparcv9cap_P[0] & (SPARCV9_VIS3 | SPARCV9_PREFER_FPU)) {
j = mont->N.top; /* borrow j */ j = mont->N.top; /* borrow j */
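Review bot: the new comment names `BN_from_montgomery` as the step that strips the fixed-top padding, but the `SPARC_T4_MONT` branch immediately below takes a different route out of the Montgomery domain; confirm that branch also leaves `rr` normalised, or widen the comment to say that both exits do.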
@ -681,7 +682,7 @@ static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top,
} }
b->top = top; b->top = top;
bn_correct_top(b); b->flags |= BN_FLG_FIXED_TOP;
return 1; return 1;
} }
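Review bot: in `MOD_EXP_CTIME_COPY_FROM_PREBUF`, `bn_correct_top(b)` to `b->flags |= BN_FLG_FIXED_TOP` matters most of all: the value gathered from the table here is selected by secret exponent bits, so trimming its leading zero words in a data-dependent loop leaked exactly what the constant-time gather was meant to hide; `b->top = top` now stays fixed for every table entry. The function's doc comment should say that its output is fixed-top and must only be fed to the `bn_*_fixed_top` routines.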
@ -733,8 +734,8 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
*/ */
bits = p->top * BN_BITS2; bits = p->top * BN_BITS2;
if (bits == 0) { if (bits == 0) {
/* x**0 mod 1 is still zero. */ /* x**0 mod 1, or x**0 mod -1 is still zero. */
if (BN_is_one(m)) { if (BN_abs_is_word(m, 1)) {
ret = 1; ret = 1;
BN_zero(rr); BN_zero(rr);
} else { } else {
@ -852,16 +853,16 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
tmp.top = top; tmp.top = top;
} else } else
#endif #endif
if (!BN_to_montgomery(&tmp, BN_value_one(), mont, ctx)) if (!bn_to_mont_fixed_top(&tmp, BN_value_one(), mont, ctx))
goto err; goto err;
/* prepare a^1 in Montgomery domain */ /* prepare a^1 in Montgomery domain */
if (a->neg || BN_ucmp(a, m) >= 0) { if (a->neg || BN_ucmp(a, m) >= 0) {
if (!BN_mod(&am, a, m, ctx)) if (!BN_mod(&am, a, m, ctx))
goto err; goto err;
if (!BN_to_montgomery(&am, &am, mont, ctx)) if (!bn_to_mont_fixed_top(&am, &am, mont, ctx))
goto err; goto err;
} else if (!BN_to_montgomery(&am, a, mont, ctx)) } else if (!bn_to_mont_fixed_top(&am, a, mont, ctx))
goto err; goto err;
#if defined(SPARC_T4_MONT) #if defined(SPARC_T4_MONT)
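Review bot: `tmp` and `am` now come out of `bn_to_mont_fixed_top` with padded tops, and in the `a->neg || BN_ucmp(a, m) >= 0` branch `BN_mod(&am, a, m, ctx)` first produces a normalised value that is then re-encoded fixed-top; that is fine, but since `&tmp` and `&am` are stack BIGNUMs, their `flags` must already be initialised before `bn_check_top` can be used on them, the same point as in bn_div.c's `wnum`.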
@ -1128,14 +1129,14 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
* performance advantage of sqr over mul). * performance advantage of sqr over mul).
*/ */
if (window > 1) { if (window > 1) {
if (!BN_mod_mul_montgomery(&tmp, &am, &am, mont, ctx)) if (!bn_mul_mont_fixed_top(&tmp, &am, &am, mont, ctx))
goto err; goto err;
if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, powerbuf, 2, if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, powerbuf, 2,
window)) window))
goto err; goto err;
for (i = 3; i < numPowers; i++) { for (i = 3; i < numPowers; i++) {
/* Calculate a^i = a^(i-1) * a */ /* Calculate a^i = a^(i-1) * a */
if (!BN_mod_mul_montgomery(&tmp, &am, &tmp, mont, ctx)) if (!bn_mul_mont_fixed_top(&tmp, &am, &tmp, mont, ctx))
goto err; goto err;
if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, powerbuf, i, if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, powerbuf, i,
window)) window))
@ -1159,7 +1160,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
/* Scan the window, squaring the result as we go */ /* Scan the window, squaring the result as we go */
for (i = 0; i < window; i++, bits--) { for (i = 0; i < window; i++, bits--) {
if (!BN_mod_mul_montgomery(&tmp, &tmp, &tmp, mont, ctx)) if (!bn_mul_mont_fixed_top(&tmp, &tmp, &tmp, mont, ctx))
goto err; goto err;
wvalue = (wvalue << 1) + BN_is_bit_set(p, bits); wvalue = (wvalue << 1) + BN_is_bit_set(p, bits);
} }
@ -1172,12 +1173,16 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
goto err; goto err;
/* Multiply the result into the intermediate result */ /* Multiply the result into the intermediate result */
if (!BN_mod_mul_montgomery(&tmp, &tmp, &am, mont, ctx)) if (!bn_mul_mont_fixed_top(&tmp, &tmp, &am, mont, ctx))
goto err; goto err;
} }
} }
/* Convert the final result from montgomery to standard format */ /*
* Done with zero-padded intermediate BIGNUMs. Final BN_from_montgomery
* removes padding [if any] and makes return value suitable for public
* API consumer.
*/
#if defined(SPARC_T4_MONT) #if defined(SPARC_T4_MONT)
if (OPENSSL_sparcv9cap_P[0] & (SPARCV9_VIS3 | SPARCV9_PREFER_FPU)) { if (OPENSSL_sparcv9cap_P[0] & (SPARCV9_VIS3 | SPARCV9_PREFER_FPU)) {
am.d[0] = 1; /* borrow am */ am.d[0] = 1; /* borrow am */
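Review bot: the replaced one-liner "Convert the final result from montgomery to standard format" was more direct than the new four-line comment; consider keeping that sentence as the first line and appending the padding note, and, as in BN_mod_exp_mont, make sure the `SPARC_T4_MONT` branch that follows (which borrows `am` as a constant 1) also yields a normalised `rr`, since the comment attributes the normalisation to `BN_from_montgomery` alone.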
@ -1247,8 +1252,8 @@ int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p,
bits = BN_num_bits(p); bits = BN_num_bits(p);
if (bits == 0) { if (bits == 0) {
/* x**0 mod 1 is still zero. */ /* x**0 mod 1, or x**0 mod -1 is still zero. */
if (BN_is_one(m)) { if (BN_abs_is_word(m, 1)) {
ret = 1; ret = 1;
BN_zero(rr); BN_zero(rr);
} else { } else {
@ -1369,9 +1374,9 @@ int BN_mod_exp_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
} }
bits = BN_num_bits(p); bits = BN_num_bits(p);
if (bits == 0) { if (bits == 0) {
/* x**0 mod 1 is still zero. */ /* x**0 mod 1, or x**0 mod -1 is still zero. */
if (BN_is_one(m)) { if (BN_abs_is_word(m, 1)) {
ret = 1; ret = 1;
BN_zero(r); BN_zero(r);
} else { } else {

View File

@ -36,7 +36,7 @@
*/ */
/* ==================================================================== /* ====================================================================
* Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved.
* *
* Redistribution and use in source and binary forms, with or without * Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions * modification, are permitted provided that the following conditions
@ -103,30 +103,32 @@
*/ */
# define MAX_ITERATIONS 50 # define MAX_ITERATIONS 50
static const BN_ULONG SQR_tb[16] = { 0, 1, 4, 5, 16, 17, 20, 21, # define SQR_nibble(w) ((((w) & 8) << 3) \
64, 65, 68, 69, 80, 81, 84, 85 | (((w) & 4) << 2) \
}; | (((w) & 2) << 1) \
| ((w) & 1))
/* Platform-specific macros to accelerate squaring. */ /* Platform-specific macros to accelerate squaring. */
# if defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG) # if defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG)
# define SQR1(w) \ # define SQR1(w) \
SQR_tb[(w) >> 60 & 0xF] << 56 | SQR_tb[(w) >> 56 & 0xF] << 48 | \ SQR_nibble((w) >> 60) << 56 | SQR_nibble((w) >> 56) << 48 | \
SQR_tb[(w) >> 52 & 0xF] << 40 | SQR_tb[(w) >> 48 & 0xF] << 32 | \ SQR_nibble((w) >> 52) << 40 | SQR_nibble((w) >> 48) << 32 | \
SQR_tb[(w) >> 44 & 0xF] << 24 | SQR_tb[(w) >> 40 & 0xF] << 16 | \ SQR_nibble((w) >> 44) << 24 | SQR_nibble((w) >> 40) << 16 | \
SQR_tb[(w) >> 36 & 0xF] << 8 | SQR_tb[(w) >> 32 & 0xF] SQR_nibble((w) >> 36) << 8 | SQR_nibble((w) >> 32)
# define SQR0(w) \ # define SQR0(w) \
SQR_tb[(w) >> 28 & 0xF] << 56 | SQR_tb[(w) >> 24 & 0xF] << 48 | \ SQR_nibble((w) >> 28) << 56 | SQR_nibble((w) >> 24) << 48 | \
SQR_tb[(w) >> 20 & 0xF] << 40 | SQR_tb[(w) >> 16 & 0xF] << 32 | \ SQR_nibble((w) >> 20) << 40 | SQR_nibble((w) >> 16) << 32 | \
SQR_tb[(w) >> 12 & 0xF] << 24 | SQR_tb[(w) >> 8 & 0xF] << 16 | \ SQR_nibble((w) >> 12) << 24 | SQR_nibble((w) >> 8) << 16 | \
SQR_tb[(w) >> 4 & 0xF] << 8 | SQR_tb[(w) & 0xF] SQR_nibble((w) >> 4) << 8 | SQR_nibble((w) )
# endif # endif
# ifdef THIRTY_TWO_BIT # ifdef THIRTY_TWO_BIT
# define SQR1(w) \ # define SQR1(w) \
SQR_tb[(w) >> 28 & 0xF] << 24 | SQR_tb[(w) >> 24 & 0xF] << 16 | \ SQR_nibble((w) >> 28) << 24 | SQR_nibble((w) >> 24) << 16 | \
SQR_tb[(w) >> 20 & 0xF] << 8 | SQR_tb[(w) >> 16 & 0xF] SQR_nibble((w) >> 20) << 8 | SQR_nibble((w) >> 16)
# define SQR0(w) \ # define SQR0(w) \
SQR_tb[(w) >> 12 & 0xF] << 24 | SQR_tb[(w) >> 8 & 0xF] << 16 | \ SQR_nibble((w) >> 12) << 24 | SQR_nibble((w) >> 8) << 16 | \
SQR_tb[(w) >> 4 & 0xF] << 8 | SQR_tb[(w) & 0xF] SQR_nibble((w) >> 4) << 8 | SQR_nibble((w) )
# endif # endif
# if !defined(OPENSSL_BN_ASM_GF2m) # if !defined(OPENSSL_BN_ASM_GF2m)
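Review bot: the table-free SQR_nibble macro is bit-for-bit equivalent to the removed SQR_tb[] (nibble bits 3..0 land at positions 6, 4, 2, 0, i.e. 8->64, 4->16, 2->4, 1->1), and because each term masks its own bit the dropped `& 0xF` in the SQR0/SQR1 callers is safe: higher bits of the shifted word are discarded inside the macro. The point worth stating in the comment above the macro is the security one: GF(2^m) squaring no longer indexes a 16-entry table with secret-derived nibbles, so its memory-access pattern is now data-independent. Nit: `SQR_nibble((w) )` carries a stray space before the closing paren in both SQR0 definitions.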

View File

@ -56,7 +56,7 @@
* [including the GNU Public Licence.] * [including the GNU Public Licence.]
*/ */
/* ==================================================================== /* ====================================================================
* Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved.
* *
* Redistribution and use in source and binary forms, with or without * Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions * modification, are permitted provided that the following conditions
@ -113,6 +113,7 @@
# define HEADER_BN_LCL_H # define HEADER_BN_LCL_H
# include <openssl/bn.h> # include <openssl/bn.h>
# include "bn_int.h"
#ifdef __cplusplus #ifdef __cplusplus
extern "C" { extern "C" {

View File

@ -263,8 +263,6 @@ static BN_ULONG *bn_expand_internal(const BIGNUM *b, int words)
const BN_ULONG *B; const BN_ULONG *B;
int i; int i;
bn_check_top(b);
if (words > (INT_MAX / (4 * BN_BITS2))) { if (words > (INT_MAX / (4 * BN_BITS2))) {
BNerr(BN_F_BN_EXPAND_INTERNAL, BN_R_BIGNUM_TOO_LONG); BNerr(BN_F_BN_EXPAND_INTERNAL, BN_R_BIGNUM_TOO_LONG);
return NULL; return NULL;
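Review bot: dropping bn_check_top(b) here (and in bn_expand2 in the next two hunks) is required rather than cosmetic: bn_check_top asserts that the top limb is non-zero, which is precisely the invariant fixed-top BIGNUMs deliberately violate, so expanding such a value under a debug build would otherwise abort. A one-line comment at this first removal saying so would stop the next reader from re-adding the checks.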
@ -398,8 +396,6 @@ BIGNUM *bn_dup_expand(const BIGNUM *b, int words)
BIGNUM *bn_expand2(BIGNUM *b, int words) BIGNUM *bn_expand2(BIGNUM *b, int words)
{ {
bn_check_top(b);
if (words > b->dmax) { if (words > b->dmax) {
BN_ULONG *a = bn_expand_internal(b, words); BN_ULONG *a = bn_expand_internal(b, words);
if (!a) if (!a)
@ -433,7 +429,6 @@ BIGNUM *bn_expand2(BIGNUM *b, int words)
assert(A == &(b->d[b->dmax])); assert(A == &(b->d[b->dmax]));
} }
#endif #endif
bn_check_top(b);
return b; return b;
} }
@ -497,12 +492,18 @@ BIGNUM *BN_copy(BIGNUM *a, const BIGNUM *b)
memcpy(a->d, b->d, sizeof(b->d[0]) * b->top); memcpy(a->d, b->d, sizeof(b->d[0]) * b->top);
#endif #endif
a->top = b->top;
a->neg = b->neg; a->neg = b->neg;
a->top = b->top;
a->flags |= b->flags & BN_FLG_FIXED_TOP;
bn_check_top(a); bn_check_top(a);
return (a); return (a);
} }
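Review bot: `a->flags |= b->flags & BN_FLG_FIXED_TOP` only ever adds the flag, so a destination that was already fixed-top keeps the flag after being overwritten with a normalised source. That is conservative rather than wrong (a minimal top is still a valid fixed top), but it lets the flag outlive the value it described; consider `a->flags &= ~BN_FLG_FIXED_TOP;` before the `|=` so the copy mirrors b's state exactly, the way BN_clear and BN_set_word below clear it.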
#define FLAGS_DATA(flags) ((flags) & (BN_FLG_STATIC_DATA \
| BN_FLG_CONSTTIME \
| BN_FLG_FIXED_TOP))
#define FLAGS_STRUCT(flags) ((flags) & (BN_FLG_MALLOCED))
void BN_swap(BIGNUM *a, BIGNUM *b) void BN_swap(BIGNUM *a, BIGNUM *b)
{ {
int flags_old_a, flags_old_b; int flags_old_a, flags_old_b;
@ -530,10 +531,8 @@ void BN_swap(BIGNUM *a, BIGNUM *b)
b->dmax = tmp_dmax; b->dmax = tmp_dmax;
b->neg = tmp_neg; b->neg = tmp_neg;
a->flags = a->flags = FLAGS_STRUCT(flags_old_a) | FLAGS_DATA(flags_old_b);
(flags_old_a & BN_FLG_MALLOCED) | (flags_old_b & BN_FLG_STATIC_DATA); b->flags = FLAGS_STRUCT(flags_old_b) | FLAGS_DATA(flags_old_a);
b->flags =
(flags_old_b & BN_FLG_MALLOCED) | (flags_old_a & BN_FLG_STATIC_DATA);
bn_check_top(a); bn_check_top(a);
bn_check_top(b); bn_check_top(b);
} }
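Review bot: the FLAGS_DATA/FLAGS_STRUCT split fixes a latent bug in the old BN_swap, which preserved only BN_FLG_STATIC_DATA across the swap and silently dropped BN_FLG_CONSTTIME from both operands, so a swapped private-key BIGNUM lost its constant-time marking. That matters independently of the new BN_FLG_FIXED_TOP flag and deserves its own line in the commit message; the macros themselves read well, though a comment saying "flags that travel with the data" versus "flags that belong to the struct" would make the names self-explanatory.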
@ -545,6 +544,7 @@ void BN_clear(BIGNUM *a)
OPENSSL_cleanse(a->d, a->dmax * sizeof(a->d[0])); OPENSSL_cleanse(a->d, a->dmax * sizeof(a->d[0]));
a->top = 0; a->top = 0;
a->neg = 0; a->neg = 0;
a->flags &= ~BN_FLG_FIXED_TOP;
} }
BN_ULONG BN_get_word(const BIGNUM *a) BN_ULONG BN_get_word(const BIGNUM *a)
@ -565,6 +565,7 @@ int BN_set_word(BIGNUM *a, BN_ULONG w)
a->neg = 0; a->neg = 0;
a->d[0] = w; a->d[0] = w;
a->top = (w ? 1 : 0); a->top = (w ? 1 : 0);
a->flags &= ~BN_FLG_FIXED_TOP;
bn_check_top(a); bn_check_top(a);
return (1); return (1);
} }
@ -613,6 +614,41 @@ BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret)
} }
/* ignore negative */ /* ignore negative */
static int bn2binpad(const BIGNUM *a, unsigned char *to, int tolen)
{
int n;
size_t i, inc, lasti, j;
BN_ULONG l;
n = BN_num_bytes(a);
if (tolen == -1)
tolen = n;
else if (tolen < n)
return -1;
if (n == 0) {
OPENSSL_cleanse(to, tolen);
return tolen;
}
lasti = n - 1;
for (i = 0, inc = 1, j = tolen; j > 0;) {
l = a->d[i / BN_BYTES];
to[--j] = (unsigned char)(l >> (8 * (i % BN_BYTES)) & (0 - inc));
inc = (i - lasti) >> (8 * sizeof(i) - 1);
i += inc; /* stay on top limb */
}
return tolen;
}
int bn_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen)
{
if (tolen < 0)
return -1;
return bn2binpad(a, to, tolen);
}
int BN_bn2bin(const BIGNUM *a, unsigned char *to) int BN_bn2bin(const BIGNUM *a, unsigned char *to)
{ {
int n, i; int n, i;
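Review bot: the padding loop touches every one of the `tolen` output bytes regardless of how many leading zero bytes the value has, which is the whole point: `inc` is 1 while i < lasti, becomes 0 once i reaches the last byte, and `(0 - inc)` then masks each further byte to zero while `i` keeps re-reading the same limb, so the write pattern no longer depends on BN_num_bytes(a) relative to tolen. Nits: the comment `/* stay on top limb */` really means "stay on the top byte", since `i` is a byte index; the early `tolen < n` return still reveals n, which is acceptable for the intended callers but should be named in the comment as the residual leak; and the n == 0 path's OPENSSL_cleanse(to, tolen) also covers tolen == -1 because tolen has already been replaced by n.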
@ -711,6 +747,7 @@ int BN_set_bit(BIGNUM *a, int n)
for (k = a->top; k < i + 1; k++) for (k = a->top; k < i + 1; k++)
a->d[k] = 0; a->d[k] = 0;
a->top = i + 1; a->top = i + 1;
a->flags &= ~BN_FLG_FIXED_TOP;
} }
a->d[i] |= (((BN_ULONG)1) << j); a->d[i] |= (((BN_ULONG)1) << j);

View File

@ -4,7 +4,7 @@
* for the OpenSSL project. * for the OpenSSL project.
*/ */
/* ==================================================================== /* ====================================================================
* Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved.
* *
* Redistribution and use in source and binary forms, with or without * Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions * modification, are permitted provided that the following conditions
@ -149,16 +149,71 @@ int BN_mod_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m,
/* /*
* BN_mod_add variant that may be used if both a and b are non-negative and * BN_mod_add variant that may be used if both a and b are non-negative and
* less than m * less than m. The original algorithm was
*
* if (!BN_uadd(r, a, b))
* return 0;
* if (BN_ucmp(r, m) >= 0)
* return BN_usub(r, r, m);
*
* which is replaced with addition, subtracting modulus, and conditional
* move depending on whether or not subtraction borrowed.
*/ */
int bn_mod_add_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
const BIGNUM *m)
{
size_t i, ai, bi, mtop = m->top;
BN_ULONG storage[1024 / BN_BITS2];
BN_ULONG carry, temp, mask, *rp, *tp = storage;
const BN_ULONG *ap, *bp;
if (bn_wexpand(r, m->top) == NULL)
return 0;
if (mtop > sizeof(storage) / sizeof(storage[0])
&& (tp = OPENSSL_malloc(mtop * sizeof(BN_ULONG))) == NULL)
return 0;
ap = a->d != NULL ? a->d : tp;
bp = b->d != NULL ? b->d : tp;
for (i = 0, ai = 0, bi = 0, carry = 0; i < mtop;) {
mask = (BN_ULONG)0 - ((i - a->top) >> (8 * sizeof(i) - 1));
temp = ((ap[ai] & mask) + carry) & BN_MASK2;
carry = (temp < carry);
mask = (BN_ULONG)0 - ((i - b->top) >> (8 * sizeof(i) - 1));
tp[i] = ((bp[bi] & mask) + temp) & BN_MASK2;
carry += (tp[i] < temp);
i++;
ai += (i - a->dmax) >> (8 * sizeof(i) - 1);
bi += (i - b->dmax) >> (8 * sizeof(i) - 1);
}
rp = r->d;
carry -= bn_sub_words(rp, tp, m->d, mtop);
for (i = 0; i < mtop; i++) {
rp[i] = (carry & tp[i]) | (~carry & rp[i]);
((volatile BN_ULONG *)tp)[i] = 0;
}
r->top = mtop;
r->neg = 0;
if (tp != storage)
OPENSSL_free(tp);
return 1;
}
int BN_mod_add_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, int BN_mod_add_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
const BIGNUM *m) const BIGNUM *m)
{ {
if (!BN_uadd(r, a, b)) int ret = bn_mod_add_fixed_top(r, a, b, m);
return 0;
if (BN_ucmp(r, m) >= 0) if (ret)
return BN_usub(r, r, m); bn_correct_top(r);
return 1;
return ret;
} }
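Review bot: the precondition in the retained comment (a and b non-negative and less than m) has become a correctness requirement rather than a speed hint: with a + b < 2m the final `carry -= bn_sub_words(...)` can only be 0 or all-ones, which is what lets the mask select correctly, and nothing in the function checks it, so the comment should say "must". Two things to double-check: (1) `ai` steps up to a->dmax rather than a->top, and when a->d is NULL the first iteration reads `tp[0]` before tp has been written; both reads are ANDed with a zero mask so the result is defined, but an explicit `storage[0] = 0` or a static zero limb for the NULL case would make the intent obvious. (2) `bn_wexpand(r, m->top)` runs before `ap`/`bp` are taken, which is what keeps the function safe when r aliases a or b; a comment saying so prevents a reordering. Also note the 1024-bit stack buffer: moduli above that take the OPENSSL_malloc path, fine for DSA/ECDSA q but a different timing profile for larger moduli.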
int BN_mod_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m, int BN_mod_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m,

View File

@ -123,11 +123,22 @@
#define MONT_WORD /* use the faster word-based algorithm */ #define MONT_WORD /* use the faster word-based algorithm */
#ifdef MONT_WORD #ifdef MONT_WORD
static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont); static int bn_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont);
#endif #endif
int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
BN_MONT_CTX *mont, BN_CTX *ctx) BN_MONT_CTX *mont, BN_CTX *ctx)
{
int ret = bn_mul_mont_fixed_top(r, a, b, mont, ctx);
bn_correct_top(r);
bn_check_top(r);
return ret;
}
int bn_mul_mont_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
BN_MONT_CTX *mont, BN_CTX *ctx)
{ {
BIGNUM *tmp; BIGNUM *tmp;
int ret = 0; int ret = 0;
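Review bot: bn_mul_mont_fixed_top is called in BN_mod_mul_montgomery before its definition in this file, so the build depends on bn_int.h (pulled in through bn_lcl.h) having declared it; placing the fixed-top worker above the public wrapper would make the file self-contained. Also note the asymmetry with BN_mod_add_quick: the wrapper here calls bn_correct_top(r) even when the fixed-top call returned 0, which is harmless on an unchanged r but would be clearer behind `if (ret)`.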
@ -140,8 +151,8 @@ int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
if (bn_mul_mont(r->d, a->d, b->d, mont->N.d, mont->n0, num)) { if (bn_mul_mont(r->d, a->d, b->d, mont->N.d, mont->n0, num)) {
r->neg = a->neg ^ b->neg; r->neg = a->neg ^ b->neg;
r->top = num; r->top = num;
bn_correct_top(r); r->flags |= BN_FLG_FIXED_TOP;
return (1); return 1;
} }
} }
#endif #endif
@ -161,13 +172,12 @@ int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
} }
/* reduce from aRR to aR */ /* reduce from aRR to aR */
#ifdef MONT_WORD #ifdef MONT_WORD
if (!BN_from_montgomery_word(r, tmp, mont)) if (!bn_from_montgomery_word(r, tmp, mont))
goto err; goto err;
#else #else
if (!BN_from_montgomery(r, tmp, mont, ctx)) if (!BN_from_montgomery(r, tmp, mont, ctx))
goto err; goto err;
#endif #endif
bn_check_top(r);
ret = 1; ret = 1;
err: err:
BN_CTX_end(ctx); BN_CTX_end(ctx);
@ -175,7 +185,7 @@ int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
} }
#ifdef MONT_WORD #ifdef MONT_WORD
static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont) static int bn_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont)
{ {
BIGNUM *n; BIGNUM *n;
BN_ULONG *ap, *np, *rp, n0, v, carry; BN_ULONG *ap, *np, *rp, n0, v, carry;
@ -205,6 +215,7 @@ static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont)
# endif # endif
r->top = max; r->top = max;
r->flags |= BN_FLG_FIXED_TOP;
n0 = mont->n0[0]; n0 = mont->n0[0];
/* /*
@ -223,6 +234,7 @@ static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont)
if (bn_wexpand(ret, nl) == NULL) if (bn_wexpand(ret, nl) == NULL)
return (0); return (0);
ret->top = nl; ret->top = nl;
ret->flags |= BN_FLG_FIXED_TOP;
ret->neg = r->neg; ret->neg = r->neg;
rp = ret->d; rp = ret->d;
@ -233,20 +245,16 @@ static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont)
*/ */
ap = &(r->d[nl]); ap = &(r->d[nl]);
carry -= bn_sub_words(rp, ap, np, nl);
/* /*
* |v| is one if |ap| - |np| underflowed or zero if it did not. Note |v| * |carry| is -1 if |ap| - |np| underflowed or zero if it did not. Note
* cannot be -1. That would imply the subtraction did not fit in |nl| words, * |carry| cannot be 1. That would imply the subtraction did not fit in
* and we know at most one subtraction is needed. * |nl| words, and we know at most one subtraction is needed.
*/ */
v = bn_sub_words(rp, ap, np, nl) - carry;
v = 0 - v;
for (i = 0; i < nl; i++) { for (i = 0; i < nl; i++) {
rp[i] = (v & ap[i]) | (~v & rp[i]); rp[i] = (carry & ap[i]) | (~carry & rp[i]);
ap[i] = 0; ap[i] = 0;
} }
bn_correct_top(r);
bn_correct_top(ret);
bn_check_top(ret);
return (1); return (1);
} }
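Review bot: the comment's "-1" needs a word about representation: `carry` is an unsigned BN_ULONG, so the value that selects `ap[i]` is the all-ones wrap of 0 - 1, and `(carry & ap[i]) | (~carry & rp[i])` relies on carry being exactly 0 or all-ones. That in turn relies on the input being below 2N so at most one subtraction is needed, as the comment says. With bn_correct_top(r)/bn_correct_top(ret) removed, normalising is now the caller's job (BN_from_montgomery in the next hunk does it), which is the fixed-top contract; say so at the function header so nobody returns the result of this static function through public API.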
@ -260,8 +268,11 @@ int BN_from_montgomery(BIGNUM *ret, const BIGNUM *a, BN_MONT_CTX *mont,
BIGNUM *t; BIGNUM *t;
BN_CTX_start(ctx); BN_CTX_start(ctx);
if ((t = BN_CTX_get(ctx)) && BN_copy(t, a)) if ((t = BN_CTX_get(ctx)) && BN_copy(t, a)) {
retn = BN_from_montgomery_word(ret, t, mont); retn = bn_from_montgomery_word(ret, t, mont);
bn_correct_top(ret);
bn_check_top(ret);
}
BN_CTX_end(ctx); BN_CTX_end(ctx);
#else /* !MONT_WORD */ #else /* !MONT_WORD */
BIGNUM *t1, *t2; BIGNUM *t1, *t2;
@ -299,6 +310,12 @@ int BN_from_montgomery(BIGNUM *ret, const BIGNUM *a, BN_MONT_CTX *mont,
return (retn); return (retn);
} }
int bn_to_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
BN_CTX *ctx)
{
return bn_mul_mont_fixed_top(r, a, &(mont->RR), mont, ctx);
}
BN_MONT_CTX *BN_MONT_CTX_new(void) BN_MONT_CTX *BN_MONT_CTX_new(void)
{ {
BN_MONT_CTX *ret; BN_MONT_CTX *ret;
@ -335,7 +352,7 @@ void BN_MONT_CTX_free(BN_MONT_CTX *mont)
int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx) int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
{ {
int ret = 0; int i, ret = 0;
BIGNUM *Ri, *R; BIGNUM *Ri, *R;
if (BN_is_zero(mod)) if (BN_is_zero(mod))
@ -466,6 +483,11 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
if (!BN_mod(&(mont->RR), &(mont->RR), &(mont->N), ctx)) if (!BN_mod(&(mont->RR), &(mont->RR), &(mont->N), ctx))
goto err; goto err;
for (i = mont->RR.top, ret = mont->N.top; i < ret; i++)
mont->RR.d[i] = 0;
mont->RR.top = ret;
mont->RR.flags |= BN_FLG_FIXED_TOP;
ret = 1; ret = 1;
err: err:
BN_CTX_end(ctx); BN_CTX_end(ctx);
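Review bot: reusing `ret` as the loop bound (`ret = mont->N.top`) and then overwriting it with 1 is confusing in a function whose error path returns `ret`; a separate `int n = mont->N.top` costs nothing. More importantly, the loop writes `mont->RR.d[i]` for i up to N.top without a visible bn_wexpand; that is safe only if RR's dmax already covers N.top from the R^2 computation earlier in the function, so either document that dependency or add `if (bn_wexpand(&mont->RR, mont->N.top) == NULL) goto err;` ahead of the loop.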

View File

@ -135,14 +135,8 @@ int BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx)
} }
rr->neg = 0; rr->neg = 0;
/* rr->top = max;
* If the most-significant half of the top word of 'a' is zero, then the bn_correct_top(rr);
* square of 'a' will max-1 words.
*/
if (a->d[al - 1] == (a->d[al - 1] & BN_MASK2l))
rr->top = max - 1;
else
rr->top = max;
if (r != rr && BN_copy(r, rr) == NULL) if (r != rr && BN_copy(r, rr) == NULL)
goto err; goto err;
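Review bot: the removed branch inspected `a->d[al - 1]` to choose between `max` and `max - 1`, so control flow depended on the top limb of a possibly secret operand; `rr->top = max; bn_correct_top(rr);` removes that branch along with the old heuristic's off-by-one risk. bn_correct_top's loop length still depends on how many leading limbs are zero, so this is about removing the branch, not full constant-time behaviour; that matches the patch's design where secret-carrying paths use the *_fixed_top variants instead.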

View File

@ -0,0 +1,15 @@
/*
* Some BIGNUM functions assume most significant limb to be non-zero, which
* is customarily arranged by bn_correct_top. Output from below functions
* is not processed with bn_correct_top, and for this reason it may not be
* returned out of public API. It may only be passed internally into other
* functions known to support non-minimal or zero-padded BIGNUMs.
*/
int bn_mul_mont_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
BN_MONT_CTX *mont, BN_CTX *ctx);
int bn_to_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
BN_CTX *ctx);
int bn_mod_add_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
const BIGNUM *m);
int bn_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen);
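Review bot: the new header has neither an include guard nor an `#include <openssl/bn.h>` for the BIGNUM, BN_MONT_CTX and BN_CTX types it declares against; it works only because bn_lcl.h includes it after <openssl/bn.h> and nothing includes it twice. Adding `#ifndef HEADER_BN_INT_H` / `#define` / `#endif` and the bn.h include is cheap and keeps a later direct include from breaking. The block comment is also the right place to say that BN_FLG_FIXED_TOP is the marker these functions set on their output, so readers can grep for it.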

View File

@ -290,6 +290,8 @@ CONF_VALUE *_CONF_new_section(CONF *conf, const char *section)
vv = lh_CONF_VALUE_insert(conf->data, v); vv = lh_CONF_VALUE_insert(conf->data, v);
OPENSSL_assert(vv == NULL); OPENSSL_assert(vv == NULL);
if (lh_CONF_VALUE_error(conf->data) > 0)
goto err;
ok = 1; ok = 1;
err: err:
if (!ok) { if (!ok) {
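Review bot: the `lh_CONF_VALUE_error(conf->data) > 0` check is needed because lh_*_insert returns NULL both on success (no previous entry) and on allocation failure, so the preceding `OPENSSL_assert(vv == NULL)` cannot tell the two apart; before this change a failed insert left the new section unreferenced by the hash yet reported as success. The `if (!ok)` cleanup at `err:` must then be the one that frees the section allocated above, otherwise this trades a silent failure for a leak.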

View File

@ -130,10 +130,15 @@ static int generate_key(DH *dh)
int ok = 0; int ok = 0;
int generate_new_key = 0; int generate_new_key = 0;
unsigned l; unsigned l;
BN_CTX *ctx; BN_CTX *ctx = NULL;
BN_MONT_CTX *mont = NULL; BN_MONT_CTX *mont = NULL;
BIGNUM *pub_key = NULL, *priv_key = NULL; BIGNUM *pub_key = NULL, *priv_key = NULL;
if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE);
return 0;
}
ctx = BN_CTX_new(); ctx = BN_CTX_new();
if (ctx == NULL) if (ctx == NULL)
goto err; goto err;
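Review bot: the bound check has the right shape (it runs before BN_CTX_new, so the `ctx = NULL` initialisation keeps the error path consistent and nothing leaks), but it dereferences `dh->p` through BN_num_bits before any check that the parameters are present; if generate_key can be reached with `p == NULL`, a `dh->p == NULL` test belongs ahead of it. Since p comes from the peer's parameters on the client side, consider whether the compute_key path needs the same OPENSSL_DH_MAX_MODULUS_BITS guard, as the shared-secret exponentiation is just as expensive as the one here.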

View File

@ -3,7 +3,7 @@
* 2006. * 2006.
*/ */
/* ==================================================================== /* ====================================================================
* Copyright (c) 2006 The OpenSSL Project. All rights reserved. * Copyright (c) 2006-2018 The OpenSSL Project. All rights reserved.
* *
* Redistribution and use in source and binary forms, with or without * Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions * modification, are permitted provided that the following conditions
@ -486,7 +486,7 @@ static int pkey_dh_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
return ret; return ret;
} }
#endif #endif
return 1; return 0;
} }
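Review bot: the fall-through at the end of pkey_dh_derive previously returned 1 without having written anything into `key`, so a caller that reached it (no KDF branch matched) got success with an undefined buffer; returning 0 is the correct fix. Pair it with a DHerr(...) so the failure is diagnosable, since a bare 0 leaves the error queue empty.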
const EVP_PKEY_METHOD dh_pkey_meth = { const EVP_PKEY_METHOD dh_pkey_meth = {

View File

@ -249,10 +249,12 @@ int DSAparams_print_fp(FILE *fp, const DSA *x);
int DSA_print_fp(FILE *bp, const DSA *x, int off); int DSA_print_fp(FILE *bp, const DSA *x, int off);
# endif # endif
# define DSS_prime_checks 50 # define DSS_prime_checks 64
/* /*
* Primality test according to FIPS PUB 186[-1], Appendix 2.1: 50 rounds of * Primality test according to FIPS PUB 186-4, Appendix C.3. Since we only
* Rabin-Miller * have one value here we set the number of checks to 64 which is the 128 bit
* security level that is the highest level and valid for creating a 3072 bit
* DSA key.
*/ */
# define DSA_is_prime(n, callback, cb_arg) \ # define DSA_is_prime(n, callback, cb_arg) \
BN_is_prime(n, DSS_prime_checks, callback, NULL, cb_arg) BN_is_prime(n, DSS_prime_checks, callback, NULL, cb_arg)
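Review bot: 64 rounds is the Miller-Rabin-only figure FIPS 186-4 Table C.1 gives for the 3072-bit p / 256-bit q case, so the new comment checks out. Note that DSA_is_prime passes this constant to every BN_is_prime call, so 1024- and 2048-bit parameter generation now also pays 64 rounds instead of 50; that is the safe direction, but the comment should say the value is a single worst-case setting rather than size-dependent, which is what "Since we only have one value here" is hinting at.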
@ -307,6 +309,7 @@ void ERR_load_DSA_strings(void);
# define DSA_F_I2D_DSA_SIG 111 # define DSA_F_I2D_DSA_SIG 111
# define DSA_F_OLD_DSA_PRIV_DECODE 122 # define DSA_F_OLD_DSA_PRIV_DECODE 122
# define DSA_F_PKEY_DSA_CTRL 120 # define DSA_F_PKEY_DSA_CTRL 120
# define DSA_F_PKEY_DSA_CTRL_STR 127
# define DSA_F_PKEY_DSA_KEYGEN 121 # define DSA_F_PKEY_DSA_KEYGEN 121
# define DSA_F_SIG_CB 114 # define DSA_F_SIG_CB 114

View File

@ -1,6 +1,6 @@
/* crypto/dsa/dsa_err.c */ /* crypto/dsa/dsa_err.c */
/* ==================================================================== /* ====================================================================
* Copyright (c) 1999-2013 The OpenSSL Project. All rights reserved. * Copyright (c) 1999-2018 The OpenSSL Project. All rights reserved.
* *
* Redistribution and use in source and binary forms, with or without * Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions * modification, are permitted provided that the following conditions
@ -95,6 +95,7 @@ static ERR_STRING_DATA DSA_str_functs[] = {
{ERR_FUNC(DSA_F_I2D_DSA_SIG), "i2d_DSA_SIG"}, {ERR_FUNC(DSA_F_I2D_DSA_SIG), "i2d_DSA_SIG"},
{ERR_FUNC(DSA_F_OLD_DSA_PRIV_DECODE), "OLD_DSA_PRIV_DECODE"}, {ERR_FUNC(DSA_F_OLD_DSA_PRIV_DECODE), "OLD_DSA_PRIV_DECODE"},
{ERR_FUNC(DSA_F_PKEY_DSA_CTRL), "PKEY_DSA_CTRL"}, {ERR_FUNC(DSA_F_PKEY_DSA_CTRL), "PKEY_DSA_CTRL"},
{ERR_FUNC(DSA_F_PKEY_DSA_CTRL_STR), "PKEY_DSA_CTRL_STR"},
{ERR_FUNC(DSA_F_PKEY_DSA_KEYGEN), "PKEY_DSA_KEYGEN"}, {ERR_FUNC(DSA_F_PKEY_DSA_KEYGEN), "PKEY_DSA_KEYGEN"},
{ERR_FUNC(DSA_F_SIG_CB), "SIG_CB"}, {ERR_FUNC(DSA_F_SIG_CB), "SIG_CB"},
{0, NULL} {0, NULL}

View File

@ -146,9 +146,16 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
/* invalid q size */ /* invalid q size */
return 0; return 0;
if (evpmd == NULL) if (evpmd == NULL) {
/* use SHA1 as default */ if (qsize == SHA_DIGEST_LENGTH)
evpmd = EVP_sha1(); evpmd = EVP_sha1();
else if (qsize == SHA224_DIGEST_LENGTH)
evpmd = EVP_sha224();
else
evpmd = EVP_sha256();
} else {
qsize = EVP_MD_size(evpmd);
}
if (bits < 512) if (bits < 512)
bits = 512; bits = 512;
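Review bot: when a digest is supplied, `qsize = EVP_MD_size(evpmd)` silently overrides the caller's qbits, so a request for a 224-bit q with SHA-256 now yields a 256-bit q; that is the FIPS 186-4 pairing, but the change should be documented and arguably rejected rather than corrected when the two disagree. The default-digest selection is keyed on the qsize that the preceding "invalid q size" check has already constrained, so, assuming that check admits only 20, 28 and 32 bytes, the final `else` is reachable only for the SHA-256 case; a comment saying so would help.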

View File

@ -133,17 +133,13 @@ const DSA_METHOD *DSA_OpenSSL(void)
static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
{ {
BIGNUM *kinv = NULL, *r = NULL, *s = NULL; BIGNUM *kinv = NULL, *r = NULL, *s = NULL;
BIGNUM m; BIGNUM *m, *blind, *blindm, *tmp;
BIGNUM xr;
BN_CTX *ctx = NULL; BN_CTX *ctx = NULL;
int reason = ERR_R_BN_LIB; int reason = ERR_R_BN_LIB;
DSA_SIG *ret = NULL; DSA_SIG *ret = NULL;
int noredo = 0; int noredo = 0;
BN_init(&m); if (dsa->p == NULL || dsa->q == NULL || dsa->g == NULL) {
BN_init(&xr);
if (!dsa->p || !dsa->q || !dsa->g) {
reason = DSA_R_MISSING_PARAMETERS; reason = DSA_R_MISSING_PARAMETERS;
goto err; goto err;
} }
@ -154,6 +150,13 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
ctx = BN_CTX_new(); ctx = BN_CTX_new();
if (ctx == NULL) if (ctx == NULL)
goto err; goto err;
m = BN_CTX_get(ctx);
blind = BN_CTX_get(ctx);
blindm = BN_CTX_get(ctx);
tmp = BN_CTX_get(ctx);
if (tmp == NULL)
goto err;
redo: redo:
if ((dsa->kinv == NULL) || (dsa->r == NULL)) { if ((dsa->kinv == NULL) || (dsa->r == NULL)) {
if (!DSA_sign_setup(dsa, ctx, &kinv, &r)) if (!DSA_sign_setup(dsa, ctx, &kinv, &r))
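Review bot: checking only `tmp` for NULL after four BN_CTX_get calls is the documented BN_CTX idiom (once one call fails, every later call in the same frame also returns NULL), so this is fine, but since `m`, `blind` and `blindm` are used before `tmp` in the code below, a comment pointing at that guarantee stops a reader from "fixing" it into four checks or from using `m` ahead of any check.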
@ -173,20 +176,52 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
* 4.2 * 4.2
*/ */
dlen = BN_num_bytes(dsa->q); dlen = BN_num_bytes(dsa->q);
if (BN_bin2bn(dgst, dlen, &m) == NULL) if (BN_bin2bn(dgst, dlen, m) == NULL)
goto err; goto err;
/* Compute s = inv(k) (m + xr) mod q */ /*
if (!BN_mod_mul(&xr, dsa->priv_key, r, dsa->q, ctx)) * The normal signature calculation is:
goto err; /* s = xr */ *
if (!BN_add(s, &xr, &m)) * s := k^-1 * (m + r * priv_key) mod q
goto err; /* s = m + xr */ *
if (BN_cmp(s, dsa->q) > 0) * We will blind this to protect against side channel attacks
if (!BN_sub(s, s, dsa->q)) *
* s := blind^-1 * k^-1 * (blind * m + blind * r * priv_key) mod q
*/
/* Generate a blinding value */
do {
if (!BN_rand(blind, BN_num_bits(dsa->q) - 1, -1, 0))
goto err; goto err;
} while (BN_is_zero(blind));
BN_set_flags(blind, BN_FLG_CONSTTIME);
BN_set_flags(blindm, BN_FLG_CONSTTIME);
BN_set_flags(tmp, BN_FLG_CONSTTIME);
/* tmp := blind * priv_key * r mod q */
if (!BN_mod_mul(tmp, blind, dsa->priv_key, dsa->q, ctx))
goto err;
if (!BN_mod_mul(tmp, tmp, r, dsa->q, ctx))
goto err;
/* blindm := blind * m mod q */
if (!BN_mod_mul(blindm, blind, m, dsa->q, ctx))
goto err;
/* s : = (blind * priv_key * r) + (blind * m) mod q */
if (!BN_mod_add_quick(s, tmp, blindm, dsa->q))
goto err;
/* s := s * k^-1 mod q */
if (!BN_mod_mul(s, s, kinv, dsa->q, ctx)) if (!BN_mod_mul(s, s, kinv, dsa->q, ctx))
goto err; goto err;
/* s:= s * blind^-1 mod q */
if (BN_mod_inverse(blind, blind, dsa->q, ctx) == NULL)
goto err;
if (!BN_mod_mul(s, s, blind, dsa->q, ctx))
goto err;
/* /*
* Redo if r or s is zero as required by FIPS 186-3: this is very * Redo if r or s is zero as required by FIPS 186-3: this is very
* unlikely. * unlikely.
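Review bot: the blinding factor is drawn with `BN_rand(blind, BN_num_bits(dsa->q) - 1, -1, 0)`, so 0 < blind < q after the zero-rejection loop and no reduction mod q is needed. Two points to confirm: (1) BN_FLG_CONSTTIME is set on `blind`, `blindm` and `tmp` but not on `s` or `dsa->q`, so whether the BN_mod_mul calls take the constant-time division path depends on the flag being honoured on those inputs rather than on BN_mod_mul's internal product; the call that must be constant-time, `BN_mod_inverse(blind, blind, dsa->q, ctx)`, does key off the flag on `blind`, and the comment should say that is why the flag is set. (2) Replacing the old `BN_cmp(s, dsa->q) > 0` / `BN_sub` with `BN_mod_add_quick` removes the secret-dependent branch on the sum; its precondition that both operands are already reduced mod q holds because they come straight out of BN_mod_mul. Nit: `/* s : = ... */` has a stray space in `:=`.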
@ -210,13 +245,9 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
BN_free(r); BN_free(r);
BN_free(s); BN_free(s);
} }
if (ctx != NULL) BN_CTX_free(ctx);
BN_CTX_free(ctx); BN_clear_free(kinv);
BN_clear_free(&m); return ret;
BN_clear_free(&xr);
if (kinv != NULL) /* dsa->kinv is NULL now if we used it */
BN_clear_free(kinv);
return (ret);
} }
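Review bot: with `m`, `blind`, `blindm` and `tmp` now allocated from the BN_CTX, the explicit BN_clear_free(&m)/BN_clear_free(&xr) calls are gone and erasure of the secret-bearing temporaries relies on BN_CTX_free scrubbing its pool entries; verify that bn_ctx.c tears the pool down with BN_clear_free and record the dependency in a comment here. The unconditional `BN_clear_free(kinv)` is safe since it accepts NULL.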
static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,

View File

@ -3,7 +3,7 @@
* 2006. * 2006.
*/ */
/* ==================================================================== /* ====================================================================
* Copyright (c) 2006 The OpenSSL Project. All rights reserved. * Copyright (c) 2006-2018 The OpenSSL Project. All rights reserved.
* *
* Redistribution and use in source and binary forms, with or without * Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions * modification, are permitted provided that the following conditions
@ -230,10 +230,16 @@ static int pkey_dsa_ctrl_str(EVP_PKEY_CTX *ctx,
EVP_PKEY_CTRL_DSA_PARAMGEN_Q_BITS, qbits, EVP_PKEY_CTRL_DSA_PARAMGEN_Q_BITS, qbits,
NULL); NULL);
} }
if (!strcmp(type, "dsa_paramgen_md")) { if (strcmp(type, "dsa_paramgen_md") == 0) {
const EVP_MD *md = EVP_get_digestbyname(value);
if (md == NULL) {
DSAerr(DSA_F_PKEY_DSA_CTRL_STR, DSA_R_INVALID_DIGEST_TYPE);
return 0;
}
return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DSA, EVP_PKEY_OP_PARAMGEN, return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DSA, EVP_PKEY_OP_PARAMGEN,
EVP_PKEY_CTRL_DSA_PARAMGEN_MD, 0, EVP_PKEY_CTRL_DSA_PARAMGEN_MD, 0,
(void *)EVP_get_digestbyname(value)); (void *)md);
} }
return -2; return -2;
} }
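Review bot: rejecting an unknown digest name up front with DSA_R_INVALID_DIGEST_TYPE is better than the old code's passing of a NULL `md` into the ctrl, where it would fail later with a less specific error or not at all; the new reason code is added in dsa.h and dsa_err.c above, consistent. `strcmp(...) == 0` for `!strcmp` is style only.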

View File

@ -3,7 +3,7 @@
* 2006. * 2006.
*/ */
/* ==================================================================== /* ====================================================================
* Copyright (c) 2006 The OpenSSL Project. All rights reserved. * Copyright (c) 2006-2018 The OpenSSL Project. All rights reserved.
* *
* Redistribution and use in source and binary forms, with or without * Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions * modification, are permitted provided that the following conditions
@ -143,19 +143,19 @@ static int eckey_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
static EC_KEY *eckey_type2param(int ptype, void *pval) static EC_KEY *eckey_type2param(int ptype, void *pval)
{ {
EC_KEY *eckey = NULL; EC_KEY *eckey = NULL;
EC_GROUP *group = NULL;
if (ptype == V_ASN1_SEQUENCE) { if (ptype == V_ASN1_SEQUENCE) {
ASN1_STRING *pstr = pval; const ASN1_STRING *pstr = pval;
const unsigned char *pm = NULL; const unsigned char *pm = pstr->data;
int pmlen; int pmlen = pstr->length;
pm = pstr->data;
pmlen = pstr->length; if ((eckey = d2i_ECParameters(NULL, &pm, pmlen)) == NULL) {
if (!(eckey = d2i_ECParameters(NULL, &pm, pmlen))) {
ECerr(EC_F_ECKEY_TYPE2PARAM, EC_R_DECODE_ERROR); ECerr(EC_F_ECKEY_TYPE2PARAM, EC_R_DECODE_ERROR);
goto ecerr; goto ecerr;
} }
} else if (ptype == V_ASN1_OBJECT) { } else if (ptype == V_ASN1_OBJECT) {
ASN1_OBJECT *poid = pval; const ASN1_OBJECT *poid = pval;
EC_GROUP *group;
/* /*
* type == V_ASN1_OBJECT => the parameters are given by an asn1 OID * type == V_ASN1_OBJECT => the parameters are given by an asn1 OID
@ -179,8 +179,8 @@ static EC_KEY *eckey_type2param(int ptype, void *pval)
return eckey; return eckey;
ecerr: ecerr:
if (eckey) EC_KEY_free(eckey);
EC_KEY_free(eckey); EC_GROUP_free(group);
return NULL; return NULL;
} }
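Review bot: hoisting `group` to function scope so that `ecerr:` can `EC_GROUP_free(group)` fixes a leak on the error path (the old code freed only `eckey`), and both free functions accept NULL, so dropping the `if (eckey)` is fine. Check the success path between the two hunks: if it still frees `group` after EC_KEY_set_group, the hoisted variable must be reset to NULL there, or that free removed, otherwise a later failure reaching `ecerr` double-frees it.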

View File

@ -3,7 +3,7 @@
* Originally written by Bodo Moeller for the OpenSSL project. * Originally written by Bodo Moeller for the OpenSSL project.
*/ */
/* ==================================================================== /* ====================================================================
* Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved. * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved.
* *
* Redistribution and use in source and binary forms, with or without * Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions * modification, are permitted provided that the following conditions
@ -319,12 +319,16 @@ int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator,
BN_zero(&group->cofactor); BN_zero(&group->cofactor);
/* /*
* We ignore the return value because some groups have an order with * Some groups have an order with
* factors of two, which makes the Montgomery setup fail. * factors of two, which makes the Montgomery setup fail.
* |group->mont_data| will be NULL in this case. * |group->mont_data| will be NULL in this case.
*/ */
ec_precompute_mont_data(group); if (BN_is_odd(&group->order)) {
return ec_precompute_mont_data(group);
}
BN_MONT_CTX_free(group->mont_data);
group->mont_data = NULL;
return 1; return 1;
} }
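Review bot: the even-order branch now explicitly frees and NULLs `group->mont_data`, which is needed because set_generator can be called more than once on the same group and a stale context from an earlier odd-order call could otherwise survive. For odd orders the return value of ec_precompute_mont_data is now propagated instead of ignored, so callers see Montgomery setup failures; that is a behaviour change for any caller that tolerated a failed precompute and deserves a CHANGES line. The line break after "Some groups have an order with" is a leftover from deleting the first clause; reflow the comment.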

View File

@ -1118,23 +1118,32 @@ static int ecp_nistz256_set_from_affine(EC_POINT *out, const EC_GROUP *group,
const P256_POINT_AFFINE *in, const P256_POINT_AFFINE *in,
BN_CTX *ctx) BN_CTX *ctx)
{ {
BIGNUM x, y; BIGNUM x, y, z;
BN_ULONG d_x[P256_LIMBS], d_y[P256_LIMBS];
int ret = 0; int ret = 0;
memcpy(d_x, in->X, sizeof(d_x)); /*
x.d = d_x; * |const| qualifier omission is compensated by BN_FLG_STATIC_DATA
* flag, which effectively means "read-only data".
*/
x.d = (BN_ULONG *)in->X;
x.dmax = x.top = P256_LIMBS; x.dmax = x.top = P256_LIMBS;
x.neg = 0; x.neg = 0;
x.flags = BN_FLG_STATIC_DATA; x.flags = BN_FLG_STATIC_DATA;
memcpy(d_y, in->Y, sizeof(d_y)); y.d = (BN_ULONG *)in->Y;
y.d = d_y;
y.dmax = y.top = P256_LIMBS; y.dmax = y.top = P256_LIMBS;
y.neg = 0; y.neg = 0;
y.flags = BN_FLG_STATIC_DATA; y.flags = BN_FLG_STATIC_DATA;
ret = EC_POINT_set_affine_coordinates_GFp(group, out, &x, &y, ctx); z.d = (BN_ULONG *)ONE;
z.dmax = z.top = P256_LIMBS;
z.neg = 0;
z.flags = BN_FLG_STATIC_DATA;
if ((ret = (BN_copy(&out->X, &x) != NULL))
&& (ret = (BN_copy(&out->Y, &y) != NULL))
&& (ret = (BN_copy(&out->Z, &z) != NULL)))
out->Z_is_one = 1;
return ret; return ret;
} }
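Review bot: writing out->X/Y/Z directly with BN_copy bypasses EC_POINT_set_affine_coordinates_GFp, which would have run the field's to-Montgomery conversion; it is correct only if `in->X`/`in->Y` are already in the internal representation the nistz256 code uses and `ONE` is the matching representation of 1, neither of which is visible in this hunk, so state both assumptions in the comment. Also record that casting away `const` on `in->X` is safe solely because BN_copy only reads from a BN_FLG_STATIC_DATA source, and note that `ret = 0` at the top is now redundant since every path through the `if` chain assigns it.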

View File

@ -114,7 +114,7 @@ ecs_ossl.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
ecs_ossl.o: ../../include/openssl/opensslconf.h ecs_ossl.o: ../../include/openssl/opensslconf.h
ecs_ossl.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h ecs_ossl.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
ecs_ossl.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h ecs_ossl.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
ecs_ossl.o: ../../include/openssl/symhacks.h ecs_locl.h ecs_ossl.c ecs_ossl.o: ../../include/openssl/symhacks.h ../bn_int.h ecs_locl.h ecs_ossl.c
ecs_sign.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h ecs_sign.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
ecs_sign.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h ecs_sign.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
ecs_sign.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h ecs_sign.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h

View File

@ -3,7 +3,7 @@
* Written by Nils Larsch for the OpenSSL project. * Written by Nils Larsch for the OpenSSL project.
*/ */
/* ==================================================================== /* ====================================================================
* Copyright (c) 2000-2005 The OpenSSL Project. All rights reserved. * Copyright (c) 2000-2018 The OpenSSL Project. All rights reserved.
* *
* Redistribution and use in source and binary forms, with or without * Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions * modification, are permitted provided that the following conditions
@ -137,7 +137,7 @@ int restore_rand(void)
return 1; return 1;
} }
static int fbytes_counter = 0; static int fbytes_counter = 0, use_fake = 0;
static const char *numbers[8] = { static const char *numbers[8] = {
"651056770906015076056810763456358567190100156695615665659", "651056770906015076056810763456358567190100156695615665659",
"6140507067065001063065065565667405560006161556565665656654", "6140507067065001063065065565667405560006161556565665656654",
@ -158,6 +158,11 @@ int fbytes(unsigned char *buf, int num)
int ret; int ret;
BIGNUM *tmp = NULL; BIGNUM *tmp = NULL;
if (use_fake == 0)
return old_rand->bytes(buf, num);
use_fake = 0;
if (fbytes_counter >= 8) if (fbytes_counter >= 8)
return 0; return 0;
tmp = BN_new(); tmp = BN_new();
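Review bot: `use_fake` is consumed on the first fbytes call after it is armed (`use_fake = 0` precedes the counter check), so only one RAND call per `use_fake = 1` is deterministic and every other call goes to `old_rand->bytes`. That is the right fix if the code under test now draws randomness more than once per operation, since the extra draws would otherwise advance the fixed-vector counter and break the known-answer test, but the reason belongs in a comment at the declaration; note also that the arming is not reset if the armed operation never calls the RNG.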
@ -199,11 +204,13 @@ int x9_62_test_internal(BIO *out, int nid, const char *r_in, const char *s_in)
/* create the key */ /* create the key */
if ((key = EC_KEY_new_by_curve_name(nid)) == NULL) if ((key = EC_KEY_new_by_curve_name(nid)) == NULL)
goto x962_int_err; goto x962_int_err;
use_fake = 1;
if (!EC_KEY_generate_key(key)) if (!EC_KEY_generate_key(key))
goto x962_int_err; goto x962_int_err;
BIO_printf(out, "."); BIO_printf(out, ".");
(void)BIO_flush(out); (void)BIO_flush(out);
/* create the signature */ /* create the signature */
use_fake = 1;
signature = ECDSA_do_sign(digest, 20, key); signature = ECDSA_do_sign(digest, 20, key);
if (signature == NULL) if (signature == NULL)
goto x962_int_err; goto x962_int_err;
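Review bot: fbytes clears use_fake before it consults fbytes_counter, so only the first RAND draw after each `use_fake = 1;` is answered from numbers[]; any further draw made inside EC_KEY_generate_key or ECDSA_do_sign falls through to old_rand->bytes. If that is the intent (one deterministic value per step), a comment at the `use_fake = 0;` line should say so, otherwise a reader will assume the whole key generation and signature are deterministic.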

View File

@ -3,7 +3,7 @@
* Written by Nils Larsch for the OpenSSL project * Written by Nils Larsch for the OpenSSL project
*/ */
/* ==================================================================== /* ====================================================================
* Copyright (c) 1998-2004 The OpenSSL Project. All rights reserved. * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved.
* *
* Redistribution and use in source and binary forms, with or without * Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions * modification, are permitted provided that the following conditions
@ -60,6 +60,7 @@
#include <openssl/err.h> #include <openssl/err.h>
#include <openssl/obj_mac.h> #include <openssl/obj_mac.h>
#include <openssl/bn.h> #include <openssl/bn.h>
#include "bn_int.h"
static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dlen, static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dlen,
const BIGNUM *, const BIGNUM *, const BIGNUM *, const BIGNUM *,
@ -251,13 +252,14 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
EC_KEY *eckey) EC_KEY *eckey)
{ {
int ok = 0, i; int ok = 0, i;
BIGNUM *kinv = NULL, *s, *m = NULL, *tmp = NULL, *order = NULL; BIGNUM *kinv = NULL, *s, *m = NULL, *order = NULL;
const BIGNUM *ckinv; const BIGNUM *ckinv;
BN_CTX *ctx = NULL; BN_CTX *ctx = NULL;
const EC_GROUP *group; const EC_GROUP *group;
ECDSA_SIG *ret; ECDSA_SIG *ret;
ECDSA_DATA *ecdsa; ECDSA_DATA *ecdsa;
const BIGNUM *priv_key; const BIGNUM *priv_key;
BN_MONT_CTX *mont_data;
ecdsa = ecdsa_check(eckey); ecdsa = ecdsa_check(eckey);
group = EC_KEY_get0_group(eckey); group = EC_KEY_get0_group(eckey);
@ -276,7 +278,7 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
s = ret->s; s = ret->s;
if ((ctx = BN_CTX_new()) == NULL || (order = BN_new()) == NULL || if ((ctx = BN_CTX_new()) == NULL || (order = BN_new()) == NULL ||
(tmp = BN_new()) == NULL || (m = BN_new()) == NULL) { (m = BN_new()) == NULL) {
ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE); ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE);
goto err; goto err;
} }
@ -285,6 +287,8 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_EC_LIB); ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_EC_LIB);
goto err; goto err;
} }
mont_data = EC_GROUP_get_mont_data(group);
i = BN_num_bits(order); i = BN_num_bits(order);
/* /*
* Need to truncate digest if it is too long: first truncate whole bytes. * Need to truncate digest if it is too long: first truncate whole bytes.
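Review bot: mont_data = EC_GROUP_get_mont_data(group) is assigned without a NULL check and is dereferenced by bn_to_mont_fixed_top further down in ecdsa_do_sign; if a group can carry a NULL mont_data (custom or externally constructed groups), signing would crash here. Either document the invariant in a comment or fail with ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_EC_LIB) when it is NULL, as the order lookup just above does on failure.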
@ -315,15 +319,27 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
} }
} }
if (!BN_mod_mul(tmp, priv_key, ret->r, order, ctx)) { /*
* With only one multiplicant being in Montgomery domain
* multiplication yields real result without post-conversion.
* Also note that all operations but last are performed with
* zero-padded vectors. Last operation, BN_mod_mul_montgomery
* below, returns user-visible value with removed zero padding.
*/
if (!bn_to_mont_fixed_top(s, ret->r, mont_data, ctx)
|| !bn_mul_mont_fixed_top(s, s, priv_key, mont_data, ctx)) {
goto err;
}
if (!bn_mod_add_fixed_top(s, s, m, order)) {
ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB); ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
goto err; goto err;
} }
if (!BN_mod_add_quick(s, tmp, m, order)) { /*
ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB); * |s| can still be larger than modulus, because |m| can be. In
goto err; * such case we count on Montgomery reduction to tie it up.
} */
if (!BN_mod_mul(s, s, ckinv, order, ctx)) { if (!bn_to_mont_fixed_top(s, s, mont_data, ctx)
|| !BN_mod_mul_montgomery(s, s, ckinv, mont_data, ctx)) {
ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB); ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
goto err; goto err;
} }
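Review bot: the failure branch of the first fixed-top pair (`if (!bn_to_mont_fixed_top(s, ret->r, mont_data, ctx) || !bn_mul_mont_fixed_top(s, s, priv_key, mont_data, ctx)) { goto err; }`) jumps to err without recording anything, while the bn_mod_add_fixed_top and BN_mod_mul_montgomery branches both set ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB); add the same call so callers see a reason on the error queue. The block comment explains the zero-padded ("fixed top") scheme well; it would also help to say that `s` now doubles as the intermediate that `tmp` used to hold, which is what makes the removal of `tmp` from the cleanup path below safe.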
@ -353,8 +369,6 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
BN_CTX_free(ctx); BN_CTX_free(ctx);
if (m) if (m)
BN_clear_free(m); BN_clear_free(m);
if (tmp)
BN_clear_free(tmp);
if (order) if (order)
BN_free(order); BN_free(order);
if (kinv) if (kinv)

View File

@ -4,7 +4,7 @@
* 2000. * 2000.
*/ */
/* ==================================================================== /* ====================================================================
* Copyright (c) 1999-2001 The OpenSSL Project. All rights reserved. * Copyright (c) 1999-2018 The OpenSSL Project. All rights reserved.
* *
* Redistribution and use in source and binary forms, with or without * Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions * modification, are permitted provided that the following conditions
@ -188,8 +188,10 @@ void engine_cleanup_add_last(ENGINE_CLEANUP_CB *cb)
if (!int_cleanup_check(1)) if (!int_cleanup_check(1))
return; return;
item = int_cleanup_item(cb); item = int_cleanup_item(cb);
if (item) if (item != NULL) {
sk_ENGINE_CLEANUP_ITEM_push(cleanup_stack, item); if (sk_ENGINE_CLEANUP_ITEM_push(cleanup_stack, item) <= 0)
OPENSSL_free(item);
}
} }
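Review bot: the push-failure path now frees item instead of leaking it, but it is still silent: engine_cleanup_add_last is void, so a caller cannot learn that its cleanup callback was dropped and will never run. Recording the failure on the error queue (a malloc-failure error is what `sk_ENGINE_CLEANUP_ITEM_push(cleanup_stack, item) <= 0` amounts to) would at least leave a trace for debugging.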
/* The API function that performs all cleanup */ /* The API function that performs all cleanup */

View File

@ -1,5 +1,5 @@
/* ==================================================================== /* ====================================================================
* Copyright (c) 2006 The OpenSSL Project. All rights reserved. * Copyright (c) 2006-2018 The OpenSSL Project. All rights reserved.
* *
* Redistribution and use in source and binary forms, with or without * Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions * modification, are permitted provided that the following conditions
@ -215,7 +215,7 @@ static void look_str_cb(int nid, STACK_OF(ENGINE) *sk, ENGINE *def, void *arg)
ENGINE *e = sk_ENGINE_value(sk, i); ENGINE *e = sk_ENGINE_value(sk, i);
EVP_PKEY_ASN1_METHOD *ameth; EVP_PKEY_ASN1_METHOD *ameth;
e->pkey_asn1_meths(e, &ameth, NULL, nid); e->pkey_asn1_meths(e, &ameth, NULL, nid);
if (((int)strlen(ameth->pem_str) == lk->len) && if (ameth != NULL && ((int)strlen(ameth->pem_str) == lk->len) &&
!strncasecmp(ameth->pem_str, lk->str, lk->len)) { !strncasecmp(ameth->pem_str, lk->str, lk->len)) {
lk->e = e; lk->e = e;
lk->ameth = ameth; lk->ameth = ameth;
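Review bot: the new `ameth != NULL` guard fixes the dereference when an engine's pkey_asn1_meths callback finds nothing for the nid, but strlen(ameth->pem_str) is still reached with no check that pem_str is set; the CHANGES entry for this release states that a NULL pem_str is reserved for alias entries, so an engine handing back such an entry would still crash here. Add `ameth->pem_str != NULL` to the same condition.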

View File

@ -109,6 +109,10 @@ struct tm *OPENSSL_gmtime(const time_t *timer, struct tm *result)
if (gmtime_r(timer, result) == NULL) if (gmtime_r(timer, result) == NULL)
return NULL; return NULL;
ts = result; ts = result;
#elif defined (OPENSSL_SYS_WINDOWS) && defined(_MSC_VER) && _MSC_VER >= 1400
if (gmtime_s(result, timer))
return NULL;
ts = result;
#elif !defined(OPENSSL_SYS_VMS) || defined(VMS_GMTIME_OK) #elif !defined(OPENSSL_SYS_VMS) || defined(VMS_GMTIME_OK)
ts = gmtime(timer); ts = gmtime(timer);
if (ts == NULL) if (ts == NULL)
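Review bot: `if (gmtime_s(result, timer)) return NULL;` is correct, since gmtime_s returns a nonzero errno_t on failure, and it keeps the re-entrant path for MSVC builds consistent with the gmtime_r branch above it. Style only: `defined (OPENSSL_SYS_WINDOWS)` has a space before the parenthesis that the neighbouring `defined(...)` tests do not.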

View File

@ -30,11 +30,11 @@ extern "C" {
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta) * major minor fix final patch/beta)
*/ */
# define OPENSSL_VERSION_NUMBER 0x100020ffL # define OPENSSL_VERSION_NUMBER 0x1000210fL
# ifdef OPENSSL_FIPS # ifdef OPENSSL_FIPS
# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2o-fips 27 Mar 2018" # define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2p-fips 14 Aug 2018"
# else # else
# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2o-freebsd 27 Mar 2018" # define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2p-freebsd 14 Aug 2018"
# endif # endif
# define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT # define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT

View File

@ -442,7 +442,8 @@ void PEM_SignUpdate(EVP_MD_CTX *ctx, unsigned char *d, unsigned int cnt);
int PEM_SignFinal(EVP_MD_CTX *ctx, unsigned char *sigret, int PEM_SignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
unsigned int *siglen, EVP_PKEY *pkey); unsigned int *siglen, EVP_PKEY *pkey);
int PEM_def_callback(char *buf, int num, int w, void *key); /* The default pem_password_cb that's used internally */
int PEM_def_callback(char *buf, int num, int rwflag, void *userdata);
void PEM_proc_type(char *buf, int type); void PEM_proc_type(char *buf, int type);
void PEM_dek_info(char *buf, const char *type, int len, char *str); void PEM_dek_info(char *buf, const char *type, int len, char *str);

View File

@ -82,51 +82,39 @@ static int load_iv(char **fromp, unsigned char *to, int num);
static int check_pem(const char *nm, const char *name); static int check_pem(const char *nm, const char *name);
int pem_check_suffix(const char *pem_str, const char *suffix); int pem_check_suffix(const char *pem_str, const char *suffix);
int PEM_def_callback(char *buf, int num, int w, void *key) int PEM_def_callback(char *buf, int num, int rwflag, void *userdata)
{ {
#ifdef OPENSSL_NO_FP_API int i, min_len;
/*
* We should not ever call the default callback routine from windows.
*/
PEMerr(PEM_F_PEM_DEF_CALLBACK, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return (-1);
#else
int i, j;
const char *prompt; const char *prompt;
if (key) {
i = strlen(key); /* We assume that the user passes a default password as userdata */
if (userdata) {
i = strlen(userdata);
i = (i > num) ? num : i; i = (i > num) ? num : i;
memcpy(buf, key, i); memcpy(buf, userdata, i);
return (i); return i;
} }
prompt = EVP_get_pw_prompt(); prompt = EVP_get_pw_prompt();
if (prompt == NULL) if (prompt == NULL)
prompt = "Enter PEM pass phrase:"; prompt = "Enter PEM pass phrase:";
for (;;) { /*
/* * rwflag == 0 means decryption
* We assume that w == 0 means decryption, * rwflag == 1 means encryption
* while w == 1 means encryption *
*/ * We assume that for encryption, we want a minimum length, while for
int min_len = w ? MIN_LENGTH : 0; * decryption, we cannot know any minimum length, so we assume zero.
*/
min_len = rwflag ? MIN_LENGTH : 0;
i = EVP_read_pw_string_min(buf, min_len, num, prompt, w); i = EVP_read_pw_string_min(buf, min_len, num, prompt, rwflag);
if (i != 0) { if (i != 0) {
PEMerr(PEM_F_PEM_DEF_CALLBACK, PEM_R_PROBLEMS_GETTING_PASSWORD); PEMerr(PEM_F_PEM_DEF_CALLBACK, PEM_R_PROBLEMS_GETTING_PASSWORD);
memset(buf, 0, (unsigned int)num); memset(buf, 0, (unsigned int)num);
return (-1); return -1;
}
j = strlen(buf);
if (min_len && j < min_len) {
fprintf(stderr,
"phrase is too short, needs to be at least %d chars\n",
min_len);
} else
break;
} }
return (j); return strlen(buf);
#endif
} }
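Review bot: `return strlen(buf);` returns a size_t from a function declared int; the old code went through the int `j`, so an explicit `(int)` cast keeps compilers quiet and makes the narrowing visible. With the retry loop gone, the minimum-length rule for encryption rests entirely on EVP_read_pw_string_min receiving `min_len`; the block comment above it should say that, since the "phrase is too short" message that used to enforce it no longer exists in this function. Dropping the OPENSSL_NO_FP_API branch also means the default callback now prompts on builds that previously refused with ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED, which deserves a CHANGES mention.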
void PEM_proc_type(char *buf, int type) void PEM_proc_type(char *buf, int type)
@ -459,7 +447,7 @@ int PEM_do_header(EVP_CIPHER_INFO *cipher, unsigned char *data, long *plen,
klen = PEM_def_callback(buf, PEM_BUFSIZE, 0, u); klen = PEM_def_callback(buf, PEM_BUFSIZE, 0, u);
else else
klen = callback(buf, PEM_BUFSIZE, 0, u); klen = callback(buf, PEM_BUFSIZE, 0, u);
if (klen <= 0) { if (klen < 0) {
PEMerr(PEM_F_PEM_DO_HEADER, PEM_R_BAD_PASSWORD_READ); PEMerr(PEM_F_PEM_DO_HEADER, PEM_R_BAD_PASSWORD_READ);
return (0); return (0);
} }
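Review bot: relaxing `if (klen <= 0)` to `if (klen < 0)` is a semantic change: a callback returning 0 (an empty passphrase) now proceeds to key derivation and decryption instead of failing with PEM_R_BAD_PASSWORD_READ. The same relaxation is applied in d2i_PKCS8PrivateKey_bio, PEM_read_bio_PrivateKey and do_PVK_body further down, so the four paths stay consistent, but the pem_password_cb documentation should state that 0 is a valid length and only a negative return signals failure.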
@ -499,6 +487,7 @@ int PEM_get_EVP_CIPHER_INFO(char *header, EVP_CIPHER_INFO *cipher)
char **header_pp = &header; char **header_pp = &header;
cipher->cipher = NULL; cipher->cipher = NULL;
memset(cipher->iv, 0, sizeof(cipher->iv));
if ((header == NULL) || (*header == '\0') || (*header == '\n')) if ((header == NULL) || (*header == '\0') || (*header == '\n'))
return (1); return (1);
if (strncmp(header, "Proc-Type: ", 11) != 0) { if (strncmp(header, "Proc-Type: ", 11) != 0) {

View File

@ -171,7 +171,7 @@ EVP_PKEY *d2i_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY **x, pem_password_cb *cb,
klen = cb(psbuf, PEM_BUFSIZE, 0, u); klen = cb(psbuf, PEM_BUFSIZE, 0, u);
else else
klen = PEM_def_callback(psbuf, PEM_BUFSIZE, 0, u); klen = PEM_def_callback(psbuf, PEM_BUFSIZE, 0, u);
if (klen <= 0) { if (klen < 0) {
PEMerr(PEM_F_D2I_PKCS8PRIVATEKEY_BIO, PEM_R_BAD_PASSWORD_READ); PEMerr(PEM_F_D2I_PKCS8PRIVATEKEY_BIO, PEM_R_BAD_PASSWORD_READ);
X509_SIG_free(p8); X509_SIG_free(p8);
return NULL; return NULL;

View File

@ -113,7 +113,7 @@ EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, pem_password_cb *cb,
klen = cb(psbuf, PEM_BUFSIZE, 0, u); klen = cb(psbuf, PEM_BUFSIZE, 0, u);
else else
klen = PEM_def_callback(psbuf, PEM_BUFSIZE, 0, u); klen = PEM_def_callback(psbuf, PEM_BUFSIZE, 0, u);
if (klen <= 0) { if (klen < 0) {
PEMerr(PEM_F_PEM_READ_BIO_PRIVATEKEY, PEM_R_BAD_PASSWORD_READ); PEMerr(PEM_F_PEM_READ_BIO_PRIVATEKEY, PEM_R_BAD_PASSWORD_READ);
X509_SIG_free(p8); X509_SIG_free(p8);
goto err; goto err;

View File

@ -3,7 +3,7 @@
* 2005. * 2005.
*/ */
/* ==================================================================== /* ====================================================================
* Copyright (c) 2005 The OpenSSL Project. All rights reserved. * Copyright (c) 2005-2018 The OpenSSL Project. All rights reserved.
* *
* Redistribution and use in source and binary forms, with or without * Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions * modification, are permitted provided that the following conditions
@ -702,7 +702,7 @@ static EVP_PKEY *do_PVK_body(const unsigned char **in,
inlen = cb(psbuf, PEM_BUFSIZE, 0, u); inlen = cb(psbuf, PEM_BUFSIZE, 0, u);
else else
inlen = PEM_def_callback(psbuf, PEM_BUFSIZE, 0, u); inlen = PEM_def_callback(psbuf, PEM_BUFSIZE, 0, u);
if (inlen <= 0) { if (inlen < 0) {
PEMerr(PEM_F_DO_PVK_BODY, PEM_R_BAD_PASSWORD_READ); PEMerr(PEM_F_DO_PVK_BODY, PEM_R_BAD_PASSWORD_READ);
goto err; goto err;
} }

View File

@ -4,7 +4,7 @@
* 1999. * 1999.
*/ */
/* ==================================================================== /* ====================================================================
* Copyright (c) 1999 The OpenSSL Project. All rights reserved. * Copyright (c) 1999-2018 The OpenSSL Project. All rights reserved.
* *
* Redistribution and use in source and binary forms, with or without * Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions * modification, are permitted provided that the following conditions
@ -100,7 +100,7 @@ ASN1_ADB_TEMPLATE(safebag_default) = ASN1_EXP(PKCS12_SAFEBAG, value.other, ASN1_
ASN1_ADB(PKCS12_SAFEBAG) = { ASN1_ADB(PKCS12_SAFEBAG) = {
ADB_ENTRY(NID_keyBag, ASN1_EXP(PKCS12_SAFEBAG, value.keybag, PKCS8_PRIV_KEY_INFO, 0)), ADB_ENTRY(NID_keyBag, ASN1_EXP(PKCS12_SAFEBAG, value.keybag, PKCS8_PRIV_KEY_INFO, 0)),
ADB_ENTRY(NID_pkcs8ShroudedKeyBag, ASN1_EXP(PKCS12_SAFEBAG, value.shkeybag, X509_SIG, 0)), ADB_ENTRY(NID_pkcs8ShroudedKeyBag, ASN1_EXP(PKCS12_SAFEBAG, value.shkeybag, X509_SIG, 0)),
ADB_ENTRY(NID_safeContentsBag, ASN1_EXP_SET_OF(PKCS12_SAFEBAG, value.safes, PKCS12_SAFEBAG, 0)), ADB_ENTRY(NID_safeContentsBag, ASN1_EXP_SEQUENCE_OF(PKCS12_SAFEBAG, value.safes, PKCS12_SAFEBAG, 0)),
ADB_ENTRY(NID_certBag, ASN1_EXP(PKCS12_SAFEBAG, value.bag, PKCS12_BAGS, 0)), ADB_ENTRY(NID_certBag, ASN1_EXP(PKCS12_SAFEBAG, value.bag, PKCS12_BAGS, 0)),
ADB_ENTRY(NID_crlBag, ASN1_EXP(PKCS12_SAFEBAG, value.bag, PKCS12_BAGS, 0)), ADB_ENTRY(NID_crlBag, ASN1_EXP(PKCS12_SAFEBAG, value.bag, PKCS12_BAGS, 0)),
ADB_ENTRY(NID_secretBag, ASN1_EXP(PKCS12_SAFEBAG, value.bag, PKCS12_BAGS, 0)) ADB_ENTRY(NID_secretBag, ASN1_EXP(PKCS12_SAFEBAG, value.bag, PKCS12_BAGS, 0))
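Review bot: changing NID_safeContentsBag from ASN1_EXP_SET_OF to ASN1_EXP_SEQUENCE_OF alters the tag emitted and accepted for nested SafeContents from SET to SEQUENCE, which is what PKCS #12 specifies (SafeContents ::= SEQUENCE OF SafeBag in RFC 7292). Because it affects both encoding and parsing, it belongs in CHANGES, and a test that parses a nested-safeContents file produced by an earlier release would confirm that files previously written with the SET tag are handled as intended.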

View File

@ -153,7 +153,7 @@ rsa_eay.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
rsa_eay.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h rsa_eay.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
rsa_eay.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h rsa_eay.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
rsa_eay.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h rsa_eay.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
rsa_eay.o: ../../include/openssl/symhacks.h ../cryptlib.h rsa_eay.c rsa_eay.o: ../../include/openssl/symhacks.h ../bn_int.h ../cryptlib.h rsa_eay.c
rsa_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h rsa_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
rsa_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h rsa_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
rsa_err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h rsa_err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h

View File

@ -56,7 +56,7 @@
* [including the GNU Public Licence.] * [including the GNU Public Licence.]
*/ */
/* ==================================================================== /* ====================================================================
* Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved.
* *
* Redistribution and use in source and binary forms, with or without * Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions * modification, are permitted provided that the following conditions
@ -114,6 +114,7 @@
#include <openssl/bn.h> #include <openssl/bn.h>
#include <openssl/rsa.h> #include <openssl/rsa.h>
#include <openssl/rand.h> #include <openssl/rand.h>
#include "bn_int.h"
#ifndef RSA_NULL #ifndef RSA_NULL
@ -156,7 +157,7 @@ static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding) unsigned char *to, RSA *rsa, int padding)
{ {
BIGNUM *f, *ret; BIGNUM *f, *ret;
int i, j, k, num = 0, r = -1; int i, num = 0, r = -1;
unsigned char *buf = NULL; unsigned char *buf = NULL;
BN_CTX *ctx = NULL; BN_CTX *ctx = NULL;
@ -232,15 +233,10 @@ static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
goto err; goto err;
/* /*
* put in leading 0 bytes if the number is less than the length of the * BN_bn2binpad puts in leading 0 bytes if the number is less than
* modulus * the length of the modulus.
*/ */
j = BN_num_bytes(ret); r = bn_bn2binpad(ret, to, num);
i = BN_bn2bin(ret, &(to[num - j]));
for (k = 0; k < (num - i); k++)
to[k] = 0;
r = num;
err: err:
if (ctx != NULL) { if (ctx != NULL) {
BN_CTX_end(ctx); BN_CTX_end(ctx);
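Review bot: `r = bn_bn2binpad(ret, to, num);` returns -1 when ret does not fit in num bytes, so on that path r carries the failure value straight to err, which is the right outcome and replaces the length-dependent zero-fill loop with a write of all num bytes. A short comment that the padded write is the point (no data-dependent memory access pattern from the output length) would keep the next reader from "optimising" it back.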
@ -349,7 +345,7 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding) unsigned char *to, RSA *rsa, int padding)
{ {
BIGNUM *f, *ret, *res; BIGNUM *f, *ret, *res;
int i, j, k, num = 0, r = -1; int i, num = 0, r = -1;
unsigned char *buf = NULL; unsigned char *buf = NULL;
BN_CTX *ctx = NULL; BN_CTX *ctx = NULL;
int local_blinding = 0; int local_blinding = 0;
@ -459,15 +455,10 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
res = ret; res = ret;
/* /*
* put in leading 0 bytes if the number is less than the length of the * BN_bn2binpad puts in leading 0 bytes if the number is less than
* modulus * the length of the modulus.
*/ */
j = BN_num_bytes(res); r = bn_bn2binpad(res, to, num);
i = BN_bn2bin(res, &(to[num - j]));
for (k = 0; k < (num - i); k++)
to[k] = 0;
r = num;
err: err:
if (ctx != NULL) { if (ctx != NULL) {
BN_CTX_end(ctx); BN_CTX_end(ctx);
@ -485,7 +476,6 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
{ {
BIGNUM *f, *ret; BIGNUM *f, *ret;
int j, num = 0, r = -1; int j, num = 0, r = -1;
unsigned char *p;
unsigned char *buf = NULL; unsigned char *buf = NULL;
BN_CTX *ctx = NULL; BN_CTX *ctx = NULL;
int local_blinding = 0; int local_blinding = 0;
@ -576,8 +566,7 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
goto err; goto err;
p = buf; j = bn_bn2binpad(ret, buf, num);
j = BN_bn2bin(ret, p); /* j is only used with no-padding mode */
switch (padding) { switch (padding) {
case RSA_PKCS1_PADDING: case RSA_PKCS1_PADDING:
@ -592,7 +581,7 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
r = RSA_padding_check_SSLv23(to, num, buf, j, num); r = RSA_padding_check_SSLv23(to, num, buf, j, num);
break; break;
case RSA_NO_PADDING: case RSA_NO_PADDING:
r = RSA_padding_check_none(to, num, buf, j, num); memcpy(to, buf, (r = j));
break; break;
default: default:
RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE); RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
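Review bot: `memcpy(to, buf, (r = j));` replaces RSA_padding_check_none, which also validated tlen; here j comes from `j = bn_bn2binpad(ret, buf, num);` two hunks up and is -1 if ret did not fit, in which case the memcpy length becomes (size_t)-1. ret is reduced mod n so it always fits, but `if (j < 0) goto err;` before the switch makes the invariant explicit and cheap; the same pattern appears in RSA_eay_public_decrypt below.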
@ -619,7 +608,6 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
{ {
BIGNUM *f, *ret; BIGNUM *f, *ret;
int i, num = 0, r = -1; int i, num = 0, r = -1;
unsigned char *p;
unsigned char *buf = NULL; unsigned char *buf = NULL;
BN_CTX *ctx = NULL; BN_CTX *ctx = NULL;
@ -684,8 +672,7 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
if (!BN_sub(ret, rsa->n, ret)) if (!BN_sub(ret, rsa->n, ret))
goto err; goto err;
p = buf; i = bn_bn2binpad(ret, buf, num);
i = BN_bn2bin(ret, p);
switch (padding) { switch (padding) {
case RSA_PKCS1_PADDING: case RSA_PKCS1_PADDING:
@ -695,7 +682,7 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
r = RSA_padding_check_X931(to, num, buf, i, num); r = RSA_padding_check_X931(to, num, buf, i, num);
break; break;
case RSA_NO_PADDING: case RSA_NO_PADDING:
r = RSA_padding_check_none(to, num, buf, i, num); memcpy(to, buf, (r = i));
break; break;
default: default:
RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE); RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE);

View File

@ -156,6 +156,8 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
if (BN_copy(rsa->e, e_value) == NULL) if (BN_copy(rsa->e, e_value) == NULL)
goto err; goto err;
BN_set_flags(rsa->p, BN_FLG_CONSTTIME);
BN_set_flags(rsa->q, BN_FLG_CONSTTIME);
BN_set_flags(r2, BN_FLG_CONSTTIME); BN_set_flags(r2, BN_FLG_CONSTTIME);
/* generate p and q */ /* generate p and q */
for (;;) { for (;;) {
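Review bot: setting BN_FLG_CONSTTIME on rsa->p and rsa->q before the generation loop is what selects the constant-time BN code paths for the operations performed on the candidate primes; this is the fix for the cache-timing issue in RSA key generation listed in CHANGES (CVE-2018-0737), and a one-line comment saying so would stop a later cleanup from removing the flags as redundant next to the existing `BN_set_flags(r2, BN_FLG_CONSTTIME);`. The flags remain on the generated key, which is harmless but worth stating.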

View File

@ -120,7 +120,7 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
int plen, const EVP_MD *md, int plen, const EVP_MD *md,
const EVP_MD *mgf1md) const EVP_MD *mgf1md)
{ {
int i, dblen, mlen = -1, one_index = 0, msg_index; int i, dblen = 0, mlen = -1, one_index = 0, msg_index;
unsigned int good, found_one_byte; unsigned int good, found_one_byte;
const unsigned char *maskedseed, *maskeddb; const unsigned char *maskedseed, *maskeddb;
/* /*
@ -153,32 +153,41 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
dblen = num - mdlen - 1; dblen = num - mdlen - 1;
db = OPENSSL_malloc(dblen); db = OPENSSL_malloc(dblen);
em = OPENSSL_malloc(num); if (db == NULL) {
if (db == NULL || em == NULL) {
RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1, ERR_R_MALLOC_FAILURE); RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1, ERR_R_MALLOC_FAILURE);
goto cleanup; goto cleanup;
} }
/* if (flen != num) {
* Always do this zero-padding copy (even when num == flen) to avoid em = OPENSSL_malloc(num);
* leaking that information. The copy still leaks some side-channel if (em == NULL) {
* information, but it's impossible to have a fixed memory access RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1,
* pattern since we can't read out of the bounds of |from|. ERR_R_MALLOC_FAILURE);
* goto cleanup;
* TODO(emilia): Consider porting BN_bn2bin_padded from BoringSSL. }
*/
memset(em, 0, num); /*
memcpy(em + num - flen, from, flen); * Caller is encouraged to pass zero-padded message created with
* BN_bn2binpad, but if it doesn't, we do this zero-padding copy
* to avoid leaking that information. The copy still leaks some
* side-channel information, but it's impossible to have a fixed
* memory access pattern since we can't read out of the bounds of
* |from|.
*/
memset(em, 0, num);
memcpy(em + num - flen, from, flen);
from = em;
}
/* /*
* The first byte must be zero, however we must not leak if this is * The first byte must be zero, however we must not leak if this is
* true. See James H. Manger, "A Chosen Ciphertext Attack on RSA * true. See James H. Manger, "A Chosen Ciphertext Attack on RSA
* Optimal Asymmetric Encryption Padding (OAEP) [...]", CRYPTO 2001). * Optimal Asymmetric Encryption Padding (OAEP) [...]", CRYPTO 2001).
*/ */
good = constant_time_is_zero(em[0]); good = constant_time_is_zero(from[0]);
maskedseed = em + 1; maskedseed = from + 1;
maskeddb = em + 1 + mdlen; maskeddb = from + 1 + mdlen;
if (PKCS1_MGF1(seed, mdlen, maskeddb, dblen, mgf1md)) if (PKCS1_MGF1(seed, mdlen, maskeddb, dblen, mgf1md))
goto cleanup; goto cleanup;
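Review bot: `em` is now allocated only on the `flen != num` path and `from` is redirected to it, so the cleanup code must free em only when it is non-NULL and must never free `from`; that relies on em being initialised to NULL in the declarations, which this hunk does not show, so please confirm. The `dblen = 0` initialisation in the declaration hunk covers the `goto cleanup` taken before dblen is computed. The two flen cases now behave differently (copy versus no copy), which the comment documents as the intended trade: callers are expected to arrive via BN_bn2binpad with flen == num.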

View File

@ -98,6 +98,27 @@ int RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen,
const unsigned char *p; const unsigned char *p;
p = from; p = from;
/*
* The format is
* 00 || 01 || PS || 00 || D
* PS - padding string, at least 8 bytes of FF
* D - data.
*/
if (num < 11)
return -1;
/* Accept inputs with and without the leading 0-byte. */
if (num == flen) {
if ((*p++) != 0x00) {
RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,
RSA_R_INVALID_PADDING);
return -1;
}
flen--;
}
if ((num != (flen + 1)) || (*(p++) != 01)) { if ((num != (flen + 1)) || (*(p++) != 01)) {
RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1, RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,
RSA_R_BLOCK_TYPE_IS_NOT_01); RSA_R_BLOCK_TYPE_IS_NOT_01);
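Review bot: the new `if (num < 11) return -1;` exits without an RSAerr, unlike every other failure path in this function (RSA_R_INVALID_PADDING just below it, RSA_R_BLOCK_TYPE_IS_NOT_01 after it); raise RSA_R_DATA_TOO_SMALL here, as rsa_ssl.c does for the same condition, so callers get a reason on the error queue. The format comment (00 || 01 || PS || 00 || D, PS at least 8 bytes of FF) is a welcome addition and matches the 11-byte minimum.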
@ -203,28 +224,31 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
if (num < 11) if (num < 11)
goto err; goto err;
em = OPENSSL_malloc(num); if (flen != num) {
if (em == NULL) { em = OPENSSL_malloc(num);
RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2, ERR_R_MALLOC_FAILURE); if (em == NULL) {
return -1; RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2, ERR_R_MALLOC_FAILURE);
return -1;
}
/*
* Caller is encouraged to pass zero-padded message created with
* BN_bn2binpad, but if it doesn't, we do this zero-padding copy
* to avoid leaking that information. The copy still leaks some
* side-channel information, but it's impossible to have a fixed
* memory access pattern since we can't read out of the bounds of
* |from|.
*/
memset(em, 0, num);
memcpy(em + num - flen, from, flen);
from = em;
} }
memset(em, 0, num);
/*
* Always do this zero-padding copy (even when num == flen) to avoid
* leaking that information. The copy still leaks some side-channel
* information, but it's impossible to have a fixed memory access
* pattern since we can't read out of the bounds of |from|.
*
* TODO(emilia): Consider porting BN_bn2bin_padded from BoringSSL.
*/
memcpy(em + num - flen, from, flen);
good = constant_time_is_zero(em[0]); good = constant_time_is_zero(from[0]);
good &= constant_time_eq(em[1], 2); good &= constant_time_eq(from[1], 2);
found_zero_byte = 0; found_zero_byte = 0;
for (i = 2; i < num; i++) { for (i = 2; i < num; i++) {
unsigned int equals0 = constant_time_is_zero(em[i]); unsigned int equals0 = constant_time_is_zero(from[i]);
zero_index = zero_index =
constant_time_select_int(~found_zero_byte & equals0, i, constant_time_select_int(~found_zero_byte & equals0, i,
zero_index); zero_index);
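Review bot: after this hunk the scan `for (i = 2; i < num; i++)` reads from[i] up to num - 1; when flen == num, from is the caller's buffer of exactly num bytes, so the read stays in bounds, but only because the `flen != num` branch redirects every shorter input through the zero-padded em. A one-line comment on the loop recording that dependency is cheap insurance against someone later loosening the `flen != num` condition.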
@ -232,7 +256,7 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
} }
/* /*
* PS must be at least 8 bytes long, and it starts two bytes into |em|. * PS must be at least 8 bytes long, and it starts two bytes into |from|.
* If we never found a 0-byte, then |zero_index| is 0 and the check * If we never found a 0-byte, then |zero_index| is 0 and the check
* also fails. * also fails.
*/ */
@ -261,7 +285,7 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
goto err; goto err;
} }
memcpy(to, em + msg_index, mlen); memcpy(to, from + msg_index, mlen);
err: err:
if (em != NULL) { if (em != NULL) {

View File

@ -84,7 +84,7 @@ int RSA_sign(int type, const unsigned char *m, unsigned int m_len,
return 0; return 0;
} }
#endif #endif
if ((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign) { if ((rsa->meth->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign) {
return rsa->meth->rsa_sign(type, m, m_len, sigret, siglen, rsa); return rsa->meth->rsa_sign(type, m, m_len, sigret, siglen, rsa);
} }
/* Special case: SSL signature, just check the length */ /* Special case: SSL signature, just check the length */
@ -293,7 +293,7 @@ int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len,
const unsigned char *sigbuf, unsigned int siglen, RSA *rsa) const unsigned char *sigbuf, unsigned int siglen, RSA *rsa)
{ {
if ((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_verify) { if ((rsa->meth->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_verify) {
return rsa->meth->rsa_verify(dtype, m, m_len, sigbuf, siglen, rsa); return rsa->meth->rsa_verify(dtype, m, m_len, sigbuf, siglen, rsa);
} }
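Review bot: consulting rsa->meth->flags instead of rsa->flags changes which object must carry RSA_FLAG_SIGN_VER: an application that set the flag on the key with RSA_set_flags, expecting the method's rsa_sign / rsa_verify hooks to be used, now takes the built-in path unless the RSA_METHOD itself carries the flag. That is an observable change for engine users and should be recorded in CHANGES.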

View File

@ -112,6 +112,14 @@ int RSA_padding_check_SSLv23(unsigned char *to, int tlen,
RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_DATA_TOO_SMALL); RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_DATA_TOO_SMALL);
return (-1); return (-1);
} }
/* Accept even zero-padded input */
if (flen == num) {
if (*(p++) != 0) {
RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_BLOCK_TYPE_IS_NOT_02);
return -1;
}
flen--;
}
if ((num != (flen + 1)) || (*(p++) != 02)) { if ((num != (flen + 1)) || (*(p++) != 02)) {
RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_BLOCK_TYPE_IS_NOT_02); RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_BLOCK_TYPE_IS_NOT_02);
return (-1); return (-1);
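Review bot: the new leading-byte check reports RSA_R_BLOCK_TYPE_IS_NOT_02 when the first byte of a zero-padded input is non-zero, but the block-type byte has not been examined yet at that point; RSA_R_INVALID_PADDING, which rsa_pk1.c uses for the same case, would be more accurate. The early return also adds a second distinguishable failure path ahead of the existing `02` test; the SSLv23 check in this function already returns early on that test, so its side-channel profile is unchanged, but a sentence in the comment acknowledging that would help.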

View File

@ -131,7 +131,7 @@ $ymm=1 if ($xmm && !$ymm && $ARGV[0] eq "win32" &&
`ml 2>&1` =~ /Version ([0-9]+)\./ && `ml 2>&1` =~ /Version ([0-9]+)\./ &&
$1>=10); # first version supporting AVX $1>=10); # first version supporting AVX
$ymm=1 if ($xmm && !$ymm && `$ENV{CC} -v 2>&1` =~ /(^clang version|based on LLVM) ([3-9]\.[0-9]+)/ && $ymm=1 if ($xmm && !$ymm && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|based on LLVM) ([3-9]\.[0-9]+)/ &&
$2>=3.0); # first version supporting AVX $2>=3.0); # first version supporting AVX
$shaext=$xmm; ### set to zero if compiling for 1.0.1 $shaext=$xmm; ### set to zero if compiling for 1.0.1

View File

@ -83,7 +83,7 @@ if ($xmm && !$avx && $ARGV[0] eq "win32" &&
$avx = ($1>=10) + ($1>=11); $avx = ($1>=10) + ($1>=11);
} }
if ($xmm && !$avx && `$ENV{CC} -v 2>&1` =~ /(^clang version|based on LLVM) ([3-9]\.[0-9]+)/) { if ($xmm && !$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|based on LLVM) ([3-9]\.[0-9]+)/) {
$avx = ($2>=3.0) + ($2>3.0); $avx = ($2>=3.0) + ($2>3.0);
} }

View File

@ -4,7 +4,7 @@
* OpenSSL project 2001. * OpenSSL project 2001.
*/ */
/* ==================================================================== /* ====================================================================
* Copyright (c) 2001 The OpenSSL Project. All rights reserved. * Copyright (c) 2001-2018 The OpenSSL Project. All rights reserved.
* *
* Redistribution and use in source and binary forms, with or without * Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions * modification, are permitted provided that the following conditions
@ -567,17 +567,13 @@ static int echo_console(UI *ui)
{ {
#if defined(TTY_set) && !defined(OPENSSL_SYS_VMS) #if defined(TTY_set) && !defined(OPENSSL_SYS_VMS)
memcpy(&(tty_new), &(tty_orig), sizeof(tty_orig)); memcpy(&(tty_new), &(tty_orig), sizeof(tty_orig));
tty_new.TTY_FLAGS |= ECHO;
#endif
#if defined(TTY_set) && !defined(OPENSSL_SYS_VMS)
if (is_a_tty && (TTY_set(fileno(tty_in), &tty_new) == -1)) if (is_a_tty && (TTY_set(fileno(tty_in), &tty_new) == -1))
return 0; return 0;
#endif #endif
#ifdef OPENSSL_SYS_VMS #ifdef OPENSSL_SYS_VMS
if (is_a_tty) { if (is_a_tty) {
tty_new[0] = tty_orig[0]; tty_new[0] = tty_orig[0];
tty_new[1] = tty_orig[1] & ~TT$M_NOECHO; tty_new[1] = tty_orig[1];
tty_new[2] = tty_orig[2]; tty_new[2] = tty_orig[2];
status = sys$qiow(0, channel, IO$_SETMODE, &iosb, 0, 0, tty_new, 12, status = sys$qiow(0, channel, IO$_SETMODE, &iosb, 0, 0, tty_new, 12,
0, 0, 0, 0); 0, 0, 0, 0);
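Review bot: with `tty_new.TTY_FLAGS |= ECHO` and the VMS `& ~TT$M_NOECHO` removed, echo_console no longer forces echo on but restores the mode copied from `tty_orig`, so a terminal that already had echo disabled before the passphrase prompt stays that way afterwards. Restoring rather than overriding is the better behaviour, but the function name still says "echo"; a one-line comment that it restores the original mode would stop the next reader from re-adding the `|= ECHO`. Folding the two identical `#if defined(TTY_set) && !defined(OPENSSL_SYS_VMS)` blocks into one is fine.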

View File

@ -219,7 +219,7 @@ int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b)
ret = a->canon_enclen - b->canon_enclen; ret = a->canon_enclen - b->canon_enclen;
if (ret) if (ret != 0 || a->canon_enclen == 0)
return ret; return ret;
return memcmp(a->canon_enc, b->canon_enc, a->canon_enclen); return memcmp(a->canon_enc, b->canon_enc, a->canon_enclen);
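Review bot: the added `a->canon_enclen == 0` condition keeps the `memcmp` from being reached when both canonical encodings are empty, where `canon_enc` can legitimately be NULL; calling memcmp with a NULL pointer is undefined even for a zero length, so this is a real fix and not just an optimisation. Since the early return then yields `ret == 0`, a short comment stating that two names with empty canonical encodings compare equal by design would document the intent.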

View File

@ -311,7 +311,11 @@ int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name,
X509_OBJECT stmp, *tmp; X509_OBJECT stmp, *tmp;
int i, j; int i, j;
if (ctx == NULL)
return 0;
CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE); CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
tmp = X509_OBJECT_retrieve_by_subject(ctx->objs, type, name); tmp = X509_OBJECT_retrieve_by_subject(ctx->objs, type, name);
CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
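Review bot: X509_STORE_get_by_subject now returns 0 when `ctx` is NULL, which callers cannot distinguish from "no matching object"; that fits the function's existing contract, but the guards added in this file (here on `ctx`, in the following hunks on `ctx->ctx`) mean an X509_STORE_CTX without a backing store is now a supported state, and the header or man page should say so rather than leaving it as behaviour that merely happens to be handled.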
@ -506,6 +510,10 @@ STACK_OF(X509) *X509_STORE_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm)
STACK_OF(X509) *sk; STACK_OF(X509) *sk;
X509 *x; X509 *x;
X509_OBJECT *obj; X509_OBJECT *obj;
if (ctx->ctx == NULL)
return NULL;
sk = sk_X509_new_null(); sk = sk_X509_new_null();
CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE); CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_X509, nm, &cnt); idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_X509, nm, &cnt);
@ -551,6 +559,11 @@ STACK_OF(X509_CRL) *X509_STORE_get1_crls(X509_STORE_CTX *ctx, X509_NAME *nm)
STACK_OF(X509_CRL) *sk; STACK_OF(X509_CRL) *sk;
X509_CRL *x; X509_CRL *x;
X509_OBJECT *obj, xobj; X509_OBJECT *obj, xobj;
if (ctx->ctx == NULL)
return NULL;
sk = sk_X509_CRL_new_null(); sk = sk_X509_CRL_new_null();
CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE); CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
@ -651,6 +664,9 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
} }
X509_OBJECT_free_contents(&obj); X509_OBJECT_free_contents(&obj);
if (ctx->ctx == NULL)
return 0;
/* Else find index of first cert accepted by 'check_issued' */ /* Else find index of first cert accepted by 'check_issued' */
ret = 0; ret = 0;
CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE); CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
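Review bot: the `ctx->ctx == NULL` early return is placed correctly, after `X509_OBJECT_free_contents(&obj)` so the object is not leaked and before `CRYPTO_w_lock` so the lock is never taken for a missing store. It does return 0, the same value as "no issuer found", so the documentation for X509_STORE_CTX_get1_issuer should state that `*issuer` must only be read when the function returns 1.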

View File

@ -56,6 +56,7 @@
* [including the GNU Public Licence.] * [including the GNU Public Licence.]
*/ */
#include <ctype.h>
#include <stdio.h> #include <stdio.h>
#include <time.h> #include <time.h>
#include <errno.h> #include <errno.h>
@ -1937,119 +1938,67 @@ int X509_cmp_current_time(const ASN1_TIME *ctm)
int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time) int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
{ {
char *str; static const size_t utctime_length = sizeof("YYMMDDHHMMSSZ") - 1;
ASN1_TIME atm; static const size_t generalizedtime_length = sizeof("YYYYMMDDHHMMSSZ") - 1;
long offset; ASN1_TIME *asn1_cmp_time = NULL;
char buff1[24], buff2[24], *p; int i, day, sec, ret = 0;
int i, j, remaining;
p = buff1;
remaining = ctm->length;
str = (char *)ctm->data;
/* /*
* Note that the following (historical) code allows much more slack in the * Note that ASN.1 allows much more slack in the time format than RFC5280.
* time format than RFC5280. In RFC5280, the representation is fixed: * In RFC5280, the representation is fixed:
* UTCTime: YYMMDDHHMMSSZ * UTCTime: YYMMDDHHMMSSZ
* GeneralizedTime: YYYYMMDDHHMMSSZ * GeneralizedTime: YYYYMMDDHHMMSSZ
*
* We do NOT currently enforce the following RFC 5280 requirement:
* "CAs conforming to this profile MUST always encode certificate
* validity dates through the year 2049 as UTCTime; certificate validity
* dates in 2050 or later MUST be encoded as GeneralizedTime."
*/ */
if (ctm->type == V_ASN1_UTCTIME) { switch (ctm->type) {
/* YYMMDDHHMM[SS]Z or YYMMDDHHMM[SS](+-)hhmm */ case V_ASN1_UTCTIME:
int min_length = sizeof("YYMMDDHHMMZ") - 1; if (ctm->length != (int)(utctime_length))
int max_length = sizeof("YYMMDDHHMMSS+hhmm") - 1;
if (remaining < min_length || remaining > max_length)
return 0; return 0;
memcpy(p, str, 10); break;
p += 10; case V_ASN1_GENERALIZEDTIME:
str += 10; if (ctm->length != (int)(generalizedtime_length))
remaining -= 10;
} else {
/* YYYYMMDDHHMM[SS[.fff]]Z or YYYYMMDDHHMM[SS[.f[f[f]]]](+-)hhmm */
int min_length = sizeof("YYYYMMDDHHMMZ") - 1;
int max_length = sizeof("YYYYMMDDHHMMSS.fff+hhmm") - 1;
if (remaining < min_length || remaining > max_length)
return 0; return 0;
memcpy(p, str, 12); break;
p += 12; default:
str += 12;
remaining -= 12;
}
if ((*str == 'Z') || (*str == '-') || (*str == '+')) {
*(p++) = '0';
*(p++) = '0';
} else {
/* SS (seconds) */
if (remaining < 2)
return 0;
*(p++) = *(str++);
*(p++) = *(str++);
remaining -= 2;
/*
* Skip any (up to three) fractional seconds...
* TODO(emilia): in RFC5280, fractional seconds are forbidden.
* Can we just kill them altogether?
*/
if (remaining && *str == '.') {
str++;
remaining--;
for (i = 0; i < 3 && remaining; i++, str++, remaining--) {
if (*str < '0' || *str > '9')
break;
}
}
}
*(p++) = 'Z';
*(p++) = '\0';
/* We now need either a terminating 'Z' or an offset. */
if (!remaining)
return 0; return 0;
if (*str == 'Z') {
if (remaining != 1)
return 0;
offset = 0;
} else {
/* (+-)HHMM */
if ((*str != '+') && (*str != '-'))
return 0;
/* Historical behaviour: the (+-)hhmm offset is forbidden in RFC5280. */
if (remaining != 5)
return 0;
if (str[1] < '0' || str[1] > '9' || str[2] < '0' || str[2] > '9' ||
str[3] < '0' || str[3] > '9' || str[4] < '0' || str[4] > '9')
return 0;
offset = ((str[1] - '0') * 10 + (str[2] - '0')) * 60;
offset += (str[3] - '0') * 10 + (str[4] - '0');
if (*str == '-')
offset = -offset;
} }
atm.type = ctm->type;
atm.flags = 0;
atm.length = sizeof(buff2);
atm.data = (unsigned char *)buff2;
if (X509_time_adj(&atm, offset * 60, cmp_time) == NULL) /**
* Verify the format: the ASN.1 functions we use below allow a more
* flexible format than what's mandated by RFC 5280.
* Digit and date ranges will be verified in the conversion methods.
*/
for (i = 0; i < ctm->length - 1; i++) {
if (!isdigit(ctm->data[i]))
return 0;
}
if (ctm->data[ctm->length - 1] != 'Z')
return 0; return 0;
if (ctm->type == V_ASN1_UTCTIME) { /*
i = (buff1[0] - '0') * 10 + (buff1[1] - '0'); * There is ASN1_UTCTIME_cmp_time_t but no
if (i < 50) * ASN1_GENERALIZEDTIME_cmp_time_t or ASN1_TIME_cmp_time_t,
i += 100; /* cf. RFC 2459 */ * so we go through ASN.1
j = (buff2[0] - '0') * 10 + (buff2[1] - '0'); */
if (j < 50) asn1_cmp_time = X509_time_adj(NULL, 0, cmp_time);
j += 100; if (asn1_cmp_time == NULL)
goto err;
if (!ASN1_TIME_diff(&day, &sec, ctm, asn1_cmp_time))
goto err;
if (i < j) /*
return -1; * X509_cmp_time comparison is <=.
if (i > j) * The return value 0 is reserved for errors.
return 1; */
} ret = (day >= 0 && sec >= 0) ? -1 : 1;
i = strcmp(buff1, buff2);
if (i == 0) /* wait a second then return younger :-) */ err:
return -1; ASN1_TIME_free(asn1_cmp_time);
else return ret;
return i;
} }
ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj) ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj)
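Review bot: this rewrite makes X509_cmp_time strict: only a 13-character UTCTime or a 15-character GeneralizedTime made of digits and a trailing `Z` is accepted, so the forms the removed code tolerated (missing seconds, fractional seconds, a `+hhmm`/`-hhmm` offset) now return 0. Because 0 is also the error value, a caller that only tests `X509_cmp_time(...) < 0` will treat a certificate carrying such a notBefore/notAfter as "not yet expired" rather than invalid; the tightening is the right call for RFC 5280, but it needs a CHANGES entry and a man page note telling callers to check for 0 explicitly. Two smaller points: the `/**` opener on the `Verify the format` comment should be `/*` to match the rest of the file, and `isdigit(ctm->data[i])` is only well-defined because `data` is `unsigned char *`, which is worth a comment given that `<ctype.h>` was added to this file just for this call.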

View File

@ -4,7 +4,7 @@
* 2001. * 2001.
*/ */
/* ==================================================================== /* ====================================================================
* Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved. * Copyright (c) 1999-2018 The OpenSSL Project. All rights reserved.
* *
* Redistribution and use in source and binary forms, with or without * Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions * modification, are permitted provided that the following conditions
@ -128,11 +128,10 @@ int X509_check_purpose(X509 *x, int id, int ca)
{ {
int idx; int idx;
const X509_PURPOSE *pt; const X509_PURPOSE *pt;
if (!(x->ex_flags & EXFLAG_SET)) {
CRYPTO_w_lock(CRYPTO_LOCK_X509); x509v3_cache_extensions(x);
x509v3_cache_extensions(x);
CRYPTO_w_unlock(CRYPTO_LOCK_X509); /* Return if side-effect only call */
}
if (id == -1) if (id == -1)
return 1; return 1;
idx = X509_PURPOSE_get_by_id(id); idx = X509_PURPOSE_get_by_id(id);
@ -399,8 +398,16 @@ static void x509v3_cache_extensions(X509 *x)
X509_EXTENSION *ex; X509_EXTENSION *ex;
int i; int i;
if (x->ex_flags & EXFLAG_SET) if (x->ex_flags & EXFLAG_SET)
return; return;
CRYPTO_w_lock(CRYPTO_LOCK_X509);
if (x->ex_flags & EXFLAG_SET) {
CRYPTO_w_unlock(CRYPTO_LOCK_X509);
return;
}
#ifndef OPENSSL_NO_SHA #ifndef OPENSSL_NO_SHA
X509_digest(x, EVP_sha1(), x->sha1_hash, NULL); X509_digest(x, EVP_sha1(), x->sha1_hash, NULL);
#endif #endif
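Review bot: the unlocked `if (x->ex_flags & EXFLAG_SET) return;` fast path followed by the locked re-check is double-checked locking; CRYPTO_w_lock provides no acquire barrier on the unlocked path, so on a weakly ordered CPU a thread can observe EXFLAG_SET before the other cached `ex_*` fields written under the lock are visible to it. Moving the locking into x509v3_cache_extensions is still an improvement over the caller-side locking it replaces, but the fast path should carry a comment stating that it is intentionally unsynchronised and why that is judged acceptable, or EXFLAG_SET should be set with a barrier or atomic where one is available.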
@ -536,6 +543,7 @@ static void x509v3_cache_extensions(X509 *x)
} }
} }
x->ex_flags |= EXFLAG_SET; x->ex_flags |= EXFLAG_SET;
CRYPTO_w_unlock(CRYPTO_LOCK_X509);
} }
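Review bot: the unlock added after `x->ex_flags |= EXFLAG_SET` is the only release for the lock taken at the top of x509v3_cache_extensions; any `return` between the two (the body of the function is not in this hunk) would leave CRYPTO_LOCK_X509 held, so please confirm there are none, or restructure the function with a single exit label that does the unlock.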
/*- /*-
@ -578,11 +586,7 @@ static int check_ca(const X509 *x)
int X509_check_ca(X509 *x) int X509_check_ca(X509 *x)
{ {
if (!(x->ex_flags & EXFLAG_SET)) { x509v3_cache_extensions(x);
CRYPTO_w_lock(CRYPTO_LOCK_X509);
x509v3_cache_extensions(x);
CRYPTO_w_unlock(CRYPTO_LOCK_X509);
}
return check_ca(x); return check_ca(x);
} }
@ -796,6 +800,7 @@ int X509_check_issued(X509 *issuer, X509 *subject)
if (X509_NAME_cmp(X509_get_subject_name(issuer), if (X509_NAME_cmp(X509_get_subject_name(issuer),
X509_get_issuer_name(subject))) X509_get_issuer_name(subject)))
return X509_V_ERR_SUBJECT_ISSUER_MISMATCH; return X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
x509v3_cache_extensions(issuer); x509v3_cache_extensions(issuer);
x509v3_cache_extensions(subject); x509v3_cache_extensions(subject);

View File

@ -335,6 +335,9 @@ When encrypting a message this option may be used multiple times to specify
each recipient. This form B<must> be used if customised parameters are each recipient. This form B<must> be used if customised parameters are
required (for example to specify RSA-OAEP). required (for example to specify RSA-OAEP).
Only certificates carrying RSA, Diffie-Hellman or EC keys are supported by this
option.
=item B<-keyid> =item B<-keyid>
use subject key identifier to identify certificates instead of issuer name and use subject key identifier to identify certificates instead of issuer name and
@ -648,17 +651,14 @@ No revocation checking is done on the signer's certificate.
=head1 HISTORY =head1 HISTORY
The use of multiple B<-signer> options and the B<-resign> command were first The use of multiple B<-signer> options and the B<-resign> command were first
added in OpenSSL 1.0.0 added in OpenSSL 1.0.0.
The B<keyopt> option was first added in OpenSSL 1.1.0 The B<keyopt> option was first added in OpenSSL 1.0.2.
The use of B<-recip> to specify the recipient when encrypting mail was first Support for RSA-OAEP and RSA-PSS was first added to OpenSSL 1.0.2.
added to OpenSSL 1.1.0
Support for RSA-OAEP and RSA-PSS was first added to OpenSSL 1.1.0.
The use of non-RSA keys with B<-encrypt> and B<-decrypt> was first added The use of non-RSA keys with B<-encrypt> and B<-decrypt> was first added
to OpenSSL 1.1.0. to OpenSSL 1.0.2.
The -no_alt_chains options was first added to OpenSSL 1.0.2b. The -no_alt_chains options was first added to OpenSSL 1.0.2b.
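Review bot: while this HISTORY section is being corrected, the unchanged line `The -no_alt_chains options was first added` has a number mismatch (`option was`) and lacks the B<> markup the other entries use for option names; fixing both here keeps the section consistent.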

View File

@ -21,7 +21,7 @@ started or end of file is reached. A section name can consist of
alphanumeric characters and underscores. alphanumeric characters and underscores.
The first section of a configuration file is special and is referred The first section of a configuration file is special and is referred
to as the B<default> section this is usually unnamed and is from the to as the B<default> section. This section is usually unnamed and spans from the
start of file until the first named section. When a name is being looked up start of file until the first named section. When a name is being looked up
it is first looked up in a named section (if any) and then the it is first looked up in a named section (if any) and then the
default section. default section.

View File

@ -11,7 +11,7 @@ B<openssl> B<genpkey>
[B<-out filename>] [B<-out filename>]
[B<-outform PEM|DER>] [B<-outform PEM|DER>]
[B<-pass arg>] [B<-pass arg>]
[B<-cipher>] [B<-I<cipher>>]
[B<-engine id>] [B<-engine id>]
[B<-paramfile file>] [B<-paramfile file>]
[B<-algorithm alg>] [B<-algorithm alg>]
@ -34,21 +34,21 @@ used.
=item B<-outform DER|PEM> =item B<-outform DER|PEM>
This specifies the output format DER or PEM. This specifies the output format DER or PEM. The default format is PEM.
=item B<-pass arg> =item B<-pass arg>
the output file password source. For more information about the format of B<arg> The output file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>. see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-cipher> =item B<-I<cipher>>
This option encrypts the private key with the supplied cipher. Any algorithm This option encrypts the private key with the supplied cipher. Any algorithm
name accepted by EVP_get_cipherbyname() is acceptable such as B<des3>. name accepted by EVP_get_cipherbyname() is acceptable such as B<des3>.
=item B<-engine id> =item B<-engine id>
specifying an engine (by its unique B<id> string) will cause B<genpkey> Specifying an engine (by its unique B<id> string) will cause B<genpkey>
to attempt to obtain a functional reference to the specified engine, to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default thus initialising it if needed. The engine will then be set as the default
for all available algorithms. If used this option should precede all other for all available algorithms. If used this option should precede all other
@ -56,20 +56,33 @@ options.
=item B<-algorithm alg> =item B<-algorithm alg>
public key algorithm to use such as RSA, DSA or DH. If used this option must Public key algorithm to use such as RSA, DSA or DH. If used this option must
precede any B<-pkeyopt> options. The options B<-paramfile> and B<-algorithm> precede any B<-pkeyopt> options. The options B<-paramfile> and B<-algorithm>
are mutually exclusive. are mutually exclusive. Engines may add algorithms in addition to the standard
built-in ones.
Valid built-in algorithm names for private key generation are RSA and EC.
Valid built-in algorithm names for parameter generation (see the B<-genparam>
option) are DH, DSA and EC.
Note that the algorithm name X9.42 DH may be used as a synonym for the DH
algorithm. These are identical and do not indicate the type of parameters that
will be generated. Use the B<dh_paramgen_type> option to indicate whether PKCS#3
or X9.42 DH parameters are required. See L<DH Parameter Generation Options>
below for more details.
=item B<-pkeyopt opt:value> =item B<-pkeyopt opt:value>
set the public key algorithm option B<opt> to B<value>. The precise set of Set the public key algorithm option B<opt> to B<value>. The precise set of
options supported depends on the public key algorithm used and its options supported depends on the public key algorithm used and its
implementation. See B<KEY GENERATION OPTIONS> below for more details. implementation. See L<KEY GENERATION OPTIONS> and
L<PARAMETER GENERATION OPTIONS> below for more details.
=item B<-genparam> =item B<-genparam>
generate a set of parameters instead of a private key. If used this option must Generate a set of parameters instead of a private key. If used this option must
precede and B<-algorithm>, B<-paramfile> or B<-pkeyopt> options. precede any B<-algorithm>, B<-paramfile> or B<-pkeyopt> options.
=item B<-paramfile filename> =item B<-paramfile filename>
@ -92,7 +105,7 @@ The options supported by each algorith and indeed each implementation of an
algorithm can vary. The options for the OpenSSL implementations are detailed algorithm can vary. The options for the OpenSSL implementations are detailed
below. below.
=head1 RSA KEY GENERATION OPTIONS =head2 RSA Key Generation Options
=over 4 =over 4
@ -107,49 +120,93 @@ hexadecimal value if preceded by B<0x>. Default value is 65537.
=back =back
=head1 DSA PARAMETER GENERATION OPTIONS =head2 EC Key Generation Options
=over 4 The EC key generation options can also be used for parameter generation.
=item B<dsa_paramgen_bits:numbits>
The number of bits in the generated parameters. If not specified 1024 is used.
=back
=head1 DH PARAMETER GENERATION OPTIONS
=over 4
=item B<dh_paramgen_prime_len:numbits>
The number of bits in the prime parameter B<p>.
=item B<dh_paramgen_generator:value>
The value to use for the generator B<g>.
=item B<dh_rfc5114:num>
If this option is set then the appropriate RFC5114 parameters are used
instead of generating new parameters. The value B<num> can take the
values 1, 2 or 3 corresponding to RFC5114 DH parameters consisting of
1024 bit group with 160 bit subgroup, 2048 bit group with 224 bit subgroup
and 2048 bit group with 256 bit subgroup as mentioned in RFC5114 sections
2.1, 2.2 and 2.3 respectively.
=back
=head1 EC PARAMETER GENERATION OPTIONS
=over 4 =over 4
=item B<ec_paramgen_curve:curve> =item B<ec_paramgen_curve:curve>
the EC curve to use. The EC curve to use. OpenSSL supports NIST curve names such as "P-256".
=item B<ec_param_enc:encoding>
The encoding to use for parameters. The "encoding" parameter must be either
"named_curve" or "explicit". The default value is "named_curve".
=back =back
=head1 PARAMETER GENERATION OPTIONS
The options supported by each algorithm and indeed each implementation of an
algorithm can vary. The options for the OpenSSL implementations are detailed
below.
=head2 DSA Parameter Generation Options
=over 4
=item B<dsa_paramgen_bits:numbits>
The number of bits in the generated prime. If not specified 1024 is used.
=item B<dsa_paramgen_q_bits:numbits>
The number of bits in the q parameter. Must be one of 160, 224 or 256. If not
specified 160 is used.
=item B<dsa_paramgen_md:digest>
The digest to use during parameter generation. Must be one of B<sha1>, B<sha224>
or B<sha256>. If set, then the number of bits in B<q> will match the output size
of the specified digest and the B<dsa_paramgen_q_bits> parameter will be
ignored. If not set, then a digest will be used that gives an output matching
the number of bits in B<q>, i.e. B<sha1> if q length is 160, B<sha224> if it 224
or B<sha256> if it is 256.
=back
=head2 DH Parameter Generation Options
=over 4
=item B<dh_paramgen_prime_len:numbits>
The number of bits in the prime parameter B<p>. The default is 1024.
=item B<dh_paramgen_subprime_len:numbits>
The number of bits in the sub prime parameter B<q>. The default is 256 if the
prime is at least 2048 bits long or 160 otherwise. Only relevant if used in
conjunction with the B<dh_paramgen_type> option to generate X9.42 DH parameters.
=item B<dh_paramgen_generator:value>
The value to use for the generator B<g>. The default is 2.
=item B<dh_paramgen_type:value>
The type of DH parameters to generate. Use 0 for PKCS#3 DH and 1 for X9.42 DH.
The default is 0.
=item B<dh_rfc5114:num>
If this option is set, then the appropriate RFC5114 parameters are used
instead of generating new parameters. The value B<num> can take the
values 1, 2 or 3 corresponding to RFC5114 DH parameters consisting of
1024 bit group with 160 bit subgroup, 2048 bit group with 224 bit subgroup
and 2048 bit group with 256 bit subgroup as mentioned in RFC5114 sections
2.1, 2.2 and 2.3 respectively. If present this overrides all other DH parameter
options.
=back
=head2 EC Parameter Generation Options
The EC parameter generation options are the same as for key generation. See
L<EC Key Generation Options> above.
=head1 GOST2001 KEY GENERATION AND PARAMETER OPTIONS =head1 GOST2001 KEY GENERATION AND PARAMETER OPTIONS
Gost 2001 support is not enabled by default. To enable this algorithm, Gost 2001 support is not enabled by default. To enable this algorithm,
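Review bot: typo in the added `dsa_paramgen_md` text: `B<sha224> if it 224` should read `if it is 224`. The heading levels are also now inconsistent: RSA, EC, DSA and DH are `=head2 ... Options` under the `=head1` KEY GENERATION OPTIONS and PARAMETER GENERATION OPTIONS sections, but the following `=head1 GOST2001 KEY GENERATION AND PARAMETER OPTIONS` keeps the old all-caps top-level style, so it renders as a section of its own between the two groups; demote it to `=head2` with matching capitalisation. The hunk header context still shows `each algorith`, and the new PARAMETER GENERATION OPTIONS paragraph copies that sentence with the spelling corrected, so the original occurrence should be fixed too.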
@ -179,8 +236,6 @@ numeric OID. Following parameter sets are supported:
=back =back
=head1 NOTES =head1 NOTES
The use of the genpkey program is encouraged over the algorithm specific The use of the genpkey program is encouraged over the algorithm specific
@ -202,19 +257,25 @@ Generate a 2048 bit RSA key using 3 as the public exponent:
openssl genpkey -algorithm RSA -out key.pem -pkeyopt rsa_keygen_bits:2048 \ openssl genpkey -algorithm RSA -out key.pem -pkeyopt rsa_keygen_bits:2048 \
-pkeyopt rsa_keygen_pubexp:3 -pkeyopt rsa_keygen_pubexp:3
Generate 1024 bit DSA parameters: Generate 2048 bit DSA parameters:
openssl genpkey -genparam -algorithm DSA -out dsap.pem \ openssl genpkey -genparam -algorithm DSA -out dsap.pem \
-pkeyopt dsa_paramgen_bits:1024 -pkeyopt dsa_paramgen_bits:2048
Generate DSA key from parameters: Generate DSA key from parameters:
openssl genpkey -paramfile dsap.pem -out dsakey.pem openssl genpkey -paramfile dsap.pem -out dsakey.pem
Generate 1024 bit DH parameters: Generate 2048 bit DH parameters:
openssl genpkey -genparam -algorithm DH -out dhp.pem \ openssl genpkey -genparam -algorithm DH -out dhp.pem \
-pkeyopt dh_paramgen_prime_len:1024 -pkeyopt dh_paramgen_prime_len:2048
Generate 2048 bit X9.42 DH parameters:
openssl genpkey -genparam -algorithm DH -out dhpx.pem \
-pkeyopt dh_paramgen_prime_len:2048 \
-pkeyopt dh_paramgen_type:1
Output RFC5114 2048 bit DH parameters with 224 bit subgroup: Output RFC5114 2048 bit DH parameters with 224 bit subgroup:
@ -224,6 +285,16 @@ Generate DH key from parameters:
openssl genpkey -paramfile dhp.pem -out dhkey.pem openssl genpkey -paramfile dhp.pem -out dhkey.pem
Generate EC key directly:
openssl genpkey -algorithm EC -out eckey.pem \
-pkeyopt ec_paramgen_curve:P-384 \
-pkeyopt ec_param_enc:named_curve
=head1 HISTORY
The ability to use NIST curve names, and to generate an EC key directly,
were added in OpenSSL 1.0.2.
=cut =cut

View File

@ -141,8 +141,9 @@ pauses 1 second between each read and write call.
=item B<-showcerts> =item B<-showcerts>
display the whole server certificate chain: normally only the server Displays the server certificate list as sent by the server: it only consists of
certificate itself is displayed. certificates the server has sent (in the order the server has sent them). It is
B<not> a verified chain.
=item B<-prexit> =item B<-prexit>
@ -354,7 +355,8 @@ a client certificate. Therefor merely including a client certificate
on the command line is no guarantee that the certificate works. on the command line is no guarantee that the certificate works.
If there are problems verifying a server certificate then the If there are problems verifying a server certificate then the
B<-showcerts> option can be used to show the whole chain. B<-showcerts> option can be used to show all the certificates sent by the
server.
Since the SSLv23 client hello cannot include compression methods or extensions Since the SSLv23 client hello cannot include compression methods or extensions
these will only be supported if its use is disabled, for example by using the these will only be supported if its use is disabled, for example by using the
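Review bot: the unchanged context line in the hunk header, `Therefor merely including a client certificate`, should read `Therefore`; worth fixing while the paragraph below it is being reworded.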

View File

@ -60,7 +60,7 @@ BIO_s_fd() returns the file descriptor BIO method.
BIO_reset() returns zero for success and -1 if an error occurred. BIO_reset() returns zero for success and -1 if an error occurred.
BIO_seek() and BIO_tell() return the current file position or -1 BIO_seek() and BIO_tell() return the current file position or -1
is an error occurred. These values reflect the underlying lseek() if an error occurred. These values reflect the underlying lseek()
behaviour. behaviour.
BIO_set_fd() always returns 1. BIO_set_fd() always returns 1.

View File

@ -91,7 +91,9 @@ BN_exp() raises I<a> to the I<p>-th power and places the result in I<r>
BN_mul(). BN_mul().
BN_mod_exp() computes I<a> to the I<p>-th power modulo I<m> (C<r=a^p % BN_mod_exp() computes I<a> to the I<p>-th power modulo I<m> (C<r=a^p %
m>). This function uses less time and space than BN_exp(). m>). This function uses less time and space than BN_exp(). Do not call this
function when B<m> is even and any of the parameters have the
B<BN_FLG_CONSTTIME> flag set.
BN_gcd() computes the greatest common divisor of I<a> and I<b> and BN_gcd() computes the greatest common divisor of I<a> and I<b> and
places the result in I<r>. I<r> may be the same B<BIGNUM> as I<a> or places the result in I<r>. I<r> may be the same B<BIGNUM> as I<a> or
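Review bot: the new sentence tells the reader not to call BN_mod_exp with an even `m` when a parameter has B<BN_FLG_CONSTTIME> set, but not what happens if they do (an error return, or a silent fall-back to a path that is not constant-time); the RETURN VALUES section should state which, because callers that set the flag for side-channel resistance need to know whether the misuse is detected or merely undermines the protection.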

View File

@ -39,8 +39,8 @@ numbers, the string is prefaced with a leading '-'. The string must be
freed later using OPENSSL_free(). freed later using OPENSSL_free().
BN_hex2bn() converts the string B<str> containing a hexadecimal number BN_hex2bn() converts the string B<str> containing a hexadecimal number
to a B<BIGNUM> and stores it in **B<bn>. If *B<bn> is NULL, a new to a B<BIGNUM> and stores it in **B<a>. If *B<a> is NULL, a new
B<BIGNUM> is created. If B<bn> is NULL, it only computes the number's B<BIGNUM> is created. If B<a> is NULL, it only computes the number's
length in hexadecimal digits. If the string starts with '-', the length in hexadecimal digits. If the string starts with '-', the
number is negative. number is negative.
A "negative zero" is converted to zero. A "negative zero" is converted to zero.

View File

@ -90,7 +90,17 @@ If B<do_trial_division == 0>, this test is skipped.
Both BN_is_prime_ex() and BN_is_prime_fasttest_ex() perform a Miller-Rabin Both BN_is_prime_ex() and BN_is_prime_fasttest_ex() perform a Miller-Rabin
probabilistic primality test with B<nchecks> iterations. If probabilistic primality test with B<nchecks> iterations. If
B<nchecks == BN_prime_checks>, a number of iterations is used that B<nchecks == BN_prime_checks>, a number of iterations is used that
yields a false positive rate of at most 2^-80 for random input. yields a false positive rate of at most 2^-64 for random input.
The error rate depends on the size of the prime and goes down for bigger primes.
The rate is 2^-80 starting at 308 bits, 2^-112 at 852 bits, 2^-128 at 1080 bits,
2^-192 at 3747 bits and 2^-256 at 6394 bits.
When the source of the prime is not random or not trusted, the number
of checks needs to be much higher to reach the same level of assurance:
It should equal half of the targeted security level in bits (rounded up to the
next integer if necessary).
For instance, to reach the 128 bit security level, B<nchecks> should be set to
64.
If B<cb> is not B<NULL>, B<BN_GENCB_call(cb, 1, j)> is called If B<cb> is not B<NULL>, B<BN_GENCB_call(cb, 1, j)> is called
after the j-th iteration (j = 0, 1, ...). B<ctx> is a after the j-th iteration (j = 0, 1, ...). B<ctx> is a
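Review bot: the first sentence now gives "at most 2^-64 for random input" and the next one lists rates from 308 bits upwards, so it should say explicitly that 2^-64 is the rate for inputs below 308 bits, otherwise the two sentences read as contradicting each other. The "half of the targeted security level" rule for untrusted input is consistent with the 1/4 per-round worst-case bound of Miller-Rabin (64 rounds give 4^-64 = 2^-128), and a few words saying so would explain why non-random input needs so many more rounds than the size-dependent counts listed above.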

View File

@ -18,9 +18,8 @@ B<cipher> is the symmetric cipher to use. B<flags> is an optional set of flags.
=head1 NOTES =head1 NOTES
Only certificates carrying RSA keys are supported so the recipient certificates Only certificates carrying RSA, Diffie-Hellman or EC keys are supported by this
supplied to this function must all contain RSA public keys, though they do not function.
have to be signed using the RSA algorithm.
EVP_des_ede3_cbc() (triple DES) is the algorithm of choice for S/MIME use EVP_des_ede3_cbc() (triple DES) is the algorithm of choice for S/MIME use
because most clients will support it. because most clients will support it.

View File

@ -51,7 +51,7 @@ CMS_SignerInfo_set1_signer_cert().
Once all signer certificates have been set CMS_verify() can be used. Once all signer certificates have been set CMS_verify() can be used.
Although CMS_get0_SignerInfos() can return NULL is an error occur B<or> if Although CMS_get0_SignerInfos() can return NULL if an error occurs B<or> if
there are no signers this is not a problem in practice because the only there are no signers this is not a problem in practice because the only
error which can occur is if the B<cms> structure is not of type signedData error which can occur is if the B<cms> structure is not of type signedData
due to application error. due to application error.

Some files were not shown because too many files have changed in this diff