Import OpenSSL 1.0.2p.
This commit is contained in:
parent
02be298e50
commit
43a67e02da
58
CHANGES
58
CHANGES
@ -7,6 +7,64 @@
|
||||
https://github.com/openssl/openssl/commits/ and pick the appropriate
|
||||
release branch.
|
||||
|
||||
Changes between 1.0.2o and 1.0.2p [14 Aug 2018]
|
||||
|
||||
*) Client DoS due to large DH parameter
|
||||
|
||||
During key agreement in a TLS handshake using a DH(E) based ciphersuite a
|
||||
malicious server can send a very large prime value to the client. This will
|
||||
cause the client to spend an unreasonably long period of time generating a
|
||||
key for this prime resulting in a hang until the client has finished. This
|
||||
could be exploited in a Denial Of Service attack.
|
||||
|
||||
This issue was reported to OpenSSL on 5th June 2018 by Guido Vranken
|
||||
(CVE-2018-0732)
|
||||
[Guido Vranken]
|
||||
|
||||
*) Cache timing vulnerability in RSA Key Generation
|
||||
|
||||
The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to
|
||||
a cache timing side channel attack. An attacker with sufficient access to
|
||||
mount cache timing attacks during the RSA key generation process could
|
||||
recover the private key.
|
||||
|
||||
This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera
|
||||
Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia.
|
||||
(CVE-2018-0737)
|
||||
[Billy Brumley]
|
||||
|
||||
*) Make EVP_PKEY_asn1_new() a bit stricter about its input. A NULL pem_str
|
||||
parameter is no longer accepted, as it leads to a corrupt table. NULL
|
||||
pem_str is reserved for alias entries only.
|
||||
[Richard Levitte]
|
||||
|
||||
*) Revert blinding in ECDSA sign and instead make problematic addition
|
||||
length-invariant. Switch even to fixed-length Montgomery multiplication.
|
||||
[Andy Polyakov]
|
||||
|
||||
*) Change generating and checking of primes so that the error rate of not
|
||||
being prime depends on the intended use based on the size of the input.
|
||||
For larger primes this will result in more rounds of Miller-Rabin.
|
||||
The maximal error rate for primes with more than 1080 bits is lowered
|
||||
to 2^-128.
|
||||
[Kurt Roeckx, Annie Yousar]
|
||||
|
||||
*) Increase the number of Miller-Rabin rounds for DSA key generating to 64.
|
||||
[Kurt Roeckx]
|
||||
|
||||
*) Add blinding to ECDSA and DSA signatures to protect against side channel
|
||||
attacks discovered by Keegan Ryan (NCC Group).
|
||||
[Matt Caswell]
|
||||
|
||||
*) When unlocking a pass phrase protected PEM file or PKCS#8 container, we
|
||||
now allow empty (zero character) pass phrases.
|
||||
[Richard Levitte]
|
||||
|
||||
*) Certificate time validation (X509_cmp_time) enforces stricter
|
||||
compliance with RFC 5280. Fractional seconds and timezone offsets
|
||||
are no longer allowed.
|
||||
[Emilia Käsper]
|
||||
|
||||
Changes between 1.0.2n and 1.0.2o [27 Mar 2018]
|
||||
|
||||
*) Constructed ASN.1 types with a recursive definition could exceed the stack
|
||||
|
50
CONTRIBUTING
50
CONTRIBUTING
@ -1,26 +1,26 @@
|
||||
HOW TO CONTRIBUTE PATCHES TO OpenSSL
|
||||
------------------------------------
|
||||
HOW TO CONTRIBUTE TO OpenSSL
|
||||
----------------------------
|
||||
|
||||
(Please visit https://www.openssl.org/community/getting-started.html for
|
||||
other ideas about how to contribute.)
|
||||
|
||||
Development is coordinated on the openssl-dev mailing list (see the
|
||||
above link or https://mta.openssl.org for information on subscribing).
|
||||
If you are unsure as to whether a feature will be useful for the general
|
||||
OpenSSL community you might want to discuss it on the openssl-dev mailing
|
||||
list first. Someone may be already working on the same thing or there
|
||||
may be a good reason as to why that feature isn't implemented.
|
||||
Development is done on GitHub, https://github.com/openssl/openssl.
|
||||
|
||||
To submit a patch, make a pull request on GitHub. If you think the patch
|
||||
could use feedback from the community, please start a thread on openssl-dev
|
||||
to discuss it.
|
||||
To request new features or report bugs, please open an issue on GitHub
|
||||
|
||||
Having addressed the following items before the PR will help make the
|
||||
acceptance and review process faster:
|
||||
To submit a patch, please open a pull request on GitHub. If you are thinking
|
||||
of making a large contribution, open an issue for it before starting work,
|
||||
to get comments from the community. Someone may be already working on
|
||||
the same thing or there may be reasons why that feature isn't implemented.
|
||||
|
||||
1. Anything other than trivial contributions will require a contributor
|
||||
licensing agreement, giving us permission to use your code. See
|
||||
https://www.openssl.org/policies/cla.html for details.
|
||||
To make it easier to review and accept your pull request, please follow these
|
||||
guidelines:
|
||||
|
||||
1. Anything other than a trivial contribution requires a Contributor
|
||||
License Agreement (CLA), giving us permission to use your code. See
|
||||
https://www.openssl.org/policies/cla.html for details. If your
|
||||
contribution is too small to require a CLA, put "CLA: trivial" on a
|
||||
line by itself in your commit message body.
|
||||
|
||||
2. All source files should start with the following text (with
|
||||
appropriate comment characters at the start of each line and the
|
||||
@ -34,21 +34,21 @@ acceptance and review process faster:
|
||||
https://www.openssl.org/source/license.html
|
||||
|
||||
3. Patches should be as current as possible; expect to have to rebase
|
||||
often. We do not accept merge commits; You will be asked to remove
|
||||
them before a patch is considered acceptable.
|
||||
often. We do not accept merge commits, you will have to remove them
|
||||
(usually by rebasing) before it will be acceptable.
|
||||
|
||||
4. Patches should follow our coding style (see
|
||||
https://www.openssl.org/policies/codingstyle.html) and compile without
|
||||
warnings. Where gcc or clang is availble you should use the
|
||||
https://www.openssl.org/policies/codingstyle.html) and compile
|
||||
without warnings. Where gcc or clang is available you should use the
|
||||
--strict-warnings Configure option. OpenSSL compiles on many varied
|
||||
platforms: try to ensure you only use portable features.
|
||||
Clean builds via Travis and AppVeyor are expected, and done whenever
|
||||
a PR is created or updated.
|
||||
platforms: try to ensure you only use portable features. Clean builds
|
||||
via Travis and AppVeyor are required, and they are started automatically
|
||||
whenever a PR is created or updated.
|
||||
|
||||
5. When at all possible, patches should include tests. These can
|
||||
either be added to an existing test, or completely new. Please see
|
||||
test/README for information on the test framework.
|
||||
|
||||
6. New features or changed functionality must include
|
||||
documentation. Please look at the "pod" files in doc/apps, doc/crypto
|
||||
and doc/ssl for examples of our style.
|
||||
documentation. Please look at the "pod" files in doc for
|
||||
examples of our style.
|
||||
|
12
Configure
12
Configure
@ -1173,6 +1173,7 @@ foreach (sort (keys %disabled))
|
||||
$depflags .= " -DOPENSSL_NO_$ALGO";
|
||||
}
|
||||
}
|
||||
if (/^comp$/) { $zlib = 0; }
|
||||
}
|
||||
|
||||
print "\n";
|
||||
@ -1671,6 +1672,13 @@ while (<PIPE>) {
|
||||
}
|
||||
close(PIPE);
|
||||
|
||||
# Xcode did not handle $cc -M before clang support
|
||||
my $cc_as_makedepend = 0;
|
||||
if ($predefined{__GNUC__} >= 3 && !(defined($predefined{__APPLE_CC__})
|
||||
&& !defined($predefined{__clang__}))) {
|
||||
$cc_as_makedepend = 1;
|
||||
}
|
||||
|
||||
if ($strict_warnings)
|
||||
{
|
||||
my $wopt;
|
||||
@ -1730,14 +1738,14 @@ while (<IN>)
|
||||
s/^NM=\s*/NM= \$\(CROSS_COMPILE\)/;
|
||||
s/^RANLIB=\s*/RANLIB= \$\(CROSS_COMPILE\)/;
|
||||
s/^RC=\s*/RC= \$\(CROSS_COMPILE\)/;
|
||||
s/^MAKEDEPPROG=.*$/MAKEDEPPROG= \$\(CROSS_COMPILE\)$cc/ if $predefined{__GNUC__} >= 3;
|
||||
s/^MAKEDEPPROG=.*$/MAKEDEPPROG= \$\(CROSS_COMPILE\)$cc/ if $cc_as_makedepend;
|
||||
}
|
||||
else {
|
||||
s/^CC=.*$/CC= $cc/;
|
||||
s/^AR=\s*ar/AR= $ar/;
|
||||
s/^RANLIB=.*/RANLIB= $ranlib/;
|
||||
s/^RC=.*/RC= $windres/;
|
||||
s/^MAKEDEPPROG=.*$/MAKEDEPPROG= $cc/ if $predefined{__GNUC__} >= 3;
|
||||
s/^MAKEDEPPROG=.*$/MAKEDEPPROG= $cc/ if $cc_as_makedepend;
|
||||
}
|
||||
s/^CFLAG=.*$/CFLAG= $cflags/;
|
||||
s/^DEPFLAG=.*$/DEPFLAG=$depflags/;
|
||||
|
@ -11,8 +11,8 @@ First, read http://wiki.freebsd.org/SubversionPrimer/VendorImports
|
||||
# Xlist
|
||||
setenv XLIST /FreeBSD/work/openssl/svn-FREEBSD-files/FREEBSD-Xlist
|
||||
setenv FSVN "svn+ssh://repo.freebsd.org/base"
|
||||
setenv OSSLVER 1.0.2o
|
||||
# OSSLTAG format: v1_0_2o
|
||||
setenv OSSLVER 1.0.2p
|
||||
# OSSLTAG format: v1_0_2p
|
||||
|
||||
###setenv OSSLTAG v`echo ${OSSLVER} | tr . _`
|
||||
|
||||
@ -21,10 +21,10 @@ fetch http://www.openssl.org/source/openssl-${OSSLVER}.tar.gz \
|
||||
http://www.openssl.org/source/openssl-${OSSLVER}.tar.gz.asc
|
||||
gpg --verify openssl-${OSSLVER}.tar.gz.asc openssl-${OSSLVER}.tar.gz
|
||||
|
||||
svn co $FSVN/vendor-crypto/openssl/dist dist
|
||||
svn co $FSVN/vendor-crypto/openssl/dist-1.0.2 dist-1.0.2
|
||||
tar -x -X $XLIST -f openssl-${OSSLVER}.tar.gz
|
||||
|
||||
cd dist
|
||||
cd dist-1.0.2
|
||||
svn list -R | egrep -v -e '/$' -e '^FREEBSD-(Xlist|upgrade)$' | sort >../old
|
||||
cd ../openssl-${OSSLVER}
|
||||
find . -type f -or -type l | cut -c 3- | sort >../new
|
||||
@ -35,21 +35,21 @@ comm -23 old new
|
||||
# See that files to add makes sense
|
||||
comm -13 old new
|
||||
|
||||
tar -cf - -C openssl-${OSSLVER} . | tar -xf - -C dist
|
||||
cd dist
|
||||
tar -cf - -C openssl-${OSSLVER} . | tar -xf - -C dist-1.0.2
|
||||
cd dist-1.0.2
|
||||
comm -23 ../old ../new | xargs svn rm
|
||||
# Make sure to remove empty directories
|
||||
comm -13 ../old ../new | xargs svn --parents add
|
||||
|
||||
svn stat
|
||||
svn ci
|
||||
svn cp ^/vendor-crypto/openssl/dist ^/vendor-crypto/openssl/$OSSLVER
|
||||
svn cp ^/vendor-crypto/openssl/dist-1.0.2 ^/vendor-crypto/openssl/$OSSLVER
|
||||
|
||||
# Merge to head
|
||||
mkdir ../head
|
||||
cd ../head
|
||||
svn co $FSVN/head/crypto/openssl crypto/openssl
|
||||
svn merge ^/vendor-crypto/openssl/dist crypto/openssl
|
||||
svn merge ^/vendor-crypto/openssl/dist-1.0.2 crypto/openssl
|
||||
|
||||
# Resolve conflicts manually
|
||||
|
||||
|
2
Makefile
2
Makefile
@ -4,7 +4,7 @@
|
||||
## Makefile for OpenSSL
|
||||
##
|
||||
|
||||
VERSION=1.0.2o
|
||||
VERSION=1.0.2p
|
||||
MAJOR=1
|
||||
MINOR=0.2
|
||||
SHLIB_VERSION_NUMBER=1.0.0
|
||||
|
5
NEWS
5
NEWS
@ -5,6 +5,11 @@
|
||||
This file gives a brief overview of the major changes between each OpenSSL
|
||||
release. For more details please read the CHANGES file.
|
||||
|
||||
Major changes between OpenSSL 1.0.2o and OpenSSL 1.0.2p [14 Aug 2018]
|
||||
|
||||
o Client DoS due to large DH parameter (CVE-2018-0732)
|
||||
o Cache timing vulnerability in RSA Key Generation (CVE-2018-0737)
|
||||
|
||||
Major changes between OpenSSL 1.0.2n and OpenSSL 1.0.2o [27 Mar 2018]
|
||||
|
||||
o Constructed ASN.1 types with a recursive definition could exceed the
|
||||
|
4
README
4
README
@ -1,7 +1,7 @@
|
||||
|
||||
OpenSSL 1.0.2o 27 Mar 2018
|
||||
OpenSSL 1.0.2p 14 Aug 2018
|
||||
|
||||
Copyright (c) 1998-2015 The OpenSSL Project
|
||||
Copyright (c) 1998-2018 The OpenSSL Project
|
||||
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
|
||||
All rights reserved.
|
||||
|
||||
|
@ -56,7 +56,7 @@
|
||||
* [including the GNU Public Licence.]
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
@ -1359,7 +1359,8 @@ int set_name_ex(unsigned long *flags, const char *arg)
|
||||
};
|
||||
if (set_multi_opts(flags, arg, ex_tbl) == 0)
|
||||
return 0;
|
||||
if ((*flags & XN_FLAG_SEP_MASK) == 0)
|
||||
if (*flags != XN_FLAG_COMPAT
|
||||
&& (*flags & XN_FLAG_SEP_MASK) == 0)
|
||||
*flags |= XN_FLAG_SEP_CPLUS_SPC;
|
||||
return 1;
|
||||
}
|
||||
|
@ -295,7 +295,7 @@ int MAIN(int argc, char **argv)
|
||||
ASN1_TYPE *atmp;
|
||||
int typ;
|
||||
j = atoi(sk_OPENSSL_STRING_value(osk, i));
|
||||
if (j == 0) {
|
||||
if (j <= 0 || j >= tmplen) {
|
||||
BIO_printf(bio_err, "'%s' is an invalid number\n",
|
||||
sk_OPENSSL_STRING_value(osk, i));
|
||||
continue;
|
||||
@ -327,14 +327,14 @@ int MAIN(int argc, char **argv)
|
||||
num = tmplen;
|
||||
}
|
||||
|
||||
if (offset >= num) {
|
||||
BIO_printf(bio_err, "Error: offset too large\n");
|
||||
if (offset < 0 || offset >= num) {
|
||||
BIO_printf(bio_err, "Error: offset out of range\n");
|
||||
goto end;
|
||||
}
|
||||
|
||||
num -= offset;
|
||||
|
||||
if ((length == 0) || ((long)length > num))
|
||||
if (length == 0 || length > (unsigned int)num)
|
||||
length = (unsigned int)num;
|
||||
if (derout) {
|
||||
if (BIO_write(derout, str + offset, length) != (int)length) {
|
||||
|
@ -1176,10 +1176,13 @@ int MAIN(int argc, char **argv)
|
||||
if (j > 0) {
|
||||
total_done++;
|
||||
BIO_printf(bio_err, "\n");
|
||||
if (!BN_add_word(serial, 1))
|
||||
if (!BN_add_word(serial, 1)) {
|
||||
X509_free(x);
|
||||
goto err;
|
||||
}
|
||||
if (!sk_X509_push(cert_sk, x)) {
|
||||
BIO_printf(bio_err, "Memory allocation failure\n");
|
||||
X509_free(x);
|
||||
goto err;
|
||||
}
|
||||
}
|
||||
|
@ -4,7 +4,7 @@
|
||||
* 2000.
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 1999 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 1999-2018 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
@ -787,7 +787,6 @@ int MAIN(int argc, char **argv)
|
||||
OCSP_response_status_str(i), i);
|
||||
if (ignore_err)
|
||||
goto redo_accept;
|
||||
ret = 0;
|
||||
goto end;
|
||||
}
|
||||
|
||||
|
@ -306,9 +306,9 @@ static char *md5crypt(const char *passwd, const char *magic, const char *salt)
|
||||
out_buf[0] = '$';
|
||||
out_buf[1] = 0;
|
||||
assert(strlen(magic) <= 4); /* "1" or "apr1" */
|
||||
strncat(out_buf, magic, 4);
|
||||
strncat(out_buf, "$", 1);
|
||||
strncat(out_buf, salt, 8);
|
||||
BUF_strlcat(out_buf, magic, sizeof(out_buf));
|
||||
BUF_strlcat(out_buf, "$", sizeof(out_buf));
|
||||
BUF_strlcat(out_buf, salt, sizeof(out_buf));
|
||||
assert(strlen(out_buf) <= 6 + 8); /* "$apr1$..salt.." */
|
||||
salt_out = out_buf + 2 + strlen(magic);
|
||||
salt_len = strlen(salt_out);
|
||||
|
@ -56,7 +56,7 @@
|
||||
* [including the GNU Public Licence.]
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
@ -152,9 +152,8 @@ typedef fd_mask fd_set;
|
||||
#define PROTOCOL "tcp"
|
||||
|
||||
int do_server(int port, int type, int *ret,
|
||||
int (*cb) (char *hostname, int s, int stype,
|
||||
unsigned char *context), unsigned char *context,
|
||||
int naccept);
|
||||
int (*cb) (int s, int stype, unsigned char *context),
|
||||
unsigned char *context, int naccept);
|
||||
#ifdef HEADER_X509_H
|
||||
int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
|
||||
#endif
|
||||
|
@ -56,7 +56,7 @@
|
||||
* [including the GNU Public Licence.]
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
@ -337,7 +337,7 @@ static void sc_usage(void)
|
||||
BIO_printf(bio_err,
|
||||
" -prexit - print session information even on connection failure\n");
|
||||
BIO_printf(bio_err,
|
||||
" -showcerts - show all certificates in the chain\n");
|
||||
" -showcerts - Show all certificates sent by the server\n");
|
||||
BIO_printf(bio_err, " -debug - extra output\n");
|
||||
#ifdef WATT32
|
||||
BIO_printf(bio_err, " -wdebug - WATT-32 tcp debugging\n");
|
||||
|
@ -56,7 +56,7 @@
|
||||
* [including the GNU Public Licence.]
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
@ -209,9 +209,9 @@ typedef unsigned int u_int;
|
||||
#ifndef OPENSSL_NO_RSA
|
||||
static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength);
|
||||
#endif
|
||||
static int sv_body(char *hostname, int s, int stype, unsigned char *context);
|
||||
static int www_body(char *hostname, int s, int stype, unsigned char *context);
|
||||
static int rev_body(char *hostname, int s, int stype, unsigned char *context);
|
||||
static int sv_body(int s, int stype, unsigned char *context);
|
||||
static int www_body(int s, int stype, unsigned char *context);
|
||||
static int rev_body(int s, int stype, unsigned char *context);
|
||||
static void close_accept_socket(void);
|
||||
static void sv_usage(void);
|
||||
static int init_ssl_connection(SSL *s);
|
||||
@ -1087,11 +1087,14 @@ int MAIN(int argc, char *argv[])
|
||||
char *chCApath = NULL, *chCAfile = NULL;
|
||||
char *vfyCApath = NULL, *vfyCAfile = NULL;
|
||||
unsigned char *context = NULL;
|
||||
#ifndef OPENSSL_NO_DH
|
||||
char *dhfile = NULL;
|
||||
int no_dhe = 0;
|
||||
#endif
|
||||
int badop = 0;
|
||||
int ret = 1;
|
||||
int build_chain = 0;
|
||||
int no_tmp_rsa = 0, no_dhe = 0, no_ecdhe = 0, nocert = 0;
|
||||
int no_tmp_rsa = 0, no_ecdhe = 0, nocert = 0;
|
||||
int state = 0;
|
||||
const SSL_METHOD *meth = NULL;
|
||||
int socket_type = SOCK_STREAM;
|
||||
@ -1239,11 +1242,15 @@ int MAIN(int argc, char *argv[])
|
||||
if (--argc < 1)
|
||||
goto bad;
|
||||
s_chain_file = *(++argv);
|
||||
} else if (strcmp(*argv, "-dhparam") == 0) {
|
||||
}
|
||||
#ifndef OPENSSL_NO_DH
|
||||
else if (strcmp(*argv, "-dhparam") == 0) {
|
||||
if (--argc < 1)
|
||||
goto bad;
|
||||
dhfile = *(++argv);
|
||||
} else if (strcmp(*argv, "-dcertform") == 0) {
|
||||
}
|
||||
#endif
|
||||
else if (strcmp(*argv, "-dcertform") == 0) {
|
||||
if (--argc < 1)
|
||||
goto bad;
|
||||
s_dcert_format = str2fmt(*(++argv));
|
||||
@ -1390,9 +1397,13 @@ int MAIN(int argc, char *argv[])
|
||||
verify_quiet = 1;
|
||||
} else if (strcmp(*argv, "-no_tmp_rsa") == 0) {
|
||||
no_tmp_rsa = 1;
|
||||
} else if (strcmp(*argv, "-no_dhe") == 0) {
|
||||
}
|
||||
#ifndef OPENSSL_NO_DH
|
||||
else if (strcmp(*argv, "-no_dhe") == 0) {
|
||||
no_dhe = 1;
|
||||
} else if (strcmp(*argv, "-no_ecdhe") == 0) {
|
||||
}
|
||||
#endif
|
||||
else if (strcmp(*argv, "-no_ecdhe") == 0) {
|
||||
no_ecdhe = 1;
|
||||
} else if (strcmp(*argv, "-no_resume_ephemeral") == 0) {
|
||||
no_resume_ephemeral = 1;
|
||||
@ -2165,7 +2176,7 @@ static void print_stats(BIO *bio, SSL_CTX *ssl_ctx)
|
||||
SSL_CTX_sess_get_cache_size(ssl_ctx));
|
||||
}
|
||||
|
||||
static int sv_body(char *hostname, int s, int stype, unsigned char *context)
|
||||
static int sv_body(int s, int stype, unsigned char *context)
|
||||
{
|
||||
char *buf = NULL;
|
||||
fd_set readfds;
|
||||
@ -2780,7 +2791,7 @@ static int load_CA(SSL_CTX *ctx, char *file)
|
||||
}
|
||||
#endif
|
||||
|
||||
static int www_body(char *hostname, int s, int stype, unsigned char *context)
|
||||
static int www_body(int s, int stype, unsigned char *context)
|
||||
{
|
||||
char *buf = NULL;
|
||||
int ret = 1;
|
||||
@ -3183,7 +3194,7 @@ static int www_body(char *hostname, int s, int stype, unsigned char *context)
|
||||
return (ret);
|
||||
}
|
||||
|
||||
static int rev_body(char *hostname, int s, int stype, unsigned char *context)
|
||||
static int rev_body(int s, int stype, unsigned char *context)
|
||||
{
|
||||
char *buf = NULL;
|
||||
int i;
|
||||
|
@ -109,7 +109,7 @@ static int ssl_sock_init(void);
|
||||
static int init_client_ip(int *sock, unsigned char ip[4], int port, int type);
|
||||
static int init_server(int *sock, int port, int type);
|
||||
static int init_server_long(int *sock, int port, char *ip, int type);
|
||||
static int do_accept(int acc_sock, int *sock, char **host);
|
||||
static int do_accept(int acc_sock, int *sock);
|
||||
static int host_ip(char *str, unsigned char ip[4]);
|
||||
|
||||
# ifdef OPENSSL_SYS_WIN16
|
||||
@ -290,12 +290,10 @@ static int init_client_ip(int *sock, unsigned char ip[4], int port, int type)
|
||||
}
|
||||
|
||||
int do_server(int port, int type, int *ret,
|
||||
int (*cb) (char *hostname, int s, int stype,
|
||||
unsigned char *context), unsigned char *context,
|
||||
int naccept)
|
||||
int (*cb) (int s, int stype, unsigned char *context),
|
||||
unsigned char *context, int naccept)
|
||||
{
|
||||
int sock;
|
||||
char *name = NULL;
|
||||
int accept_socket = 0;
|
||||
int i;
|
||||
|
||||
@ -308,15 +306,13 @@ int do_server(int port, int type, int *ret,
|
||||
}
|
||||
for (;;) {
|
||||
if (type == SOCK_STREAM) {
|
||||
if (do_accept(accept_socket, &sock, &name) == 0) {
|
||||
if (do_accept(accept_socket, &sock) == 0) {
|
||||
SHUTDOWN(accept_socket);
|
||||
return (0);
|
||||
}
|
||||
} else
|
||||
sock = accept_socket;
|
||||
i = (*cb) (name, sock, type, context);
|
||||
if (name != NULL)
|
||||
OPENSSL_free(name);
|
||||
i = (*cb) (sock, type, context);
|
||||
if (type == SOCK_STREAM)
|
||||
SHUTDOWN2(sock);
|
||||
if (naccept != -1)
|
||||
@ -386,30 +382,24 @@ static int init_server(int *sock, int port, int type)
|
||||
return (init_server_long(sock, port, NULL, type));
|
||||
}
|
||||
|
||||
static int do_accept(int acc_sock, int *sock, char **host)
|
||||
static int do_accept(int acc_sock, int *sock)
|
||||
{
|
||||
int ret;
|
||||
struct hostent *h1, *h2;
|
||||
static struct sockaddr_in from;
|
||||
int len;
|
||||
/* struct linger ling; */
|
||||
|
||||
if (!ssl_sock_init())
|
||||
return (0);
|
||||
return 0;
|
||||
|
||||
# ifndef OPENSSL_SYS_WINDOWS
|
||||
redoit:
|
||||
# endif
|
||||
|
||||
memset((char *)&from, 0, sizeof(from));
|
||||
len = sizeof(from);
|
||||
/*
|
||||
* Note: under VMS with SOCKETSHR the fourth parameter is currently of
|
||||
* type (int *) whereas under other systems it is (void *) if you don't
|
||||
* have a cast it will choke the compiler: if you do have a cast then you
|
||||
* can either go for (int *) or (void *).
|
||||
*/
|
||||
ret = accept(acc_sock, (struct sockaddr *)&from, (void *)&len);
|
||||
ret = accept(acc_sock, NULL, NULL);
|
||||
if (ret == INVALID_SOCKET) {
|
||||
# if defined(OPENSSL_SYS_WINDOWS) || (defined(OPENSSL_SYS_NETWARE) && !defined(NETWARE_BSDSOCK))
|
||||
int i;
|
||||
@ -425,56 +415,11 @@ static int do_accept(int acc_sock, int *sock, char **host)
|
||||
fprintf(stderr, "errno=%d ", errno);
|
||||
perror("accept");
|
||||
# endif
|
||||
return (0);
|
||||
return 0;
|
||||
}
|
||||
|
||||
/*-
|
||||
ling.l_onoff=1;
|
||||
ling.l_linger=0;
|
||||
i=setsockopt(ret,SOL_SOCKET,SO_LINGER,(char *)&ling,sizeof(ling));
|
||||
if (i < 0) { perror("linger"); return(0); }
|
||||
i=0;
|
||||
i=setsockopt(ret,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i));
|
||||
if (i < 0) { perror("keepalive"); return(0); }
|
||||
*/
|
||||
|
||||
if (host == NULL)
|
||||
goto end;
|
||||
# ifndef BIT_FIELD_LIMITS
|
||||
/* I should use WSAAsyncGetHostByName() under windows */
|
||||
h1 = gethostbyaddr((char *)&from.sin_addr.s_addr,
|
||||
sizeof(from.sin_addr.s_addr), AF_INET);
|
||||
# else
|
||||
h1 = gethostbyaddr((char *)&from.sin_addr,
|
||||
sizeof(struct in_addr), AF_INET);
|
||||
# endif
|
||||
if (h1 == NULL) {
|
||||
BIO_printf(bio_err, "bad gethostbyaddr\n");
|
||||
*host = NULL;
|
||||
/* return(0); */
|
||||
} else {
|
||||
if ((*host = (char *)OPENSSL_malloc(strlen(h1->h_name) + 1)) == NULL) {
|
||||
perror("OPENSSL_malloc");
|
||||
closesocket(ret);
|
||||
return (0);
|
||||
}
|
||||
BUF_strlcpy(*host, h1->h_name, strlen(h1->h_name) + 1);
|
||||
|
||||
h2 = GetHostByName(*host);
|
||||
if (h2 == NULL) {
|
||||
BIO_printf(bio_err, "gethostbyname failure\n");
|
||||
closesocket(ret);
|
||||
return (0);
|
||||
}
|
||||
if (h2->h_addrtype != AF_INET) {
|
||||
BIO_printf(bio_err, "gethostbyname addr is not AF_INET\n");
|
||||
closesocket(ret);
|
||||
return (0);
|
||||
}
|
||||
}
|
||||
end:
|
||||
*sock = ret;
|
||||
return (1);
|
||||
return 1;
|
||||
}
|
||||
|
||||
int extract_host_port(char *str, char **host_ptr, unsigned char *ip,
|
||||
|
@ -277,6 +277,7 @@ static int check(X509_STORE *ctx, char *file,
|
||||
X509_STORE_set_flags(ctx, vflags);
|
||||
if (!X509_STORE_CTX_init(csc, ctx, x, uchain)) {
|
||||
ERR_print_errors(bio_err);
|
||||
X509_STORE_CTX_free(csc);
|
||||
goto end;
|
||||
}
|
||||
if (tchain)
|
||||
|
@ -45,7 +45,7 @@ SRC= $(LIBSRC)
|
||||
EXHEADER= crypto.h opensslv.h opensslconf.h ebcdic.h symhacks.h \
|
||||
ossl_typ.h
|
||||
HEADER= cryptlib.h buildinf.h md32_common.h o_time.h o_str.h o_dir.h \
|
||||
constant_time_locl.h $(EXHEADER)
|
||||
constant_time_locl.h bn_int.h $(EXHEADER)
|
||||
|
||||
ALL= $(GENERAL) $(SRC) $(HEADER)
|
||||
|
||||
|
@ -63,17 +63,31 @@
|
||||
int i2d_ASN1_BOOLEAN(int a, unsigned char **pp)
|
||||
{
|
||||
int r;
|
||||
unsigned char *p;
|
||||
unsigned char *p, *allocated = NULL;
|
||||
|
||||
r = ASN1_object_size(0, 1, V_ASN1_BOOLEAN);
|
||||
if (pp == NULL)
|
||||
return (r);
|
||||
p = *pp;
|
||||
|
||||
if (*pp == NULL) {
|
||||
if ((p = allocated = OPENSSL_malloc(r)) == NULL) {
|
||||
ASN1err(ASN1_F_I2D_ASN1_BOOLEAN, ERR_R_MALLOC_FAILURE);
|
||||
return 0;
|
||||
}
|
||||
} else {
|
||||
p = *pp;
|
||||
}
|
||||
|
||||
ASN1_put_object(&p, 0, 1, V_ASN1_BOOLEAN, V_ASN1_UNIVERSAL);
|
||||
*(p++) = (unsigned char)a;
|
||||
*pp = p;
|
||||
return (r);
|
||||
*p = (unsigned char)a;
|
||||
|
||||
|
||||
/*
|
||||
* If a new buffer was allocated, just return it back.
|
||||
* If not, return the incremented buffer pointer.
|
||||
*/
|
||||
*pp = allocated != NULL ? allocated : p + 1;
|
||||
return r;
|
||||
}
|
||||
|
||||
int d2i_ASN1_BOOLEAN(int *a, const unsigned char **pp, long length)
|
||||
|
@ -66,7 +66,7 @@
|
||||
|
||||
int i2d_ASN1_OBJECT(ASN1_OBJECT *a, unsigned char **pp)
|
||||
{
|
||||
unsigned char *p;
|
||||
unsigned char *p, *allocated = NULL;
|
||||
int objsize;
|
||||
|
||||
if ((a == NULL) || (a->data == NULL))
|
||||
@ -76,13 +76,24 @@ int i2d_ASN1_OBJECT(ASN1_OBJECT *a, unsigned char **pp)
|
||||
if (pp == NULL || objsize == -1)
|
||||
return objsize;
|
||||
|
||||
p = *pp;
|
||||
if (*pp == NULL) {
|
||||
if ((p = allocated = OPENSSL_malloc(objsize)) == NULL) {
|
||||
ASN1err(ASN1_F_I2D_ASN1_OBJECT, ERR_R_MALLOC_FAILURE);
|
||||
return 0;
|
||||
}
|
||||
} else {
|
||||
p = *pp;
|
||||
}
|
||||
|
||||
ASN1_put_object(&p, 0, a->length, V_ASN1_OBJECT, V_ASN1_UNIVERSAL);
|
||||
memcpy(p, a->data, a->length);
|
||||
p += a->length;
|
||||
|
||||
*pp = p;
|
||||
return (objsize);
|
||||
/*
|
||||
* If a new buffer was allocated, just return it back.
|
||||
* If not, return the incremented buffer pointer.
|
||||
*/
|
||||
*pp = allocated != NULL ? allocated : p + a->length;
|
||||
return objsize;
|
||||
}
|
||||
|
||||
int a2d_ASN1_OBJECT(unsigned char *out, int olen, const char *buf, int num)
|
||||
|
@ -4,7 +4,7 @@
|
||||
* 2000.
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 2000 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 2000-2018 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
@ -194,18 +194,38 @@ static int do_buf(unsigned char *buf, int buflen,
|
||||
int type, unsigned char flags, char *quotes, char_io *io_ch,
|
||||
void *arg)
|
||||
{
|
||||
int i, outlen, len;
|
||||
int i, outlen, len, charwidth;
|
||||
unsigned char orflags, *p, *q;
|
||||
unsigned long c;
|
||||
p = buf;
|
||||
q = buf + buflen;
|
||||
outlen = 0;
|
||||
charwidth = type & BUF_TYPE_WIDTH_MASK;
|
||||
|
||||
switch (charwidth) {
|
||||
case 4:
|
||||
if (buflen & 3) {
|
||||
ASN1err(ASN1_F_DO_BUF, ASN1_R_INVALID_UNIVERSALSTRING_LENGTH);
|
||||
return -1;
|
||||
}
|
||||
break;
|
||||
case 2:
|
||||
if (buflen & 1) {
|
||||
ASN1err(ASN1_F_DO_BUF, ASN1_R_INVALID_BMPSTRING_LENGTH);
|
||||
return -1;
|
||||
}
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
|
||||
while (p != q) {
|
||||
if (p == buf && flags & ASN1_STRFLGS_ESC_2253)
|
||||
orflags = CHARTYPE_FIRST_ESC_2253;
|
||||
else
|
||||
orflags = 0;
|
||||
switch (type & BUF_TYPE_WIDTH_MASK) {
|
||||
|
||||
switch (charwidth) {
|
||||
case 4:
|
||||
c = ((unsigned long)*p++) << 24;
|
||||
c |= ((unsigned long)*p++) << 16;
|
||||
@ -226,6 +246,7 @@ static int do_buf(unsigned char *buf, int buflen,
|
||||
i = UTF8_getc(p, buflen, &c);
|
||||
if (i < 0)
|
||||
return -1; /* Invalid UTF8String */
|
||||
buflen -= i;
|
||||
p += i;
|
||||
break;
|
||||
default:
|
||||
|
@ -3,7 +3,7 @@
|
||||
* 2006.
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 2006 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 2006-2018 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
@ -305,6 +305,18 @@ EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_new(int id, int flags,
|
||||
} else
|
||||
ameth->info = NULL;
|
||||
|
||||
/*
|
||||
* One of the following must be true:
|
||||
*
|
||||
* pem_str == NULL AND ASN1_PKEY_ALIAS is set
|
||||
* pem_str != NULL AND ASN1_PKEY_ALIAS is clear
|
||||
*
|
||||
* Anything else is an error and may lead to a corrupt ASN1 method table
|
||||
*/
|
||||
if (!((pem_str == NULL && (flags & ASN1_PKEY_ALIAS) != 0)
|
||||
|| (pem_str != NULL && (flags & ASN1_PKEY_ALIAS) == 0)))
|
||||
goto err;
|
||||
|
||||
if (pem_str) {
|
||||
ameth->pem_str = BUF_strdup(pem_str);
|
||||
if (!ameth->pem_str)
|
||||
|
@ -1164,6 +1164,7 @@ int SMIME_text(BIO *in, BIO *out);
|
||||
* The following lines are auto generated by the script mkerr.pl. Any changes
|
||||
* made after this point may be overwritten when the script is next run.
|
||||
*/
|
||||
|
||||
void ERR_load_ASN1_strings(void);
|
||||
|
||||
/* Error codes for the ASN1 functions. */
|
||||
@ -1264,7 +1265,10 @@ void ERR_load_ASN1_strings(void);
|
||||
# define ASN1_F_D2I_X509 156
|
||||
# define ASN1_F_D2I_X509_CINF 157
|
||||
# define ASN1_F_D2I_X509_PKEY 159
|
||||
# define ASN1_F_DO_BUF 221
|
||||
# define ASN1_F_I2D_ASN1_BIO_STREAM 211
|
||||
# define ASN1_F_I2D_ASN1_BOOLEAN 223
|
||||
# define ASN1_F_I2D_ASN1_OBJECT 222
|
||||
# define ASN1_F_I2D_ASN1_SET 188
|
||||
# define ASN1_F_I2D_ASN1_TIME 160
|
||||
# define ASN1_F_I2D_DSA_PUBKEY 161
|
||||
@ -1414,7 +1418,7 @@ void ERR_load_ASN1_strings(void);
|
||||
# define ASN1_R_WRONG_TAG 168
|
||||
# define ASN1_R_WRONG_TYPE 169
|
||||
|
||||
#ifdef __cplusplus
|
||||
# ifdef __cplusplus
|
||||
}
|
||||
#endif
|
||||
# endif
|
||||
#endif
|
||||
|
@ -166,7 +166,10 @@ static ERR_STRING_DATA ASN1_str_functs[] = {
|
||||
{ERR_FUNC(ASN1_F_D2I_X509), "D2I_X509"},
|
||||
{ERR_FUNC(ASN1_F_D2I_X509_CINF), "D2I_X509_CINF"},
|
||||
{ERR_FUNC(ASN1_F_D2I_X509_PKEY), "d2i_X509_PKEY"},
|
||||
{ERR_FUNC(ASN1_F_DO_BUF), "DO_BUF"},
|
||||
{ERR_FUNC(ASN1_F_I2D_ASN1_BIO_STREAM), "i2d_ASN1_bio_stream"},
|
||||
{ERR_FUNC(ASN1_F_I2D_ASN1_BOOLEAN), "i2d_ASN1_BOOLEAN"},
|
||||
{ERR_FUNC(ASN1_F_I2D_ASN1_OBJECT), "i2d_ASN1_OBJECT"},
|
||||
{ERR_FUNC(ASN1_F_I2D_ASN1_SET), "i2d_ASN1_SET"},
|
||||
{ERR_FUNC(ASN1_F_I2D_ASN1_TIME), "I2D_ASN1_TIME"},
|
||||
{ERR_FUNC(ASN1_F_I2D_DSA_PUBKEY), "i2d_DSA_PUBKEY"},
|
||||
|
@ -4,7 +4,7 @@
|
||||
* 2000.
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 2000-2004 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 2000-2018 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
@ -588,6 +588,8 @@ int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cout, int *putype,
|
||||
otmp = (ASN1_OBJECT *)*pval;
|
||||
cont = otmp->data;
|
||||
len = otmp->length;
|
||||
if (cont == NULL || len == 0)
|
||||
return -1;
|
||||
break;
|
||||
|
||||
case V_ASN1_NULL:
|
||||
|
@ -1,6 +1,6 @@
|
||||
/* crypto/bio/bss_log.c */
|
||||
/* ====================================================================
|
||||
* Copyright (c) 1999 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 1999-2018 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
@ -242,7 +242,7 @@ static int MS_CALLBACK slg_write(BIO *b, const char *in, int inl)
|
||||
if ((buf = (char *)OPENSSL_malloc(inl + 1)) == NULL) {
|
||||
return (0);
|
||||
}
|
||||
strncpy(buf, in, inl);
|
||||
memcpy(buf, in, inl);
|
||||
buf[inl] = '\0';
|
||||
|
||||
i = 0;
|
||||
|
@ -188,6 +188,8 @@ static int mem_write(BIO *b, const char *in, int inl)
|
||||
}
|
||||
|
||||
BIO_clear_retry_flags(b);
|
||||
if (inl == 0)
|
||||
return 0;
|
||||
blen = bm->length;
|
||||
if (BUF_MEM_grow_clean(bm, blen + inl) != (blen + inl))
|
||||
goto end;
|
||||
|
@ -197,21 +197,24 @@ bn_add.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
|
||||
bn_add.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
|
||||
bn_add.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
|
||||
bn_add.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
|
||||
bn_add.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_add.c bn_lcl.h
|
||||
bn_add.o: ../../include/openssl/symhacks.h ../bn_int.h ../cryptlib.h bn_add.c
|
||||
bn_add.o: bn_lcl.h
|
||||
bn_asm.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
|
||||
bn_asm.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
|
||||
bn_asm.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
|
||||
bn_asm.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
|
||||
bn_asm.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
|
||||
bn_asm.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
|
||||
bn_asm.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_asm.c bn_lcl.h
|
||||
bn_asm.o: ../../include/openssl/symhacks.h ../bn_int.h ../cryptlib.h bn_asm.c
|
||||
bn_asm.o: bn_lcl.h
|
||||
bn_blind.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
|
||||
bn_blind.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
|
||||
bn_blind.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
|
||||
bn_blind.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
|
||||
bn_blind.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
|
||||
bn_blind.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
|
||||
bn_blind.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_blind.c bn_lcl.h
|
||||
bn_blind.o: ../../include/openssl/symhacks.h ../bn_int.h ../cryptlib.h
|
||||
bn_blind.o: bn_blind.c bn_lcl.h
|
||||
bn_const.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
|
||||
bn_const.o: ../../include/openssl/opensslconf.h
|
||||
bn_const.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
|
||||
@ -223,7 +226,8 @@ bn_ctx.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
|
||||
bn_ctx.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
|
||||
bn_ctx.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
|
||||
bn_ctx.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
|
||||
bn_ctx.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_ctx.c bn_lcl.h
|
||||
bn_ctx.o: ../../include/openssl/symhacks.h ../bn_int.h ../cryptlib.h bn_ctx.c
|
||||
bn_ctx.o: bn_lcl.h
|
||||
bn_depr.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
|
||||
bn_depr.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
|
||||
bn_depr.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
|
||||
@ -231,14 +235,15 @@ bn_depr.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
|
||||
bn_depr.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
|
||||
bn_depr.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
|
||||
bn_depr.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
|
||||
bn_depr.o: ../cryptlib.h bn_depr.c bn_lcl.h
|
||||
bn_depr.o: ../bn_int.h ../cryptlib.h bn_depr.c bn_lcl.h
|
||||
bn_div.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
|
||||
bn_div.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
|
||||
bn_div.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
|
||||
bn_div.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
|
||||
bn_div.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
|
||||
bn_div.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
|
||||
bn_div.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_div.c bn_lcl.h
|
||||
bn_div.o: ../../include/openssl/symhacks.h ../bn_int.h ../cryptlib.h bn_div.c
|
||||
bn_div.o: bn_lcl.h
|
||||
bn_err.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
|
||||
bn_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
|
||||
bn_err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
|
||||
@ -252,7 +257,7 @@ bn_exp.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
|
||||
bn_exp.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
|
||||
bn_exp.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
|
||||
bn_exp.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
|
||||
bn_exp.o: ../../include/openssl/symhacks.h ../constant_time_locl.h
|
||||
bn_exp.o: ../../include/openssl/symhacks.h ../bn_int.h ../constant_time_locl.h
|
||||
bn_exp.o: ../cryptlib.h bn_exp.c bn_lcl.h rsaz_exp.h
|
||||
bn_exp2.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
|
||||
bn_exp2.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
|
||||
@ -260,70 +265,80 @@ bn_exp2.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
|
||||
bn_exp2.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
|
||||
bn_exp2.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
|
||||
bn_exp2.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
|
||||
bn_exp2.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_exp2.c bn_lcl.h
|
||||
bn_exp2.o: ../../include/openssl/symhacks.h ../bn_int.h ../cryptlib.h bn_exp2.c
|
||||
bn_exp2.o: bn_lcl.h
|
||||
bn_gcd.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
|
||||
bn_gcd.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
|
||||
bn_gcd.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
|
||||
bn_gcd.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
|
||||
bn_gcd.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
|
||||
bn_gcd.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
|
||||
bn_gcd.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_gcd.c bn_lcl.h
|
||||
bn_gcd.o: ../../include/openssl/symhacks.h ../bn_int.h ../cryptlib.h bn_gcd.c
|
||||
bn_gcd.o: bn_lcl.h
|
||||
bn_gf2m.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
|
||||
bn_gf2m.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
|
||||
bn_gf2m.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
|
||||
bn_gf2m.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
|
||||
bn_gf2m.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
|
||||
bn_gf2m.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
|
||||
bn_gf2m.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_gf2m.c bn_lcl.h
|
||||
bn_gf2m.o: ../../include/openssl/symhacks.h ../bn_int.h ../cryptlib.h bn_gf2m.c
|
||||
bn_gf2m.o: bn_lcl.h
|
||||
bn_kron.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
|
||||
bn_kron.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
|
||||
bn_kron.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
|
||||
bn_kron.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
|
||||
bn_kron.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
|
||||
bn_kron.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
|
||||
bn_kron.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_kron.c bn_lcl.h
|
||||
bn_kron.o: ../../include/openssl/symhacks.h ../bn_int.h ../cryptlib.h bn_kron.c
|
||||
bn_kron.o: bn_lcl.h
|
||||
bn_lib.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
|
||||
bn_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
|
||||
bn_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
|
||||
bn_lib.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
|
||||
bn_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
|
||||
bn_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
|
||||
bn_lib.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h bn_lib.c
|
||||
bn_lib.o: ../../include/openssl/symhacks.h ../bn_int.h ../cryptlib.h bn_lcl.h
|
||||
bn_lib.o: bn_lib.c
|
||||
bn_mod.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
|
||||
bn_mod.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
|
||||
bn_mod.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
|
||||
bn_mod.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
|
||||
bn_mod.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
|
||||
bn_mod.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
|
||||
bn_mod.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h bn_mod.c
|
||||
bn_mod.o: ../../include/openssl/symhacks.h ../bn_int.h ../cryptlib.h bn_lcl.h
|
||||
bn_mod.o: bn_mod.c
|
||||
bn_mont.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
|
||||
bn_mont.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
|
||||
bn_mont.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
|
||||
bn_mont.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
|
||||
bn_mont.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
|
||||
bn_mont.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
|
||||
bn_mont.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h bn_mont.c
|
||||
bn_mont.o: ../../include/openssl/symhacks.h ../bn_int.h ../cryptlib.h bn_lcl.h
|
||||
bn_mont.o: bn_mont.c
|
||||
bn_mpi.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
|
||||
bn_mpi.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
|
||||
bn_mpi.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
|
||||
bn_mpi.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
|
||||
bn_mpi.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
|
||||
bn_mpi.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
|
||||
bn_mpi.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h bn_mpi.c
|
||||
bn_mpi.o: ../../include/openssl/symhacks.h ../bn_int.h ../cryptlib.h bn_lcl.h
|
||||
bn_mpi.o: bn_mpi.c
|
||||
bn_mul.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
|
||||
bn_mul.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
|
||||
bn_mul.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
|
||||
bn_mul.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
|
||||
bn_mul.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
|
||||
bn_mul.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
|
||||
bn_mul.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h bn_mul.c
|
||||
bn_mul.o: ../../include/openssl/symhacks.h ../bn_int.h ../cryptlib.h bn_lcl.h
|
||||
bn_mul.o: bn_mul.c
|
||||
bn_nist.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
|
||||
bn_nist.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
|
||||
bn_nist.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
|
||||
bn_nist.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
|
||||
bn_nist.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
|
||||
bn_nist.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
|
||||
bn_nist.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h bn_nist.c
|
||||
bn_nist.o: ../../include/openssl/symhacks.h ../bn_int.h ../cryptlib.h bn_lcl.h
|
||||
bn_nist.o: bn_nist.c
|
||||
bn_prime.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
|
||||
bn_prime.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
|
||||
bn_prime.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
|
||||
@ -331,14 +346,15 @@ bn_prime.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
|
||||
bn_prime.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
|
||||
bn_prime.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
|
||||
bn_prime.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
|
||||
bn_prime.o: ../cryptlib.h bn_lcl.h bn_prime.c bn_prime.h
|
||||
bn_prime.o: ../bn_int.h ../cryptlib.h bn_lcl.h bn_prime.c bn_prime.h
|
||||
bn_print.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
|
||||
bn_print.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
|
||||
bn_print.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
|
||||
bn_print.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
|
||||
bn_print.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
|
||||
bn_print.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
|
||||
bn_print.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h bn_print.c
|
||||
bn_print.o: ../../include/openssl/symhacks.h ../bn_int.h ../cryptlib.h bn_lcl.h
|
||||
bn_print.o: bn_print.c
|
||||
bn_rand.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
|
||||
bn_rand.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
|
||||
bn_rand.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
|
||||
@ -346,42 +362,47 @@ bn_rand.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
|
||||
bn_rand.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
|
||||
bn_rand.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
|
||||
bn_rand.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
|
||||
bn_rand.o: ../cryptlib.h bn_lcl.h bn_rand.c
|
||||
bn_rand.o: ../bn_int.h ../cryptlib.h bn_lcl.h bn_rand.c
|
||||
bn_recp.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
|
||||
bn_recp.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
|
||||
bn_recp.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
|
||||
bn_recp.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
|
||||
bn_recp.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
|
||||
bn_recp.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
|
||||
bn_recp.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h bn_recp.c
|
||||
bn_recp.o: ../../include/openssl/symhacks.h ../bn_int.h ../cryptlib.h bn_lcl.h
|
||||
bn_recp.o: bn_recp.c
|
||||
bn_shift.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
|
||||
bn_shift.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
|
||||
bn_shift.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
|
||||
bn_shift.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
|
||||
bn_shift.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
|
||||
bn_shift.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
|
||||
bn_shift.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h bn_shift.c
|
||||
bn_shift.o: ../../include/openssl/symhacks.h ../bn_int.h ../cryptlib.h bn_lcl.h
|
||||
bn_shift.o: bn_shift.c
|
||||
bn_sqr.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
|
||||
bn_sqr.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
|
||||
bn_sqr.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
|
||||
bn_sqr.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
|
||||
bn_sqr.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
|
||||
bn_sqr.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
|
||||
bn_sqr.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h bn_sqr.c
|
||||
bn_sqr.o: ../../include/openssl/symhacks.h ../bn_int.h ../cryptlib.h bn_lcl.h
|
||||
bn_sqr.o: bn_sqr.c
|
||||
bn_sqrt.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
|
||||
bn_sqrt.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
|
||||
bn_sqrt.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
|
||||
bn_sqrt.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
|
||||
bn_sqrt.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
|
||||
bn_sqrt.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
|
||||
bn_sqrt.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h bn_sqrt.c
|
||||
bn_sqrt.o: ../../include/openssl/symhacks.h ../bn_int.h ../cryptlib.h bn_lcl.h
|
||||
bn_sqrt.o: bn_sqrt.c
|
||||
bn_word.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
|
||||
bn_word.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
|
||||
bn_word.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
|
||||
bn_word.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
|
||||
bn_word.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
|
||||
bn_word.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
|
||||
bn_word.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h bn_word.c
|
||||
bn_word.o: ../../include/openssl/symhacks.h ../bn_int.h ../cryptlib.h bn_lcl.h
|
||||
bn_word.o: bn_word.c
|
||||
bn_x931p.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
|
||||
bn_x931p.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
|
||||
bn_x931p.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
|
||||
|
@ -216,14 +216,15 @@ bn_mul_mont:
|
||||
mov $tp,sp @ "rewind" $tp
|
||||
sub $rp,$rp,$aj @ "rewind" $rp
|
||||
|
||||
and $ap,$tp,$nhi
|
||||
bic $np,$rp,$nhi
|
||||
orr $ap,$ap,$np @ ap=borrow?tp:rp
|
||||
|
||||
.Lcopy: ldr $tj,[$ap],#4 @ copy or in-place refresh
|
||||
.Lcopy: ldr $tj,[$tp] @ conditional copy
|
||||
ldr $aj,[$rp]
|
||||
str sp,[$tp],#4 @ zap tp
|
||||
str $tj,[$rp],#4
|
||||
cmp $tp,$num
|
||||
#ifdef __thumb2__
|
||||
it cc
|
||||
#endif
|
||||
movcc $aj,$tj
|
||||
str $aj,[$rp],#4
|
||||
teq $tp,$num @ preserve carry
|
||||
bne .Lcopy
|
||||
|
||||
add sp,$num,#4 @ skip over tp[num+1]
|
||||
|
@ -332,19 +332,19 @@ bn_mul_mont_general:
|
||||
{ .mmb; sub rptr=rptr,len // rewind
|
||||
sub tptr=tptr,len
|
||||
clrrrb.pr };;
|
||||
{ .mmi; and aptr=tptr,topbit
|
||||
andcm bptr=rptr,topbit
|
||||
{ .mmi; mov aptr=rptr
|
||||
mov bptr=tptr
|
||||
mov pr.rot=1<<16 };;
|
||||
{ .mii; or nptr=aptr,bptr
|
||||
{ .mii; cmp.eq p0,p6=topbit,r0
|
||||
mov ar.lc=lc
|
||||
mov ar.ec=3 };;
|
||||
mov ar.ec=2 };;
|
||||
|
||||
.Lcopy_ctop:
|
||||
{ .mmb; (p16) ld8 n[0]=[nptr],8
|
||||
(p18) st8 [tptr]=r0,8
|
||||
(p16) nop.b 0 }
|
||||
{ .mmb; (p16) nop.m 0
|
||||
(p18) st8 [rptr]=n[2],8
|
||||
{ .mmi; (p16) ld8 a[0]=[aptr],8
|
||||
(p16) ld8 t[0]=[bptr],8
|
||||
(p6) mov a[1]=t[1] };; // (p17)
|
||||
{ .mmb; (p17) st8 [rptr]=a[1],8
|
||||
(p17) st8 [tptr]=r0,8
|
||||
br.ctop.sptk .Lcopy_ctop };;
|
||||
.Lcopy_cend:
|
||||
|
||||
|
@ -377,15 +377,13 @@ $code.=<<___;
|
||||
$PTR_SUB $rp,$num # restore rp
|
||||
not $hi1,$hi0
|
||||
|
||||
and $ap,$hi0,$sp
|
||||
and $bp,$hi1,$rp
|
||||
or $ap,$ap,$bp # ap=borrow?tp:rp
|
||||
|
||||
.align 4
|
||||
.Lcopy: $LD $aj,($ap)
|
||||
$PTR_ADD $ap,$BNSZ
|
||||
.Lcopy: $LD $nj,($tp) # conditional move
|
||||
$LD $aj,($rp)
|
||||
$ST $zero,($tp)
|
||||
$PTR_ADD $tp,$BNSZ
|
||||
and $nj,$hi0
|
||||
and $aj,$hi1
|
||||
or $aj,$nj
|
||||
sltu $at,$tp,$tj
|
||||
$ST $aj,($rp)
|
||||
bnez $at,.Lcopy
|
||||
|
@ -510,7 +510,6 @@ L\$sub
|
||||
stws,ma $hi1,4($rp)
|
||||
|
||||
subb $ti0,%r0,$hi1
|
||||
ldo -4($tp),$tp
|
||||
___
|
||||
$code.=<<___ if ($BN_SZ==8);
|
||||
ldd,ma 8($tp),$ti0
|
||||
@ -525,21 +524,19 @@ L\$sub
|
||||
|
||||
extrd,u $ti0,31,32,$ti0 ; carry in flipped word order
|
||||
sub,db $ti0,%r0,$hi1
|
||||
ldo -8($tp),$tp
|
||||
___
|
||||
$code.=<<___;
|
||||
and $tp,$hi1,$ap
|
||||
andcm $rp,$hi1,$bp
|
||||
or $ap,$bp,$np
|
||||
|
||||
ldo `$LOCALS+32`($fp),$tp
|
||||
sub $rp,$arrsz,$rp ; rewind rp
|
||||
subi 0,$arrsz,$idx
|
||||
ldo `$LOCALS+32`($fp),$tp
|
||||
L\$copy
|
||||
ldd $idx($np),$hi0
|
||||
ldd 0($tp),$ti0
|
||||
ldd 0($rp),$hi0
|
||||
std,ma %r0,8($tp)
|
||||
addib,<> 8,$idx,.-8 ; L\$copy
|
||||
std,ma $hi0,8($rp)
|
||||
comiclr,= 0,$hi1,%r0
|
||||
copy $ti0,$hi0
|
||||
addib,<> 8,$idx,L\$copy
|
||||
std,ma $hi0,8($rp)
|
||||
___
|
||||
|
||||
if ($BN_SZ==4) { # PA-RISC 1.1 code-path
|
||||
@ -849,17 +846,16 @@ L\$sub_pa11
|
||||
stws,ma $hi1,4($rp)
|
||||
|
||||
subb $ti0,%r0,$hi1
|
||||
ldo -4($tp),$tp
|
||||
and $tp,$hi1,$ap
|
||||
andcm $rp,$hi1,$bp
|
||||
or $ap,$bp,$np
|
||||
|
||||
ldo `$LOCALS+32`($fp),$tp
|
||||
sub $rp,$arrsz,$rp ; rewind rp
|
||||
subi 0,$arrsz,$idx
|
||||
ldo `$LOCALS+32`($fp),$tp
|
||||
L\$copy_pa11
|
||||
ldwx $idx($np),$hi0
|
||||
ldw 0($tp),$ti0
|
||||
ldw 0($rp),$hi0
|
||||
stws,ma %r0,4($tp)
|
||||
comiclr,= 0,$hi1,%r0
|
||||
copy $ti0,$hi0
|
||||
addib,<> 4,$idx,L\$copy_pa11
|
||||
stws,ma $hi0,4($rp)
|
||||
|
||||
|
@ -294,15 +294,16 @@ Lsub: $LDX $tj,$tp,$j
|
||||
li $j,0
|
||||
mtctr $num
|
||||
subfe $ovf,$j,$ovf ; handle upmost overflow bit
|
||||
and $ap,$tp,$ovf
|
||||
andc $np,$rp,$ovf
|
||||
or $ap,$ap,$np ; ap=borrow?tp:rp
|
||||
|
||||
.align 4
|
||||
Lcopy: ; copy or in-place refresh
|
||||
$LDX $tj,$ap,$j
|
||||
$STX $tj,$rp,$j
|
||||
Lcopy: ; conditional copy
|
||||
$LDX $tj,$tp,$j
|
||||
$LDX $aj,$rp,$j
|
||||
and $tj,$tj,$ovf
|
||||
andc $aj,$aj,$ovf
|
||||
$STX $j,$tp,$j ; zap at once
|
||||
or $aj,$aj,$tj
|
||||
$STX $aj,$rp,$j
|
||||
addi $j,$j,$BNSZ
|
||||
bdnz Lcopy
|
||||
|
||||
|
@ -1494,16 +1494,14 @@ Lsub: ldx $t0,$tp,$i
|
||||
|
||||
li $i,0
|
||||
subfe $ovf,$i,$ovf ; handle upmost overflow bit
|
||||
and $ap,$tp,$ovf
|
||||
andc $np,$rp,$ovf
|
||||
or $ap,$ap,$np ; ap=borrow?tp:rp
|
||||
addi $t7,$ap,8
|
||||
mtctr $j
|
||||
|
||||
.align 4
|
||||
Lcopy: ; copy or in-place refresh
|
||||
ldx $t0,$ap,$i
|
||||
ldx $t1,$t7,$i
|
||||
Lcopy: ; conditional copy
|
||||
ldx $t0,$tp,$i
|
||||
ldx $t1,$t4,$i
|
||||
ldx $t2,$rp,$i
|
||||
ldx $t3,$t6,$i
|
||||
std $i,8($nap_d) ; zap nap_d
|
||||
std $i,16($nap_d)
|
||||
std $i,24($nap_d)
|
||||
@ -1512,6 +1510,12 @@ Lcopy: ; copy or in-place refresh
|
||||
std $i,48($nap_d)
|
||||
std $i,56($nap_d)
|
||||
stdu $i,64($nap_d)
|
||||
and $t0,$t0,$ovf
|
||||
and $t1,$t1,$ovf
|
||||
andc $t2,$t2,$ovf
|
||||
andc $t3,$t3,$ovf
|
||||
or $t0,$t0,$t2
|
||||
or $t1,$t1,$t3
|
||||
stdx $t0,$rp,$i
|
||||
stdx $t1,$t6,$i
|
||||
stdx $i,$tp,$i ; zap tp at once
|
||||
@ -1554,20 +1558,21 @@ Lsub: lwz $t0,12($tp) ; load tp[j..j+3] in 64-bit word order
|
||||
|
||||
li $i,0
|
||||
subfe $ovf,$i,$ovf ; handle upmost overflow bit
|
||||
addi $tp,$sp,`$FRAME+$TRANSFER+4`
|
||||
addi $ap,$sp,`$FRAME+$TRANSFER+4`
|
||||
subf $rp,$num,$rp ; rewind rp
|
||||
and $ap,$tp,$ovf
|
||||
andc $np,$rp,$ovf
|
||||
or $ap,$ap,$np ; ap=borrow?tp:rp
|
||||
addi $tp,$sp,`$FRAME+$TRANSFER`
|
||||
mtctr $j
|
||||
|
||||
.align 4
|
||||
Lcopy: ; copy or in-place refresh
|
||||
Lcopy: ; conditional copy
|
||||
lwz $t0,4($ap)
|
||||
lwz $t1,8($ap)
|
||||
lwz $t2,12($ap)
|
||||
lwzu $t3,16($ap)
|
||||
lwz $t4,4($rp)
|
||||
lwz $t5,8($rp)
|
||||
lwz $t6,12($rp)
|
||||
lwz $t7,16($rp)
|
||||
std $i,8($nap_d) ; zap nap_d
|
||||
std $i,16($nap_d)
|
||||
std $i,24($nap_d)
|
||||
@ -1576,6 +1581,18 @@ Lcopy: ; copy or in-place refresh
|
||||
std $i,48($nap_d)
|
||||
std $i,56($nap_d)
|
||||
stdu $i,64($nap_d)
|
||||
and $t0,$t0,$ovf
|
||||
and $t1,$t1,$ovf
|
||||
and $t2,$t2,$ovf
|
||||
and $t3,$t3,$ovf
|
||||
andc $t4,$t4,$ovf
|
||||
andc $t5,$t5,$ovf
|
||||
andc $t6,$t6,$ovf
|
||||
andc $t7,$t7,$ovf
|
||||
or $t0,$t0,$t4
|
||||
or $t1,$t1,$t5
|
||||
or $t2,$t2,$t6
|
||||
or $t3,$t3,$t7
|
||||
stw $t0,4($rp)
|
||||
stw $t1,8($rp)
|
||||
stw $t2,12($rp)
|
||||
|
@ -97,7 +97,7 @@ if (!$avx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) &&
|
||||
$addx = ($1>=11);
|
||||
}
|
||||
|
||||
if (!$avx && `$ENV{CC} -v 2>&1` =~ /(^clang version|based on LLVM) ([3-9])\.([0-9]+)/) {
|
||||
if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|based on LLVM) ([3-9])\.([0-9]+)/) {
|
||||
my $ver = $2 + $3/100.0; # 3.1->3.01, 3.10->3.10
|
||||
$avx = ($ver>=3.0) + ($ver>=3.01);
|
||||
$addx = ($ver>=3.03);
|
||||
|
@ -245,16 +245,16 @@ $code.=<<___;
|
||||
brct $count,.Lsub
|
||||
lghi $ahi,0
|
||||
slbgr $AHI,$ahi # handle upmost carry
|
||||
|
||||
ngr $ap,$AHI
|
||||
lghi $np,-1
|
||||
xgr $np,$AHI
|
||||
ngr $np,$rp
|
||||
ogr $ap,$np # ap=borrow?tp:rp
|
||||
lghi $NHI,-1
|
||||
xgr $NHI,$AHI
|
||||
|
||||
la $j,0(%r0)
|
||||
lgr $count,$num
|
||||
.Lcopy: lg $alo,0($j,$ap) # copy or in-place refresh
|
||||
.Lcopy: lg $ahi,$stdframe($j,$sp) # conditional copy
|
||||
lg $alo,0($j,$rp)
|
||||
ngr $ahi,$AHI
|
||||
ngr $alo,$NHI
|
||||
ogr $alo,$ahi
|
||||
_dswap $alo
|
||||
stg $j,$stdframe($j,$sp) # zap tp
|
||||
stg $alo,0($j,$rp)
|
||||
|
@ -878,19 +878,17 @@ $code.=<<___;
|
||||
sub $tp, $num, $tp
|
||||
sub $rp, $num, $rp
|
||||
|
||||
subc $ovf, %g0, $ovf ! handle upmost overflow bit
|
||||
and $tp, $ovf, $ap
|
||||
andn $rp, $ovf, $np
|
||||
or $np, $ap, $ap ! ap=borrow?tp:rp
|
||||
subccc $ovf, %g0, $ovf ! handle upmost overflow bit
|
||||
ba .Lcopy
|
||||
sub $num, 8, $cnt
|
||||
|
||||
.align 16
|
||||
.Lcopy: ! copy or in-place refresh
|
||||
ldx [$ap+0], $t2
|
||||
add $ap, 8, $ap
|
||||
.Lcopy: ! conditional copy
|
||||
ldx [$tp], $tj
|
||||
ldx [$rp+0], $t2
|
||||
stx %g0, [$tp] ! zap
|
||||
add $tp, 8, $tp
|
||||
movcs %icc, $tj, $t2
|
||||
stx $t2, [$rp+0]
|
||||
add $rp, 8, $rp
|
||||
brnz $cnt, .Lcopy
|
||||
@ -1126,19 +1124,17 @@ $code.=<<___;
|
||||
sub $tp, $num, $tp
|
||||
sub $rp, $num, $rp
|
||||
|
||||
subc $ovf, %g0, $ovf ! handle upmost overflow bit
|
||||
and $tp, $ovf, $ap
|
||||
andn $rp, $ovf, $np
|
||||
or $np, $ap, $ap ! ap=borrow?tp:rp
|
||||
subccc $ovf, %g0, $ovf ! handle upmost overflow bit
|
||||
ba .Lcopy_g5
|
||||
sub $num, 8, $cnt
|
||||
|
||||
.align 16
|
||||
.Lcopy_g5: ! copy or in-place refresh
|
||||
ldx [$ap+0], $t2
|
||||
add $ap, 8, $ap
|
||||
.Lcopy_g5: ! conditional copy
|
||||
ldx [$tp], $tj
|
||||
ldx [$rp+0], $t2
|
||||
stx %g0, [$tp] ! zap
|
||||
add $tp, 8, $tp
|
||||
movcs %icc, $tj, $t2
|
||||
stx $t2, [$rp+0]
|
||||
add $rp, 8, $rp
|
||||
brnz $cnt, .Lcopy_g5
|
||||
|
@ -255,7 +255,6 @@ $fname:
|
||||
.Ltail:
|
||||
add $np,$num,$np
|
||||
add $rp,$num,$rp
|
||||
mov $tp,$ap
|
||||
sub %g0,$num,%o7 ! k=-num
|
||||
ba .Lsub
|
||||
subcc %g0,%g0,%g0 ! clear %icc.c
|
||||
@ -268,15 +267,14 @@ $fname:
|
||||
add %o7,4,%o7
|
||||
brnz %o7,.Lsub
|
||||
st %o1,[$i]
|
||||
subc $car2,0,$car2 ! handle upmost overflow bit
|
||||
and $tp,$car2,$ap
|
||||
andn $rp,$car2,$np
|
||||
or $ap,$np,$ap
|
||||
subccc $car2,0,$car2 ! handle upmost overflow bit
|
||||
sub %g0,$num,%o7
|
||||
|
||||
.Lcopy:
|
||||
ld [$ap+%o7],%o0 ! copy or in-place refresh
|
||||
ld [$tp+%o7],%o1 ! conditional copy
|
||||
ld [$rp+%o7],%o0
|
||||
st %g0,[$tp+%o7] ! zap tp
|
||||
movcs %icc,%o1,%o0
|
||||
st %o0,[$rp+%o7]
|
||||
add %o7,4,%o7
|
||||
brnz %o7,.Lcopy
|
||||
@ -485,6 +483,9 @@ $code.=<<___;
|
||||
mulx $npj,$mul1,$acc1
|
||||
add $tpj,$car1,$car1
|
||||
ld [$np+$j],$npj ! np[j]
|
||||
srlx $car1,32,$tmp0
|
||||
and $car1,$mask,$car1
|
||||
add $tmp0,$sbit,$sbit
|
||||
add $acc0,$car1,$car1
|
||||
ld [$tp+8],$tpj ! tp[j]
|
||||
add $acc1,$car1,$car1
|
||||
|
@ -203,18 +203,15 @@ $sp=&DWP(28,"esp");
|
||||
|
||||
&mov ("eax",&DWP(0,"esi","edx",4)); # upmost overflow bit
|
||||
&sbb ("eax",0);
|
||||
&and ("esi","eax");
|
||||
¬ ("eax");
|
||||
&mov ("ebp","edi");
|
||||
&and ("ebp","eax");
|
||||
&or ("esi","ebp"); # tp=carry?tp:rp
|
||||
|
||||
&mov ("ecx","edx"); # num
|
||||
&xor ("edx","edx"); # i=0
|
||||
&mov ("edx",0); # i=0
|
||||
|
||||
&set_label("copy",8);
|
||||
&mov ("eax",&DWP(0,"esi","edx",4));
|
||||
&mov (&DWP(64,"esp","edx",4),"ecx"); # zap tp
|
||||
&mov ("ebx",&DWP(0,"esi","edx",4));
|
||||
&mov ("eax",&DWP(0,"edi","edx",4));
|
||||
&mov (&DWP(0,"esi","edx",4),"ecx"); # zap tp
|
||||
&cmovc ("eax","ebx");
|
||||
&mov (&DWP(0,"edi","edx",4),"eax");
|
||||
&lea ("edx",&DWP(1,"edx")); # i++
|
||||
&loop (&label("copy"));
|
||||
|
@ -299,23 +299,23 @@ $code.=<<___;
|
||||
sub $anp, $num, $anp
|
||||
sub $rp, $num, $rp
|
||||
|
||||
subc $ovf, %g0, $ovf ! handle upmost overflow bit
|
||||
and $tp, $ovf, $ap
|
||||
andn $rp, $ovf, $np
|
||||
or $np, $ap, $ap ! ap=borrow?tp:rp
|
||||
subccc $ovf, %g0, $ovf ! handle upmost overflow bit
|
||||
ba .Lcopy
|
||||
sub $num, 8, $cnt
|
||||
|
||||
.align 16
|
||||
.Lcopy: ! copy or in-place refresh
|
||||
ld [$ap+0], $t2
|
||||
ld [$ap+4], $t3
|
||||
add $ap, 8, $ap
|
||||
.Lcopy: ! conditional copy
|
||||
ld [$tp+0], $t0
|
||||
ld [$tp+4], $t1
|
||||
ld [$rp+0], $t2
|
||||
ld [$rp+4], $t3
|
||||
stx %g0, [$tp] ! zap
|
||||
add $tp, 8, $tp
|
||||
stx %g0, [$anp] ! zap
|
||||
stx %g0, [$anp+8]
|
||||
add $anp, 16, $anp
|
||||
movcs %icc, $t0, $t2
|
||||
movcs %icc, $t1, $t3
|
||||
st $t3, [$rp+0] ! flip order
|
||||
st $t2, [$rp+4]
|
||||
add $rp, 8, $rp
|
||||
|
@ -592,16 +592,18 @@ $sbit=$num;
|
||||
&jge (&label("sub"));
|
||||
|
||||
&sbb ("eax",0); # handle upmost overflow bit
|
||||
&and ($tp,"eax");
|
||||
¬ ("eax");
|
||||
&mov ($np,$rp);
|
||||
&and ($np,"eax");
|
||||
&or ($tp,$np); # tp=carry?tp:rp
|
||||
&mov ("edx",-1);
|
||||
&xor ("edx","eax");
|
||||
&jmp (&label("copy"));
|
||||
|
||||
&set_label("copy",16); # copy or in-place refresh
|
||||
&mov ("eax",&DWP(0,$tp,$num,4));
|
||||
&mov (&DWP(0,$rp,$num,4),"eax"); # rp[i]=tp[i]
|
||||
&set_label("copy",16); # conditional copy
|
||||
&mov ($tp,&DWP($frame,"esp",$num,4));
|
||||
&mov ($np,&DWP(0,$rp,$num,4));
|
||||
&mov (&DWP($frame,"esp",$num,4),$j); # zap temporary vector
|
||||
&and ($tp,"eax");
|
||||
&and ($np,"edx");
|
||||
&or ($np,$tp);
|
||||
&mov (&DWP(0,$rp,$num,4),$np);
|
||||
&dec ($num);
|
||||
&jge (&label("copy"));
|
||||
|
||||
|
@ -293,30 +293,30 @@ $code.=<<___;
|
||||
|
||||
xor $i,$i # i=0 and clear CF!
|
||||
mov (%rsp),%rax # tp[0]
|
||||
lea (%rsp),$ap # borrow ap for tp
|
||||
mov $num,$j # j=num
|
||||
jmp .Lsub
|
||||
|
||||
.align 16
|
||||
.Lsub: sbb ($np,$i,8),%rax
|
||||
mov %rax,($rp,$i,8) # rp[i]=tp[i]-np[i]
|
||||
mov 8($ap,$i,8),%rax # tp[i+1]
|
||||
mov 8(%rsp,$i,8),%rax # tp[i+1]
|
||||
lea 1($i),$i # i++
|
||||
dec $j # doesnn't affect CF!
|
||||
jnz .Lsub
|
||||
|
||||
sbb \$0,%rax # handle upmost overflow bit
|
||||
mov \$-1,%rbx
|
||||
xor %rax,%rbx # not %rax
|
||||
xor $i,$i
|
||||
and %rax,$ap
|
||||
not %rax
|
||||
mov $rp,$np
|
||||
and %rax,$np
|
||||
mov $num,$j # j=num
|
||||
or $np,$ap # ap=borrow?tp:rp
|
||||
.align 16
|
||||
.Lcopy: # copy or in-place refresh
|
||||
mov ($ap,$i,8),%rax
|
||||
mov $i,(%rsp,$i,8) # zap temporary vector
|
||||
mov %rax,($rp,$i,8) # rp[i]=tp[i]
|
||||
|
||||
.Lcopy: # conditional copy
|
||||
mov ($rp,$i,8),%rcx
|
||||
mov (%rsp,$i,8),%rdx
|
||||
and %rbx,%rcx
|
||||
and %rax,%rdx
|
||||
mov $num,(%rsp,$i,8) # zap temporary vector
|
||||
or %rcx,%rdx
|
||||
mov %rdx,($rp,$i,8) # rp[i]=tp[i]
|
||||
lea 1($i),$i
|
||||
sub \$1,$j
|
||||
jnz .Lcopy
|
||||
@ -686,10 +686,10 @@ ___
|
||||
my @ri=("%rax","%rdx",$m0,$m1);
|
||||
$code.=<<___;
|
||||
mov 16(%rsp,$num,8),$rp # restore $rp
|
||||
lea -4($num),$j
|
||||
mov 0(%rsp),@ri[0] # tp[0]
|
||||
pxor %xmm0,%xmm0
|
||||
mov 8(%rsp),@ri[1] # tp[1]
|
||||
shr \$2,$num # num/=4
|
||||
shr \$2,$j # j=num/4-1
|
||||
lea (%rsp),$ap # borrow ap for tp
|
||||
xor $i,$i # i=0 and clear CF!
|
||||
|
||||
@ -697,9 +697,7 @@ $code.=<<___;
|
||||
mov 16($ap),@ri[2] # tp[2]
|
||||
mov 24($ap),@ri[3] # tp[3]
|
||||
sbb 8($np),@ri[1]
|
||||
lea -1($num),$j # j=num/4-1
|
||||
jmp .Lsub4x
|
||||
.align 16
|
||||
|
||||
.Lsub4x:
|
||||
mov @ri[0],0($rp,$i,8) # rp[i]=tp[i]-np[i]
|
||||
mov @ri[1],8($rp,$i,8) # rp[i]=tp[i]-np[i]
|
||||
@ -726,34 +724,35 @@ $code.=<<___;
|
||||
|
||||
sbb \$0,@ri[0] # handle upmost overflow bit
|
||||
mov @ri[3],24($rp,$i,8) # rp[i]=tp[i]-np[i]
|
||||
xor $i,$i # i=0
|
||||
and @ri[0],$ap
|
||||
not @ri[0]
|
||||
mov $rp,$np
|
||||
and @ri[0],$np
|
||||
lea -1($num),$j
|
||||
or $np,$ap # ap=borrow?tp:rp
|
||||
pxor %xmm0,%xmm0
|
||||
movq @ri[0],%xmm4
|
||||
pcmpeqd %xmm5,%xmm5
|
||||
pshufd \$0,%xmm4,%xmm4
|
||||
mov $num,$j
|
||||
pxor %xmm4,%xmm5
|
||||
shr \$2,$j # j=num/4
|
||||
xor %eax,%eax # i=0
|
||||
|
||||
movdqu ($ap),%xmm1
|
||||
movdqa %xmm0,(%rsp)
|
||||
movdqu %xmm1,($rp)
|
||||
jmp .Lcopy4x
|
||||
.align 16
|
||||
.Lcopy4x: # copy or in-place refresh
|
||||
movdqu 16($ap,$i),%xmm2
|
||||
movdqu 32($ap,$i),%xmm1
|
||||
movdqa %xmm0,16(%rsp,$i)
|
||||
movdqu %xmm2,16($rp,$i)
|
||||
movdqa %xmm0,32(%rsp,$i)
|
||||
movdqu %xmm1,32($rp,$i)
|
||||
lea 32($i),$i
|
||||
.Lcopy4x: # conditional copy
|
||||
movdqa (%rsp,%rax),%xmm1
|
||||
movdqu ($rp,%rax),%xmm2
|
||||
pand %xmm4,%xmm1
|
||||
pand %xmm5,%xmm2
|
||||
movdqa 16(%rsp,%rax),%xmm3
|
||||
movdqa %xmm0,(%rsp,%rax)
|
||||
por %xmm2,%xmm1
|
||||
movdqu 16($rp,%rax),%xmm2
|
||||
movdqu %xmm1,($rp,%rax)
|
||||
pand %xmm4,%xmm3
|
||||
pand %xmm5,%xmm2
|
||||
movdqa %xmm0,16(%rsp,%rax)
|
||||
por %xmm2,%xmm3
|
||||
movdqu %xmm3,16($rp,%rax)
|
||||
lea 32(%rax),%rax
|
||||
dec $j
|
||||
jnz .Lcopy4x
|
||||
|
||||
shl \$2,$num
|
||||
movdqu 16($ap,$i),%xmm2
|
||||
movdqa %xmm0,16(%rsp,$i)
|
||||
movdqu %xmm2,16($rp,$i)
|
||||
___
|
||||
}
|
||||
$code.=<<___;
|
||||
|
@ -405,18 +405,19 @@ $code.=<<___;
|
||||
jnz .Lsub
|
||||
|
||||
sbb \$0,%rax # handle upmost overflow bit
|
||||
mov \$-1,%rbx
|
||||
xor %rax,%rbx
|
||||
xor $i,$i
|
||||
and %rax,$ap
|
||||
not %rax
|
||||
mov $rp,$np
|
||||
and %rax,$np
|
||||
mov $num,$j # j=num
|
||||
or $np,$ap # ap=borrow?tp:rp
|
||||
.align 16
|
||||
.Lcopy: # copy or in-place refresh
|
||||
mov ($ap,$i,8),%rax
|
||||
|
||||
.Lcopy: # conditional copy
|
||||
mov ($rp,$i,8),%rcx
|
||||
mov (%rsp,$i,8),%rdx
|
||||
and %rbx,%rcx
|
||||
and %rax,%rdx
|
||||
mov $i,(%rsp,$i,8) # zap temporary vector
|
||||
mov %rax,($rp,$i,8) # rp[i]=tp[i]
|
||||
or %rcx,%rdx
|
||||
mov %rdx,($rp,$i,8) # rp[i]=tp[i]
|
||||
lea 1($i),$i
|
||||
sub \$1,$j
|
||||
jnz .Lcopy
|
||||
|
106
crypto/bn/bn.h
106
crypto/bn/bn.h
@ -56,7 +56,7 @@
|
||||
* [including the GNU Public Licence.]
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
@ -375,25 +375,76 @@ int BN_GENCB_call(BN_GENCB *cb, int a, int b);
|
||||
* on the size of the number */
|
||||
|
||||
/*
|
||||
* number of Miller-Rabin iterations for an error rate of less than 2^-80 for
|
||||
* random 'b'-bit input, b >= 100 (taken from table 4.4 in the Handbook of
|
||||
* Applied Cryptography [Menezes, van Oorschot, Vanstone; CRC Press 1996];
|
||||
* original paper: Damgaard, Landrock, Pomerance: Average case error
|
||||
* estimates for the strong probable prime test. -- Math. Comp. 61 (1993)
|
||||
* 177-194)
|
||||
* BN_prime_checks_for_size() returns the number of Miller-Rabin iterations
|
||||
* that will be done for checking that a random number is probably prime. The
|
||||
* error rate for accepting a composite number as prime depends on the size of
|
||||
* the prime |b|. The error rates used are for calculating an RSA key with 2 primes,
|
||||
* and so the level is what you would expect for a key of double the size of the
|
||||
* prime.
|
||||
*
|
||||
* This table is generated using the algorithm of FIPS PUB 186-4
|
||||
* Digital Signature Standard (DSS), section F.1, page 117.
|
||||
* (https://dx.doi.org/10.6028/NIST.FIPS.186-4)
|
||||
*
|
||||
* The following magma script was used to generate the output:
|
||||
* securitybits:=125;
|
||||
* k:=1024;
|
||||
* for t:=1 to 65 do
|
||||
* for M:=3 to Floor(2*Sqrt(k-1)-1) do
|
||||
* S:=0;
|
||||
* // Sum over m
|
||||
* for m:=3 to M do
|
||||
* s:=0;
|
||||
* // Sum over j
|
||||
* for j:=2 to m do
|
||||
* s+:=(RealField(32)!2)^-(j+(k-1)/j);
|
||||
* end for;
|
||||
* S+:=2^(m-(m-1)*t)*s;
|
||||
* end for;
|
||||
* A:=2^(k-2-M*t);
|
||||
* B:=8*(Pi(RealField(32))^2-6)/3*2^(k-2)*S;
|
||||
* pkt:=2.00743*Log(2)*k*2^-k*(A+B);
|
||||
* seclevel:=Floor(-Log(2,pkt));
|
||||
* if seclevel ge securitybits then
|
||||
* printf "k: %5o, security: %o bits (t: %o, M: %o)\n",k,seclevel,t,M;
|
||||
* break;
|
||||
* end if;
|
||||
* end for;
|
||||
* if seclevel ge securitybits then break; end if;
|
||||
* end for;
|
||||
*
|
||||
* It can be run online at:
|
||||
* http://magma.maths.usyd.edu.au/calc
|
||||
*
|
||||
* And will output:
|
||||
* k: 1024, security: 129 bits (t: 6, M: 23)
|
||||
*
|
||||
* k is the number of bits of the prime, securitybits is the level we want to
|
||||
* reach.
|
||||
*
|
||||
* prime length | RSA key size | # MR tests | security level
|
||||
* -------------+--------------|------------+---------------
|
||||
* (b) >= 6394 | >= 12788 | 3 | 256 bit
|
||||
* (b) >= 3747 | >= 7494 | 3 | 192 bit
|
||||
* (b) >= 1345 | >= 2690 | 4 | 128 bit
|
||||
* (b) >= 1080 | >= 2160 | 5 | 128 bit
|
||||
* (b) >= 852 | >= 1704 | 5 | 112 bit
|
||||
* (b) >= 476 | >= 952 | 5 | 80 bit
|
||||
* (b) >= 400 | >= 800 | 6 | 80 bit
|
||||
* (b) >= 347 | >= 694 | 7 | 80 bit
|
||||
* (b) >= 308 | >= 616 | 8 | 80 bit
|
||||
* (b) >= 55 | >= 110 | 27 | 64 bit
|
||||
* (b) >= 6 | >= 12 | 34 | 64 bit
|
||||
*/
|
||||
# define BN_prime_checks_for_size(b) ((b) >= 1300 ? 2 : \
|
||||
(b) >= 850 ? 3 : \
|
||||
(b) >= 650 ? 4 : \
|
||||
(b) >= 550 ? 5 : \
|
||||
(b) >= 450 ? 6 : \
|
||||
(b) >= 400 ? 7 : \
|
||||
(b) >= 350 ? 8 : \
|
||||
(b) >= 300 ? 9 : \
|
||||
(b) >= 250 ? 12 : \
|
||||
(b) >= 200 ? 15 : \
|
||||
(b) >= 150 ? 18 : \
|
||||
/* b >= 100 */ 27)
|
||||
|
||||
# define BN_prime_checks_for_size(b) ((b) >= 3747 ? 3 : \
|
||||
(b) >= 1345 ? 4 : \
|
||||
(b) >= 476 ? 5 : \
|
||||
(b) >= 400 ? 6 : \
|
||||
(b) >= 347 ? 7 : \
|
||||
(b) >= 308 ? 8 : \
|
||||
(b) >= 55 ? 27 : \
|
||||
/* b >= 6 */ 34)
|
||||
|
||||
# define BN_num_bytes(a) ((BN_num_bits(a)+7)/8)
|
||||
|
||||
@ -773,6 +824,16 @@ BIGNUM *bn_dup_expand(const BIGNUM *a, int words); /* unused */
|
||||
/* We only need assert() when debugging */
|
||||
# include <assert.h>
|
||||
|
||||
/*
|
||||
* The new BN_FLG_FIXED_TOP flag marks vectors that were not treated with
|
||||
* bn_correct_top, in other words such vectors are permitted to have zeros
|
||||
* in most significant limbs. Such vectors are used internally to achieve
|
||||
* execution time invariance for critical operations with private keys.
|
||||
* It's BN_DEBUG-only flag, because user application is not supposed to
|
||||
* observe it anyway. Moreover, optimizing compiler would actually remove
|
||||
* all operations manipulating the bit in question in non-BN_DEBUG build.
|
||||
*/
|
||||
# define BN_FLG_FIXED_TOP 0x10000
|
||||
# ifdef BN_DEBUG_RAND
|
||||
/* To avoid "make update" cvs wars due to BN_DEBUG, use some tricks */
|
||||
# ifndef RAND_pseudo_bytes
|
||||
@ -805,8 +866,10 @@ int RAND_pseudo_bytes(unsigned char *buf, int num);
|
||||
do { \
|
||||
const BIGNUM *_bnum2 = (a); \
|
||||
if (_bnum2 != NULL) { \
|
||||
assert((_bnum2->top == 0) || \
|
||||
(_bnum2->d[_bnum2->top - 1] != 0)); \
|
||||
int _top = _bnum2->top; \
|
||||
assert((_top == 0) || \
|
||||
(_bnum2->flags & BN_FLG_FIXED_TOP) || \
|
||||
(_bnum2->d[_top - 1] != 0)); \
|
||||
bn_pollute(_bnum2); \
|
||||
} \
|
||||
} while(0)
|
||||
@ -824,6 +887,7 @@ int RAND_pseudo_bytes(unsigned char *buf, int num);
|
||||
|
||||
# else /* !BN_DEBUG */
|
||||
|
||||
# define BN_FLG_FIXED_TOP 0
|
||||
# define bn_pollute(a)
|
||||
# define bn_check_top(a)
|
||||
# define bn_fix_top(a) bn_correct_top(a)
|
||||
|
@ -290,6 +290,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
|
||||
wnum.neg = 0;
|
||||
wnum.d = &(snum->d[loop]);
|
||||
wnum.top = div_n;
|
||||
wnum.flags = BN_FLG_STATIC_DATA;
|
||||
/*
|
||||
* only needed when BN_ucmp messes up the values between top and max
|
||||
*/
|
||||
|
@ -290,8 +290,8 @@ int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
|
||||
|
||||
bits = BN_num_bits(p);
|
||||
if (bits == 0) {
|
||||
/* x**0 mod 1 is still zero. */
|
||||
if (BN_is_one(m)) {
|
||||
/* x**0 mod 1, or x**0 mod -1 is still zero. */
|
||||
if (BN_abs_is_word(m, 1)) {
|
||||
ret = 1;
|
||||
BN_zero(r);
|
||||
} else {
|
||||
@ -432,8 +432,8 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
|
||||
}
|
||||
bits = BN_num_bits(p);
|
||||
if (bits == 0) {
|
||||
/* x**0 mod 1 is still zero. */
|
||||
if (BN_is_one(m)) {
|
||||
/* x**0 mod 1, or x**0 mod -1 is still zero. */
|
||||
if (BN_abs_is_word(m, 1)) {
|
||||
ret = 1;
|
||||
BN_zero(rr);
|
||||
} else {
|
||||
@ -473,17 +473,17 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
|
||||
ret = 1;
|
||||
goto err;
|
||||
}
|
||||
if (!BN_to_montgomery(val[0], aa, mont, ctx))
|
||||
if (!bn_to_mont_fixed_top(val[0], aa, mont, ctx))
|
||||
goto err; /* 1 */
|
||||
|
||||
window = BN_window_bits_for_exponent_size(bits);
|
||||
if (window > 1) {
|
||||
if (!BN_mod_mul_montgomery(d, val[0], val[0], mont, ctx))
|
||||
if (!bn_mul_mont_fixed_top(d, val[0], val[0], mont, ctx))
|
||||
goto err; /* 2 */
|
||||
j = 1 << (window - 1);
|
||||
for (i = 1; i < j; i++) {
|
||||
if (((val[i] = BN_CTX_get(ctx)) == NULL) ||
|
||||
!BN_mod_mul_montgomery(val[i], val[i - 1], d, mont, ctx))
|
||||
!bn_mul_mont_fixed_top(val[i], val[i - 1], d, mont, ctx))
|
||||
goto err;
|
||||
}
|
||||
}
|
||||
@ -505,19 +505,15 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
|
||||
for (i = 1; i < j; i++)
|
||||
r->d[i] = (~m->d[i]) & BN_MASK2;
|
||||
r->top = j;
|
||||
/*
|
||||
* Upper words will be zero if the corresponding words of 'm' were
|
||||
* 0xfff[...], so decrement r->top accordingly.
|
||||
*/
|
||||
bn_correct_top(r);
|
||||
r->flags |= BN_FLG_FIXED_TOP;
|
||||
} else
|
||||
#endif
|
||||
if (!BN_to_montgomery(r, BN_value_one(), mont, ctx))
|
||||
if (!bn_to_mont_fixed_top(r, BN_value_one(), mont, ctx))
|
||||
goto err;
|
||||
for (;;) {
|
||||
if (BN_is_bit_set(p, wstart) == 0) {
|
||||
if (!start) {
|
||||
if (!BN_mod_mul_montgomery(r, r, r, mont, ctx))
|
||||
if (!bn_mul_mont_fixed_top(r, r, r, mont, ctx))
|
||||
goto err;
|
||||
}
|
||||
if (wstart == 0)
|
||||
@ -548,12 +544,12 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
|
||||
/* add the 'bytes above' */
|
||||
if (!start)
|
||||
for (i = 0; i < j; i++) {
|
||||
if (!BN_mod_mul_montgomery(r, r, r, mont, ctx))
|
||||
if (!bn_mul_mont_fixed_top(r, r, r, mont, ctx))
|
||||
goto err;
|
||||
}
|
||||
|
||||
/* wvalue will be an odd number < 2^window */
|
||||
if (!BN_mod_mul_montgomery(r, r, val[wvalue >> 1], mont, ctx))
|
||||
if (!bn_mul_mont_fixed_top(r, r, val[wvalue >> 1], mont, ctx))
|
||||
goto err;
|
||||
|
||||
/* move the 'window' down further */
|
||||
@ -563,6 +559,11 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
|
||||
if (wstart < 0)
|
||||
break;
|
||||
}
|
||||
/*
|
||||
* Done with zero-padded intermediate BIGNUMs. Final BN_from_montgomery
|
||||
* removes padding [if any] and makes return value suitable for public
|
||||
* API consumer.
|
||||
*/
|
||||
#if defined(SPARC_T4_MONT)
|
||||
if (OPENSSL_sparcv9cap_P[0] & (SPARCV9_VIS3 | SPARCV9_PREFER_FPU)) {
|
||||
j = mont->N.top; /* borrow j */
|
||||
@ -681,7 +682,7 @@ static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top,
|
||||
}
|
||||
|
||||
b->top = top;
|
||||
bn_correct_top(b);
|
||||
b->flags |= BN_FLG_FIXED_TOP;
|
||||
return 1;
|
||||
}
|
||||
|
||||
@ -733,8 +734,8 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
|
||||
*/
|
||||
bits = p->top * BN_BITS2;
|
||||
if (bits == 0) {
|
||||
/* x**0 mod 1 is still zero. */
|
||||
if (BN_is_one(m)) {
|
||||
/* x**0 mod 1, or x**0 mod -1 is still zero. */
|
||||
if (BN_abs_is_word(m, 1)) {
|
||||
ret = 1;
|
||||
BN_zero(rr);
|
||||
} else {
|
||||
@ -852,16 +853,16 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
|
||||
tmp.top = top;
|
||||
} else
|
||||
#endif
|
||||
if (!BN_to_montgomery(&tmp, BN_value_one(), mont, ctx))
|
||||
if (!bn_to_mont_fixed_top(&tmp, BN_value_one(), mont, ctx))
|
||||
goto err;
|
||||
|
||||
/* prepare a^1 in Montgomery domain */
|
||||
if (a->neg || BN_ucmp(a, m) >= 0) {
|
||||
if (!BN_mod(&am, a, m, ctx))
|
||||
goto err;
|
||||
if (!BN_to_montgomery(&am, &am, mont, ctx))
|
||||
if (!bn_to_mont_fixed_top(&am, &am, mont, ctx))
|
||||
goto err;
|
||||
} else if (!BN_to_montgomery(&am, a, mont, ctx))
|
||||
} else if (!bn_to_mont_fixed_top(&am, a, mont, ctx))
|
||||
goto err;
|
||||
|
||||
#if defined(SPARC_T4_MONT)
|
||||
@ -1128,14 +1129,14 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
|
||||
* performance advantage of sqr over mul).
|
||||
*/
|
||||
if (window > 1) {
|
||||
if (!BN_mod_mul_montgomery(&tmp, &am, &am, mont, ctx))
|
||||
if (!bn_mul_mont_fixed_top(&tmp, &am, &am, mont, ctx))
|
||||
goto err;
|
||||
if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, powerbuf, 2,
|
||||
window))
|
||||
goto err;
|
||||
for (i = 3; i < numPowers; i++) {
|
||||
/* Calculate a^i = a^(i-1) * a */
|
||||
if (!BN_mod_mul_montgomery(&tmp, &am, &tmp, mont, ctx))
|
||||
if (!bn_mul_mont_fixed_top(&tmp, &am, &tmp, mont, ctx))
|
||||
goto err;
|
||||
if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, powerbuf, i,
|
||||
window))
|
||||
@ -1159,7 +1160,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
|
||||
|
||||
/* Scan the window, squaring the result as we go */
|
||||
for (i = 0; i < window; i++, bits--) {
|
||||
if (!BN_mod_mul_montgomery(&tmp, &tmp, &tmp, mont, ctx))
|
||||
if (!bn_mul_mont_fixed_top(&tmp, &tmp, &tmp, mont, ctx))
|
||||
goto err;
|
||||
wvalue = (wvalue << 1) + BN_is_bit_set(p, bits);
|
||||
}
|
||||
@ -1172,12 +1173,16 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
|
||||
goto err;
|
||||
|
||||
/* Multiply the result into the intermediate result */
|
||||
if (!BN_mod_mul_montgomery(&tmp, &tmp, &am, mont, ctx))
|
||||
if (!bn_mul_mont_fixed_top(&tmp, &tmp, &am, mont, ctx))
|
||||
goto err;
|
||||
}
|
||||
}
|
||||
|
||||
/* Convert the final result from montgomery to standard format */
|
||||
/*
|
||||
* Done with zero-padded intermediate BIGNUMs. Final BN_from_montgomery
|
||||
* removes padding [if any] and makes return value suitable for public
|
||||
* API consumer.
|
||||
*/
|
||||
#if defined(SPARC_T4_MONT)
|
||||
if (OPENSSL_sparcv9cap_P[0] & (SPARCV9_VIS3 | SPARCV9_PREFER_FPU)) {
|
||||
am.d[0] = 1; /* borrow am */
|
||||
@ -1247,8 +1252,8 @@ int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p,
|
||||
|
||||
bits = BN_num_bits(p);
|
||||
if (bits == 0) {
|
||||
/* x**0 mod 1 is still zero. */
|
||||
if (BN_is_one(m)) {
|
||||
/* x**0 mod 1, or x**0 mod -1 is still zero. */
|
||||
if (BN_abs_is_word(m, 1)) {
|
||||
ret = 1;
|
||||
BN_zero(rr);
|
||||
} else {
|
||||
@ -1369,9 +1374,9 @@ int BN_mod_exp_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
|
||||
}
|
||||
|
||||
bits = BN_num_bits(p);
|
||||
if (bits == 0) {
|
||||
/* x**0 mod 1 is still zero. */
|
||||
if (BN_is_one(m)) {
|
||||
if (bits == 0) {
|
||||
/* x**0 mod 1, or x**0 mod -1 is still zero. */
|
||||
if (BN_abs_is_word(m, 1)) {
|
||||
ret = 1;
|
||||
BN_zero(r);
|
||||
} else {
|
||||
|
@ -36,7 +36,7 @@
|
||||
*/
|
||||
|
||||
/* ====================================================================
|
||||
* Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
@ -103,30 +103,32 @@
|
||||
*/
|
||||
# define MAX_ITERATIONS 50
|
||||
|
||||
static const BN_ULONG SQR_tb[16] = { 0, 1, 4, 5, 16, 17, 20, 21,
|
||||
64, 65, 68, 69, 80, 81, 84, 85
|
||||
};
|
||||
# define SQR_nibble(w) ((((w) & 8) << 3) \
|
||||
| (((w) & 4) << 2) \
|
||||
| (((w) & 2) << 1) \
|
||||
| ((w) & 1))
|
||||
|
||||
|
||||
/* Platform-specific macros to accelerate squaring. */
|
||||
# if defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG)
|
||||
# define SQR1(w) \
|
||||
SQR_tb[(w) >> 60 & 0xF] << 56 | SQR_tb[(w) >> 56 & 0xF] << 48 | \
|
||||
SQR_tb[(w) >> 52 & 0xF] << 40 | SQR_tb[(w) >> 48 & 0xF] << 32 | \
|
||||
SQR_tb[(w) >> 44 & 0xF] << 24 | SQR_tb[(w) >> 40 & 0xF] << 16 | \
|
||||
SQR_tb[(w) >> 36 & 0xF] << 8 | SQR_tb[(w) >> 32 & 0xF]
|
||||
SQR_nibble((w) >> 60) << 56 | SQR_nibble((w) >> 56) << 48 | \
|
||||
SQR_nibble((w) >> 52) << 40 | SQR_nibble((w) >> 48) << 32 | \
|
||||
SQR_nibble((w) >> 44) << 24 | SQR_nibble((w) >> 40) << 16 | \
|
||||
SQR_nibble((w) >> 36) << 8 | SQR_nibble((w) >> 32)
|
||||
# define SQR0(w) \
|
||||
SQR_tb[(w) >> 28 & 0xF] << 56 | SQR_tb[(w) >> 24 & 0xF] << 48 | \
|
||||
SQR_tb[(w) >> 20 & 0xF] << 40 | SQR_tb[(w) >> 16 & 0xF] << 32 | \
|
||||
SQR_tb[(w) >> 12 & 0xF] << 24 | SQR_tb[(w) >> 8 & 0xF] << 16 | \
|
||||
SQR_tb[(w) >> 4 & 0xF] << 8 | SQR_tb[(w) & 0xF]
|
||||
SQR_nibble((w) >> 28) << 56 | SQR_nibble((w) >> 24) << 48 | \
|
||||
SQR_nibble((w) >> 20) << 40 | SQR_nibble((w) >> 16) << 32 | \
|
||||
SQR_nibble((w) >> 12) << 24 | SQR_nibble((w) >> 8) << 16 | \
|
||||
SQR_nibble((w) >> 4) << 8 | SQR_nibble((w) )
|
||||
# endif
|
||||
# ifdef THIRTY_TWO_BIT
|
||||
# define SQR1(w) \
|
||||
SQR_tb[(w) >> 28 & 0xF] << 24 | SQR_tb[(w) >> 24 & 0xF] << 16 | \
|
||||
SQR_tb[(w) >> 20 & 0xF] << 8 | SQR_tb[(w) >> 16 & 0xF]
|
||||
SQR_nibble((w) >> 28) << 24 | SQR_nibble((w) >> 24) << 16 | \
|
||||
SQR_nibble((w) >> 20) << 8 | SQR_nibble((w) >> 16)
|
||||
# define SQR0(w) \
|
||||
SQR_tb[(w) >> 12 & 0xF] << 24 | SQR_tb[(w) >> 8 & 0xF] << 16 | \
|
||||
SQR_tb[(w) >> 4 & 0xF] << 8 | SQR_tb[(w) & 0xF]
|
||||
SQR_nibble((w) >> 12) << 24 | SQR_nibble((w) >> 8) << 16 | \
|
||||
SQR_nibble((w) >> 4) << 8 | SQR_nibble((w) )
|
||||
# endif
|
||||
|
||||
# if !defined(OPENSSL_BN_ASM_GF2m)
|
||||
|
@ -56,7 +56,7 @@
|
||||
* [including the GNU Public Licence.]
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
@ -113,6 +113,7 @@
|
||||
# define HEADER_BN_LCL_H
|
||||
|
||||
# include <openssl/bn.h>
|
||||
# include "bn_int.h"
|
||||
|
||||
#ifdef __cplusplus
|
||||
extern "C" {
|
||||
|
@ -263,8 +263,6 @@ static BN_ULONG *bn_expand_internal(const BIGNUM *b, int words)
|
||||
const BN_ULONG *B;
|
||||
int i;
|
||||
|
||||
bn_check_top(b);
|
||||
|
||||
if (words > (INT_MAX / (4 * BN_BITS2))) {
|
||||
BNerr(BN_F_BN_EXPAND_INTERNAL, BN_R_BIGNUM_TOO_LONG);
|
||||
return NULL;
|
||||
@ -398,8 +396,6 @@ BIGNUM *bn_dup_expand(const BIGNUM *b, int words)
|
||||
|
||||
BIGNUM *bn_expand2(BIGNUM *b, int words)
|
||||
{
|
||||
bn_check_top(b);
|
||||
|
||||
if (words > b->dmax) {
|
||||
BN_ULONG *a = bn_expand_internal(b, words);
|
||||
if (!a)
|
||||
@ -433,7 +429,6 @@ BIGNUM *bn_expand2(BIGNUM *b, int words)
|
||||
assert(A == &(b->d[b->dmax]));
|
||||
}
|
||||
#endif
|
||||
bn_check_top(b);
|
||||
return b;
|
||||
}
|
||||
|
||||
@ -497,12 +492,18 @@ BIGNUM *BN_copy(BIGNUM *a, const BIGNUM *b)
|
||||
memcpy(a->d, b->d, sizeof(b->d[0]) * b->top);
|
||||
#endif
|
||||
|
||||
a->top = b->top;
|
||||
a->neg = b->neg;
|
||||
a->top = b->top;
|
||||
a->flags |= b->flags & BN_FLG_FIXED_TOP;
|
||||
bn_check_top(a);
|
||||
return (a);
|
||||
}
|
||||
|
||||
#define FLAGS_DATA(flags) ((flags) & (BN_FLG_STATIC_DATA \
|
||||
| BN_FLG_CONSTTIME \
|
||||
| BN_FLG_FIXED_TOP))
|
||||
#define FLAGS_STRUCT(flags) ((flags) & (BN_FLG_MALLOCED))
|
||||
|
||||
void BN_swap(BIGNUM *a, BIGNUM *b)
|
||||
{
|
||||
int flags_old_a, flags_old_b;
|
||||
@ -530,10 +531,8 @@ void BN_swap(BIGNUM *a, BIGNUM *b)
|
||||
b->dmax = tmp_dmax;
|
||||
b->neg = tmp_neg;
|
||||
|
||||
a->flags =
|
||||
(flags_old_a & BN_FLG_MALLOCED) | (flags_old_b & BN_FLG_STATIC_DATA);
|
||||
b->flags =
|
||||
(flags_old_b & BN_FLG_MALLOCED) | (flags_old_a & BN_FLG_STATIC_DATA);
|
||||
a->flags = FLAGS_STRUCT(flags_old_a) | FLAGS_DATA(flags_old_b);
|
||||
b->flags = FLAGS_STRUCT(flags_old_b) | FLAGS_DATA(flags_old_a);
|
||||
bn_check_top(a);
|
||||
bn_check_top(b);
|
||||
}
|
||||
@ -545,6 +544,7 @@ void BN_clear(BIGNUM *a)
|
||||
OPENSSL_cleanse(a->d, a->dmax * sizeof(a->d[0]));
|
||||
a->top = 0;
|
||||
a->neg = 0;
|
||||
a->flags &= ~BN_FLG_FIXED_TOP;
|
||||
}
|
||||
|
||||
BN_ULONG BN_get_word(const BIGNUM *a)
|
||||
@ -565,6 +565,7 @@ int BN_set_word(BIGNUM *a, BN_ULONG w)
|
||||
a->neg = 0;
|
||||
a->d[0] = w;
|
||||
a->top = (w ? 1 : 0);
|
||||
a->flags &= ~BN_FLG_FIXED_TOP;
|
||||
bn_check_top(a);
|
||||
return (1);
|
||||
}
|
||||
@ -613,6 +614,41 @@ BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret)
|
||||
}
|
||||
|
||||
/* ignore negative */
|
||||
static int bn2binpad(const BIGNUM *a, unsigned char *to, int tolen)
|
||||
{
|
||||
int n;
|
||||
size_t i, inc, lasti, j;
|
||||
BN_ULONG l;
|
||||
|
||||
n = BN_num_bytes(a);
|
||||
if (tolen == -1)
|
||||
tolen = n;
|
||||
else if (tolen < n)
|
||||
return -1;
|
||||
|
||||
if (n == 0) {
|
||||
OPENSSL_cleanse(to, tolen);
|
||||
return tolen;
|
||||
}
|
||||
|
||||
lasti = n - 1;
|
||||
for (i = 0, inc = 1, j = tolen; j > 0;) {
|
||||
l = a->d[i / BN_BYTES];
|
||||
to[--j] = (unsigned char)(l >> (8 * (i % BN_BYTES)) & (0 - inc));
|
||||
inc = (i - lasti) >> (8 * sizeof(i) - 1);
|
||||
i += inc; /* stay on top limb */
|
||||
}
|
||||
|
||||
return tolen;
|
||||
}
|
||||
|
||||
int bn_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen)
|
||||
{
|
||||
if (tolen < 0)
|
||||
return -1;
|
||||
return bn2binpad(a, to, tolen);
|
||||
}
|
||||
|
||||
int BN_bn2bin(const BIGNUM *a, unsigned char *to)
|
||||
{
|
||||
int n, i;
|
||||
@ -711,6 +747,7 @@ int BN_set_bit(BIGNUM *a, int n)
|
||||
for (k = a->top; k < i + 1; k++)
|
||||
a->d[k] = 0;
|
||||
a->top = i + 1;
|
||||
a->flags &= ~BN_FLG_FIXED_TOP;
|
||||
}
|
||||
|
||||
a->d[i] |= (((BN_ULONG)1) << j);
|
||||
|
@ -4,7 +4,7 @@
|
||||
* for the OpenSSL project.
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
@ -149,16 +149,71 @@ int BN_mod_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m,
|
||||
|
||||
/*
|
||||
* BN_mod_add variant that may be used if both a and b are non-negative and
|
||||
* less than m
|
||||
* less than m. The original algorithm was
|
||||
*
|
||||
* if (!BN_uadd(r, a, b))
|
||||
* return 0;
|
||||
* if (BN_ucmp(r, m) >= 0)
|
||||
* return BN_usub(r, r, m);
|
||||
*
|
||||
* which is replaced with addition, subtracting modulus, and conditional
|
||||
* move depending on whether or not subtraction borrowed.
|
||||
*/
|
||||
int bn_mod_add_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
|
||||
const BIGNUM *m)
|
||||
{
|
||||
size_t i, ai, bi, mtop = m->top;
|
||||
BN_ULONG storage[1024 / BN_BITS2];
|
||||
BN_ULONG carry, temp, mask, *rp, *tp = storage;
|
||||
const BN_ULONG *ap, *bp;
|
||||
|
||||
if (bn_wexpand(r, m->top) == NULL)
|
||||
return 0;
|
||||
|
||||
if (mtop > sizeof(storage) / sizeof(storage[0])
|
||||
&& (tp = OPENSSL_malloc(mtop * sizeof(BN_ULONG))) == NULL)
|
||||
return 0;
|
||||
|
||||
ap = a->d != NULL ? a->d : tp;
|
||||
bp = b->d != NULL ? b->d : tp;
|
||||
|
||||
for (i = 0, ai = 0, bi = 0, carry = 0; i < mtop;) {
|
||||
mask = (BN_ULONG)0 - ((i - a->top) >> (8 * sizeof(i) - 1));
|
||||
temp = ((ap[ai] & mask) + carry) & BN_MASK2;
|
||||
carry = (temp < carry);
|
||||
|
||||
mask = (BN_ULONG)0 - ((i - b->top) >> (8 * sizeof(i) - 1));
|
||||
tp[i] = ((bp[bi] & mask) + temp) & BN_MASK2;
|
||||
carry += (tp[i] < temp);
|
||||
|
||||
i++;
|
||||
ai += (i - a->dmax) >> (8 * sizeof(i) - 1);
|
||||
bi += (i - b->dmax) >> (8 * sizeof(i) - 1);
|
||||
}
|
||||
rp = r->d;
|
||||
carry -= bn_sub_words(rp, tp, m->d, mtop);
|
||||
for (i = 0; i < mtop; i++) {
|
||||
rp[i] = (carry & tp[i]) | (~carry & rp[i]);
|
||||
((volatile BN_ULONG *)tp)[i] = 0;
|
||||
}
|
||||
r->top = mtop;
|
||||
r->neg = 0;
|
||||
|
||||
if (tp != storage)
|
||||
OPENSSL_free(tp);
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
int BN_mod_add_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
|
||||
const BIGNUM *m)
|
||||
{
|
||||
if (!BN_uadd(r, a, b))
|
||||
return 0;
|
||||
if (BN_ucmp(r, m) >= 0)
|
||||
return BN_usub(r, r, m);
|
||||
return 1;
|
||||
int ret = bn_mod_add_fixed_top(r, a, b, m);
|
||||
|
||||
if (ret)
|
||||
bn_correct_top(r);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
int BN_mod_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m,
|
||||
|
@ -123,11 +123,22 @@
|
||||
#define MONT_WORD /* use the faster word-based algorithm */
|
||||
|
||||
#ifdef MONT_WORD
|
||||
static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont);
|
||||
static int bn_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont);
|
||||
#endif
|
||||
|
||||
int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
|
||||
BN_MONT_CTX *mont, BN_CTX *ctx)
|
||||
{
|
||||
int ret = bn_mul_mont_fixed_top(r, a, b, mont, ctx);
|
||||
|
||||
bn_correct_top(r);
|
||||
bn_check_top(r);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
int bn_mul_mont_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
|
||||
BN_MONT_CTX *mont, BN_CTX *ctx)
|
||||
{
|
||||
BIGNUM *tmp;
|
||||
int ret = 0;
|
||||
@ -140,8 +151,8 @@ int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
|
||||
if (bn_mul_mont(r->d, a->d, b->d, mont->N.d, mont->n0, num)) {
|
||||
r->neg = a->neg ^ b->neg;
|
||||
r->top = num;
|
||||
bn_correct_top(r);
|
||||
return (1);
|
||||
r->flags |= BN_FLG_FIXED_TOP;
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
#endif
|
||||
@ -161,13 +172,12 @@ int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
|
||||
}
|
||||
/* reduce from aRR to aR */
|
||||
#ifdef MONT_WORD
|
||||
if (!BN_from_montgomery_word(r, tmp, mont))
|
||||
if (!bn_from_montgomery_word(r, tmp, mont))
|
||||
goto err;
|
||||
#else
|
||||
if (!BN_from_montgomery(r, tmp, mont, ctx))
|
||||
goto err;
|
||||
#endif
|
||||
bn_check_top(r);
|
||||
ret = 1;
|
||||
err:
|
||||
BN_CTX_end(ctx);
|
||||
@ -175,7 +185,7 @@ int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
|
||||
}
|
||||
|
||||
#ifdef MONT_WORD
|
||||
static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont)
|
||||
static int bn_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont)
|
||||
{
|
||||
BIGNUM *n;
|
||||
BN_ULONG *ap, *np, *rp, n0, v, carry;
|
||||
@ -205,6 +215,7 @@ static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont)
|
||||
# endif
|
||||
|
||||
r->top = max;
|
||||
r->flags |= BN_FLG_FIXED_TOP;
|
||||
n0 = mont->n0[0];
|
||||
|
||||
/*
|
||||
@ -223,6 +234,7 @@ static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont)
|
||||
if (bn_wexpand(ret, nl) == NULL)
|
||||
return (0);
|
||||
ret->top = nl;
|
||||
ret->flags |= BN_FLG_FIXED_TOP;
|
||||
ret->neg = r->neg;
|
||||
|
||||
rp = ret->d;
|
||||
@ -233,20 +245,16 @@ static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont)
|
||||
*/
|
||||
ap = &(r->d[nl]);
|
||||
|
||||
carry -= bn_sub_words(rp, ap, np, nl);
|
||||
/*
|
||||
* |v| is one if |ap| - |np| underflowed or zero if it did not. Note |v|
|
||||
* cannot be -1. That would imply the subtraction did not fit in |nl| words,
|
||||
* and we know at most one subtraction is needed.
|
||||
* |carry| is -1 if |ap| - |np| underflowed or zero if it did not. Note
|
||||
* |carry| cannot be 1. That would imply the subtraction did not fit in
|
||||
* |nl| words, and we know at most one subtraction is needed.
|
||||
*/
|
||||
v = bn_sub_words(rp, ap, np, nl) - carry;
|
||||
v = 0 - v;
|
||||
for (i = 0; i < nl; i++) {
|
||||
rp[i] = (v & ap[i]) | (~v & rp[i]);
|
||||
rp[i] = (carry & ap[i]) | (~carry & rp[i]);
|
||||
ap[i] = 0;
|
||||
}
|
||||
bn_correct_top(r);
|
||||
bn_correct_top(ret);
|
||||
bn_check_top(ret);
|
||||
|
||||
return (1);
|
||||
}
|
||||
@ -260,8 +268,11 @@ int BN_from_montgomery(BIGNUM *ret, const BIGNUM *a, BN_MONT_CTX *mont,
|
||||
BIGNUM *t;
|
||||
|
||||
BN_CTX_start(ctx);
|
||||
if ((t = BN_CTX_get(ctx)) && BN_copy(t, a))
|
||||
retn = BN_from_montgomery_word(ret, t, mont);
|
||||
if ((t = BN_CTX_get(ctx)) && BN_copy(t, a)) {
|
||||
retn = bn_from_montgomery_word(ret, t, mont);
|
||||
bn_correct_top(ret);
|
||||
bn_check_top(ret);
|
||||
}
|
||||
BN_CTX_end(ctx);
|
||||
#else /* !MONT_WORD */
|
||||
BIGNUM *t1, *t2;
|
||||
@ -299,6 +310,12 @@ int BN_from_montgomery(BIGNUM *ret, const BIGNUM *a, BN_MONT_CTX *mont,
|
||||
return (retn);
|
||||
}
|
||||
|
||||
int bn_to_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
|
||||
BN_CTX *ctx)
|
||||
{
|
||||
return bn_mul_mont_fixed_top(r, a, &(mont->RR), mont, ctx);
|
||||
}
|
||||
|
||||
BN_MONT_CTX *BN_MONT_CTX_new(void)
|
||||
{
|
||||
BN_MONT_CTX *ret;
|
||||
@ -335,7 +352,7 @@ void BN_MONT_CTX_free(BN_MONT_CTX *mont)
|
||||
|
||||
int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
|
||||
{
|
||||
int ret = 0;
|
||||
int i, ret = 0;
|
||||
BIGNUM *Ri, *R;
|
||||
|
||||
if (BN_is_zero(mod))
|
||||
@ -466,6 +483,11 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
|
||||
if (!BN_mod(&(mont->RR), &(mont->RR), &(mont->N), ctx))
|
||||
goto err;
|
||||
|
||||
for (i = mont->RR.top, ret = mont->N.top; i < ret; i++)
|
||||
mont->RR.d[i] = 0;
|
||||
mont->RR.top = ret;
|
||||
mont->RR.flags |= BN_FLG_FIXED_TOP;
|
||||
|
||||
ret = 1;
|
||||
err:
|
||||
BN_CTX_end(ctx);
|
||||
|
@ -135,14 +135,8 @@ int BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx)
|
||||
}
|
||||
|
||||
rr->neg = 0;
|
||||
/*
|
||||
* If the most-significant half of the top word of 'a' is zero, then the
|
||||
* square of 'a' will max-1 words.
|
||||
*/
|
||||
if (a->d[al - 1] == (a->d[al - 1] & BN_MASK2l))
|
||||
rr->top = max - 1;
|
||||
else
|
||||
rr->top = max;
|
||||
rr->top = max;
|
||||
bn_correct_top(rr);
|
||||
if (r != rr && BN_copy(r, rr) == NULL)
|
||||
goto err;
|
||||
|
||||
|
15
crypto/bn_int.h
Normal file
15
crypto/bn_int.h
Normal file
@ -0,0 +1,15 @@
|
||||
/*
|
||||
* Some BIGNUM functions assume most significant limb to be non-zero, which
|
||||
* is customarily arranged by bn_correct_top. Output from below functions
|
||||
* is not processed with bn_correct_top, and for this reason it may not be
|
||||
* returned out of public API. It may only be passed internally into other
|
||||
* functions known to support non-minimal or zero-padded BIGNUMs.
|
||||
*/
|
||||
int bn_mul_mont_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
|
||||
BN_MONT_CTX *mont, BN_CTX *ctx);
|
||||
int bn_to_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
|
||||
BN_CTX *ctx);
|
||||
int bn_mod_add_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
|
||||
const BIGNUM *m);
|
||||
|
||||
int bn_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen);
|
@ -290,6 +290,8 @@ CONF_VALUE *_CONF_new_section(CONF *conf, const char *section)
|
||||
|
||||
vv = lh_CONF_VALUE_insert(conf->data, v);
|
||||
OPENSSL_assert(vv == NULL);
|
||||
if (lh_CONF_VALUE_error(conf->data) > 0)
|
||||
goto err;
|
||||
ok = 1;
|
||||
err:
|
||||
if (!ok) {
|
||||
|
@ -130,10 +130,15 @@ static int generate_key(DH *dh)
|
||||
int ok = 0;
|
||||
int generate_new_key = 0;
|
||||
unsigned l;
|
||||
BN_CTX *ctx;
|
||||
BN_CTX *ctx = NULL;
|
||||
BN_MONT_CTX *mont = NULL;
|
||||
BIGNUM *pub_key = NULL, *priv_key = NULL;
|
||||
|
||||
if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
|
||||
DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE);
|
||||
return 0;
|
||||
}
|
||||
|
||||
ctx = BN_CTX_new();
|
||||
if (ctx == NULL)
|
||||
goto err;
|
||||
|
@ -3,7 +3,7 @@
|
||||
* 2006.
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 2006 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 2006-2018 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
@ -486,7 +486,7 @@ static int pkey_dh_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
|
||||
return ret;
|
||||
}
|
||||
#endif
|
||||
return 1;
|
||||
return 0;
|
||||
}
|
||||
|
||||
const EVP_PKEY_METHOD dh_pkey_meth = {
|
||||
|
@ -249,10 +249,12 @@ int DSAparams_print_fp(FILE *fp, const DSA *x);
|
||||
int DSA_print_fp(FILE *bp, const DSA *x, int off);
|
||||
# endif
|
||||
|
||||
# define DSS_prime_checks 50
|
||||
# define DSS_prime_checks 64
|
||||
/*
|
||||
* Primality test according to FIPS PUB 186[-1], Appendix 2.1: 50 rounds of
|
||||
* Rabin-Miller
|
||||
* Primality test according to FIPS PUB 186-4, Appendix C.3. Since we only
|
||||
* have one value here we set the number of checks to 64 which is the 128 bit
|
||||
* security level that is the highest level and valid for creating a 3072 bit
|
||||
* DSA key.
|
||||
*/
|
||||
# define DSA_is_prime(n, callback, cb_arg) \
|
||||
BN_is_prime(n, DSS_prime_checks, callback, NULL, cb_arg)
|
||||
@ -307,6 +309,7 @@ void ERR_load_DSA_strings(void);
|
||||
# define DSA_F_I2D_DSA_SIG 111
|
||||
# define DSA_F_OLD_DSA_PRIV_DECODE 122
|
||||
# define DSA_F_PKEY_DSA_CTRL 120
|
||||
# define DSA_F_PKEY_DSA_CTRL_STR 127
|
||||
# define DSA_F_PKEY_DSA_KEYGEN 121
|
||||
# define DSA_F_SIG_CB 114
|
||||
|
||||
|
@ -1,6 +1,6 @@
|
||||
/* crypto/dsa/dsa_err.c */
|
||||
/* ====================================================================
|
||||
* Copyright (c) 1999-2013 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 1999-2018 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
@ -95,6 +95,7 @@ static ERR_STRING_DATA DSA_str_functs[] = {
|
||||
{ERR_FUNC(DSA_F_I2D_DSA_SIG), "i2d_DSA_SIG"},
|
||||
{ERR_FUNC(DSA_F_OLD_DSA_PRIV_DECODE), "OLD_DSA_PRIV_DECODE"},
|
||||
{ERR_FUNC(DSA_F_PKEY_DSA_CTRL), "PKEY_DSA_CTRL"},
|
||||
{ERR_FUNC(DSA_F_PKEY_DSA_CTRL_STR), "PKEY_DSA_CTRL_STR"},
|
||||
{ERR_FUNC(DSA_F_PKEY_DSA_KEYGEN), "PKEY_DSA_KEYGEN"},
|
||||
{ERR_FUNC(DSA_F_SIG_CB), "SIG_CB"},
|
||||
{0, NULL}
|
||||
|
@ -146,9 +146,16 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
|
||||
/* invalid q size */
|
||||
return 0;
|
||||
|
||||
if (evpmd == NULL)
|
||||
/* use SHA1 as default */
|
||||
evpmd = EVP_sha1();
|
||||
if (evpmd == NULL) {
|
||||
if (qsize == SHA_DIGEST_LENGTH)
|
||||
evpmd = EVP_sha1();
|
||||
else if (qsize == SHA224_DIGEST_LENGTH)
|
||||
evpmd = EVP_sha224();
|
||||
else
|
||||
evpmd = EVP_sha256();
|
||||
} else {
|
||||
qsize = EVP_MD_size(evpmd);
|
||||
}
|
||||
|
||||
if (bits < 512)
|
||||
bits = 512;
|
||||
|
@ -133,17 +133,13 @@ const DSA_METHOD *DSA_OpenSSL(void)
|
||||
static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
|
||||
{
|
||||
BIGNUM *kinv = NULL, *r = NULL, *s = NULL;
|
||||
BIGNUM m;
|
||||
BIGNUM xr;
|
||||
BIGNUM *m, *blind, *blindm, *tmp;
|
||||
BN_CTX *ctx = NULL;
|
||||
int reason = ERR_R_BN_LIB;
|
||||
DSA_SIG *ret = NULL;
|
||||
int noredo = 0;
|
||||
|
||||
BN_init(&m);
|
||||
BN_init(&xr);
|
||||
|
||||
if (!dsa->p || !dsa->q || !dsa->g) {
|
||||
if (dsa->p == NULL || dsa->q == NULL || dsa->g == NULL) {
|
||||
reason = DSA_R_MISSING_PARAMETERS;
|
||||
goto err;
|
||||
}
|
||||
@ -154,6 +150,13 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
|
||||
ctx = BN_CTX_new();
|
||||
if (ctx == NULL)
|
||||
goto err;
|
||||
m = BN_CTX_get(ctx);
|
||||
blind = BN_CTX_get(ctx);
|
||||
blindm = BN_CTX_get(ctx);
|
||||
tmp = BN_CTX_get(ctx);
|
||||
if (tmp == NULL)
|
||||
goto err;
|
||||
|
||||
redo:
|
||||
if ((dsa->kinv == NULL) || (dsa->r == NULL)) {
|
||||
if (!DSA_sign_setup(dsa, ctx, &kinv, &r))
|
||||
@ -173,20 +176,52 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
|
||||
* 4.2
|
||||
*/
|
||||
dlen = BN_num_bytes(dsa->q);
|
||||
if (BN_bin2bn(dgst, dlen, &m) == NULL)
|
||||
if (BN_bin2bn(dgst, dlen, m) == NULL)
|
||||
goto err;
|
||||
|
||||
/* Compute s = inv(k) (m + xr) mod q */
|
||||
if (!BN_mod_mul(&xr, dsa->priv_key, r, dsa->q, ctx))
|
||||
goto err; /* s = xr */
|
||||
if (!BN_add(s, &xr, &m))
|
||||
goto err; /* s = m + xr */
|
||||
if (BN_cmp(s, dsa->q) > 0)
|
||||
if (!BN_sub(s, s, dsa->q))
|
||||
/*
|
||||
* The normal signature calculation is:
|
||||
*
|
||||
* s := k^-1 * (m + r * priv_key) mod q
|
||||
*
|
||||
* We will blind this to protect against side channel attacks
|
||||
*
|
||||
* s := blind^-1 * k^-1 * (blind * m + blind * r * priv_key) mod q
|
||||
*/
|
||||
|
||||
/* Generate a blinding value */
|
||||
do {
|
||||
if (!BN_rand(blind, BN_num_bits(dsa->q) - 1, -1, 0))
|
||||
goto err;
|
||||
} while (BN_is_zero(blind));
|
||||
BN_set_flags(blind, BN_FLG_CONSTTIME);
|
||||
BN_set_flags(blindm, BN_FLG_CONSTTIME);
|
||||
BN_set_flags(tmp, BN_FLG_CONSTTIME);
|
||||
|
||||
/* tmp := blind * priv_key * r mod q */
|
||||
if (!BN_mod_mul(tmp, blind, dsa->priv_key, dsa->q, ctx))
|
||||
goto err;
|
||||
if (!BN_mod_mul(tmp, tmp, r, dsa->q, ctx))
|
||||
goto err;
|
||||
|
||||
/* blindm := blind * m mod q */
|
||||
if (!BN_mod_mul(blindm, blind, m, dsa->q, ctx))
|
||||
goto err;
|
||||
|
||||
/* s : = (blind * priv_key * r) + (blind * m) mod q */
|
||||
if (!BN_mod_add_quick(s, tmp, blindm, dsa->q))
|
||||
goto err;
|
||||
|
||||
/* s := s * k^-1 mod q */
|
||||
if (!BN_mod_mul(s, s, kinv, dsa->q, ctx))
|
||||
goto err;
|
||||
|
||||
/* s:= s * blind^-1 mod q */
|
||||
if (BN_mod_inverse(blind, blind, dsa->q, ctx) == NULL)
|
||||
goto err;
|
||||
if (!BN_mod_mul(s, s, blind, dsa->q, ctx))
|
||||
goto err;
|
||||
|
||||
/*
|
||||
* Redo if r or s is zero as required by FIPS 186-3: this is very
|
||||
* unlikely.
|
||||
@ -210,13 +245,9 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
|
||||
BN_free(r);
|
||||
BN_free(s);
|
||||
}
|
||||
if (ctx != NULL)
|
||||
BN_CTX_free(ctx);
|
||||
BN_clear_free(&m);
|
||||
BN_clear_free(&xr);
|
||||
if (kinv != NULL) /* dsa->kinv is NULL now if we used it */
|
||||
BN_clear_free(kinv);
|
||||
return (ret);
|
||||
BN_CTX_free(ctx);
|
||||
BN_clear_free(kinv);
|
||||
return ret;
|
||||
}
|
||||
|
||||
static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
|
||||
|
@ -3,7 +3,7 @@
|
||||
* 2006.
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 2006 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 2006-2018 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
@ -230,10 +230,16 @@ static int pkey_dsa_ctrl_str(EVP_PKEY_CTX *ctx,
|
||||
EVP_PKEY_CTRL_DSA_PARAMGEN_Q_BITS, qbits,
|
||||
NULL);
|
||||
}
|
||||
if (!strcmp(type, "dsa_paramgen_md")) {
|
||||
if (strcmp(type, "dsa_paramgen_md") == 0) {
|
||||
const EVP_MD *md = EVP_get_digestbyname(value);
|
||||
|
||||
if (md == NULL) {
|
||||
DSAerr(DSA_F_PKEY_DSA_CTRL_STR, DSA_R_INVALID_DIGEST_TYPE);
|
||||
return 0;
|
||||
}
|
||||
return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DSA, EVP_PKEY_OP_PARAMGEN,
|
||||
EVP_PKEY_CTRL_DSA_PARAMGEN_MD, 0,
|
||||
(void *)EVP_get_digestbyname(value));
|
||||
(void *)md);
|
||||
}
|
||||
return -2;
|
||||
}
|
||||
|
@ -3,7 +3,7 @@
|
||||
* 2006.
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 2006 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 2006-2018 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
@ -143,19 +143,19 @@ static int eckey_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
|
||||
static EC_KEY *eckey_type2param(int ptype, void *pval)
|
||||
{
|
||||
EC_KEY *eckey = NULL;
|
||||
EC_GROUP *group = NULL;
|
||||
|
||||
if (ptype == V_ASN1_SEQUENCE) {
|
||||
ASN1_STRING *pstr = pval;
|
||||
const unsigned char *pm = NULL;
|
||||
int pmlen;
|
||||
pm = pstr->data;
|
||||
pmlen = pstr->length;
|
||||
if (!(eckey = d2i_ECParameters(NULL, &pm, pmlen))) {
|
||||
const ASN1_STRING *pstr = pval;
|
||||
const unsigned char *pm = pstr->data;
|
||||
int pmlen = pstr->length;
|
||||
|
||||
if ((eckey = d2i_ECParameters(NULL, &pm, pmlen)) == NULL) {
|
||||
ECerr(EC_F_ECKEY_TYPE2PARAM, EC_R_DECODE_ERROR);
|
||||
goto ecerr;
|
||||
}
|
||||
} else if (ptype == V_ASN1_OBJECT) {
|
||||
ASN1_OBJECT *poid = pval;
|
||||
EC_GROUP *group;
|
||||
const ASN1_OBJECT *poid = pval;
|
||||
|
||||
/*
|
||||
* type == V_ASN1_OBJECT => the parameters are given by an asn1 OID
|
||||
@ -179,8 +179,8 @@ static EC_KEY *eckey_type2param(int ptype, void *pval)
|
||||
return eckey;
|
||||
|
||||
ecerr:
|
||||
if (eckey)
|
||||
EC_KEY_free(eckey);
|
||||
EC_KEY_free(eckey);
|
||||
EC_GROUP_free(group);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
|
@ -3,7 +3,7 @@
|
||||
* Originally written by Bodo Moeller for the OpenSSL project.
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
@ -319,12 +319,16 @@ int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator,
|
||||
BN_zero(&group->cofactor);
|
||||
|
||||
/*
|
||||
* We ignore the return value because some groups have an order with
|
||||
* Some groups have an order with
|
||||
* factors of two, which makes the Montgomery setup fail.
|
||||
* |group->mont_data| will be NULL in this case.
|
||||
*/
|
||||
ec_precompute_mont_data(group);
|
||||
if (BN_is_odd(&group->order)) {
|
||||
return ec_precompute_mont_data(group);
|
||||
}
|
||||
|
||||
BN_MONT_CTX_free(group->mont_data);
|
||||
group->mont_data = NULL;
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
@ -1118,23 +1118,32 @@ static int ecp_nistz256_set_from_affine(EC_POINT *out, const EC_GROUP *group,
|
||||
const P256_POINT_AFFINE *in,
|
||||
BN_CTX *ctx)
|
||||
{
|
||||
BIGNUM x, y;
|
||||
BN_ULONG d_x[P256_LIMBS], d_y[P256_LIMBS];
|
||||
BIGNUM x, y, z;
|
||||
int ret = 0;
|
||||
|
||||
memcpy(d_x, in->X, sizeof(d_x));
|
||||
x.d = d_x;
|
||||
/*
|
||||
* |const| qualifier omission is compensated by BN_FLG_STATIC_DATA
|
||||
* flag, which effectively means "read-only data".
|
||||
*/
|
||||
x.d = (BN_ULONG *)in->X;
|
||||
x.dmax = x.top = P256_LIMBS;
|
||||
x.neg = 0;
|
||||
x.flags = BN_FLG_STATIC_DATA;
|
||||
|
||||
memcpy(d_y, in->Y, sizeof(d_y));
|
||||
y.d = d_y;
|
||||
y.d = (BN_ULONG *)in->Y;
|
||||
y.dmax = y.top = P256_LIMBS;
|
||||
y.neg = 0;
|
||||
y.flags = BN_FLG_STATIC_DATA;
|
||||
|
||||
ret = EC_POINT_set_affine_coordinates_GFp(group, out, &x, &y, ctx);
|
||||
z.d = (BN_ULONG *)ONE;
|
||||
z.dmax = z.top = P256_LIMBS;
|
||||
z.neg = 0;
|
||||
z.flags = BN_FLG_STATIC_DATA;
|
||||
|
||||
if ((ret = (BN_copy(&out->X, &x) != NULL))
|
||||
&& (ret = (BN_copy(&out->Y, &y) != NULL))
|
||||
&& (ret = (BN_copy(&out->Z, &z) != NULL)))
|
||||
out->Z_is_one = 1;
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
@ -114,7 +114,7 @@ ecs_ossl.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
|
||||
ecs_ossl.o: ../../include/openssl/opensslconf.h
|
||||
ecs_ossl.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
|
||||
ecs_ossl.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
|
||||
ecs_ossl.o: ../../include/openssl/symhacks.h ecs_locl.h ecs_ossl.c
|
||||
ecs_ossl.o: ../../include/openssl/symhacks.h ../bn_int.h ecs_locl.h ecs_ossl.c
|
||||
ecs_sign.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
|
||||
ecs_sign.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
|
||||
ecs_sign.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
|
||||
|
@ -3,7 +3,7 @@
|
||||
* Written by Nils Larsch for the OpenSSL project.
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 2000-2005 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 2000-2018 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
@ -137,7 +137,7 @@ int restore_rand(void)
|
||||
return 1;
|
||||
}
|
||||
|
||||
static int fbytes_counter = 0;
|
||||
static int fbytes_counter = 0, use_fake = 0;
|
||||
static const char *numbers[8] = {
|
||||
"651056770906015076056810763456358567190100156695615665659",
|
||||
"6140507067065001063065065565667405560006161556565665656654",
|
||||
@ -158,6 +158,11 @@ int fbytes(unsigned char *buf, int num)
|
||||
int ret;
|
||||
BIGNUM *tmp = NULL;
|
||||
|
||||
if (use_fake == 0)
|
||||
return old_rand->bytes(buf, num);
|
||||
|
||||
use_fake = 0;
|
||||
|
||||
if (fbytes_counter >= 8)
|
||||
return 0;
|
||||
tmp = BN_new();
|
||||
@ -199,11 +204,13 @@ int x9_62_test_internal(BIO *out, int nid, const char *r_in, const char *s_in)
|
||||
/* create the key */
|
||||
if ((key = EC_KEY_new_by_curve_name(nid)) == NULL)
|
||||
goto x962_int_err;
|
||||
use_fake = 1;
|
||||
if (!EC_KEY_generate_key(key))
|
||||
goto x962_int_err;
|
||||
BIO_printf(out, ".");
|
||||
(void)BIO_flush(out);
|
||||
/* create the signature */
|
||||
use_fake = 1;
|
||||
signature = ECDSA_do_sign(digest, 20, key);
|
||||
if (signature == NULL)
|
||||
goto x962_int_err;
|
||||
|
@ -3,7 +3,7 @@
|
||||
* Written by Nils Larsch for the OpenSSL project
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 1998-2004 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
@ -60,6 +60,7 @@
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/obj_mac.h>
|
||||
#include <openssl/bn.h>
|
||||
#include "bn_int.h"
|
||||
|
||||
static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dlen,
|
||||
const BIGNUM *, const BIGNUM *,
|
||||
@ -251,13 +252,14 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
|
||||
EC_KEY *eckey)
|
||||
{
|
||||
int ok = 0, i;
|
||||
BIGNUM *kinv = NULL, *s, *m = NULL, *tmp = NULL, *order = NULL;
|
||||
BIGNUM *kinv = NULL, *s, *m = NULL, *order = NULL;
|
||||
const BIGNUM *ckinv;
|
||||
BN_CTX *ctx = NULL;
|
||||
const EC_GROUP *group;
|
||||
ECDSA_SIG *ret;
|
||||
ECDSA_DATA *ecdsa;
|
||||
const BIGNUM *priv_key;
|
||||
BN_MONT_CTX *mont_data;
|
||||
|
||||
ecdsa = ecdsa_check(eckey);
|
||||
group = EC_KEY_get0_group(eckey);
|
||||
@ -276,7 +278,7 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
|
||||
s = ret->s;
|
||||
|
||||
if ((ctx = BN_CTX_new()) == NULL || (order = BN_new()) == NULL ||
|
||||
(tmp = BN_new()) == NULL || (m = BN_new()) == NULL) {
|
||||
(m = BN_new()) == NULL) {
|
||||
ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE);
|
||||
goto err;
|
||||
}
|
||||
@ -285,6 +287,8 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
|
||||
ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_EC_LIB);
|
||||
goto err;
|
||||
}
|
||||
mont_data = EC_GROUP_get_mont_data(group);
|
||||
|
||||
i = BN_num_bits(order);
|
||||
/*
|
||||
* Need to truncate digest if it is too long: first truncate whole bytes.
|
||||
@ -315,15 +319,27 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
|
||||
}
|
||||
}
|
||||
|
||||
if (!BN_mod_mul(tmp, priv_key, ret->r, order, ctx)) {
|
||||
/*
|
||||
* With only one multiplicant being in Montgomery domain
|
||||
* multiplication yields real result without post-conversion.
|
||||
* Also note that all operations but last are performed with
|
||||
* zero-padded vectors. Last operation, BN_mod_mul_montgomery
|
||||
* below, returns user-visible value with removed zero padding.
|
||||
*/
|
||||
if (!bn_to_mont_fixed_top(s, ret->r, mont_data, ctx)
|
||||
|| !bn_mul_mont_fixed_top(s, s, priv_key, mont_data, ctx)) {
|
||||
goto err;
|
||||
}
|
||||
if (!bn_mod_add_fixed_top(s, s, m, order)) {
|
||||
ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
|
||||
goto err;
|
||||
}
|
||||
if (!BN_mod_add_quick(s, tmp, m, order)) {
|
||||
ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
|
||||
goto err;
|
||||
}
|
||||
if (!BN_mod_mul(s, s, ckinv, order, ctx)) {
|
||||
/*
|
||||
* |s| can still be larger than modulus, because |m| can be. In
|
||||
* such case we count on Montgomery reduction to tie it up.
|
||||
*/
|
||||
if (!bn_to_mont_fixed_top(s, s, mont_data, ctx)
|
||||
|| !BN_mod_mul_montgomery(s, s, ckinv, mont_data, ctx)) {
|
||||
ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
|
||||
goto err;
|
||||
}
|
||||
@ -353,8 +369,6 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
|
||||
BN_CTX_free(ctx);
|
||||
if (m)
|
||||
BN_clear_free(m);
|
||||
if (tmp)
|
||||
BN_clear_free(tmp);
|
||||
if (order)
|
||||
BN_free(order);
|
||||
if (kinv)
|
||||
|
@ -4,7 +4,7 @@
|
||||
* 2000.
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 1999-2001 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 1999-2018 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
@ -188,8 +188,10 @@ void engine_cleanup_add_last(ENGINE_CLEANUP_CB *cb)
|
||||
if (!int_cleanup_check(1))
|
||||
return;
|
||||
item = int_cleanup_item(cb);
|
||||
if (item)
|
||||
sk_ENGINE_CLEANUP_ITEM_push(cleanup_stack, item);
|
||||
if (item != NULL) {
|
||||
if (sk_ENGINE_CLEANUP_ITEM_push(cleanup_stack, item) <= 0)
|
||||
OPENSSL_free(item);
|
||||
}
|
||||
}
|
||||
|
||||
/* The API function that performs all cleanup */
|
||||
|
@ -1,5 +1,5 @@
|
||||
/* ====================================================================
|
||||
* Copyright (c) 2006 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 2006-2018 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
@ -215,7 +215,7 @@ static void look_str_cb(int nid, STACK_OF(ENGINE) *sk, ENGINE *def, void *arg)
|
||||
ENGINE *e = sk_ENGINE_value(sk, i);
|
||||
EVP_PKEY_ASN1_METHOD *ameth;
|
||||
e->pkey_asn1_meths(e, &ameth, NULL, nid);
|
||||
if (((int)strlen(ameth->pem_str) == lk->len) &&
|
||||
if (ameth != NULL && ((int)strlen(ameth->pem_str) == lk->len) &&
|
||||
!strncasecmp(ameth->pem_str, lk->str, lk->len)) {
|
||||
lk->e = e;
|
||||
lk->ameth = ameth;
|
||||
|
@ -109,6 +109,10 @@ struct tm *OPENSSL_gmtime(const time_t *timer, struct tm *result)
|
||||
if (gmtime_r(timer, result) == NULL)
|
||||
return NULL;
|
||||
ts = result;
|
||||
#elif defined (OPENSSL_SYS_WINDOWS) && defined(_MSC_VER) && _MSC_VER >= 1400
|
||||
if (gmtime_s(result, timer))
|
||||
return NULL;
|
||||
ts = result;
|
||||
#elif !defined(OPENSSL_SYS_VMS) || defined(VMS_GMTIME_OK)
|
||||
ts = gmtime(timer);
|
||||
if (ts == NULL)
|
||||
|
@ -30,11 +30,11 @@ extern "C" {
|
||||
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
|
||||
* major minor fix final patch/beta)
|
||||
*/
|
||||
# define OPENSSL_VERSION_NUMBER 0x100020ffL
|
||||
# define OPENSSL_VERSION_NUMBER 0x1000210fL
|
||||
# ifdef OPENSSL_FIPS
|
||||
# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2o-fips 27 Mar 2018"
|
||||
# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2p-fips 14 Aug 2018"
|
||||
# else
|
||||
# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2o 27 Mar 2018"
|
||||
# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2p 14 Aug 2018"
|
||||
# endif
|
||||
# define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
|
||||
|
||||
|
@ -442,7 +442,8 @@ void PEM_SignUpdate(EVP_MD_CTX *ctx, unsigned char *d, unsigned int cnt);
|
||||
int PEM_SignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
|
||||
unsigned int *siglen, EVP_PKEY *pkey);
|
||||
|
||||
int PEM_def_callback(char *buf, int num, int w, void *key);
|
||||
/* The default pem_password_cb that's used internally */
|
||||
int PEM_def_callback(char *buf, int num, int rwflag, void *userdata);
|
||||
void PEM_proc_type(char *buf, int type);
|
||||
void PEM_dek_info(char *buf, const char *type, int len, char *str);
|
||||
|
||||
|
@ -82,51 +82,39 @@ static int load_iv(char **fromp, unsigned char *to, int num);
|
||||
static int check_pem(const char *nm, const char *name);
|
||||
int pem_check_suffix(const char *pem_str, const char *suffix);
|
||||
|
||||
int PEM_def_callback(char *buf, int num, int w, void *key)
|
||||
int PEM_def_callback(char *buf, int num, int rwflag, void *userdata)
|
||||
{
|
||||
#ifdef OPENSSL_NO_FP_API
|
||||
/*
|
||||
* We should not ever call the default callback routine from windows.
|
||||
*/
|
||||
PEMerr(PEM_F_PEM_DEF_CALLBACK, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
|
||||
return (-1);
|
||||
#else
|
||||
int i, j;
|
||||
int i, min_len;
|
||||
const char *prompt;
|
||||
if (key) {
|
||||
i = strlen(key);
|
||||
|
||||
/* We assume that the user passes a default password as userdata */
|
||||
if (userdata) {
|
||||
i = strlen(userdata);
|
||||
i = (i > num) ? num : i;
|
||||
memcpy(buf, key, i);
|
||||
return (i);
|
||||
memcpy(buf, userdata, i);
|
||||
return i;
|
||||
}
|
||||
|
||||
prompt = EVP_get_pw_prompt();
|
||||
if (prompt == NULL)
|
||||
prompt = "Enter PEM pass phrase:";
|
||||
|
||||
for (;;) {
|
||||
/*
|
||||
* We assume that w == 0 means decryption,
|
||||
* while w == 1 means encryption
|
||||
*/
|
||||
int min_len = w ? MIN_LENGTH : 0;
|
||||
/*
|
||||
* rwflag == 0 means decryption
|
||||
* rwflag == 1 means encryption
|
||||
*
|
||||
* We assume that for encryption, we want a minimum length, while for
|
||||
* decryption, we cannot know any minimum length, so we assume zero.
|
||||
*/
|
||||
min_len = rwflag ? MIN_LENGTH : 0;
|
||||
|
||||
i = EVP_read_pw_string_min(buf, min_len, num, prompt, w);
|
||||
if (i != 0) {
|
||||
PEMerr(PEM_F_PEM_DEF_CALLBACK, PEM_R_PROBLEMS_GETTING_PASSWORD);
|
||||
memset(buf, 0, (unsigned int)num);
|
||||
return (-1);
|
||||
}
|
||||
j = strlen(buf);
|
||||
if (min_len && j < min_len) {
|
||||
fprintf(stderr,
|
||||
"phrase is too short, needs to be at least %d chars\n",
|
||||
min_len);
|
||||
} else
|
||||
break;
|
||||
i = EVP_read_pw_string_min(buf, min_len, num, prompt, rwflag);
|
||||
if (i != 0) {
|
||||
PEMerr(PEM_F_PEM_DEF_CALLBACK, PEM_R_PROBLEMS_GETTING_PASSWORD);
|
||||
memset(buf, 0, (unsigned int)num);
|
||||
return -1;
|
||||
}
|
||||
return (j);
|
||||
#endif
|
||||
return strlen(buf);
|
||||
}
|
||||
|
||||
void PEM_proc_type(char *buf, int type)
|
||||
@ -459,7 +447,7 @@ int PEM_do_header(EVP_CIPHER_INFO *cipher, unsigned char *data, long *plen,
|
||||
klen = PEM_def_callback(buf, PEM_BUFSIZE, 0, u);
|
||||
else
|
||||
klen = callback(buf, PEM_BUFSIZE, 0, u);
|
||||
if (klen <= 0) {
|
||||
if (klen < 0) {
|
||||
PEMerr(PEM_F_PEM_DO_HEADER, PEM_R_BAD_PASSWORD_READ);
|
||||
return (0);
|
||||
}
|
||||
@ -499,6 +487,7 @@ int PEM_get_EVP_CIPHER_INFO(char *header, EVP_CIPHER_INFO *cipher)
|
||||
char **header_pp = &header;
|
||||
|
||||
cipher->cipher = NULL;
|
||||
memset(cipher->iv, 0, sizeof(cipher->iv));
|
||||
if ((header == NULL) || (*header == '\0') || (*header == '\n'))
|
||||
return (1);
|
||||
if (strncmp(header, "Proc-Type: ", 11) != 0) {
|
||||
|
@ -171,7 +171,7 @@ EVP_PKEY *d2i_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY **x, pem_password_cb *cb,
|
||||
klen = cb(psbuf, PEM_BUFSIZE, 0, u);
|
||||
else
|
||||
klen = PEM_def_callback(psbuf, PEM_BUFSIZE, 0, u);
|
||||
if (klen <= 0) {
|
||||
if (klen < 0) {
|
||||
PEMerr(PEM_F_D2I_PKCS8PRIVATEKEY_BIO, PEM_R_BAD_PASSWORD_READ);
|
||||
X509_SIG_free(p8);
|
||||
return NULL;
|
||||
|
@ -113,7 +113,7 @@ EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, pem_password_cb *cb,
|
||||
klen = cb(psbuf, PEM_BUFSIZE, 0, u);
|
||||
else
|
||||
klen = PEM_def_callback(psbuf, PEM_BUFSIZE, 0, u);
|
||||
if (klen <= 0) {
|
||||
if (klen < 0) {
|
||||
PEMerr(PEM_F_PEM_READ_BIO_PRIVATEKEY, PEM_R_BAD_PASSWORD_READ);
|
||||
X509_SIG_free(p8);
|
||||
goto err;
|
||||
|
@ -3,7 +3,7 @@
|
||||
* 2005.
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 2005 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 2005-2018 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
@ -702,7 +702,7 @@ static EVP_PKEY *do_PVK_body(const unsigned char **in,
|
||||
inlen = cb(psbuf, PEM_BUFSIZE, 0, u);
|
||||
else
|
||||
inlen = PEM_def_callback(psbuf, PEM_BUFSIZE, 0, u);
|
||||
if (inlen <= 0) {
|
||||
if (inlen < 0) {
|
||||
PEMerr(PEM_F_DO_PVK_BODY, PEM_R_BAD_PASSWORD_READ);
|
||||
goto err;
|
||||
}
|
||||
|
@ -4,7 +4,7 @@
|
||||
* 1999.
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 1999 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 1999-2018 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
@ -100,7 +100,7 @@ ASN1_ADB_TEMPLATE(safebag_default) = ASN1_EXP(PKCS12_SAFEBAG, value.other, ASN1_
|
||||
ASN1_ADB(PKCS12_SAFEBAG) = {
|
||||
ADB_ENTRY(NID_keyBag, ASN1_EXP(PKCS12_SAFEBAG, value.keybag, PKCS8_PRIV_KEY_INFO, 0)),
|
||||
ADB_ENTRY(NID_pkcs8ShroudedKeyBag, ASN1_EXP(PKCS12_SAFEBAG, value.shkeybag, X509_SIG, 0)),
|
||||
ADB_ENTRY(NID_safeContentsBag, ASN1_EXP_SET_OF(PKCS12_SAFEBAG, value.safes, PKCS12_SAFEBAG, 0)),
|
||||
ADB_ENTRY(NID_safeContentsBag, ASN1_EXP_SEQUENCE_OF(PKCS12_SAFEBAG, value.safes, PKCS12_SAFEBAG, 0)),
|
||||
ADB_ENTRY(NID_certBag, ASN1_EXP(PKCS12_SAFEBAG, value.bag, PKCS12_BAGS, 0)),
|
||||
ADB_ENTRY(NID_crlBag, ASN1_EXP(PKCS12_SAFEBAG, value.bag, PKCS12_BAGS, 0)),
|
||||
ADB_ENTRY(NID_secretBag, ASN1_EXP(PKCS12_SAFEBAG, value.bag, PKCS12_BAGS, 0))
|
||||
|
@ -153,7 +153,7 @@ rsa_eay.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
|
||||
rsa_eay.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
|
||||
rsa_eay.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
|
||||
rsa_eay.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
|
||||
rsa_eay.o: ../../include/openssl/symhacks.h ../cryptlib.h rsa_eay.c
|
||||
rsa_eay.o: ../../include/openssl/symhacks.h ../bn_int.h ../cryptlib.h rsa_eay.c
|
||||
rsa_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
|
||||
rsa_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
|
||||
rsa_err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
|
||||
|
@ -56,7 +56,7 @@
|
||||
* [including the GNU Public Licence.]
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
@ -114,6 +114,7 @@
|
||||
#include <openssl/bn.h>
|
||||
#include <openssl/rsa.h>
|
||||
#include <openssl/rand.h>
|
||||
#include "bn_int.h"
|
||||
|
||||
#ifndef RSA_NULL
|
||||
|
||||
@ -156,7 +157,7 @@ static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
|
||||
unsigned char *to, RSA *rsa, int padding)
|
||||
{
|
||||
BIGNUM *f, *ret;
|
||||
int i, j, k, num = 0, r = -1;
|
||||
int i, num = 0, r = -1;
|
||||
unsigned char *buf = NULL;
|
||||
BN_CTX *ctx = NULL;
|
||||
|
||||
@ -232,15 +233,10 @@ static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
|
||||
goto err;
|
||||
|
||||
/*
|
||||
* put in leading 0 bytes if the number is less than the length of the
|
||||
* modulus
|
||||
* BN_bn2binpad puts in leading 0 bytes if the number is less than
|
||||
* the length of the modulus.
|
||||
*/
|
||||
j = BN_num_bytes(ret);
|
||||
i = BN_bn2bin(ret, &(to[num - j]));
|
||||
for (k = 0; k < (num - i); k++)
|
||||
to[k] = 0;
|
||||
|
||||
r = num;
|
||||
r = bn_bn2binpad(ret, to, num);
|
||||
err:
|
||||
if (ctx != NULL) {
|
||||
BN_CTX_end(ctx);
|
||||
@ -349,7 +345,7 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
|
||||
unsigned char *to, RSA *rsa, int padding)
|
||||
{
|
||||
BIGNUM *f, *ret, *res;
|
||||
int i, j, k, num = 0, r = -1;
|
||||
int i, num = 0, r = -1;
|
||||
unsigned char *buf = NULL;
|
||||
BN_CTX *ctx = NULL;
|
||||
int local_blinding = 0;
|
||||
@ -459,15 +455,10 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
|
||||
res = ret;
|
||||
|
||||
/*
|
||||
* put in leading 0 bytes if the number is less than the length of the
|
||||
* modulus
|
||||
* BN_bn2binpad puts in leading 0 bytes if the number is less than
|
||||
* the length of the modulus.
|
||||
*/
|
||||
j = BN_num_bytes(res);
|
||||
i = BN_bn2bin(res, &(to[num - j]));
|
||||
for (k = 0; k < (num - i); k++)
|
||||
to[k] = 0;
|
||||
|
||||
r = num;
|
||||
r = bn_bn2binpad(res, to, num);
|
||||
err:
|
||||
if (ctx != NULL) {
|
||||
BN_CTX_end(ctx);
|
||||
@ -485,7 +476,6 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
|
||||
{
|
||||
BIGNUM *f, *ret;
|
||||
int j, num = 0, r = -1;
|
||||
unsigned char *p;
|
||||
unsigned char *buf = NULL;
|
||||
BN_CTX *ctx = NULL;
|
||||
int local_blinding = 0;
|
||||
@ -576,8 +566,7 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
|
||||
if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
|
||||
goto err;
|
||||
|
||||
p = buf;
|
||||
j = BN_bn2bin(ret, p); /* j is only used with no-padding mode */
|
||||
j = bn_bn2binpad(ret, buf, num);
|
||||
|
||||
switch (padding) {
|
||||
case RSA_PKCS1_PADDING:
|
||||
@ -592,7 +581,7 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
|
||||
r = RSA_padding_check_SSLv23(to, num, buf, j, num);
|
||||
break;
|
||||
case RSA_NO_PADDING:
|
||||
r = RSA_padding_check_none(to, num, buf, j, num);
|
||||
memcpy(to, buf, (r = j));
|
||||
break;
|
||||
default:
|
||||
RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
|
||||
@ -619,7 +608,6 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
|
||||
{
|
||||
BIGNUM *f, *ret;
|
||||
int i, num = 0, r = -1;
|
||||
unsigned char *p;
|
||||
unsigned char *buf = NULL;
|
||||
BN_CTX *ctx = NULL;
|
||||
|
||||
@ -684,8 +672,7 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
|
||||
if (!BN_sub(ret, rsa->n, ret))
|
||||
goto err;
|
||||
|
||||
p = buf;
|
||||
i = BN_bn2bin(ret, p);
|
||||
i = bn_bn2binpad(ret, buf, num);
|
||||
|
||||
switch (padding) {
|
||||
case RSA_PKCS1_PADDING:
|
||||
@ -695,7 +682,7 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
|
||||
r = RSA_padding_check_X931(to, num, buf, i, num);
|
||||
break;
|
||||
case RSA_NO_PADDING:
|
||||
r = RSA_padding_check_none(to, num, buf, i, num);
|
||||
memcpy(to, buf, (r = i));
|
||||
break;
|
||||
default:
|
||||
RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
|
||||
|
@ -156,6 +156,8 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
|
||||
if (BN_copy(rsa->e, e_value) == NULL)
|
||||
goto err;
|
||||
|
||||
BN_set_flags(rsa->p, BN_FLG_CONSTTIME);
|
||||
BN_set_flags(rsa->q, BN_FLG_CONSTTIME);
|
||||
BN_set_flags(r2, BN_FLG_CONSTTIME);
|
||||
/* generate p and q */
|
||||
for (;;) {
|
||||
|
@ -120,7 +120,7 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
|
||||
int plen, const EVP_MD *md,
|
||||
const EVP_MD *mgf1md)
|
||||
{
|
||||
int i, dblen, mlen = -1, one_index = 0, msg_index;
|
||||
int i, dblen = 0, mlen = -1, one_index = 0, msg_index;
|
||||
unsigned int good, found_one_byte;
|
||||
const unsigned char *maskedseed, *maskeddb;
|
||||
/*
|
||||
@ -153,32 +153,41 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
|
||||
|
||||
dblen = num - mdlen - 1;
|
||||
db = OPENSSL_malloc(dblen);
|
||||
em = OPENSSL_malloc(num);
|
||||
if (db == NULL || em == NULL) {
|
||||
if (db == NULL) {
|
||||
RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1, ERR_R_MALLOC_FAILURE);
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
/*
|
||||
* Always do this zero-padding copy (even when num == flen) to avoid
|
||||
* leaking that information. The copy still leaks some side-channel
|
||||
* information, but it's impossible to have a fixed memory access
|
||||
* pattern since we can't read out of the bounds of |from|.
|
||||
*
|
||||
* TODO(emilia): Consider porting BN_bn2bin_padded from BoringSSL.
|
||||
*/
|
||||
memset(em, 0, num);
|
||||
memcpy(em + num - flen, from, flen);
|
||||
if (flen != num) {
|
||||
em = OPENSSL_malloc(num);
|
||||
if (em == NULL) {
|
||||
RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1,
|
||||
ERR_R_MALLOC_FAILURE);
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
/*
|
||||
* Caller is encouraged to pass zero-padded message created with
|
||||
* BN_bn2binpad, but if it doesn't, we do this zero-padding copy
|
||||
* to avoid leaking that information. The copy still leaks some
|
||||
* side-channel information, but it's impossible to have a fixed
|
||||
* memory access pattern since we can't read out of the bounds of
|
||||
* |from|.
|
||||
*/
|
||||
memset(em, 0, num);
|
||||
memcpy(em + num - flen, from, flen);
|
||||
from = em;
|
||||
}
|
||||
|
||||
/*
|
||||
* The first byte must be zero, however we must not leak if this is
|
||||
* true. See James H. Manger, "A Chosen Ciphertext Attack on RSA
|
||||
* Optimal Asymmetric Encryption Padding (OAEP) [...]", CRYPTO 2001).
|
||||
*/
|
||||
good = constant_time_is_zero(em[0]);
|
||||
good = constant_time_is_zero(from[0]);
|
||||
|
||||
maskedseed = em + 1;
|
||||
maskeddb = em + 1 + mdlen;
|
||||
maskedseed = from + 1;
|
||||
maskeddb = from + 1 + mdlen;
|
||||
|
||||
if (PKCS1_MGF1(seed, mdlen, maskeddb, dblen, mgf1md))
|
||||
goto cleanup;
|
||||
|
@ -98,6 +98,27 @@ int RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen,
|
||||
const unsigned char *p;
|
||||
|
||||
p = from;
|
||||
|
||||
/*
|
||||
* The format is
|
||||
* 00 || 01 || PS || 00 || D
|
||||
* PS - padding string, at least 8 bytes of FF
|
||||
* D - data.
|
||||
*/
|
||||
|
||||
if (num < 11)
|
||||
return -1;
|
||||
|
||||
/* Accept inputs with and without the leading 0-byte. */
|
||||
if (num == flen) {
|
||||
if ((*p++) != 0x00) {
|
||||
RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,
|
||||
RSA_R_INVALID_PADDING);
|
||||
return -1;
|
||||
}
|
||||
flen--;
|
||||
}
|
||||
|
||||
if ((num != (flen + 1)) || (*(p++) != 01)) {
|
||||
RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,
|
||||
RSA_R_BLOCK_TYPE_IS_NOT_01);
|
||||
@ -203,28 +224,31 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
|
||||
if (num < 11)
|
||||
goto err;
|
||||
|
||||
em = OPENSSL_malloc(num);
|
||||
if (em == NULL) {
|
||||
RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2, ERR_R_MALLOC_FAILURE);
|
||||
return -1;
|
||||
if (flen != num) {
|
||||
em = OPENSSL_malloc(num);
|
||||
if (em == NULL) {
|
||||
RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2, ERR_R_MALLOC_FAILURE);
|
||||
return -1;
|
||||
}
|
||||
/*
|
||||
* Caller is encouraged to pass zero-padded message created with
|
||||
* BN_bn2binpad, but if it doesn't, we do this zero-padding copy
|
||||
* to avoid leaking that information. The copy still leaks some
|
||||
* side-channel information, but it's impossible to have a fixed
|
||||
* memory access pattern since we can't read out of the bounds of
|
||||
* |from|.
|
||||
*/
|
||||
memset(em, 0, num);
|
||||
memcpy(em + num - flen, from, flen);
|
||||
from = em;
|
||||
}
|
||||
memset(em, 0, num);
|
||||
/*
|
||||
* Always do this zero-padding copy (even when num == flen) to avoid
|
||||
* leaking that information. The copy still leaks some side-channel
|
||||
* information, but it's impossible to have a fixed memory access
|
||||
* pattern since we can't read out of the bounds of |from|.
|
||||
*
|
||||
* TODO(emilia): Consider porting BN_bn2bin_padded from BoringSSL.
|
||||
*/
|
||||
memcpy(em + num - flen, from, flen);
|
||||
|
||||
good = constant_time_is_zero(em[0]);
|
||||
good &= constant_time_eq(em[1], 2);
|
||||
good = constant_time_is_zero(from[0]);
|
||||
good &= constant_time_eq(from[1], 2);
|
||||
|
||||
found_zero_byte = 0;
|
||||
for (i = 2; i < num; i++) {
|
||||
unsigned int equals0 = constant_time_is_zero(em[i]);
|
||||
unsigned int equals0 = constant_time_is_zero(from[i]);
|
||||
zero_index =
|
||||
constant_time_select_int(~found_zero_byte & equals0, i,
|
||||
zero_index);
|
||||
@ -232,7 +256,7 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
|
||||
}
|
||||
|
||||
/*
|
||||
* PS must be at least 8 bytes long, and it starts two bytes into |em|.
|
||||
* PS must be at least 8 bytes long, and it starts two bytes into |from|.
|
||||
* If we never found a 0-byte, then |zero_index| is 0 and the check
|
||||
* also fails.
|
||||
*/
|
||||
@ -261,7 +285,7 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
|
||||
goto err;
|
||||
}
|
||||
|
||||
memcpy(to, em + msg_index, mlen);
|
||||
memcpy(to, from + msg_index, mlen);
|
||||
|
||||
err:
|
||||
if (em != NULL) {
|
||||
|
@ -84,7 +84,7 @@ int RSA_sign(int type, const unsigned char *m, unsigned int m_len,
|
||||
return 0;
|
||||
}
|
||||
#endif
|
||||
if ((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign) {
|
||||
if ((rsa->meth->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign) {
|
||||
return rsa->meth->rsa_sign(type, m, m_len, sigret, siglen, rsa);
|
||||
}
|
||||
/* Special case: SSL signature, just check the length */
|
||||
@ -293,7 +293,7 @@ int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len,
|
||||
const unsigned char *sigbuf, unsigned int siglen, RSA *rsa)
|
||||
{
|
||||
|
||||
if ((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_verify) {
|
||||
if ((rsa->meth->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_verify) {
|
||||
return rsa->meth->rsa_verify(dtype, m, m_len, sigbuf, siglen, rsa);
|
||||
}
|
||||
|
||||
|
@ -112,6 +112,14 @@ int RSA_padding_check_SSLv23(unsigned char *to, int tlen,
|
||||
RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_DATA_TOO_SMALL);
|
||||
return (-1);
|
||||
}
|
||||
/* Accept even zero-padded input */
|
||||
if (flen == num) {
|
||||
if (*(p++) != 0) {
|
||||
RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_BLOCK_TYPE_IS_NOT_02);
|
||||
return -1;
|
||||
}
|
||||
flen--;
|
||||
}
|
||||
if ((num != (flen + 1)) || (*(p++) != 02)) {
|
||||
RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_BLOCK_TYPE_IS_NOT_02);
|
||||
return (-1);
|
||||
|
@ -131,7 +131,7 @@ $ymm=1 if ($xmm && !$ymm && $ARGV[0] eq "win32" &&
|
||||
`ml 2>&1` =~ /Version ([0-9]+)\./ &&
|
||||
$1>=10); # first version supporting AVX
|
||||
|
||||
$ymm=1 if ($xmm && !$ymm && `$ENV{CC} -v 2>&1` =~ /(^clang version|based on LLVM) ([3-9]\.[0-9]+)/ &&
|
||||
$ymm=1 if ($xmm && !$ymm && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|based on LLVM) ([3-9]\.[0-9]+)/ &&
|
||||
$2>=3.0); # first version supporting AVX
|
||||
|
||||
$shaext=$xmm; ### set to zero if compiling for 1.0.1
|
||||
|
@ -83,7 +83,7 @@ if ($xmm && !$avx && $ARGV[0] eq "win32" &&
|
||||
$avx = ($1>=10) + ($1>=11);
|
||||
}
|
||||
|
||||
if ($xmm && !$avx && `$ENV{CC} -v 2>&1` =~ /(^clang version|based on LLVM) ([3-9]\.[0-9]+)/) {
|
||||
if ($xmm && !$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|based on LLVM) ([3-9]\.[0-9]+)/) {
|
||||
$avx = ($2>=3.0) + ($2>3.0);
|
||||
}
|
||||
|
||||
|
@ -4,7 +4,7 @@
|
||||
* OpenSSL project 2001.
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 2001 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 2001-2018 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
@ -567,17 +567,13 @@ static int echo_console(UI *ui)
|
||||
{
|
||||
#if defined(TTY_set) && !defined(OPENSSL_SYS_VMS)
|
||||
memcpy(&(tty_new), &(tty_orig), sizeof(tty_orig));
|
||||
tty_new.TTY_FLAGS |= ECHO;
|
||||
#endif
|
||||
|
||||
#if defined(TTY_set) && !defined(OPENSSL_SYS_VMS)
|
||||
if (is_a_tty && (TTY_set(fileno(tty_in), &tty_new) == -1))
|
||||
return 0;
|
||||
#endif
|
||||
#ifdef OPENSSL_SYS_VMS
|
||||
if (is_a_tty) {
|
||||
tty_new[0] = tty_orig[0];
|
||||
tty_new[1] = tty_orig[1] & ~TT$M_NOECHO;
|
||||
tty_new[1] = tty_orig[1];
|
||||
tty_new[2] = tty_orig[2];
|
||||
status = sys$qiow(0, channel, IO$_SETMODE, &iosb, 0, 0, tty_new, 12,
|
||||
0, 0, 0, 0);
|
||||
|
@ -219,7 +219,7 @@ int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b)
|
||||
|
||||
ret = a->canon_enclen - b->canon_enclen;
|
||||
|
||||
if (ret)
|
||||
if (ret != 0 || a->canon_enclen == 0)
|
||||
return ret;
|
||||
|
||||
return memcmp(a->canon_enc, b->canon_enc, a->canon_enclen);
|
||||
|
@ -311,7 +311,11 @@ int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name,
|
||||
X509_OBJECT stmp, *tmp;
|
||||
int i, j;
|
||||
|
||||
if (ctx == NULL)
|
||||
return 0;
|
||||
|
||||
CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
|
||||
|
||||
tmp = X509_OBJECT_retrieve_by_subject(ctx->objs, type, name);
|
||||
CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
|
||||
|
||||
@ -506,6 +510,10 @@ STACK_OF(X509) *X509_STORE_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm)
|
||||
STACK_OF(X509) *sk;
|
||||
X509 *x;
|
||||
X509_OBJECT *obj;
|
||||
|
||||
if (ctx->ctx == NULL)
|
||||
return NULL;
|
||||
|
||||
sk = sk_X509_new_null();
|
||||
CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
|
||||
idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_X509, nm, &cnt);
|
||||
@ -551,6 +559,11 @@ STACK_OF(X509_CRL) *X509_STORE_get1_crls(X509_STORE_CTX *ctx, X509_NAME *nm)
|
||||
STACK_OF(X509_CRL) *sk;
|
||||
X509_CRL *x;
|
||||
X509_OBJECT *obj, xobj;
|
||||
|
||||
|
||||
if (ctx->ctx == NULL)
|
||||
return NULL;
|
||||
|
||||
sk = sk_X509_CRL_new_null();
|
||||
CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
|
||||
|
||||
@ -651,6 +664,9 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
|
||||
}
|
||||
X509_OBJECT_free_contents(&obj);
|
||||
|
||||
if (ctx->ctx == NULL)
|
||||
return 0;
|
||||
|
||||
/* Else find index of first cert accepted by 'check_issued' */
|
||||
ret = 0;
|
||||
CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
|
||||
|
@ -56,6 +56,7 @@
|
||||
* [including the GNU Public Licence.]
|
||||
*/
|
||||
|
||||
#include <ctype.h>
|
||||
#include <stdio.h>
|
||||
#include <time.h>
|
||||
#include <errno.h>
|
||||
@ -1937,119 +1938,67 @@ int X509_cmp_current_time(const ASN1_TIME *ctm)
|
||||
|
||||
int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
|
||||
{
|
||||
char *str;
|
||||
ASN1_TIME atm;
|
||||
long offset;
|
||||
char buff1[24], buff2[24], *p;
|
||||
int i, j, remaining;
|
||||
static const size_t utctime_length = sizeof("YYMMDDHHMMSSZ") - 1;
|
||||
static const size_t generalizedtime_length = sizeof("YYYYMMDDHHMMSSZ") - 1;
|
||||
ASN1_TIME *asn1_cmp_time = NULL;
|
||||
int i, day, sec, ret = 0;
|
||||
|
||||
p = buff1;
|
||||
remaining = ctm->length;
|
||||
str = (char *)ctm->data;
|
||||
/*
|
||||
* Note that the following (historical) code allows much more slack in the
|
||||
* time format than RFC5280. In RFC5280, the representation is fixed:
|
||||
* Note that ASN.1 allows much more slack in the time format than RFC5280.
|
||||
* In RFC5280, the representation is fixed:
|
||||
* UTCTime: YYMMDDHHMMSSZ
|
||||
* GeneralizedTime: YYYYMMDDHHMMSSZ
|
||||
*
|
||||
* We do NOT currently enforce the following RFC 5280 requirement:
|
||||
* "CAs conforming to this profile MUST always encode certificate
|
||||
* validity dates through the year 2049 as UTCTime; certificate validity
|
||||
* dates in 2050 or later MUST be encoded as GeneralizedTime."
|
||||
*/
|
||||
if (ctm->type == V_ASN1_UTCTIME) {
|
||||
/* YYMMDDHHMM[SS]Z or YYMMDDHHMM[SS](+-)hhmm */
|
||||
int min_length = sizeof("YYMMDDHHMMZ") - 1;
|
||||
int max_length = sizeof("YYMMDDHHMMSS+hhmm") - 1;
|
||||
if (remaining < min_length || remaining > max_length)
|
||||
switch (ctm->type) {
|
||||
case V_ASN1_UTCTIME:
|
||||
if (ctm->length != (int)(utctime_length))
|
||||
return 0;
|
||||
memcpy(p, str, 10);
|
||||
p += 10;
|
||||
str += 10;
|
||||
remaining -= 10;
|
||||
} else {
|
||||
/* YYYYMMDDHHMM[SS[.fff]]Z or YYYYMMDDHHMM[SS[.f[f[f]]]](+-)hhmm */
|
||||
int min_length = sizeof("YYYYMMDDHHMMZ") - 1;
|
||||
int max_length = sizeof("YYYYMMDDHHMMSS.fff+hhmm") - 1;
|
||||
if (remaining < min_length || remaining > max_length)
|
||||
break;
|
||||
case V_ASN1_GENERALIZEDTIME:
|
||||
if (ctm->length != (int)(generalizedtime_length))
|
||||
return 0;
|
||||
memcpy(p, str, 12);
|
||||
p += 12;
|
||||
str += 12;
|
||||
remaining -= 12;
|
||||
}
|
||||
|
||||
if ((*str == 'Z') || (*str == '-') || (*str == '+')) {
|
||||
*(p++) = '0';
|
||||
*(p++) = '0';
|
||||
} else {
|
||||
/* SS (seconds) */
|
||||
if (remaining < 2)
|
||||
return 0;
|
||||
*(p++) = *(str++);
|
||||
*(p++) = *(str++);
|
||||
remaining -= 2;
|
||||
/*
|
||||
* Skip any (up to three) fractional seconds...
|
||||
* TODO(emilia): in RFC5280, fractional seconds are forbidden.
|
||||
* Can we just kill them altogether?
|
||||
*/
|
||||
if (remaining && *str == '.') {
|
||||
str++;
|
||||
remaining--;
|
||||
for (i = 0; i < 3 && remaining; i++, str++, remaining--) {
|
||||
if (*str < '0' || *str > '9')
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
*(p++) = 'Z';
|
||||
*(p++) = '\0';
|
||||
|
||||
/* We now need either a terminating 'Z' or an offset. */
|
||||
if (!remaining)
|
||||
break;
|
||||
default:
|
||||
return 0;
|
||||
if (*str == 'Z') {
|
||||
if (remaining != 1)
|
||||
return 0;
|
||||
offset = 0;
|
||||
} else {
|
||||
/* (+-)HHMM */
|
||||
if ((*str != '+') && (*str != '-'))
|
||||
return 0;
|
||||
/* Historical behaviour: the (+-)hhmm offset is forbidden in RFC5280. */
|
||||
if (remaining != 5)
|
||||
return 0;
|
||||
if (str[1] < '0' || str[1] > '9' || str[2] < '0' || str[2] > '9' ||
|
||||
str[3] < '0' || str[3] > '9' || str[4] < '0' || str[4] > '9')
|
||||
return 0;
|
||||
offset = ((str[1] - '0') * 10 + (str[2] - '0')) * 60;
|
||||
offset += (str[3] - '0') * 10 + (str[4] - '0');
|
||||
if (*str == '-')
|
||||
offset = -offset;
|
||||
}
|
||||
atm.type = ctm->type;
|
||||
atm.flags = 0;
|
||||
atm.length = sizeof(buff2);
|
||||
atm.data = (unsigned char *)buff2;
|
||||
|
||||
if (X509_time_adj(&atm, offset * 60, cmp_time) == NULL)
|
||||
/**
|
||||
* Verify the format: the ASN.1 functions we use below allow a more
|
||||
* flexible format than what's mandated by RFC 5280.
|
||||
* Digit and date ranges will be verified in the conversion methods.
|
||||
*/
|
||||
for (i = 0; i < ctm->length - 1; i++) {
|
||||
if (!isdigit(ctm->data[i]))
|
||||
return 0;
|
||||
}
|
||||
if (ctm->data[ctm->length - 1] != 'Z')
|
||||
return 0;
|
||||
|
||||
if (ctm->type == V_ASN1_UTCTIME) {
|
||||
i = (buff1[0] - '0') * 10 + (buff1[1] - '0');
|
||||
if (i < 50)
|
||||
i += 100; /* cf. RFC 2459 */
|
||||
j = (buff2[0] - '0') * 10 + (buff2[1] - '0');
|
||||
if (j < 50)
|
||||
j += 100;
|
||||
/*
|
||||
* There is ASN1_UTCTIME_cmp_time_t but no
|
||||
* ASN1_GENERALIZEDTIME_cmp_time_t or ASN1_TIME_cmp_time_t,
|
||||
* so we go through ASN.1
|
||||
*/
|
||||
asn1_cmp_time = X509_time_adj(NULL, 0, cmp_time);
|
||||
if (asn1_cmp_time == NULL)
|
||||
goto err;
|
||||
if (!ASN1_TIME_diff(&day, &sec, ctm, asn1_cmp_time))
|
||||
goto err;
|
||||
|
||||
if (i < j)
|
||||
return -1;
|
||||
if (i > j)
|
||||
return 1;
|
||||
}
|
||||
i = strcmp(buff1, buff2);
|
||||
if (i == 0) /* wait a second then return younger :-) */
|
||||
return -1;
|
||||
else
|
||||
return i;
|
||||
/*
|
||||
* X509_cmp_time comparison is <=.
|
||||
* The return value 0 is reserved for errors.
|
||||
*/
|
||||
ret = (day >= 0 && sec >= 0) ? -1 : 1;
|
||||
|
||||
err:
|
||||
ASN1_TIME_free(asn1_cmp_time);
|
||||
return ret;
|
||||
}
|
||||
|
||||
ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj)
|
||||
|
@ -4,7 +4,7 @@
|
||||
* 2001.
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 1999-2018 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
@ -128,11 +128,10 @@ int X509_check_purpose(X509 *x, int id, int ca)
|
||||
{
|
||||
int idx;
|
||||
const X509_PURPOSE *pt;
|
||||
if (!(x->ex_flags & EXFLAG_SET)) {
|
||||
CRYPTO_w_lock(CRYPTO_LOCK_X509);
|
||||
x509v3_cache_extensions(x);
|
||||
CRYPTO_w_unlock(CRYPTO_LOCK_X509);
|
||||
}
|
||||
|
||||
x509v3_cache_extensions(x);
|
||||
|
||||
/* Return if side-effect only call */
|
||||
if (id == -1)
|
||||
return 1;
|
||||
idx = X509_PURPOSE_get_by_id(id);
|
||||
@ -399,8 +398,16 @@ static void x509v3_cache_extensions(X509 *x)
|
||||
X509_EXTENSION *ex;
|
||||
|
||||
int i;
|
||||
|
||||
if (x->ex_flags & EXFLAG_SET)
|
||||
return;
|
||||
|
||||
CRYPTO_w_lock(CRYPTO_LOCK_X509);
|
||||
if (x->ex_flags & EXFLAG_SET) {
|
||||
CRYPTO_w_unlock(CRYPTO_LOCK_X509);
|
||||
return;
|
||||
}
|
||||
|
||||
#ifndef OPENSSL_NO_SHA
|
||||
X509_digest(x, EVP_sha1(), x->sha1_hash, NULL);
|
||||
#endif
|
||||
@ -536,6 +543,7 @@ static void x509v3_cache_extensions(X509 *x)
|
||||
}
|
||||
}
|
||||
x->ex_flags |= EXFLAG_SET;
|
||||
CRYPTO_w_unlock(CRYPTO_LOCK_X509);
|
||||
}
|
||||
|
||||
/*-
|
||||
@ -578,11 +586,7 @@ static int check_ca(const X509 *x)
|
||||
|
||||
int X509_check_ca(X509 *x)
|
||||
{
|
||||
if (!(x->ex_flags & EXFLAG_SET)) {
|
||||
CRYPTO_w_lock(CRYPTO_LOCK_X509);
|
||||
x509v3_cache_extensions(x);
|
||||
CRYPTO_w_unlock(CRYPTO_LOCK_X509);
|
||||
}
|
||||
x509v3_cache_extensions(x);
|
||||
|
||||
return check_ca(x);
|
||||
}
|
||||
@ -796,6 +800,7 @@ int X509_check_issued(X509 *issuer, X509 *subject)
|
||||
if (X509_NAME_cmp(X509_get_subject_name(issuer),
|
||||
X509_get_issuer_name(subject)))
|
||||
return X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
|
||||
|
||||
x509v3_cache_extensions(issuer);
|
||||
x509v3_cache_extensions(subject);
|
||||
|
||||
|
@ -335,6 +335,9 @@ When encrypting a message this option may be used multiple times to specify
|
||||
each recipient. This form B<must> be used if customised parameters are
|
||||
required (for example to specify RSA-OAEP).
|
||||
|
||||
Only certificates carrying RSA, Diffie-Hellman or EC keys are supported by this
|
||||
option.
|
||||
|
||||
=item B<-keyid>
|
||||
|
||||
use subject key identifier to identify certificates instead of issuer name and
|
||||
@ -648,17 +651,14 @@ No revocation checking is done on the signer's certificate.
|
||||
=head1 HISTORY
|
||||
|
||||
The use of multiple B<-signer> options and the B<-resign> command were first
|
||||
added in OpenSSL 1.0.0
|
||||
added in OpenSSL 1.0.0.
|
||||
|
||||
The B<keyopt> option was first added in OpenSSL 1.1.0
|
||||
The B<keyopt> option was first added in OpenSSL 1.0.2.
|
||||
|
||||
The use of B<-recip> to specify the recipient when encrypting mail was first
|
||||
added to OpenSSL 1.1.0
|
||||
|
||||
Support for RSA-OAEP and RSA-PSS was first added to OpenSSL 1.1.0.
|
||||
Support for RSA-OAEP and RSA-PSS was first added to OpenSSL 1.0.2.
|
||||
|
||||
The use of non-RSA keys with B<-encrypt> and B<-decrypt> was first added
|
||||
to OpenSSL 1.1.0.
|
||||
to OpenSSL 1.0.2.
|
||||
|
||||
The -no_alt_chains options was first added to OpenSSL 1.0.2b.
|
||||
|
||||
|
@ -21,7 +21,7 @@ started or end of file is reached. A section name can consist of
|
||||
alphanumeric characters and underscores.
|
||||
|
||||
The first section of a configuration file is special and is referred
|
||||
to as the B<default> section this is usually unnamed and is from the
|
||||
to as the B<default> section. This section is usually unnamed and spans from the
|
||||
start of file until the first named section. When a name is being looked up
|
||||
it is first looked up in a named section (if any) and then the
|
||||
default section.
|
||||
|
@ -11,7 +11,7 @@ B<openssl> B<genpkey>
|
||||
[B<-out filename>]
|
||||
[B<-outform PEM|DER>]
|
||||
[B<-pass arg>]
|
||||
[B<-cipher>]
|
||||
[B<-I<cipher>>]
|
||||
[B<-engine id>]
|
||||
[B<-paramfile file>]
|
||||
[B<-algorithm alg>]
|
||||
@ -34,21 +34,21 @@ used.
|
||||
|
||||
=item B<-outform DER|PEM>
|
||||
|
||||
This specifies the output format DER or PEM.
|
||||
This specifies the output format DER or PEM. The default format is PEM.
|
||||
|
||||
=item B<-pass arg>
|
||||
|
||||
the output file password source. For more information about the format of B<arg>
|
||||
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
|
||||
The output file password source. For more information about the format of B<arg>
|
||||
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
|
||||
|
||||
=item B<-cipher>
|
||||
=item B<-I<cipher>>
|
||||
|
||||
This option encrypts the private key with the supplied cipher. Any algorithm
|
||||
name accepted by EVP_get_cipherbyname() is acceptable such as B<des3>.
|
||||
|
||||
=item B<-engine id>
|
||||
|
||||
specifying an engine (by its unique B<id> string) will cause B<genpkey>
|
||||
Specifying an engine (by its unique B<id> string) will cause B<genpkey>
|
||||
to attempt to obtain a functional reference to the specified engine,
|
||||
thus initialising it if needed. The engine will then be set as the default
|
||||
for all available algorithms. If used this option should precede all other
|
||||
@ -56,20 +56,33 @@ options.
|
||||
|
||||
=item B<-algorithm alg>
|
||||
|
||||
public key algorithm to use such as RSA, DSA or DH. If used this option must
|
||||
Public key algorithm to use such as RSA, DSA or DH. If used this option must
|
||||
precede any B<-pkeyopt> options. The options B<-paramfile> and B<-algorithm>
|
||||
are mutually exclusive.
|
||||
are mutually exclusive. Engines may add algorithms in addition to the standard
|
||||
built-in ones.
|
||||
|
||||
Valid built-in algorithm names for private key generation are RSA and EC.
|
||||
|
||||
Valid built-in algorithm names for parameter generation (see the B<-genparam>
|
||||
option) are DH, DSA and EC.
|
||||
|
||||
Note that the algorithm name X9.42 DH may be used as a synonym for the DH
|
||||
algorithm. These are identical and do not indicate the type of parameters that
|
||||
will be generated. Use the B<dh_paramgen_type> option to indicate whether PKCS#3
|
||||
or X9.42 DH parameters are required. See L<DH Parameter Generation Options>
|
||||
below for more details.
|
||||
|
||||
=item B<-pkeyopt opt:value>
|
||||
|
||||
set the public key algorithm option B<opt> to B<value>. The precise set of
|
||||
Set the public key algorithm option B<opt> to B<value>. The precise set of
|
||||
options supported depends on the public key algorithm used and its
|
||||
implementation. See B<KEY GENERATION OPTIONS> below for more details.
|
||||
implementation. See L<KEY GENERATION OPTIONS> and
|
||||
L<PARAMETER GENERATION OPTIONS> below for more details.
|
||||
|
||||
=item B<-genparam>
|
||||
|
||||
generate a set of parameters instead of a private key. If used this option must
|
||||
precede and B<-algorithm>, B<-paramfile> or B<-pkeyopt> options.
|
||||
Generate a set of parameters instead of a private key. If used this option must
|
||||
precede any B<-algorithm>, B<-paramfile> or B<-pkeyopt> options.
|
||||
|
||||
=item B<-paramfile filename>
|
||||
|
||||
@ -92,7 +105,7 @@ The options supported by each algorith and indeed each implementation of an
|
||||
algorithm can vary. The options for the OpenSSL implementations are detailed
|
||||
below.
|
||||
|
||||
=head1 RSA KEY GENERATION OPTIONS
|
||||
=head2 RSA Key Generation Options
|
||||
|
||||
=over 4
|
||||
|
||||
@ -107,49 +120,93 @@ hexadecimal value if preceded by B<0x>. Default value is 65537.
|
||||
|
||||
=back
|
||||
|
||||
=head1 DSA PARAMETER GENERATION OPTIONS
|
||||
=head2 EC Key Generation Options
|
||||
|
||||
=over 4
|
||||
|
||||
=item B<dsa_paramgen_bits:numbits>
|
||||
|
||||
The number of bits in the generated parameters. If not specified 1024 is used.
|
||||
|
||||
=back
|
||||
|
||||
=head1 DH PARAMETER GENERATION OPTIONS
|
||||
|
||||
=over 4
|
||||
|
||||
=item B<dh_paramgen_prime_len:numbits>
|
||||
|
||||
The number of bits in the prime parameter B<p>.
|
||||
|
||||
=item B<dh_paramgen_generator:value>
|
||||
|
||||
The value to use for the generator B<g>.
|
||||
|
||||
=item B<dh_rfc5114:num>
|
||||
|
||||
If this option is set then the appropriate RFC5114 parameters are used
|
||||
instead of generating new parameters. The value B<num> can take the
|
||||
values 1, 2 or 3 corresponding to RFC5114 DH parameters consisting of
|
||||
1024 bit group with 160 bit subgroup, 2048 bit group with 224 bit subgroup
|
||||
and 2048 bit group with 256 bit subgroup as mentioned in RFC5114 sections
|
||||
2.1, 2.2 and 2.3 respectively.
|
||||
|
||||
=back
|
||||
|
||||
=head1 EC PARAMETER GENERATION OPTIONS
|
||||
The EC key generation options can also be used for parameter generation.
|
||||
|
||||
=over 4
|
||||
|
||||
=item B<ec_paramgen_curve:curve>
|
||||
|
||||
the EC curve to use.
|
||||
The EC curve to use. OpenSSL supports NIST curve names such as "P-256".
|
||||
|
||||
=item B<ec_param_enc:encoding>
|
||||
|
||||
The encoding to use for parameters. The "encoding" parameter must be either
|
||||
"named_curve" or "explicit". The default value is "named_curve".
|
||||
|
||||
=back
|
||||
|
||||
=head1 PARAMETER GENERATION OPTIONS
|
||||
|
||||
The options supported by each algorithm and indeed each implementation of an
|
||||
algorithm can vary. The options for the OpenSSL implementations are detailed
|
||||
below.
|
||||
|
||||
=head2 DSA Parameter Generation Options
|
||||
|
||||
=over 4
|
||||
|
||||
=item B<dsa_paramgen_bits:numbits>
|
||||
|
||||
The number of bits in the generated prime. If not specified 1024 is used.
|
||||
|
||||
=item B<dsa_paramgen_q_bits:numbits>
|
||||
|
||||
The number of bits in the q parameter. Must be one of 160, 224 or 256. If not
|
||||
specified 160 is used.
|
||||
|
||||
=item B<dsa_paramgen_md:digest>
|
||||
|
||||
The digest to use during parameter generation. Must be one of B<sha1>, B<sha224>
|
||||
or B<sha256>. If set, then the number of bits in B<q> will match the output size
|
||||
of the specified digest and the B<dsa_paramgen_q_bits> parameter will be
|
||||
ignored. If not set, then a digest will be used that gives an output matching
|
||||
the number of bits in B<q>, i.e. B<sha1> if q length is 160, B<sha224> if it 224
|
||||
or B<sha256> if it is 256.
|
||||
|
||||
=back
|
||||
|
||||
=head2 DH Parameter Generation Options
|
||||
|
||||
=over 4
|
||||
|
||||
=item B<dh_paramgen_prime_len:numbits>
|
||||
|
||||
The number of bits in the prime parameter B<p>. The default is 1024.
|
||||
|
||||
=item B<dh_paramgen_subprime_len:numbits>
|
||||
|
||||
The number of bits in the sub prime parameter B<q>. The default is 256 if the
|
||||
prime is at least 2048 bits long or 160 otherwise. Only relevant if used in
|
||||
conjunction with the B<dh_paramgen_type> option to generate X9.42 DH parameters.
|
||||
|
||||
=item B<dh_paramgen_generator:value>
|
||||
|
||||
The value to use for the generator B<g>. The default is 2.
|
||||
|
||||
=item B<dh_paramgen_type:value>
|
||||
|
||||
The type of DH parameters to generate. Use 0 for PKCS#3 DH and 1 for X9.42 DH.
|
||||
The default is 0.
|
||||
|
||||
=item B<dh_rfc5114:num>
|
||||
|
||||
If this option is set, then the appropriate RFC5114 parameters are used
|
||||
instead of generating new parameters. The value B<num> can take the
|
||||
values 1, 2 or 3 corresponding to RFC5114 DH parameters consisting of
|
||||
1024 bit group with 160 bit subgroup, 2048 bit group with 224 bit subgroup
|
||||
and 2048 bit group with 256 bit subgroup as mentioned in RFC5114 sections
|
||||
2.1, 2.2 and 2.3 respectively. If present this overrides all other DH parameter
|
||||
options.
|
||||
|
||||
=back
|
||||
|
||||
=head2 EC Parameter Generation Options
|
||||
|
||||
The EC parameter generation options are the same as for key generation. See
|
||||
L<EC Key Generation Options> above.
|
||||
|
||||
=head1 GOST2001 KEY GENERATION AND PARAMETER OPTIONS
|
||||
|
||||
Gost 2001 support is not enabled by default. To enable this algorithm,
|
||||
@ -179,8 +236,6 @@ numeric OID. Following parameter sets are supported:
|
||||
|
||||
=back
|
||||
|
||||
|
||||
|
||||
=head1 NOTES
|
||||
|
||||
The use of the genpkey program is encouraged over the algorithm specific
|
||||
@ -202,19 +257,25 @@ Generate a 2048 bit RSA key using 3 as the public exponent:
|
||||
openssl genpkey -algorithm RSA -out key.pem -pkeyopt rsa_keygen_bits:2048 \
|
||||
-pkeyopt rsa_keygen_pubexp:3
|
||||
|
||||
Generate 1024 bit DSA parameters:
|
||||
Generate 2048 bit DSA parameters:
|
||||
|
||||
openssl genpkey -genparam -algorithm DSA -out dsap.pem \
|
||||
-pkeyopt dsa_paramgen_bits:1024
|
||||
-pkeyopt dsa_paramgen_bits:2048
|
||||
|
||||
Generate DSA key from parameters:
|
||||
|
||||
openssl genpkey -paramfile dsap.pem -out dsakey.pem
|
||||
|
||||
Generate 1024 bit DH parameters:
|
||||
Generate 2048 bit DH parameters:
|
||||
|
||||
openssl genpkey -genparam -algorithm DH -out dhp.pem \
|
||||
-pkeyopt dh_paramgen_prime_len:1024
|
||||
-pkeyopt dh_paramgen_prime_len:2048
|
||||
|
||||
Generate 2048 bit X9.42 DH parameters:
|
||||
|
||||
openssl genpkey -genparam -algorithm DH -out dhpx.pem \
|
||||
-pkeyopt dh_paramgen_prime_len:2048 \
|
||||
-pkeyopt dh_paramgen_type:1
|
||||
|
||||
Output RFC5114 2048 bit DH parameters with 224 bit subgroup:
|
||||
|
||||
@ -224,6 +285,16 @@ Generate DH key from parameters:
|
||||
|
||||
openssl genpkey -paramfile dhp.pem -out dhkey.pem
|
||||
|
||||
Generate EC key directly:
|
||||
|
||||
openssl genpkey -algorithm EC -out eckey.pem \
|
||||
-pkeyopt ec_paramgen_curve:P-384 \
|
||||
-pkeyopt ec_param_enc:named_curve
|
||||
|
||||
=head1 HISTORY
|
||||
|
||||
The ability to use NIST curve names, and to generate an EC key directly,
|
||||
were added in OpenSSL 1.0.2.
|
||||
|
||||
=cut
|
||||
|
||||
|
@ -141,8 +141,9 @@ pauses 1 second between each read and write call.
|
||||
|
||||
=item B<-showcerts>
|
||||
|
||||
display the whole server certificate chain: normally only the server
|
||||
certificate itself is displayed.
|
||||
Displays the server certificate list as sent by the server: it only consists of
|
||||
certificates the server has sent (in the order the server has sent them). It is
|
||||
B<not> a verified chain.
|
||||
|
||||
=item B<-prexit>
|
||||
|
||||
@ -354,7 +355,8 @@ a client certificate. Therefor merely including a client certificate
|
||||
on the command line is no guarantee that the certificate works.
|
||||
|
||||
If there are problems verifying a server certificate then the
|
||||
B<-showcerts> option can be used to show the whole chain.
|
||||
B<-showcerts> option can be used to show all the certificates sent by the
|
||||
server.
|
||||
|
||||
Since the SSLv23 client hello cannot include compression methods or extensions
|
||||
these will only be supported if its use is disabled, for example by using the
|
||||
|
@ -60,7 +60,7 @@ BIO_s_fd() returns the file descriptor BIO method.
|
||||
|
||||
BIO_reset() returns zero for success and -1 if an error occurred.
|
||||
BIO_seek() and BIO_tell() return the current file position or -1
|
||||
is an error occurred. These values reflect the underlying lseek()
|
||||
if an error occurred. These values reflect the underlying lseek()
|
||||
behaviour.
|
||||
|
||||
BIO_set_fd() always returns 1.
|
||||
|
@ -91,7 +91,9 @@ BN_exp() raises I<a> to the I<p>-th power and places the result in I<r>
|
||||
BN_mul().
|
||||
|
||||
BN_mod_exp() computes I<a> to the I<p>-th power modulo I<m> (C<r=a^p %
|
||||
m>). This function uses less time and space than BN_exp().
|
||||
m>). This function uses less time and space than BN_exp(). Do not call this
|
||||
function when B<m> is even and any of the parameters have the
|
||||
B<BN_FLG_CONSTTIME> flag set.
|
||||
|
||||
BN_gcd() computes the greatest common divisor of I<a> and I<b> and
|
||||
places the result in I<r>. I<r> may be the same B<BIGNUM> as I<a> or
|
||||
|
@ -39,8 +39,8 @@ numbers, the string is prefaced with a leading '-'. The string must be
|
||||
freed later using OPENSSL_free().
|
||||
|
||||
BN_hex2bn() converts the string B<str> containing a hexadecimal number
|
||||
to a B<BIGNUM> and stores it in **B<bn>. If *B<bn> is NULL, a new
|
||||
B<BIGNUM> is created. If B<bn> is NULL, it only computes the number's
|
||||
to a B<BIGNUM> and stores it in **B<a>. If *B<a> is NULL, a new
|
||||
B<BIGNUM> is created. If B<a> is NULL, it only computes the number's
|
||||
length in hexadecimal digits. If the string starts with '-', the
|
||||
number is negative.
|
||||
A "negative zero" is converted to zero.
|
||||
|
@ -90,7 +90,17 @@ If B<do_trial_division == 0>, this test is skipped.
|
||||
Both BN_is_prime_ex() and BN_is_prime_fasttest_ex() perform a Miller-Rabin
|
||||
probabilistic primality test with B<nchecks> iterations. If
|
||||
B<nchecks == BN_prime_checks>, a number of iterations is used that
|
||||
yields a false positive rate of at most 2^-80 for random input.
|
||||
yields a false positive rate of at most 2^-64 for random input.
|
||||
The error rate depends on the size of the prime and goes down for bigger primes.
|
||||
The rate is 2^-80 starting at 308 bits, 2^-112 at 852 bits, 2^-128 at 1080 bits,
|
||||
2^-192 at 3747 bits and 2^-256 at 6394 bits.
|
||||
|
||||
When the source of the prime is not random or not trusted, the number
|
||||
of checks needs to be much higher to reach the same level of assurance:
|
||||
It should equal half of the targeted security level in bits (rounded up to the
|
||||
next integer if necessary).
|
||||
For instance, to reach the 128 bit security level, B<nchecks> should be set to
|
||||
64.
|
||||
|
||||
If B<cb> is not B<NULL>, B<BN_GENCB_call(cb, 1, j)> is called
|
||||
after the j-th iteration (j = 0, 1, ...). B<ctx> is a
|
||||
|
@ -18,9 +18,8 @@ B<cipher> is the symmetric cipher to use. B<flags> is an optional set of flags.
|
||||
|
||||
=head1 NOTES
|
||||
|
||||
Only certificates carrying RSA keys are supported so the recipient certificates
|
||||
supplied to this function must all contain RSA public keys, though they do not
|
||||
have to be signed using the RSA algorithm.
|
||||
Only certificates carrying RSA, Diffie-Hellman or EC keys are supported by this
|
||||
function.
|
||||
|
||||
EVP_des_ede3_cbc() (triple DES) is the algorithm of choice for S/MIME use
|
||||
because most clients will support it.
|
||||
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user