openssl: Update to pristine 1.0.2q (security update)
(cherry picked from commit cff0913be8)
This commit is contained in:
parent
0429b21f10
commit
f2a42e1ae5
|
@ -381,6 +381,7 @@ if (env['builtin_openssl'] != 'no'):
"crypto/evp/p_verify.c",
"crypto/ex_data.c",
"crypto/fips_ers.c",
"crypto/getenv.c",
"crypto/hmac/hmac.c",
"crypto/hmac/hm_ameth.c",
"crypto/hmac/hm_pmeth.c",
@ -241,7 +241,7 @@ Collection of single-file libraries used in Godot components.
## openssl
- Upstream: https://www.openssl.org
- Version: 1.0.2o
- Version: 1.0.2q
- License: OpenSSL license / BSD-like
Files extracted from the upstream source:
@ -262,7 +262,12 @@ Files extracted from the upstream source:
```
For the rest check the `git status` and decide.
- e_os.h
- Apply the Godot-specific patches in the `patches/` folder.
- MacOS/buildinf.h
- LICENSE
- Apply the Godot-specific patches in the `patches/` folder
(make sure not to commit .orig/.rej files generated by `patch`).
- Review `openssl/opensslconf.h` changes and make sure they make sense
for our "one size fits all" config.
## opus
@ -63,17 +63,31 @@
int i2d_ASN1_BOOLEAN(int a, unsigned char **pp)
{
int r;
unsigned char *p;
unsigned char *p, *allocated = NULL;
r = ASN1_object_size(0, 1, V_ASN1_BOOLEAN);
if (pp == NULL)
return (r);
p = *pp;
if (*pp == NULL) {
if ((p = allocated = OPENSSL_malloc(r)) == NULL) {
ASN1err(ASN1_F_I2D_ASN1_BOOLEAN, ERR_R_MALLOC_FAILURE);
return 0;
}
} else {
p = *pp;
}
ASN1_put_object(&p, 0, 1, V_ASN1_BOOLEAN, V_ASN1_UNIVERSAL);
*(p++) = (unsigned char)a;
*pp = p;
return (r);
*p = (unsigned char)a;
/*
* If a new buffer was allocated, just return it back.
* If not, return the incremented buffer pointer.
*/
*pp = allocated != NULL ? allocated : p + 1;
return r;
}
int d2i_ASN1_BOOLEAN(int *a, const unsigned char **pp, long length)
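Review bot: The new `*pp == NULL` branch in i2d_ASN1_BOOLEAN changes what the caller gets back: instead of a pointer advanced past the encoding, `*pp` becomes the start of a freshly OPENSSL_malloc'd buffer that the caller now owns, and nothing in the function states that. Suggest replacing the comment above the final assignment with `/* Caller passed *pp == NULL: hand back the buffer we allocated, which the caller must OPENSSL_free(); otherwise advance *pp past the encoded boolean as before. */`. The same ownership hand-off, undocumented in the same way, is introduced in i2d_ASN1_OBJECT in the next file section.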
@ -66,7 +66,7 @@
int i2d_ASN1_OBJECT(ASN1_OBJECT *a, unsigned char **pp)
{
unsigned char *p;
unsigned char *p, *allocated = NULL;
int objsize;
if ((a == NULL) || (a->data == NULL))
@ -76,13 +76,24 @@ int i2d_ASN1_OBJECT(ASN1_OBJECT *a, unsigned char **pp)
if (pp == NULL || objsize == -1)
return objsize;
p = *pp;
if (*pp == NULL) {
if ((p = allocated = OPENSSL_malloc(objsize)) == NULL) {
ASN1err(ASN1_F_I2D_ASN1_OBJECT, ERR_R_MALLOC_FAILURE);
return 0;
}
} else {
p = *pp;
}
ASN1_put_object(&p, 0, a->length, V_ASN1_OBJECT, V_ASN1_UNIVERSAL);
memcpy(p, a->data, a->length);
p += a->length;
*pp = p;
return (objsize);
/*
* If a new buffer was allocated, just return it back.
* If not, return the incremented buffer pointer.
*/
*pp = allocated != NULL ? allocated : p + a->length;
return objsize;
}
int a2d_ASN1_OBJECT(unsigned char *out, int olen, const char *buf, int num)
@ -4,7 +4,7 @@
* 2000.
*/
/* ====================================================================
* Copyright (c) 2000 The OpenSSL Project. All rights reserved.
* Copyright (c) 2000-2018 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@ -194,18 +194,38 @@ static int do_buf(unsigned char *buf, int buflen,
int type, unsigned char flags, char *quotes, char_io *io_ch,
void *arg)
{
int i, outlen, len;
int i, outlen, len, charwidth;
unsigned char orflags, *p, *q;
unsigned long c;
p = buf;
q = buf + buflen;
outlen = 0;
charwidth = type & BUF_TYPE_WIDTH_MASK;
switch (charwidth) {
case 4:
if (buflen & 3) {
ASN1err(ASN1_F_DO_BUF, ASN1_R_INVALID_UNIVERSALSTRING_LENGTH);
return -1;
}
break;
case 2:
if (buflen & 1) {
ASN1err(ASN1_F_DO_BUF, ASN1_R_INVALID_BMPSTRING_LENGTH);
return -1;
}
break;
default:
break;
}
while (p != q) {
if (p == buf && flags & ASN1_STRFLGS_ESC_2253)
orflags = CHARTYPE_FIRST_ESC_2253;
else
orflags = 0;
switch (type & BUF_TYPE_WIDTH_MASK) {
switch (charwidth) {
case 4:
c = ((unsigned long)*p++) << 24;
c |= ((unsigned long)*p++) << 16;
@ -226,6 +246,7 @@ static int do_buf(unsigned char *buf, int buflen,
i = UTF8_getc(p, buflen, &c);
if (i < 0)
return -1; /* Invalid UTF8String */
buflen -= i;
p += i;
break;
default:
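Review bot: The up-front `buflen & 3` / `buflen & 1` checks added to do_buf are what keep the unchecked `*p++` reads of the width-4 and width-2 cases inside `buf`, but that dependency is only implicit and deserves a comment on the first switch, e.g. `/* p advances by exactly charwidth per character and the loop stops at q = buf + buflen, so rejecting a length that is not a multiple of charwidth is what keeps the per-character reads below in bounds. */`. The UTF-8 case is the only one that must also decrement `buflen` (the added `buflen -= i`), because UTF8_getc is bounded by that counter rather than by `q`. do_buf continues outside the hunk, including the `default:` arm of the inner switch, so I could not check how an unexpected charwidth is handled there.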
@ -3,7 +3,7 @@
* 2006.
*/
/* ====================================================================
* Copyright (c) 2006 The OpenSSL Project. All rights reserved.
* Copyright (c) 2006-2018 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@ -305,6 +305,18 @@ EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_new(int id, int flags,
} else
ameth->info = NULL;
/*
* One of the following must be true:
*
* pem_str == NULL AND ASN1_PKEY_ALIAS is set
* pem_str != NULL AND ASN1_PKEY_ALIAS is clear
*
* Anything else is an error and may lead to a corrupt ASN1 method table
*/
if (!((pem_str == NULL && (flags & ASN1_PKEY_ALIAS) != 0)
|| (pem_str != NULL && (flags & ASN1_PKEY_ALIAS) == 0)))
goto err;
if (pem_str) {
ameth->pem_str = BUF_strdup(pem_str);
if (!ameth->pem_str)
@ -166,7 +166,10 @@ static ERR_STRING_DATA ASN1_str_functs[] = {
{ERR_FUNC(ASN1_F_D2I_X509), "D2I_X509"},
{ERR_FUNC(ASN1_F_D2I_X509_CINF), "D2I_X509_CINF"},
{ERR_FUNC(ASN1_F_D2I_X509_PKEY), "d2i_X509_PKEY"},
{ERR_FUNC(ASN1_F_DO_BUF), "DO_BUF"},
{ERR_FUNC(ASN1_F_I2D_ASN1_BIO_STREAM), "i2d_ASN1_bio_stream"},
{ERR_FUNC(ASN1_F_I2D_ASN1_BOOLEAN), "i2d_ASN1_BOOLEAN"},
{ERR_FUNC(ASN1_F_I2D_ASN1_OBJECT), "i2d_ASN1_OBJECT"},
{ERR_FUNC(ASN1_F_I2D_ASN1_SET), "i2d_ASN1_SET"},
{ERR_FUNC(ASN1_F_I2D_ASN1_TIME), "I2D_ASN1_TIME"},
{ERR_FUNC(ASN1_F_I2D_DSA_PUBKEY), "i2d_DSA_PUBKEY"},
@ -4,7 +4,7 @@
* 2000.
*/
/* ====================================================================
* Copyright (c) 2000-2004 The OpenSSL Project. All rights reserved.
* Copyright (c) 2000-2018 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@ -588,6 +588,8 @@ int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cout, int *putype,
otmp = (ASN1_OBJECT *)*pval;
cont = otmp->data;
len = otmp->length;
if (cont == NULL || len == 0)
return -1;
break;
case V_ASN1_NULL:
@ -56,6 +56,9 @@
* [including the GNU Public Licence.]
*/
#define _DEFAULT_SOURCE
#define _BSD_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
@ -83,6 +86,11 @@ NETDB_DEFINE_CONTEXT
static int wsa_init_done = 0;
# endif
# if defined(__GLIBC__)
# define HAVE_GETHOSTBYNAME_R
# define GETHOSTNAME_R_BUF (2 * 1024)
# endif
/*
* WSAAPI specifier is required to make indirect calls to run-time
* linked WinSock 2 functions used in this module, to be specific
@ -116,7 +124,12 @@ int BIO_get_host_ip(const char *str, unsigned char *ip)
int i;
int err = 1;
int locked = 0;
struct hostent *he;
struct hostent *he = NULL;
# ifdef HAVE_GETHOSTBYNAME_R
char buf[GETHOSTNAME_R_BUF];
struct hostent hostent;
int h_errnop;
# endif
i = get_ip(str, ip);
if (i < 0) {
@ -138,10 +151,18 @@ int BIO_get_host_ip(const char *str, unsigned char *ip)
if (i > 0)
return (1);
/* if gethostbyname_r is supported, use it. */
# ifdef HAVE_GETHOSTBYNAME_R
memset(&hostent, 0x00, sizeof(hostent));
/* gethostbyname_r() sets |he| to NULL on error, we check it further down */
gethostbyname_r(str, &hostent, buf, sizeof(buf), &he, &h_errnop);
# else
/* do a gethostbyname */
CRYPTO_w_lock(CRYPTO_LOCK_GETHOSTBYNAME);
locked = 1;
he = BIO_gethostbyname(str);
# endif
if (he == NULL) {
BIOerr(BIO_F_BIO_GET_HOST_IP, BIO_R_BAD_HOSTNAME_LOOKUP);
goto err;
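Review bot: The return value of `gethostbyname_r` on the new glibc path in BIO_get_host_ip is discarded and `h_errnop` is set but never read, so a buffer-too-small result (ERANGE against the fixed 2 KiB `GETHOSTNAME_R_BUF`) is indistinguishable from an unknown host: both surface as BIO_R_BAD_HOSTNAME_LOOKUP. At minimum the limitation should be stated next to the call, e.g. `/* No retry with a larger buffer: an ERANGE result (too many addresses/aliases for GETHOSTNAME_R_BUF) is reported as a failed lookup. */`, and checking the int return alongside `he == NULL` would make the failure explicit rather than relying on the output pointer being reset. The `_DEFAULT_SOURCE`/`_BSD_SOURCE` defines added at the top of the hunk only take effect if no system header was included before them; the first includes I can see are inside the hunk, but anything included earlier in the file is outside my view. BIO_get_host_ip continues past the end of the hunk.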
@ -1,6 +1,6 @@
/* crypto/bio/bss_log.c */
/* ====================================================================
* Copyright (c) 1999 The OpenSSL Project. All rights reserved.
* Copyright (c) 1999-2018 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@ -242,7 +242,7 @@ static int MS_CALLBACK slg_write(BIO *b, const char *in, int inl)
if ((buf = (char *)OPENSSL_malloc(inl + 1)) == NULL) {
return (0);
}
strncpy(buf, in, inl);
memcpy(buf, in, inl);
buf[inl] = '\0';
i = 0;
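Review bot: Replacing `strncpy` with `memcpy` in slg_write is right for the intended copy, but the hunk still has no guard on `inl` before `OPENSSL_malloc(inl + 1)`: a negative `inl` becomes a huge `size_t` in `memcpy(buf, in, inl)` unless a caller rejects it first, and I cannot see such a check from here. A one-line guard before the allocation, `if (inl <= 0) return 0;`, would close that regardless of caller behaviour. The `if (inl == 0) return 0;` added to mem_write in the following bss_mem.c section has the same gap for negative values, where `blen + inl` is then passed to BUF_MEM_grow_clean. slg_write starts outside the hunk.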
@ -188,6 +188,8 @@ static int mem_write(BIO *b, const char *in, int inl)
}
BIO_clear_retry_flags(b);
if (inl == 0)
return 0;
blen = bm->length;
if (BUF_MEM_grow_clean(bm, blen + inl) != (blen + inl))
goto end;
@ -55,12 +55,6 @@
* machine.
*/
# if defined(_WIN64) || !defined(__LP64__)
# define BN_ULONG unsigned long long
# else
# define BN_ULONG unsigned long
# endif
# undef mul
# undef mul_add
@ -1,6 +1,6 @@
/* crypto/bn/bn_blind.c */
/* ====================================================================
* Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
* Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@ -206,10 +206,15 @@ int BN_BLINDING_update(BN_BLINDING *b, BN_CTX *ctx)
if (!BN_BLINDING_create_param(b, NULL, NULL, ctx, NULL, NULL))
goto err;
} else if (!(b->flags & BN_BLINDING_NO_UPDATE)) {
if (!BN_mod_mul(b->A, b->A, b->A, b->mod, ctx))
goto err;
if (!BN_mod_mul(b->Ai, b->Ai, b->Ai, b->mod, ctx))
goto err;
if (b->m_ctx != NULL) {
if (!bn_mul_mont_fixed_top(b->Ai, b->Ai, b->Ai, b->m_ctx, ctx)
|| !bn_mul_mont_fixed_top(b->A, b->A, b->A, b->m_ctx, ctx))
goto err;
} else {
if (!BN_mod_mul(b->Ai, b->Ai, b->Ai, b->mod, ctx)
|| !BN_mod_mul(b->A, b->A, b->A, b->mod, ctx))
goto err;
}
}
ret = 1;
@ -241,13 +246,13 @@ int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b, BN_CTX *ctx)
else if (!BN_BLINDING_update(b, ctx))
return (0);
if (r != NULL) {
if (!BN_copy(r, b->Ai))
ret = 0;
}
if (r != NULL && (BN_copy(r, b->Ai) == NULL))
return 0;
if (!BN_mod_mul(n, n, b->A, b->mod, ctx))
ret = 0;
if (b->m_ctx != NULL)
ret = BN_mod_mul_montgomery(n, n, b->A, b->m_ctx, ctx);
else
ret = BN_mod_mul(n, n, b->A, b->mod, ctx);
return ret;
}
@ -264,14 +269,29 @@ int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b,
bn_check_top(n);
if (r != NULL)
ret = BN_mod_mul(n, n, r, b->mod, ctx);
else {
if (b->Ai == NULL) {
BNerr(BN_F_BN_BLINDING_INVERT_EX, BN_R_NOT_INITIALIZED);
return (0);
if (r == NULL && (r = b->Ai) == NULL) {
BNerr(BN_F_BN_BLINDING_INVERT_EX, BN_R_NOT_INITIALIZED);
return 0;
}
if (b->m_ctx != NULL) {
/* ensure that BN_mod_mul_montgomery takes pre-defined path */
if (n->dmax >= r->top) {
size_t i, rtop = r->top, ntop = n->top;
BN_ULONG mask;
for (i = 0; i < rtop; i++) {
mask = (BN_ULONG)0 - ((i - ntop) >> (8 * sizeof(i) - 1));
n->d[i] &= mask;
}
mask = (BN_ULONG)0 - ((rtop - ntop) >> (8 * sizeof(ntop) - 1));
/* always true, if (rtop >= ntop) n->top = r->top; */
n->top = (int)(rtop & ~mask) | (ntop & mask);
n->flags |= (BN_FLG_FIXED_TOP & ~mask);
}
ret = BN_mod_mul(n, n, b->Ai, b->mod, ctx);
ret = BN_mod_mul_montgomery(n, n, r, b->m_ctx, ctx);
} else {
ret = BN_mod_mul(n, n, r, b->mod, ctx);
}
bn_check_top(n);
@ -366,14 +386,19 @@ BN_BLINDING *BN_BLINDING_create_param(BN_BLINDING *b,
} while (1);
if (ret->bn_mod_exp != NULL && ret->m_ctx != NULL) {
if (!ret->bn_mod_exp
(ret->A, ret->A, ret->e, ret->mod, ctx, ret->m_ctx))
if (!ret->bn_mod_exp(ret->A, ret->A, ret->e, ret->mod, ctx, ret->m_ctx))
goto err;
} else {
if (!BN_mod_exp(ret->A, ret->A, ret->e, ret->mod, ctx))
goto err;
}
if (ret->m_ctx != NULL) {
if (!bn_to_mont_fixed_top(ret->Ai, ret->Ai, ret->m_ctx, ctx)
|| !bn_to_mont_fixed_top(ret->A, ret->A, ret->m_ctx, ctx))
goto err;
}
return ret;
err:
if (b == NULL && ret != NULL) {
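Review bot: The masked loop added to BN_BLINDING_invert_ex relies on unsigned wrap-around and is hard to read without a comment: `(i - ntop) >> (8 * sizeof(i) - 1)` is 1 exactly when `i < ntop`, so `mask` is all-ones for words below n's current top and zero above it, and the loop clears the words between `ntop` and `rtop` without branching on n's length. Suggest adding above the `for`: `/* Zero-pad n up to r->top words branch-free: mask is ~0 for i < n->top and 0 above, so existing words are kept and the padding words are cleared. */`. The second mask, built from `rtop - ntop`, makes `n->top` equal to the larger of `rtop` and `ntop` and sets BN_FLG_FIXED_TOP only when `rtop >= ntop`, which is what the existing `always true` comment alludes to but does not spell out. BN_BLINDING_invert_ex begins and ends outside this hunk.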
@ -290,6 +290,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
wnum.neg = 0;
wnum.d = &(snum->d[loop]);
wnum.top = div_n;
wnum.flags = BN_FLG_STATIC_DATA;
/*
* only needed when BN_ucmp messes up the values between top and max
*/
@ -290,8 +290,8 @@ int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
bits = BN_num_bits(p);
if (bits == 0) {
/* x**0 mod 1 is still zero. */
if (BN_is_one(m)) {
/* x**0 mod 1, or x**0 mod -1 is still zero. */
if (BN_abs_is_word(m, 1)) {
ret = 1;
BN_zero(r);
} else {
@ -432,8 +432,8 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
}
bits = BN_num_bits(p);
if (bits == 0) {
/* x**0 mod 1 is still zero. */
if (BN_is_one(m)) {
/* x**0 mod 1, or x**0 mod -1 is still zero. */
if (BN_abs_is_word(m, 1)) {
ret = 1;
BN_zero(rr);
} else {
@ -473,17 +473,17 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
ret = 1;
goto err;
}
if (!BN_to_montgomery(val[0], aa, mont, ctx))
if (!bn_to_mont_fixed_top(val[0], aa, mont, ctx))
goto err; /* 1 */
window = BN_window_bits_for_exponent_size(bits);
if (window > 1) {
if (!BN_mod_mul_montgomery(d, val[0], val[0], mont, ctx))
if (!bn_mul_mont_fixed_top(d, val[0], val[0], mont, ctx))
goto err; /* 2 */
j = 1 << (window - 1);
for (i = 1; i < j; i++) {
if (((val[i] = BN_CTX_get(ctx)) == NULL) ||
!BN_mod_mul_montgomery(val[i], val[i - 1], d, mont, ctx))
!bn_mul_mont_fixed_top(val[i], val[i - 1], d, mont, ctx))
goto err;
}
}
@ -505,19 +505,15 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
for (i = 1; i < j; i++)
r->d[i] = (~m->d[i]) & BN_MASK2;
r->top = j;
/*
* Upper words will be zero if the corresponding words of 'm' were
* 0xfff[...], so decrement r->top accordingly.
*/
bn_correct_top(r);
r->flags |= BN_FLG_FIXED_TOP;
} else
#endif
if (!BN_to_montgomery(r, BN_value_one(), mont, ctx))
if (!bn_to_mont_fixed_top(r, BN_value_one(), mont, ctx))
goto err;
for (;;) {
if (BN_is_bit_set(p, wstart) == 0) {
if (!start) {
if (!BN_mod_mul_montgomery(r, r, r, mont, ctx))
if (!bn_mul_mont_fixed_top(r, r, r, mont, ctx))
goto err;
}
if (wstart == 0)
@ -548,12 +544,12 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
/* add the 'bytes above' */
if (!start)
for (i = 0; i < j; i++) {
if (!BN_mod_mul_montgomery(r, r, r, mont, ctx))
if (!bn_mul_mont_fixed_top(r, r, r, mont, ctx))
goto err;
}
/* wvalue will be an odd number < 2^window */
if (!BN_mod_mul_montgomery(r, r, val[wvalue >> 1], mont, ctx))
if (!bn_mul_mont_fixed_top(r, r, val[wvalue >> 1], mont, ctx))
goto err;
/* move the 'window' down further */
@ -563,6 +559,11 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
if (wstart < 0)
break;
}
/*
* Done with zero-padded intermediate BIGNUMs. Final BN_from_montgomery
* removes padding [if any] and makes return value suitable for public
* API consumer.
*/
#if defined(SPARC_T4_MONT)
if (OPENSSL_sparcv9cap_P[0] & (SPARCV9_VIS3 | SPARCV9_PREFER_FPU)) {
j = mont->N.top; /* borrow j */
@ -681,7 +682,7 @@ static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top,
}
b->top = top;
bn_correct_top(b);
b->flags |= BN_FLG_FIXED_TOP;
return 1;
}
@ -733,8 +734,8 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
*/
bits = p->top * BN_BITS2;
if (bits == 0) {
/* x**0 mod 1 is still zero. */
if (BN_is_one(m)) {
/* x**0 mod 1, or x**0 mod -1 is still zero. */
if (BN_abs_is_word(m, 1)) {
ret = 1;
BN_zero(rr);
} else {
@ -852,16 +853,16 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
tmp.top = top;
} else
#endif
if (!BN_to_montgomery(&tmp, BN_value_one(), mont, ctx))
if (!bn_to_mont_fixed_top(&tmp, BN_value_one(), mont, ctx))
goto err;
/* prepare a^1 in Montgomery domain */
if (a->neg || BN_ucmp(a, m) >= 0) {
if (!BN_mod(&am, a, m, ctx))
goto err;
if (!BN_to_montgomery(&am, &am, mont, ctx))
if (!bn_to_mont_fixed_top(&am, &am, mont, ctx))
goto err;
} else if (!BN_to_montgomery(&am, a, mont, ctx))
} else if (!bn_to_mont_fixed_top(&am, a, mont, ctx))
goto err;
#if defined(SPARC_T4_MONT)
@ -1128,14 +1129,14 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
* performance advantage of sqr over mul).
*/
if (window > 1) {
if (!BN_mod_mul_montgomery(&tmp, &am, &am, mont, ctx))
if (!bn_mul_mont_fixed_top(&tmp, &am, &am, mont, ctx))
goto err;
if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, powerbuf, 2,
window))
goto err;
for (i = 3; i < numPowers; i++) {
/* Calculate a^i = a^(i-1) * a */
if (!BN_mod_mul_montgomery(&tmp, &am, &tmp, mont, ctx))
if (!bn_mul_mont_fixed_top(&tmp, &am, &tmp, mont, ctx))
goto err;
if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, powerbuf, i,
window))
@ -1159,7 +1160,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
/* Scan the window, squaring the result as we go */
for (i = 0; i < window; i++, bits--) {
if (!BN_mod_mul_montgomery(&tmp, &tmp, &tmp, mont, ctx))
if (!bn_mul_mont_fixed_top(&tmp, &tmp, &tmp, mont, ctx))
goto err;
wvalue = (wvalue << 1) + BN_is_bit_set(p, bits);
}
@ -1172,12 +1173,16 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
goto err;
/* Multiply the result into the intermediate result */
if (!BN_mod_mul_montgomery(&tmp, &tmp, &am, mont, ctx))
if (!bn_mul_mont_fixed_top(&tmp, &tmp, &am, mont, ctx))
goto err;
}
}
/* Convert the final result from montgomery to standard format */
/*
* Done with zero-padded intermediate BIGNUMs. Final BN_from_montgomery
* removes padding [if any] and makes return value suitable for public
* API consumer.
*/
#if defined(SPARC_T4_MONT)
if (OPENSSL_sparcv9cap_P[0] & (SPARCV9_VIS3 | SPARCV9_PREFER_FPU)) {
am.d[0] = 1; /* borrow am */
@ -1247,8 +1252,8 @@ int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p,
bits = BN_num_bits(p);
if (bits == 0) {
/* x**0 mod 1 is still zero. */
if (BN_is_one(m)) {
/* x**0 mod 1, or x**0 mod -1 is still zero. */
if (BN_abs_is_word(m, 1)) {
ret = 1;
BN_zero(rr);
} else {
@ -1369,9 +1374,9 @@ int BN_mod_exp_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
}
bits = BN_num_bits(p);
if (bits == 0) {
/* x**0 mod 1 is still zero. */
if (BN_is_one(m)) {
if (bits == 0) {
/* x**0 mod 1, or x**0 mod -1 is still zero. */
if (BN_abs_is_word(m, 1)) {
ret = 1;
BN_zero(r);
} else {
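Review bot: MOD_EXP_CTIME_COPY_FROM_PREBUF now sets `b->top = top` and `b->flags |= BN_FLG_FIXED_TOP` instead of calling `bn_correct_top(b)`, and the reason is only explained much later in the `Done with zero-padded intermediate BIGNUMs` comment, presumably so that the intermediate's length does not depend on its value. A why-comment at the point of change would help the next reader, e.g. `/* Leave b zero-padded (fixed top); the final BN_from_montgomery strips the padding, see the comment at the end of the exponentiation loop. */`. The same switch to the `bn_*_fixed_top` helpers is made throughout BN_mod_exp_mont and BN_mod_exp_mont_consttime in this file, so one comment near the first use is enough. Both functions, and COPY_FROM_PREBUF, are cut by the hunk boundaries.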
@ -36,7 +36,7 @@
*/
/* ====================================================================
* Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
* Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@ -103,30 +103,32 @@
*/
# define MAX_ITERATIONS 50
static const BN_ULONG SQR_tb[16] = { 0, 1, 4, 5, 16, 17, 20, 21,
64, 65, 68, 69, 80, 81, 84, 85
};
# define SQR_nibble(w) ((((w) & 8) << 3) \
| (((w) & 4) << 2) \
| (((w) & 2) << 1) \
| ((w) & 1))
/* Platform-specific macros to accelerate squaring. */
# if defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG)
# define SQR1(w) \
SQR_tb[(w) >> 60 & 0xF] << 56 | SQR_tb[(w) >> 56 & 0xF] << 48 | \
SQR_tb[(w) >> 52 & 0xF] << 40 | SQR_tb[(w) >> 48 & 0xF] << 32 | \
SQR_tb[(w) >> 44 & 0xF] << 24 | SQR_tb[(w) >> 40 & 0xF] << 16 | \
SQR_tb[(w) >> 36 & 0xF] << 8 | SQR_tb[(w) >> 32 & 0xF]
SQR_nibble((w) >> 60) << 56 | SQR_nibble((w) >> 56) << 48 | \
SQR_nibble((w) >> 52) << 40 | SQR_nibble((w) >> 48) << 32 | \
SQR_nibble((w) >> 44) << 24 | SQR_nibble((w) >> 40) << 16 | \
SQR_nibble((w) >> 36) << 8 | SQR_nibble((w) >> 32)
# define SQR0(w) \
SQR_tb[(w) >> 28 & 0xF] << 56 | SQR_tb[(w) >> 24 & 0xF] << 48 | \
SQR_tb[(w) >> 20 & 0xF] << 40 | SQR_tb[(w) >> 16 & 0xF] << 32 | \
SQR_tb[(w) >> 12 & 0xF] << 24 | SQR_tb[(w) >> 8 & 0xF] << 16 | \
SQR_tb[(w) >> 4 & 0xF] << 8 | SQR_tb[(w) & 0xF]
SQR_nibble((w) >> 28) << 56 | SQR_nibble((w) >> 24) << 48 | \
SQR_nibble((w) >> 20) << 40 | SQR_nibble((w) >> 16) << 32 | \
SQR_nibble((w) >> 12) << 24 | SQR_nibble((w) >> 8) << 16 | \
SQR_nibble((w) >> 4) << 8 | SQR_nibble((w) )
# endif
# ifdef THIRTY_TWO_BIT
# define SQR1(w) \
SQR_tb[(w) >> 28 & 0xF] << 24 | SQR_tb[(w) >> 24 & 0xF] << 16 | \
SQR_tb[(w) >> 20 & 0xF] << 8 | SQR_tb[(w) >> 16 & 0xF]
SQR_nibble((w) >> 28) << 24 | SQR_nibble((w) >> 24) << 16 | \
SQR_nibble((w) >> 20) << 8 | SQR_nibble((w) >> 16)
# define SQR0(w) \
SQR_tb[(w) >> 12 & 0xF] << 24 | SQR_tb[(w) >> 8 & 0xF] << 16 | \
SQR_tb[(w) >> 4 & 0xF] << 8 | SQR_tb[(w) & 0xF]
SQR_nibble((w) >> 12) << 24 | SQR_nibble((w) >> 8) << 16 | \
SQR_nibble((w) >> 4) << 8 | SQR_nibble((w) )
# endif
# if !defined(OPENSSL_BN_ASM_GF2m)
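Review bot: The SQR1/SQR0 macros now compute each nibble's square with SQR_nibble instead of indexing SQR_tb, and nothing in the hunk says why; presumably the point is that squaring no longer indexes memory by bits of the operand, which a reader will otherwise see as a pointless rewrite of a lookup table. Suggest a comment above SQR_nibble: `/* Spread the 4 bits of w to even bit positions arithmetically rather than via a table, so no memory access depends on the operand's bits. */`. The rendering loses the +/- markers, so I cannot tell whether the SQR_tb definition shown above is retained or removed; if it stays it is no longer referenced in this hunk.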
@ -56,7 +56,7 @@
* [including the GNU Public Licence.]
*/
/* ====================================================================
* Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
* Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@ -113,6 +113,7 @@
# define HEADER_BN_LCL_H
# include <openssl/bn.h>
# include "bn_int.h"
#ifdef __cplusplus
extern "C" {
@ -263,8 +263,6 @@ static BN_ULONG *bn_expand_internal(const BIGNUM *b, int words)
const BN_ULONG *B;
int i;
bn_check_top(b);
if (words > (INT_MAX / (4 * BN_BITS2))) {
BNerr(BN_F_BN_EXPAND_INTERNAL, BN_R_BIGNUM_TOO_LONG);
return NULL;
@ -398,8 +396,6 @@ BIGNUM *bn_dup_expand(const BIGNUM *b, int words)
BIGNUM *bn_expand2(BIGNUM *b, int words)
{
bn_check_top(b);
if (words > b->dmax) {
BN_ULONG *a = bn_expand_internal(b, words);
if (!a)
@ -433,7 +429,6 @@ BIGNUM *bn_expand2(BIGNUM *b, int words)
assert(A == &(b->d[b->dmax]));
}
#endif
bn_check_top(b);
return b;
}
@ -497,12 +492,18 @@ BIGNUM *BN_copy(BIGNUM *a, const BIGNUM *b)
memcpy(a->d, b->d, sizeof(b->d[0]) * b->top);
#endif
a->top = b->top;
a->neg = b->neg;
a->top = b->top;
a->flags |= b->flags & BN_FLG_FIXED_TOP;
bn_check_top(a);
return (a);
}
#define FLAGS_DATA(flags) ((flags) & (BN_FLG_STATIC_DATA \
| BN_FLG_CONSTTIME \
| BN_FLG_FIXED_TOP))
#define FLAGS_STRUCT(flags) ((flags) & (BN_FLG_MALLOCED))
void BN_swap(BIGNUM *a, BIGNUM *b)
{
int flags_old_a, flags_old_b;
@ -530,10 +531,8 @@ void BN_swap(BIGNUM *a, BIGNUM *b)
b->dmax = tmp_dmax;
b->neg = tmp_neg;
a->flags =
(flags_old_a & BN_FLG_MALLOCED) | (flags_old_b & BN_FLG_STATIC_DATA);
b->flags =
(flags_old_b & BN_FLG_MALLOCED) | (flags_old_a & BN_FLG_STATIC_DATA);
a->flags = FLAGS_STRUCT(flags_old_a) | FLAGS_DATA(flags_old_b);
b->flags = FLAGS_STRUCT(flags_old_b) | FLAGS_DATA(flags_old_a);
bn_check_top(a);
bn_check_top(b);
}
@ -545,6 +544,7 @@ void BN_clear(BIGNUM *a)
OPENSSL_cleanse(a->d, a->dmax * sizeof(a->d[0]));
a->top = 0;
a->neg = 0;
a->flags &= ~BN_FLG_FIXED_TOP;
}
BN_ULONG BN_get_word(const BIGNUM *a)
@ -565,6 +565,7 @@ int BN_set_word(BIGNUM *a, BN_ULONG w)
a->neg = 0;
a->d[0] = w;
a->top = (w ? 1 : 0);
a->flags &= ~BN_FLG_FIXED_TOP;
bn_check_top(a);
return (1);
}
@ -613,6 +614,55 @@ BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret)
}
/* ignore negative */
static int bn2binpad(const BIGNUM *a, unsigned char *to, int tolen)
{
int n;
size_t i, lasti, j, atop, mask;
BN_ULONG l;
/*
* In case |a| is fixed-top, BN_num_bytes can return bogus length,
* but it's assumed that fixed-top inputs ought to be "nominated"
* even for padded output, so it works out...
*/
n = BN_num_bytes(a);
if (tolen == -1) {
tolen = n;
} else if (tolen < n) { /* uncommon/unlike case */
BIGNUM temp = *a;
bn_correct_top(&temp);
n = BN_num_bytes(&temp);
if (tolen < n)
return -1;
}
/* Swipe through whole available data and don't give away padded zero. */
atop = a->dmax * BN_BYTES;
if (atop == 0) {
OPENSSL_cleanse(to, tolen);
return tolen;
}
lasti = atop - 1;
atop = a->top * BN_BYTES;
for (i = 0, j = 0, to += tolen; j < (size_t)tolen; j++) {
l = a->d[i / BN_BYTES];
mask = 0 - ((j - atop) >> (8 * sizeof(i) - 1));
*--to = (unsigned char)(l >> (8 * (i % BN_BYTES)) & mask);
i += (i - lasti) >> (8 * sizeof(i) - 1); /* stay on last limb */
}
return tolen;
}
int bn_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen)
{
if (tolen < 0)
return -1;
return bn2binpad(a, to, tolen);
}
int BN_bn2bin(const BIGNUM *a, unsigned char *to)
{
int n, i;
@ -711,6 +761,7 @@ int BN_set_bit(BIGNUM *a, int n)
for (k = a->top; k < i + 1; k++)
a->d[k] = 0;
a->top = i + 1;
a->flags &= ~BN_FLG_FIXED_TOP;
}
a->d[i] |= (((BN_ULONG)1) << j);
@ -852,6 +903,38 @@ void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords)
a->top ^= t;
b->top ^= t;
t = (a->neg ^ b->neg) & condition;
a->neg ^= t;
b->neg ^= t;
/*-
* BN_FLG_STATIC_DATA: indicates that data may not be written to. Intention
* is actually to treat it as it's read-only data, and some (if not most)
* of it does reside in read-only segment. In other words observation of
* BN_FLG_STATIC_DATA in BN_consttime_swap should be treated as fatal
* condition. It would either cause SEGV or effectively cause data
* corruption.
*
* BN_FLG_MALLOCED: refers to BN structure itself, and hence must be
* preserved.
*
* BN_FLG_SECURE: must be preserved, because it determines how x->d was
* allocated and hence how to free it.
*
* BN_FLG_CONSTTIME: sufficient to mask and swap
*
* BN_FLG_FIXED_TOP: indicates that we haven't called bn_correct_top() on
* the data, so the d array may be padded with additional 0 values (i.e.
* top could be greater than the minimal value that it could be). We should
* be swapping it
*/
#define BN_CONSTTIME_SWAP_FLAGS (BN_FLG_CONSTTIME | BN_FLG_FIXED_TOP)
t = ((a->flags ^ b->flags) & BN_CONSTTIME_SWAP_FLAGS) & condition;
a->flags ^= t;
b->flags ^= t;
#define BN_CONSTTIME_SWAP(ind) \
do { \
t = (a->d[ind] ^ b->d[ind]) & condition; \
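Review bot: The new static bn2binpad carries only `/* ignore negative */`, yet it is the most intricate new code in this section: every iteration reads a limb and masks it with `0 - ((j - atop) >> ...)`, which is all-ones exactly while `j < a->top * BN_BYTES`, and `i += (i - lasti) >> ...` stops advancing once the last allocated limb byte is reached, so the loop touches `tolen` bytes regardless of a->top. A header comment should say so, e.g. `/* Write |a| big-endian into the tolen-byte buffer at to, left-padded with zeros. Every step reads a limb and masks it, so the work done depends on tolen and a->dmax, not on a->top; tolen == -1 means exactly BN_num_bytes(a). Returns tolen, or -1 if a does not fit. */`. Separately, the comment added to BN_consttime_swap lists `BN_FLG_SECURE`, which as far as I know is not a flag this 1.0.2 tree defines, so that paragraph appears to be carried over from a newer branch. BN_bn2bin and the rest of the section's hunks are cut at their boundaries.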
@ -4,7 +4,7 @@
* for the OpenSSL project.
*/
/* ====================================================================
* Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
* Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@ -149,16 +149,72 @@ int BN_mod_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m,
|
||||
/*
|
||||
* BN_mod_add variant that may be used if both a and b are non-negative and
|
||||
* less than m
|
||||
* less than m. The original algorithm was
|
||||
*
|
||||
* if (!BN_uadd(r, a, b))
|
||||
* return 0;
|
||||
* if (BN_ucmp(r, m) >= 0)
|
||||
* return BN_usub(r, r, m);
|
||||
*
|
||||
* which is replaced with addition, subtracting modulus, and conditional
|
||||
* move depending on whether or not subtraction borrowed.
|
||||
*/
|
||||
int bn_mod_add_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
|
||||
const BIGNUM *m)
|
||||
{
|
||||
size_t i, ai, bi, mtop = m->top;
|
||||
BN_ULONG storage[1024 / BN_BITS2];
|
||||
BN_ULONG carry, temp, mask, *rp, *tp = storage;
|
||||
const BN_ULONG *ap, *bp;
|
||||
|
||||
if (bn_wexpand(r, m->top) == NULL)
|
||||
return 0;
|
||||
|
||||
if (mtop > sizeof(storage) / sizeof(storage[0])
|
||||
&& (tp = OPENSSL_malloc(mtop * sizeof(BN_ULONG))) == NULL)
|
||||
return 0;
|
||||
|
||||
ap = a->d != NULL ? a->d : tp;
|
||||
bp = b->d != NULL ? b->d : tp;
|
||||
|
||||
for (i = 0, ai = 0, bi = 0, carry = 0; i < mtop;) {
|
||||
mask = (BN_ULONG)0 - ((i - a->top) >> (8 * sizeof(i) - 1));
|
||||
temp = ((ap[ai] & mask) + carry) & BN_MASK2;
|
||||
carry = (temp < carry);
|
||||
|
||||
mask = (BN_ULONG)0 - ((i - b->top) >> (8 * sizeof(i) - 1));
|
||||
tp[i] = ((bp[bi] & mask) + temp) & BN_MASK2;
|
||||
carry += (tp[i] < temp);
|
||||
|
||||
i++;
|
||||
ai += (i - a->dmax) >> (8 * sizeof(i) - 1);
|
||||
bi += (i - b->dmax) >> (8 * sizeof(i) - 1);
|
||||
}
|
||||
rp = r->d;
|
||||
carry -= bn_sub_words(rp, tp, m->d, mtop);
|
||||
for (i = 0; i < mtop; i++) {
|
||||
rp[i] = (carry & tp[i]) | (~carry & rp[i]);
|
||||
((volatile BN_ULONG *)tp)[i] = 0;
|
||||
}
|
||||
r->top = mtop;
|
||||
r->flags |= BN_FLG_FIXED_TOP;
|
||||
r->neg = 0;
|
||||
|
||||
if (tp != storage)
|
||||
OPENSSL_free(tp);
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
int BN_mod_add_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
|
||||
const BIGNUM *m)
|
||||
{
|
||||
if (!BN_uadd(r, a, b))
|
||||
return 0;
|
||||
if (BN_ucmp(r, m) >= 0)
|
||||
return BN_usub(r, r, m);
|
||||
return 1;
|
||||
int ret = bn_mod_add_fixed_top(r, a, b, m);
|
||||
|
||||
if (ret)
|
||||
bn_correct_top(r);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
int BN_mod_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m,
|
||||
|
@ -169,6 +225,70 @@ int BN_mod_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m,
return BN_nnmod(r, r, m, ctx);
|
||||
}
|
||||
|
||||
/*
|
||||
* BN_mod_sub variant that may be used if both a and b are non-negative,
|
||||
* a is less than m, while b is of same bit width as m. It's implemented
|
||||
* as subtraction followed by two conditional additions.
|
||||
*
|
||||
* 0 <= a < m
|
||||
* 0 <= b < 2^w < 2*m
|
||||
*
|
||||
* after subtraction
|
||||
*
|
||||
* -2*m < r = a - b < m
|
||||
*
|
||||
* Thus it takes up to two conditional additions to make |r| positive.
|
||||
*/
|
||||
int bn_mod_sub_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
|
||||
const BIGNUM *m)
|
||||
{
|
||||
size_t i, ai, bi, mtop = m->top;
|
||||
BN_ULONG borrow, carry, ta, tb, mask, *rp;
|
||||
const BN_ULONG *ap, *bp;
|
||||
|
||||
if (bn_wexpand(r, m->top) == NULL)
|
||||
return 0;
|
||||
|
||||
rp = r->d;
|
||||
ap = a->d != NULL ? a->d : rp;
|
||||
bp = b->d != NULL ? b->d : rp;
|
||||
|
||||
for (i = 0, ai = 0, bi = 0, borrow = 0; i < mtop;) {
|
||||
mask = (BN_ULONG)0 - ((i - a->top) >> (8 * sizeof(i) - 1));
|
||||
ta = ap[ai] & mask;
|
||||
|
||||
mask = (BN_ULONG)0 - ((i - b->top) >> (8 * sizeof(i) - 1));
|
||||
tb = bp[bi] & mask;
|
||||
rp[i] = ta - tb - borrow;
|
||||
if (ta != tb)
|
||||
borrow = (ta < tb);
|
||||
|
||||
i++;
|
||||
ai += (i - a->dmax) >> (8 * sizeof(i) - 1);
|
||||
bi += (i - b->dmax) >> (8 * sizeof(i) - 1);
|
||||
}
|
||||
ap = m->d;
|
||||
for (i = 0, mask = 0 - borrow, carry = 0; i < mtop; i++) {
|
||||
ta = ((ap[i] & mask) + carry) & BN_MASK2;
|
||||
carry = (ta < carry);
|
||||
rp[i] = (rp[i] + ta) & BN_MASK2;
|
||||
carry += (rp[i] < ta);
|
||||
}
|
||||
borrow -= carry;
|
||||
for (i = 0, mask = 0 - borrow, carry = 0; i < mtop; i++) {
|
||||
ta = ((ap[i] & mask) + carry) & BN_MASK2;
|
||||
carry = (ta < carry);
|
||||
rp[i] = (rp[i] + ta) & BN_MASK2;
|
||||
carry += (rp[i] < ta);
|
||||
}
|
||||
|
||||
r->top = mtop;
|
||||
r->flags |= BN_FLG_FIXED_TOP;
|
||||
r->neg = 0;
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
/*
|
||||
* BN_mod_sub variant that may be used if both a and b are non-negative and
|
||||
* less than m
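Review bot: `if (ta != tb) borrow = (ta < tb);` in the first loop of bn_mod_sub_fixed_top is a branch on operand words, whereas everything else in this routine and in bn_mod_add_fixed_top from the previous hunk is written with masks and conditional moves. Whether the compiler turns it into a conditional move or a real branch is not guaranteed, so this is the one place in the two new helpers where timing may depend on the values; a branch-free equivalent is `borrow = (ta < tb) | ((ta == tb) & borrow);`. Both helper bodies are complete within their hunks, and since the file is pristine upstream source the change belongs upstream rather than in a local patch.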
@ -123,11 +123,22 @@
#define MONT_WORD /* use the faster word-based algorithm */
|
||||
|
||||
#ifdef MONT_WORD
|
||||
static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont);
|
||||
static int bn_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont);
|
||||
#endif
|
||||
|
||||
int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
|
||||
BN_MONT_CTX *mont, BN_CTX *ctx)
|
||||
{
|
||||
int ret = bn_mul_mont_fixed_top(r, a, b, mont, ctx);
|
||||
|
||||
bn_correct_top(r);
|
||||
bn_check_top(r);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
int bn_mul_mont_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
|
||||
BN_MONT_CTX *mont, BN_CTX *ctx)
|
||||
{
|
||||
BIGNUM *tmp;
|
||||
int ret = 0;
|
||||
|
@ -140,8 +151,8 @@ int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
if (bn_mul_mont(r->d, a->d, b->d, mont->N.d, mont->n0, num)) {
|
||||
r->neg = a->neg ^ b->neg;
|
||||
r->top = num;
|
||||
bn_correct_top(r);
|
||||
return (1);
|
||||
r->flags |= BN_FLG_FIXED_TOP;
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
@ -153,21 +164,20 @@ int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
|
||||
bn_check_top(tmp);
|
||||
if (a == b) {
|
||||
if (!BN_sqr(tmp, a, ctx))
|
||||
if (!bn_sqr_fixed_top(tmp, a, ctx))
|
||||
goto err;
|
||||
} else {
|
||||
if (!BN_mul(tmp, a, b, ctx))
|
||||
if (!bn_mul_fixed_top(tmp, a, b, ctx))
|
||||
goto err;
|
||||
}
|
||||
/* reduce from aRR to aR */
|
||||
#ifdef MONT_WORD
|
||||
if (!BN_from_montgomery_word(r, tmp, mont))
|
||||
if (!bn_from_montgomery_word(r, tmp, mont))
|
||||
goto err;
|
||||
#else
|
||||
if (!BN_from_montgomery(r, tmp, mont, ctx))
|
||||
goto err;
|
||||
#endif
|
||||
bn_check_top(r);
|
||||
ret = 1;
|
||||
err:
|
||||
BN_CTX_end(ctx);
|
||||
|
@ -175,11 +185,12 @@ int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
}
|
||||
|
||||
#ifdef MONT_WORD
|
||||
static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont)
|
||||
static int bn_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont)
|
||||
{
|
||||
BIGNUM *n;
|
||||
BN_ULONG *ap, *np, *rp, n0, v, carry;
|
||||
int nl, max, i;
|
||||
unsigned int rtop;
|
||||
|
||||
n = &(mont->N);
|
||||
nl = n->top;
|
||||
|
@ -197,14 +208,13 @@ static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont)
rp = r->d;
|
||||
|
||||
/* clear the top words of T */
|
||||
# if 1
|
||||
for (i = r->top; i < max; i++) /* memset? XXX */
|
||||
rp[i] = 0;
|
||||
# else
|
||||
memset(&(rp[r->top]), 0, (max - r->top) * sizeof(BN_ULONG));
|
||||
# endif
|
||||
for (rtop = r->top, i = 0; i < max; i++) {
|
||||
v = (BN_ULONG)0 - ((i - rtop) >> (8 * sizeof(rtop) - 1));
|
||||
rp[i] &= v;
|
||||
}
|
||||
|
||||
r->top = max;
|
||||
r->flags |= BN_FLG_FIXED_TOP;
|
||||
n0 = mont->n0[0];
|
||||
|
||||
/*
|
||||
|
@ -223,6 +233,7 @@ static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont)
if (bn_wexpand(ret, nl) == NULL)
|
||||
return (0);
|
||||
ret->top = nl;
|
||||
ret->flags |= BN_FLG_FIXED_TOP;
|
||||
ret->neg = r->neg;
|
||||
|
||||
rp = ret->d;
|
||||
|
@ -233,20 +244,16 @@ static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont)
*/
|
||||
ap = &(r->d[nl]);
|
||||
|
||||
carry -= bn_sub_words(rp, ap, np, nl);
|
||||
/*
|
||||
* |v| is one if |ap| - |np| underflowed or zero if it did not. Note |v|
|
||||
* cannot be -1. That would imply the subtraction did not fit in |nl| words,
|
||||
* and we know at most one subtraction is needed.
|
||||
* |carry| is -1 if |ap| - |np| underflowed or zero if it did not. Note
|
||||
* |carry| cannot be 1. That would imply the subtraction did not fit in
|
||||
* |nl| words, and we know at most one subtraction is needed.
|
||||
*/
|
||||
v = bn_sub_words(rp, ap, np, nl) - carry;
|
||||
v = 0 - v;
|
||||
for (i = 0; i < nl; i++) {
|
||||
rp[i] = (v & ap[i]) | (~v & rp[i]);
|
||||
rp[i] = (carry & ap[i]) | (~carry & rp[i]);
|
||||
ap[i] = 0;
|
||||
}
|
||||
bn_correct_top(r);
|
||||
bn_correct_top(ret);
|
||||
bn_check_top(ret);
|
||||
|
||||
return (1);
|
||||
}
|
||||
|
@ -254,14 +261,27 @@ static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont)
|
||||
int BN_from_montgomery(BIGNUM *ret, const BIGNUM *a, BN_MONT_CTX *mont,
|
||||
BN_CTX *ctx)
|
||||
{
|
||||
int retn;
|
||||
|
||||
retn = bn_from_mont_fixed_top(ret, a, mont, ctx);
|
||||
bn_correct_top(ret);
|
||||
bn_check_top(ret);
|
||||
|
||||
return retn;
|
||||
}
|
||||
|
||||
int bn_from_mont_fixed_top(BIGNUM *ret, const BIGNUM *a, BN_MONT_CTX *mont,
|
||||
BN_CTX *ctx)
|
||||
{
|
||||
int retn = 0;
|
||||
#ifdef MONT_WORD
|
||||
BIGNUM *t;
|
||||
|
||||
BN_CTX_start(ctx);
|
||||
if ((t = BN_CTX_get(ctx)) && BN_copy(t, a))
|
||||
retn = BN_from_montgomery_word(ret, t, mont);
|
||||
if ((t = BN_CTX_get(ctx)) && BN_copy(t, a)) {
|
||||
retn = bn_from_montgomery_word(ret, t, mont);
|
||||
}
|
||||
BN_CTX_end(ctx);
|
||||
#else /* !MONT_WORD */
|
||||
BIGNUM *t1, *t2;
|
||||
|
@ -299,6 +319,12 @@ int BN_from_montgomery(BIGNUM *ret, const BIGNUM *a, BN_MONT_CTX *mont,
return (retn);
|
||||
}
|
||||
|
||||
int bn_to_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
|
||||
BN_CTX *ctx)
|
||||
{
|
||||
return bn_mul_mont_fixed_top(r, a, &(mont->RR), mont, ctx);
|
||||
}
|
||||
|
||||
BN_MONT_CTX *BN_MONT_CTX_new(void)
|
||||
{
|
||||
BN_MONT_CTX *ret;
|
||||
|
@ -335,7 +361,7 @@ void BN_MONT_CTX_free(BN_MONT_CTX *mont)
|
||||
int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
|
||||
{
|
||||
int ret = 0;
|
||||
int i, ret = 0;
|
||||
BIGNUM *Ri, *R;
|
||||
|
||||
if (BN_is_zero(mod))
|
||||
|
@ -466,6 +492,11 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
if (!BN_mod(&(mont->RR), &(mont->RR), &(mont->N), ctx))
|
||||
goto err;
|
||||
|
||||
for (i = mont->RR.top, ret = mont->N.top; i < ret; i++)
|
||||
mont->RR.d[i] = 0;
|
||||
mont->RR.top = ret;
|
||||
mont->RR.flags |= BN_FLG_FIXED_TOP;
|
||||
|
||||
ret = 1;
|
||||
err:
|
||||
BN_CTX_end(ctx);
|
||||
|
|
|
@ -935,6 +935,16 @@ void bn_mul_high(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, BN_ULONG *l, int n2,
#endif /* BN_RECURSION */
|
||||
|
||||
int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
|
||||
{
|
||||
int ret = bn_mul_fixed_top(r, a, b, ctx);
|
||||
|
||||
bn_correct_top(r);
|
||||
bn_check_top(r);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
int bn_mul_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
|
||||
{
|
||||
int ret = 0;
|
||||
int top, al, bl;
|
||||
|
@ -1042,7 +1052,7 @@ int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
#if defined(BN_MUL_COMBA) || defined(BN_RECURSION)
|
||||
end:
|
||||
#endif
|
||||
bn_correct_top(rr);
|
||||
rr->flags |= BN_FLG_FIXED_TOP;
|
||||
if (r != rr && BN_copy(r, rr) == NULL)
|
||||
goto err;
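Review bot: The zero-fill added to BN_MONT_CTX_set, `for (i = mont->RR.top, ret = mont->N.top; i < ret; i++)`, reuses the function's return variable as the loop bound, so `ret` holds a word count until `ret = 1` three lines later; any failure check inserted between the two would make the function return N.top on error. A dedicated local, e.g. `int ntop = mont->N.top;` used for the bound and for `mont->RR.top = ntop;`, keeps the error-path convention intact. The loop also writes RR.d up to N.top words without an expansion in this hunk, which presumably rests on an earlier bn_wexpand or BN_set_bit on RR outside the visible lines — worth confirming. BN_MONT_CTX_set starts and ends outside the hunk.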
@ -65,6 +65,16 @@
* I've just gone over this and it is now %20 faster on x86 - eay - 27 Jun 96
|
||||
*/
|
||||
int BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx)
|
||||
{
|
||||
int ret = bn_sqr_fixed_top(r, a, ctx);
|
||||
|
||||
bn_correct_top(r);
|
||||
bn_check_top(r);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
int bn_sqr_fixed_top(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx)
|
||||
{
|
||||
int max, al;
|
||||
int ret = 0;
|
||||
|
@ -135,14 +145,8 @@ int BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx)
}
|
||||
|
||||
rr->neg = 0;
|
||||
/*
|
||||
* If the most-significant half of the top word of 'a' is zero, then the
|
||||
* square of 'a' will max-1 words.
|
||||
*/
|
||||
if (a->d[al - 1] == (a->d[al - 1] & BN_MASK2l))
|
||||
rr->top = max - 1;
|
||||
else
|
||||
rr->top = max;
|
||||
rr->top = max;
|
||||
rr->flags |= BN_FLG_FIXED_TOP;
|
||||
if (r != rr && BN_copy(r, rr) == NULL)
|
||||
goto err;
@ -4,7 +4,7 @@
* 2005.
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 2005 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 2005-2018 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
|
@ -223,8 +223,10 @@ int BN_X931_generate_Xpq(BIGNUM *Xp, BIGNUM *Xq, int nbits, BN_CTX *ctx)
for (i = 0; i < 1000; i++) {
|
||||
if (!BN_rand(Xq, nbits, 1, 0))
|
||||
goto err;
|
||||
|
||||
/* Check that |Xp - Xq| > 2^(nbits - 100) */
|
||||
BN_sub(t, Xp, Xq);
|
||||
if (!BN_sub(t, Xp, Xq))
|
||||
goto err;
|
||||
if (BN_num_bits(t) > (nbits - 100))
|
||||
break;
|
||||
}
@ -0,0 +1,21 @@
/*
|
||||
* Some BIGNUM functions assume most significant limb to be non-zero, which
|
||||
* is customarily arranged by bn_correct_top. Output from below functions
|
||||
* is not processed with bn_correct_top, and for this reason it may not be
|
||||
* returned out of public API. It may only be passed internally into other
|
||||
* functions known to support non-minimal or zero-padded BIGNUMs.
|
||||
*/
|
||||
int bn_mul_mont_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
|
||||
BN_MONT_CTX *mont, BN_CTX *ctx);
|
||||
int bn_from_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
|
||||
BN_CTX *ctx);
|
||||
int bn_to_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
|
||||
BN_CTX *ctx);
|
||||
int bn_mod_add_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
|
||||
const BIGNUM *m);
|
||||
int bn_mod_sub_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
|
||||
const BIGNUM *m);
|
||||
int bn_mul_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
|
||||
int bn_sqr_fixed_top(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx);
|
||||
|
||||
int bn_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen);
@ -66,6 +66,7 @@
#include <assert.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include "cryptlib.h"
|
||||
#include <openssl/conf.h>
|
||||
#include <openssl/conf_api.h>
|
||||
#include "e_os.h"
|
||||
|
@ -141,7 +142,7 @@ char *_CONF_get_string(const CONF *conf, const char *section,
if (v != NULL)
|
||||
return (v->value);
|
||||
if (strcmp(section, "ENV") == 0) {
|
||||
p = getenv(name);
|
||||
p = ossl_safe_getenv(name);
|
||||
if (p != NULL)
|
||||
return (p);
|
||||
}
|
||||
|
@ -154,7 +155,7 @@ char *_CONF_get_string(const CONF *conf, const char *section,
else
|
||||
return (NULL);
|
||||
} else
|
||||
return (getenv(name));
|
||||
return (ossl_safe_getenv(name));
|
||||
}
|
||||
|
||||
#if 0 /* There's no way to provide error checking
|
||||
|
@ -290,6 +291,8 @@ CONF_VALUE *_CONF_new_section(CONF *conf, const char *section)
|
||||
vv = lh_CONF_VALUE_insert(conf->data, v);
|
||||
OPENSSL_assert(vv == NULL);
|
||||
if (lh_CONF_VALUE_error(conf->data) > 0)
|
||||
goto err;
|
||||
ok = 1;
|
||||
err:
|
||||
if (!ok) {
@ -4,7 +4,7 @@
* 2001.
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 2001 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 2001-2018 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
|
@ -530,7 +530,7 @@ char *CONF_get1_default_config_file(void)
char *file;
|
||||
int len;
|
||||
|
||||
file = getenv("OPENSSL_CONF");
|
||||
file = ossl_safe_getenv("OPENSSL_CONF");
|
||||
if (file)
|
||||
return BUF_strdup(file);
@ -104,6 +104,8 @@ void OPENSSL_showfatal(const char *fmta, ...);
void *OPENSSL_stderr(void);
|
||||
extern int OPENSSL_NONPIC_relocated;
|
||||
|
||||
char *ossl_safe_getenv(const char *);
|
||||
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
#endif
@ -130,10 +130,15 @@ static int generate_key(DH *dh)
int ok = 0;
|
||||
int generate_new_key = 0;
|
||||
unsigned l;
|
||||
BN_CTX *ctx;
|
||||
BN_CTX *ctx = NULL;
|
||||
BN_MONT_CTX *mont = NULL;
|
||||
BIGNUM *pub_key = NULL, *priv_key = NULL;
|
||||
|
||||
if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
|
||||
DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE);
|
||||
return 0;
|
||||
}
|
||||
|
||||
ctx = BN_CTX_new();
|
||||
if (ctx == NULL)
|
||||
goto err;
@ -3,7 +3,7 @@
* 2006.
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 2006 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 2006-2018 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
|
@ -486,7 +486,7 @@ static int pkey_dh_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
return ret;
|
||||
}
|
||||
#endif
|
||||
return 1;
|
||||
return 0;
|
||||
}
|
||||
|
||||
const EVP_PKEY_METHOD dh_pkey_meth = {
@ -1,6 +1,6 @@
/* crypto/dsa/dsa_err.c */
|
||||
/* ====================================================================
|
||||
* Copyright (c) 1999-2013 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 1999-2018 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
|
@ -95,6 +95,7 @@ static ERR_STRING_DATA DSA_str_functs[] = {
{ERR_FUNC(DSA_F_I2D_DSA_SIG), "i2d_DSA_SIG"},
|
||||
{ERR_FUNC(DSA_F_OLD_DSA_PRIV_DECODE), "OLD_DSA_PRIV_DECODE"},
|
||||
{ERR_FUNC(DSA_F_PKEY_DSA_CTRL), "PKEY_DSA_CTRL"},
|
||||
{ERR_FUNC(DSA_F_PKEY_DSA_CTRL_STR), "PKEY_DSA_CTRL_STR"},
|
||||
{ERR_FUNC(DSA_F_PKEY_DSA_KEYGEN), "PKEY_DSA_KEYGEN"},
|
||||
{ERR_FUNC(DSA_F_SIG_CB), "SIG_CB"},
|
||||
{0, NULL}
@ -146,9 +146,16 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
/* invalid q size */
|
||||
return 0;
|
||||
|
||||
if (evpmd == NULL)
|
||||
/* use SHA1 as default */
|
||||
evpmd = EVP_sha1();
|
||||
if (evpmd == NULL) {
|
||||
if (qsize == SHA_DIGEST_LENGTH)
|
||||
evpmd = EVP_sha1();
|
||||
else if (qsize == SHA224_DIGEST_LENGTH)
|
||||
evpmd = EVP_sha224();
|
||||
else
|
||||
evpmd = EVP_sha256();
|
||||
} else {
|
||||
qsize = EVP_MD_size(evpmd);
|
||||
}
|
||||
|
||||
if (bits < 512)
|
||||
bits = 512;
|
||||
|
@ -428,6 +435,12 @@ int dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N,
|
||||
EVP_MD_CTX_init(&mctx);
|
||||
|
||||
/* make sure L > N, otherwise we'll get trapped in an infinite loop */
|
||||
if (L <= N) {
|
||||
DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN2, DSA_R_INVALID_PARAMETERS);
|
||||
goto err;
|
||||
}
|
||||
|
||||
if (evpmd == NULL) {
|
||||
if (N == 160)
|
||||
evpmd = EVP_sha1();
@ -73,6 +73,8 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len,
DSA_SIG *sig, DSA *dsa);
|
||||
static int dsa_init(DSA *dsa);
|
||||
static int dsa_finish(DSA *dsa);
|
||||
static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q,
|
||||
BN_CTX *ctx);
|
||||
|
||||
static DSA_METHOD openssl_dsa_meth = {
|
||||
"OpenSSL DSA method",
|
||||
|
@ -133,17 +135,13 @@ const DSA_METHOD *DSA_OpenSSL(void)
static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
|
||||
{
|
||||
BIGNUM *kinv = NULL, *r = NULL, *s = NULL;
|
||||
BIGNUM m;
|
||||
BIGNUM xr;
|
||||
BIGNUM *m, *blind, *blindm, *tmp;
|
||||
BN_CTX *ctx = NULL;
|
||||
int reason = ERR_R_BN_LIB;
|
||||
DSA_SIG *ret = NULL;
|
||||
int noredo = 0;
|
||||
|
||||
BN_init(&m);
|
||||
BN_init(&xr);
|
||||
|
||||
if (!dsa->p || !dsa->q || !dsa->g) {
|
||||
if (dsa->p == NULL || dsa->q == NULL || dsa->g == NULL) {
|
||||
reason = DSA_R_MISSING_PARAMETERS;
|
||||
goto err;
|
||||
}
|
||||
|
@ -154,6 +152,13 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
ctx = BN_CTX_new();
|
||||
if (ctx == NULL)
|
||||
goto err;
|
||||
m = BN_CTX_get(ctx);
|
||||
blind = BN_CTX_get(ctx);
|
||||
blindm = BN_CTX_get(ctx);
|
||||
tmp = BN_CTX_get(ctx);
|
||||
if (tmp == NULL)
|
||||
goto err;
|
||||
|
||||
redo:
|
||||
if ((dsa->kinv == NULL) || (dsa->r == NULL)) {
|
||||
if (!DSA_sign_setup(dsa, ctx, &kinv, &r))
|
||||
|
@ -173,20 +178,52 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
* 4.2
|
||||
*/
|
||||
dlen = BN_num_bytes(dsa->q);
|
||||
if (BN_bin2bn(dgst, dlen, &m) == NULL)
|
||||
if (BN_bin2bn(dgst, dlen, m) == NULL)
|
||||
goto err;
|
||||
|
||||
/* Compute s = inv(k) (m + xr) mod q */
|
||||
if (!BN_mod_mul(&xr, dsa->priv_key, r, dsa->q, ctx))
|
||||
goto err; /* s = xr */
|
||||
if (!BN_add(s, &xr, &m))
|
||||
goto err; /* s = m + xr */
|
||||
if (BN_cmp(s, dsa->q) > 0)
|
||||
if (!BN_sub(s, s, dsa->q))
|
||||
/*
|
||||
* The normal signature calculation is:
|
||||
*
|
||||
* s := k^-1 * (m + r * priv_key) mod q
|
||||
*
|
||||
* We will blind this to protect against side channel attacks
|
||||
*
|
||||
* s := blind^-1 * k^-1 * (blind * m + blind * r * priv_key) mod q
|
||||
*/
|
||||
|
||||
/* Generate a blinding value */
|
||||
do {
|
||||
if (!BN_rand(blind, BN_num_bits(dsa->q) - 1, -1, 0))
|
||||
goto err;
|
||||
} while (BN_is_zero(blind));
|
||||
BN_set_flags(blind, BN_FLG_CONSTTIME);
|
||||
BN_set_flags(blindm, BN_FLG_CONSTTIME);
|
||||
BN_set_flags(tmp, BN_FLG_CONSTTIME);
|
||||
|
||||
/* tmp := blind * priv_key * r mod q */
|
||||
if (!BN_mod_mul(tmp, blind, dsa->priv_key, dsa->q, ctx))
|
||||
goto err;
|
||||
if (!BN_mod_mul(tmp, tmp, r, dsa->q, ctx))
|
||||
goto err;
|
||||
|
||||
/* blindm := blind * m mod q */
|
||||
if (!BN_mod_mul(blindm, blind, m, dsa->q, ctx))
|
||||
goto err;
|
||||
|
||||
/* s : = (blind * priv_key * r) + (blind * m) mod q */
|
||||
if (!BN_mod_add_quick(s, tmp, blindm, dsa->q))
|
||||
goto err;
|
||||
|
||||
/* s := s * k^-1 mod q */
|
||||
if (!BN_mod_mul(s, s, kinv, dsa->q, ctx))
|
||||
goto err;
|
||||
|
||||
/* s:= s * blind^-1 mod q */
|
||||
if (BN_mod_inverse(blind, blind, dsa->q, ctx) == NULL)
|
||||
goto err;
|
||||
if (!BN_mod_mul(s, s, blind, dsa->q, ctx))
|
||||
goto err;
|
||||
|
||||
/*
|
||||
* Redo if r or s is zero as required by FIPS 186-3: this is very
|
||||
* unlikely.
|
||||
|
@ -210,13 +247,9 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
BN_free(r);
|
||||
BN_free(s);
|
||||
}
|
||||
if (ctx != NULL)
|
||||
BN_CTX_free(ctx);
|
||||
BN_clear_free(&m);
|
||||
BN_clear_free(&xr);
|
||||
if (kinv != NULL) /* dsa->kinv is NULL now if we used it */
|
||||
BN_clear_free(kinv);
|
||||
return (ret);
|
||||
BN_CTX_free(ctx);
|
||||
BN_clear_free(kinv);
|
||||
return ret;
|
||||
}
|
||||
|
||||
static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
|
||||
|
@ -248,7 +281,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
goto err;
|
||||
|
||||
/* Preallocate space */
|
||||
q_bits = BN_num_bits(dsa->q);
|
||||
q_bits = BN_num_bits(dsa->q) + sizeof(dsa->q->d[0]) * 16;
|
||||
if (!BN_set_bit(&k, q_bits)
|
||||
|| !BN_set_bit(&l, q_bits)
|
||||
|| !BN_set_bit(&m, q_bits))
|
||||
|
@ -262,9 +295,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
|
||||
if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
|
||||
BN_set_flags(&k, BN_FLG_CONSTTIME);
|
||||
BN_set_flags(&l, BN_FLG_CONSTTIME);
|
||||
}
|
||||
|
||||
|
||||
if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
|
||||
if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
|
||||
CRYPTO_LOCK_DSA, dsa->p, ctx))
|
||||
|
@ -302,8 +335,8 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
if (!BN_mod(r, r, dsa->q, ctx))
|
||||
goto err;
|
||||
|
||||
/* Compute part of 's = inv(k) (m + xr) mod q' */
|
||||
if ((kinv = BN_mod_inverse(NULL, &k, dsa->q, ctx)) == NULL)
|
||||
/* Compute part of 's = inv(k) (m + xr) mod q' */
|
||||
if ((kinv = dsa_mod_inverse_fermat(&k, dsa->q, ctx)) == NULL)
|
||||
goto err;
|
||||
|
||||
if (*kinvp != NULL)
|
||||
|
@ -437,3 +470,31 @@ static int dsa_finish(DSA *dsa)
BN_MONT_CTX_free(dsa->method_mont_p);
|
||||
return (1);
|
||||
}
|
||||
|
||||
/*
|
||||
* Compute the inverse of k modulo q.
|
||||
* Since q is prime, Fermat's Little Theorem applies, which reduces this to
|
||||
* mod-exp operation. Both the exponent and modulus are public information
|
||||
* so a mod-exp that doesn't leak the base is sufficient. A newly allocated
|
||||
* BIGNUM is returned which the caller must free.
|
||||
*/
|
||||
static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q,
|
||||
BN_CTX *ctx)
|
||||
{
|
||||
BIGNUM *res = NULL;
|
||||
BIGNUM *r, e;
|
||||
|
||||
if ((r = BN_new()) == NULL)
|
||||
return NULL;
|
||||
|
||||
BN_init(&e);
|
||||
|
||||
if (BN_set_word(r, 2)
|
||||
&& BN_sub(&e, q, r)
|
||||
&& BN_mod_exp_mont(r, k, &e, q, ctx, NULL))
|
||||
res = r;
|
||||
else
|
||||
BN_free(r);
|
||||
BN_free(&e);
|
||||
return res;
|
||||
}
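Review bot: The comment above dsa_mod_inverse_fermat says a mod-exp that doesn't leak the base is sufficient, but nothing in the helper itself requests that: `BN_mod_exp_mont(r, k, &e, q, ctx, NULL)` is expected to pick its constant-time path from BN_FLG_CONSTTIME on `k`, and that flag is set by dsa_sign_setup only when DSA_FLAG_NO_EXP_CONSTTIME is clear (the `BN_set_flags(&k, BN_FLG_CONSTTIME)` hunk above). Making that precondition explicit in the comment would help, e.g. `* Relies on the caller having set BN_FLG_CONSTTIME on k (dsa_sign_setup does so` / `* unless DSA_FLAG_NO_EXP_CONSTTIME is set); nothing here enforces it.`. As this is pristine upstream code the wording change would go upstream rather than into a local patch.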
@ -3,7 +3,7 @@
* 2006.
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 2006 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 2006-2018 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
|
@ -230,10 +230,16 @@ static int pkey_dsa_ctrl_str(EVP_PKEY_CTX *ctx,
EVP_PKEY_CTRL_DSA_PARAMGEN_Q_BITS, qbits,
|
||||
NULL);
|
||||
}
|
||||
if (!strcmp(type, "dsa_paramgen_md")) {
|
||||
if (strcmp(type, "dsa_paramgen_md") == 0) {
|
||||
const EVP_MD *md = EVP_get_digestbyname(value);
|
||||
|
||||
if (md == NULL) {
|
||||
DSAerr(DSA_F_PKEY_DSA_CTRL_STR, DSA_R_INVALID_DIGEST_TYPE);
|
||||
return 0;
|
||||
}
|
||||
return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DSA, EVP_PKEY_OP_PARAMGEN,
|
||||
EVP_PKEY_CTRL_DSA_PARAMGEN_MD, 0,
|
||||
(void *)EVP_get_digestbyname(value));
|
||||
(void *)md);
|
||||
}
|
||||
return -2;
|
||||
}
@ -3,7 +3,7 @@
* 2006.
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 2006 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 2006-2018 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
|
@ -143,19 +143,19 @@ static int eckey_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
static EC_KEY *eckey_type2param(int ptype, void *pval)
|
||||
{
|
||||
EC_KEY *eckey = NULL;
|
||||
EC_GROUP *group = NULL;
|
||||
|
||||
if (ptype == V_ASN1_SEQUENCE) {
|
||||
ASN1_STRING *pstr = pval;
|
||||
const unsigned char *pm = NULL;
|
||||
int pmlen;
|
||||
pm = pstr->data;
|
||||
pmlen = pstr->length;
|
||||
if (!(eckey = d2i_ECParameters(NULL, &pm, pmlen))) {
|
||||
const ASN1_STRING *pstr = pval;
|
||||
const unsigned char *pm = pstr->data;
|
||||
int pmlen = pstr->length;
|
||||
|
||||
if ((eckey = d2i_ECParameters(NULL, &pm, pmlen)) == NULL) {
|
||||
ECerr(EC_F_ECKEY_TYPE2PARAM, EC_R_DECODE_ERROR);
|
||||
goto ecerr;
|
||||
}
|
||||
} else if (ptype == V_ASN1_OBJECT) {
|
||||
ASN1_OBJECT *poid = pval;
|
||||
EC_GROUP *group;
|
||||
const ASN1_OBJECT *poid = pval;
|
||||
|
||||
/*
|
||||
* type == V_ASN1_OBJECT => the parameters are given by an asn1 OID
|
||||
|
@ -179,8 +179,8 @@ static EC_KEY *eckey_type2param(int ptype, void *pval)
return eckey;
|
||||
|
||||
ecerr:
|
||||
if (eckey)
|
||||
EC_KEY_free(eckey);
|
||||
EC_KEY_free(eckey);
|
||||
EC_GROUP_free(group);
|
||||
return NULL;
|
||||
}
@ -3,7 +3,7 @@
* Originally written by Bodo Moeller for the OpenSSL project.
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 1998-2010 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
|
@ -214,7 +214,7 @@ struct ec_group_st {
int asn1_flag; /* flag to control the asn1 encoding */
|
||||
/*
|
||||
* Kludge: upper bit of ans1_flag is used to denote structure
|
||||
* version. Is set, then last field is present. This is done
|
||||
* version. If set, then last field is present. This is done
|
||||
* for interoperation with FIPS code.
|
||||
*/
|
||||
#define EC_GROUP_ASN1_FLAG_MASK 0x7fffffff
|
||||
|
@ -549,7 +549,6 @@ void ec_GFp_nistp_points_make_affine_internal(size_t num, void *point_array,
void ec_GFp_nistp_recode_scalar_bits(unsigned char *sign,
|
||||
unsigned char *digit, unsigned char in);
|
||||
#endif
|
||||
int ec_precompute_mont_data(EC_GROUP *);
|
||||
|
||||
#ifdef ECP_NISTZ256_ASM
|
||||
/** Returns GFp methods using montgomery multiplication, with x86-64 optimized
@ -3,7 +3,7 @@
* Originally written by Bodo Moeller for the OpenSSL project.
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
|
@ -70,6 +70,10 @@
|
||||
const char EC_version[] = "EC" OPENSSL_VERSION_PTEXT;
|
||||
|
||||
/* local function prototypes */
|
||||
|
||||
static int ec_precompute_mont_data(EC_GROUP *group);
|
||||
|
||||
/* functions for EC_GROUP objects */
|
||||
|
||||
EC_GROUP *EC_GROUP_new(const EC_METHOD *meth)
|
||||
|
@ -318,12 +322,24 @@ int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator,
} else
|
||||
BN_zero(&group->cofactor);
|
||||
|
||||
/*
|
||||
* We ignore the return value because some groups have an order with
|
||||
* factors of two, which makes the Montgomery setup fail.
|
||||
* |group->mont_data| will be NULL in this case.
|
||||
/*-
|
||||
* Access to the `mont_data` field of an EC_GROUP struct should always be
|
||||
* guarded by an EC_GROUP_VERSION(group) check to avoid OOB accesses, as the
|
||||
* group might come from the FIPS module, which does not define the
|
||||
* `mont_data` field inside the EC_GROUP structure.
|
||||
*/
|
||||
ec_precompute_mont_data(group);
|
||||
if (EC_GROUP_VERSION(group)) {
|
||||
/*-
|
||||
* Some groups have an order with
|
||||
* factors of two, which makes the Montgomery setup fail.
|
||||
* |group->mont_data| will be NULL in this case.
|
||||
*/
|
||||
if (BN_is_odd(&group->order))
|
||||
return ec_precompute_mont_data(group);
|
||||
|
||||
BN_MONT_CTX_free(group->mont_data);
|
||||
group->mont_data = NULL;
|
||||
}
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
@ -1094,18 +1110,23 @@ int EC_GROUP_have_precompute_mult(const EC_GROUP *group)
|
|||
* been performed */
|
||||
}
|
||||
|
||||
/*
|
||||
/*-
|
||||
* ec_precompute_mont_data sets |group->mont_data| from |group->order| and
|
||||
* returns one on success. On error it returns zero.
|
||||
*
|
||||
* Note: this function must be called only after verifying that
|
||||
* EC_GROUP_VERSION(group) returns true.
|
||||
* The reason for this is that access to the `mont_data` field of an EC_GROUP
|
||||
* struct should always be guarded by an EC_GROUP_VERSION(group) check to avoid
|
||||
* OOB accesses, as the group might come from the FIPS module, which does not
|
||||
* define the `mont_data` field inside the EC_GROUP structure.
|
||||
*/
|
||||
static
|
||||
int ec_precompute_mont_data(EC_GROUP *group)
|
||||
{
|
||||
BN_CTX *ctx = BN_CTX_new();
|
||||
int ret = 0;
|
||||
|
||||
if (!EC_GROUP_VERSION(group))
|
||||
goto err;
|
||||
|
||||
if (group->mont_data) {
|
||||
BN_MONT_CTX_free(group->mont_data);
|
||||
group->mont_data = NULL;
|
||||
@ -3,7 +3,7 @@
|
|||
* Originally written by Bodo Moeller and Nils Larsch for the OpenSSL project.
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
|
@ -310,6 +310,224 @@ static signed char *compute_wNAF(const BIGNUM *scalar, int w, size_t *ret_len)
|
|||
return r;
|
||||
}
|
||||
|
||||
#define EC_POINT_BN_set_flags(P, flags) do { \
|
||||
BN_set_flags(&(P)->X, (flags)); \
|
||||
BN_set_flags(&(P)->Y, (flags)); \
|
||||
BN_set_flags(&(P)->Z, (flags)); \
|
||||
} while(0)
|
||||
|
||||
/*-
|
||||
* This functions computes (in constant time) a point multiplication over the
|
||||
* EC group.
|
||||
*
|
||||
* At a high level, it is Montgomery ladder with conditional swaps.
|
||||
*
|
||||
* It performs either a fixed scalar point multiplication
|
||||
* (scalar * generator)
|
||||
* when point is NULL, or a generic scalar point multiplication
|
||||
* (scalar * point)
|
||||
* when point is not NULL.
|
||||
*
|
||||
* scalar should be in the range [0,n) otherwise all constant time bets are off.
|
||||
*
|
||||
* NB: This says nothing about EC_POINT_add and EC_POINT_dbl,
|
||||
* which of course are not constant time themselves.
|
||||
*
|
||||
* The product is stored in r.
|
||||
*
|
||||
* Returns 1 on success, 0 otherwise.
|
||||
*/
|
||||
static int ec_mul_consttime(const EC_GROUP *group, EC_POINT *r,
|
||||
const BIGNUM *scalar, const EC_POINT *point,
|
||||
BN_CTX *ctx)
|
||||
{
|
||||
int i, cardinality_bits, group_top, kbit, pbit, Z_is_one;
|
||||
EC_POINT *s = NULL;
|
||||
BIGNUM *k = NULL;
|
||||
BIGNUM *lambda = NULL;
|
||||
BIGNUM *cardinality = NULL;
|
||||
BN_CTX *new_ctx = NULL;
|
||||
int ret = 0;
|
||||
|
||||
if (ctx == NULL && (ctx = new_ctx = BN_CTX_new()) == NULL)
|
||||
return 0;
|
||||
|
||||
BN_CTX_start(ctx);
|
||||
|
||||
s = EC_POINT_new(group);
|
||||
if (s == NULL)
|
||||
goto err;
|
||||
|
||||
if (point == NULL) {
|
||||
if (!EC_POINT_copy(s, group->generator))
|
||||
goto err;
|
||||
} else {
|
||||
if (!EC_POINT_copy(s, point))
|
||||
goto err;
|
||||
}
|
||||
|
||||
EC_POINT_BN_set_flags(s, BN_FLG_CONSTTIME);
|
||||
|
||||
cardinality = BN_CTX_get(ctx);
|
||||
lambda = BN_CTX_get(ctx);
|
||||
k = BN_CTX_get(ctx);
|
||||
if (k == NULL || !BN_mul(cardinality, &group->order, &group->cofactor, ctx))
|
||||
goto err;
|
||||
|
||||
/*
|
||||
* Group cardinalities are often on a word boundary.
|
||||
* So when we pad the scalar, some timing diff might
|
||||
* pop if it needs to be expanded due to carries.
|
||||
* So expand ahead of time.
|
||||
*/
|
||||
cardinality_bits = BN_num_bits(cardinality);
|
||||
group_top = cardinality->top;
|
||||
if ((bn_wexpand(k, group_top + 2) == NULL)
|
||||
|| (bn_wexpand(lambda, group_top + 2) == NULL))
|
||||
goto err;
|
||||
|
||||
if (!BN_copy(k, scalar))
|
||||
goto err;
|
||||
|
||||
BN_set_flags(k, BN_FLG_CONSTTIME);
|
||||
|
||||
if ((BN_num_bits(k) > cardinality_bits) || (BN_is_negative(k))) {
|
||||
/*-
|
||||
* this is an unusual input, and we don't guarantee
|
||||
* constant-timeness
|
||||
*/
|
||||
if (!BN_nnmod(k, k, cardinality, ctx))
|
||||
goto err;
|
||||
}
|
||||
|
||||
if (!BN_add(lambda, k, cardinality))
|
||||
goto err;
|
||||
BN_set_flags(lambda, BN_FLG_CONSTTIME);
|
||||
if (!BN_add(k, lambda, cardinality))
|
||||
goto err;
|
||||
/*
|
||||
* lambda := scalar + cardinality
|
||||
* k := scalar + 2*cardinality
|
||||
*/
|
||||
kbit = BN_is_bit_set(lambda, cardinality_bits);
|
||||
BN_consttime_swap(kbit, k, lambda, group_top + 2);
|
||||
|
||||
group_top = group->field.top;
|
||||
if ((bn_wexpand(&s->X, group_top) == NULL)
|
||||
|| (bn_wexpand(&s->Y, group_top) == NULL)
|
||||
|| (bn_wexpand(&s->Z, group_top) == NULL)
|
||||
|| (bn_wexpand(&r->X, group_top) == NULL)
|
||||
|| (bn_wexpand(&r->Y, group_top) == NULL)
|
||||
|| (bn_wexpand(&r->Z, group_top) == NULL))
|
||||
goto err;
|
||||
|
||||
/* top bit is a 1, in a fixed pos */
|
||||
if (!EC_POINT_copy(r, s))
|
||||
goto err;
|
||||
|
||||
EC_POINT_BN_set_flags(r, BN_FLG_CONSTTIME);
|
||||
|
||||
if (!EC_POINT_dbl(group, s, s, ctx))
|
||||
goto err;
|
||||
|
||||
pbit = 0;
|
||||
|
||||
#define EC_POINT_CSWAP(c, a, b, w, t) do { \
|
||||
BN_consttime_swap(c, &(a)->X, &(b)->X, w); \
|
||||
BN_consttime_swap(c, &(a)->Y, &(b)->Y, w); \
|
||||
BN_consttime_swap(c, &(a)->Z, &(b)->Z, w); \
|
||||
t = ((a)->Z_is_one ^ (b)->Z_is_one) & (c); \
|
||||
(a)->Z_is_one ^= (t); \
|
||||
(b)->Z_is_one ^= (t); \
|
||||
} while(0)
|
||||
|
||||
/*-
|
||||
* The ladder step, with branches, is
|
||||
*
|
||||
* k[i] == 0: S = add(R, S), R = dbl(R)
|
||||
* k[i] == 1: R = add(S, R), S = dbl(S)
|
||||
*
|
||||
* Swapping R, S conditionally on k[i] leaves you with state
|
||||
*
|
||||
* k[i] == 0: T, U = R, S
|
||||
* k[i] == 1: T, U = S, R
|
||||
*
|
||||
* Then perform the ECC ops.
|
||||
*
|
||||
* U = add(T, U)
|
||||
* T = dbl(T)
|
||||
*
|
||||
* Which leaves you with state
|
||||
*
|
||||
* k[i] == 0: U = add(R, S), T = dbl(R)
|
||||
* k[i] == 1: U = add(S, R), T = dbl(S)
|
||||
*
|
||||
* Swapping T, U conditionally on k[i] leaves you with state
|
||||
*
|
||||
* k[i] == 0: R, S = T, U
|
||||
* k[i] == 1: R, S = U, T
|
||||
*
|
||||
* Which leaves you with state
|
||||
*
|
||||
* k[i] == 0: S = add(R, S), R = dbl(R)
|
||||
* k[i] == 1: R = add(S, R), S = dbl(S)
|
||||
*
|
||||
* So we get the same logic, but instead of a branch it's a
|
||||
* conditional swap, followed by ECC ops, then another conditional swap.
|
||||
*
|
||||
* Optimization: The end of iteration i and start of i-1 looks like
|
||||
*
|
||||
* ...
|
||||
* CSWAP(k[i], R, S)
|
||||
* ECC
|
||||
* CSWAP(k[i], R, S)
|
||||
* (next iteration)
|
||||
* CSWAP(k[i-1], R, S)
|
||||
* ECC
|
||||
* CSWAP(k[i-1], R, S)
|
||||
* ...
|
||||
*
|
||||
* So instead of two contiguous swaps, you can merge the condition
|
||||
* bits and do a single swap.
|
||||
*
|
||||
* k[i] k[i-1] Outcome
|
||||
* 0 0 No Swap
|
||||
* 0 1 Swap
|
||||
* 1 0 Swap
|
||||
* 1 1 No Swap
|
||||
*
|
||||
* This is XOR. pbit tracks the previous bit of k.
|
||||
*/
|
||||
|
||||
for (i = cardinality_bits - 1; i >= 0; i--) {
|
||||
kbit = BN_is_bit_set(k, i) ^ pbit;
|
||||
EC_POINT_CSWAP(kbit, r, s, group_top, Z_is_one);
|
||||
if (!EC_POINT_add(group, s, r, s, ctx))
|
||||
goto err;
|
||||
if (!EC_POINT_dbl(group, r, r, ctx))
|
||||
goto err;
|
||||
/*
|
||||
* pbit logic merges this cswap with that of the
|
||||
* next iteration
|
||||
*/
|
||||
pbit ^= kbit;
|
||||
}
|
||||
/* one final cswap to move the right value into r */
|
||||
EC_POINT_CSWAP(pbit, r, s, group_top, Z_is_one);
|
||||
#undef EC_POINT_CSWAP
|
||||
|
||||
ret = 1;
|
||||
|
||||
err:
|
||||
EC_POINT_free(s);
|
||||
BN_CTX_end(ctx);
|
||||
BN_CTX_free(new_ctx);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
#undef EC_POINT_BN_set_flags
|
||||
|
||||
/*
|
||||
* TODO: table should be optimised for the wNAF-based implementation,
|
||||
* sometimes smaller windows will give better performance (thus the
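Review bot: ec_mul_consttime() never validates the cardinality it computes with `BN_mul(cardinality, &group->order, &group->cofactor, ctx)`: if either factor is zero, cardinality_bits is 0, the ladder loop is skipped, and for a zero scalar the function returns 1 with r set to a copy of the base point (for a non-zero scalar the BN_nnmod() reduction fails on the zero modulus, so the error is only incidental). The sole protection is the `!BN_is_zero(&group->order) && !BN_is_zero(&group->cofactor)` guard in ec_wNAF_mul(), which is fine for a static helper but belongs in this function's header comment or as an explicit `if (BN_is_zero(cardinality)) goto err;` right after the multiplication. The header also says the scalar should lie in `[0,n)` while the code pads and reduces modulo order*cofactor, so `[0, order*cofactor)` is the range the constant-time path actually handles; worth aligning the two.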
|
||||
|
@ -369,6 +587,34 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
|
|||
return EC_POINT_set_to_infinity(group, r);
|
||||
}
|
||||
|
||||
if (!BN_is_zero(&group->order) && !BN_is_zero(&group->cofactor)) {
|
||||
/*-
|
||||
* Handle the common cases where the scalar is secret, enforcing a constant
|
||||
* time scalar multiplication algorithm.
|
||||
*/
|
||||
if ((scalar != NULL) && (num == 0)) {
|
||||
/*-
|
||||
* In this case we want to compute scalar * GeneratorPoint: this
|
||||
* codepath is reached most prominently by (ephemeral) key generation
|
||||
* of EC cryptosystems (i.e. ECDSA keygen and sign setup, ECDH
|
||||
* keygen/first half), where the scalar is always secret. This is why
|
||||
* we ignore if BN_FLG_CONSTTIME is actually set and we always call the
|
||||
* constant time version.
|
||||
*/
|
||||
return ec_mul_consttime(group, r, scalar, NULL, ctx);
|
||||
}
|
||||
if ((scalar == NULL) && (num == 1)) {
|
||||
/*-
|
||||
* In this case we want to compute scalar * GenericPoint: this codepath
|
||||
* is reached most prominently by the second half of ECDH, where the
|
||||
* secret scalar is multiplied by the peer's public point. To protect
|
||||
* the secret scalar, we ignore if BN_FLG_CONSTTIME is actually set and
|
||||
* we always call the constant time version.
|
||||
*/
|
||||
return ec_mul_consttime(group, r, scalars[0], points[0], ctx);
|
||||
}
|
||||
}
|
||||
|
||||
for (i = 0; i < num; i++) {
|
||||
if (group->meth != points[i]->meth) {
|
||||
ECerr(EC_F_EC_WNAF_MUL, EC_R_INCOMPATIBLE_OBJECTS);
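Review bot: The two early returns into ec_mul_consttime() sit before the `group->meth != points[i]->meth` loop that follows them, so in the `scalar == NULL && num == 1` case an incompatible point is no longer rejected here with EC_F_EC_WNAF_MUL; it is presumably caught by EC_POINT_copy() inside the ladder, but under a different function code, which is a visible change for anyone matching on errors. In the `scalar != NULL && num == 0` case the ladder copies `group->generator` with no NULL check, and the undefined-generator check of the wNAF path (below this hunk in 1.0.2o, if it is still there) is bypassed as well. EC_GROUP_set_generator() assigns order and generator together, so a non-zero order with a NULL generator should be unreachable, but the fast path would be self-contained with `if (group->generator == NULL) { ECerr(EC_F_EC_WNAF_MUL, EC_R_UNDEFINED_GENERATOR); return 0; }` at the top of the first branch, using the reason code the wNAF path already uses. The remainder of ec_wNAF_mul() is outside this hunk.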
|
||||
@ -1118,23 +1118,32 @@ static int ecp_nistz256_set_from_affine(EC_POINT *out, const EC_GROUP *group,
|
|||
const P256_POINT_AFFINE *in,
|
||||
BN_CTX *ctx)
|
||||
{
|
||||
BIGNUM x, y;
|
||||
BN_ULONG d_x[P256_LIMBS], d_y[P256_LIMBS];
|
||||
BIGNUM x, y, z;
|
||||
int ret = 0;
|
||||
|
||||
memcpy(d_x, in->X, sizeof(d_x));
|
||||
x.d = d_x;
|
||||
/*
|
||||
* |const| qualifier omission is compensated by BN_FLG_STATIC_DATA
|
||||
* flag, which effectively means "read-only data".
|
||||
*/
|
||||
x.d = (BN_ULONG *)in->X;
|
||||
x.dmax = x.top = P256_LIMBS;
|
||||
x.neg = 0;
|
||||
x.flags = BN_FLG_STATIC_DATA;
|
||||
|
||||
memcpy(d_y, in->Y, sizeof(d_y));
|
||||
y.d = d_y;
|
||||
y.d = (BN_ULONG *)in->Y;
|
||||
y.dmax = y.top = P256_LIMBS;
|
||||
y.neg = 0;
|
||||
y.flags = BN_FLG_STATIC_DATA;
|
||||
|
||||
ret = EC_POINT_set_affine_coordinates_GFp(group, out, &x, &y, ctx);
|
||||
z.d = (BN_ULONG *)ONE;
|
||||
z.dmax = z.top = P256_LIMBS;
|
||||
z.neg = 0;
|
||||
z.flags = BN_FLG_STATIC_DATA;
|
||||
|
||||
if ((ret = (BN_copy(&out->X, &x) != NULL))
|
||||
&& (ret = (BN_copy(&out->Y, &y) != NULL))
|
||||
&& (ret = (BN_copy(&out->Z, &z) != NULL)))
|
||||
out->Z_is_one = 1;
|
||||
|
||||
return ret;
|
||||
}
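Review bot: The chained `ret = (BN_copy(...) != NULL)` conditions hide a partial update: if the second or third BN_copy() fails, out->X (and Y) have already been replaced while out->Z and Z_is_one keep their old values, and the function returns 0 with `out` in a mixed state. Callers presumably discard the point on 0, but a plain guard makes the early exit explicit and reads better: `if (BN_copy(&out->X, &x) == NULL || BN_copy(&out->Y, &y) == NULL || BN_copy(&out->Z, &z) == NULL) return 0;` followed by `out->Z_is_one = 1; return 1;`. Casting `in->X`/`in->Y` to `BN_ULONG *` is only sound because BN_copy() reads its source; BN_FLG_STATIC_DATA is a convention rather than a compile-time guarantee, so `/* x, y, z alias read-only table data: never use them as a destination */` would protect the next edit. Note too that `x.top = P256_LIMBS` is copied verbatim, so out->X may carry a non-normalised top if the table value has leading zero limbs; that was already true of the memcpy version, so this is for awareness only.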
|
||||
@ -3,7 +3,7 @@
|
|||
* Written by Nils Larsch for the OpenSSL project
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 1998-2004 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
|
@ -60,6 +60,7 @@
|
|||
#include <openssl/err.h>
|
||||
#include <openssl/obj_mac.h>
|
||||
#include <openssl/bn.h>
|
||||
#include "bn_int.h"
|
||||
|
||||
static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dlen,
|
||||
const BIGNUM *, const BIGNUM *,
|
||||
|
@ -251,13 +252,14 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
|
|||
EC_KEY *eckey)
|
||||
{
|
||||
int ok = 0, i;
|
||||
BIGNUM *kinv = NULL, *s, *m = NULL, *tmp = NULL, *order = NULL;
|
||||
BIGNUM *kinv = NULL, *s, *m = NULL, *order = NULL;
|
||||
const BIGNUM *ckinv;
|
||||
BN_CTX *ctx = NULL;
|
||||
const EC_GROUP *group;
|
||||
ECDSA_SIG *ret;
|
||||
ECDSA_DATA *ecdsa;
|
||||
const BIGNUM *priv_key;
|
||||
BN_MONT_CTX *mont_data;
|
||||
|
||||
ecdsa = ecdsa_check(eckey);
|
||||
group = EC_KEY_get0_group(eckey);
|
||||
|
@ -276,7 +278,7 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
|
|||
s = ret->s;
|
||||
|
||||
if ((ctx = BN_CTX_new()) == NULL || (order = BN_new()) == NULL ||
|
||||
(tmp = BN_new()) == NULL || (m = BN_new()) == NULL) {
|
||||
(m = BN_new()) == NULL) {
|
||||
ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE);
|
||||
goto err;
|
||||
}
|
||||
|
@ -285,6 +287,8 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
|
|||
ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_EC_LIB);
|
||||
goto err;
|
||||
}
|
||||
mont_data = EC_GROUP_get_mont_data(group);
|
||||
|
||||
i = BN_num_bits(order);
|
||||
/*
|
||||
* Need to truncate digest if it is too long: first truncate whole bytes.
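Review bot: `mont_data = EC_GROUP_get_mont_data(group)` is stored without a NULL check, yet this same update makes EC_GROUP_set_generator() leave mont_data NULL for a group whose order is even, and presumably for a group that lacks the field altogether (the FIPS case its comment describes); the pointer is later passed straight to bn_to_mont_fixed_top(). Unless ECDSA keys are guaranteed elsewhere to live on odd-order groups, a NULL here dereferences inside the Montgomery code instead of failing cleanly, so add a guard next to the order check: `if (mont_data == NULL) { ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_EC_LIB); goto err; }`. ecdsa_do_sign() continues outside this hunk.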
|
||||
|
@ -315,15 +319,27 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
|
|||
}
|
||||
}
|
||||
|
||||
if (!BN_mod_mul(tmp, priv_key, ret->r, order, ctx)) {
|
||||
/*
|
||||
* With only one multiplicant being in Montgomery domain
|
||||
* multiplication yields real result without post-conversion.
|
||||
* Also note that all operations but last are performed with
|
||||
* zero-padded vectors. Last operation, BN_mod_mul_montgomery
|
||||
* below, returns user-visible value with removed zero padding.
|
||||
*/
|
||||
if (!bn_to_mont_fixed_top(s, ret->r, mont_data, ctx)
|
||||
|| !bn_mul_mont_fixed_top(s, s, priv_key, mont_data, ctx)) {
|
||||
goto err;
|
||||
}
|
||||
if (!bn_mod_add_fixed_top(s, s, m, order)) {
|
||||
ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
|
||||
goto err;
|
||||
}
|
||||
if (!BN_mod_add_quick(s, tmp, m, order)) {
|
||||
ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
|
||||
goto err;
|
||||
}
|
||||
if (!BN_mod_mul(s, s, ckinv, order, ctx)) {
|
||||
/*
|
||||
* |s| can still be larger than modulus, because |m| can be. In
|
||||
* such case we count on Montgomery reduction to tie it up.
|
||||
*/
|
||||
if (!bn_to_mont_fixed_top(s, s, mont_data, ctx)
|
||||
|| !BN_mod_mul_montgomery(s, s, ckinv, mont_data, ctx)) {
|
||||
ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
|
||||
goto err;
|
||||
}
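Review bot: The first new failure branch, `if (!bn_to_mont_fixed_top(s, ret->r, mont_data, ctx) || !bn_mul_mont_fixed_top(s, s, priv_key, mont_data, ctx)) { goto err; }`, jumps to err without queueing anything, while the BN_mod_mul() it replaces and the two branches right after it all report ERR_R_BN_LIB; a caller will see the signature fail with an empty error stack. Add `ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);` before that goto for consistency. The comment above correctly notes that `s` is zero-padded until BN_mod_mul_montgomery() strips it; it would be worth adding that `s` must not be passed to anything expecting a normalised top in between, since that invariant is easy to break in a later edit. The rest of ecdsa_do_sign() is outside this hunk.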
|
||||
|
@ -353,8 +369,6 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
|
|||
BN_CTX_free(ctx);
|
||||
if (m)
|
||||
BN_clear_free(m);
|
||||
if (tmp)
|
||||
BN_clear_free(tmp);
|
||||
if (order)
|
||||
BN_free(order);
|
||||
if (kinv)
|
||||
@ -4,7 +4,7 @@
|
|||
* 2000.
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 1999-2001 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 1999-2018 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
|
@ -188,8 +188,10 @@ void engine_cleanup_add_last(ENGINE_CLEANUP_CB *cb)
|
|||
if (!int_cleanup_check(1))
|
||||
return;
|
||||
item = int_cleanup_item(cb);
|
||||
if (item)
|
||||
sk_ENGINE_CLEANUP_ITEM_push(cleanup_stack, item);
|
||||
if (item != NULL) {
|
||||
if (sk_ENGINE_CLEANUP_ITEM_push(cleanup_stack, item) <= 0)
|
||||
OPENSSL_free(item);
|
||||
}
|
||||
}
|
||||
|
||||
/* The API function that performs all cleanup */
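Review bot: Freeing `item` when `sk_ENGINE_CLEANUP_ITEM_push()` fails closes the leak, but the callback is then silently dropped: engine_cleanup_add_last() is void and raises no error, so the resources that callback was meant to release at ENGINE_cleanup() will never be released and nobody is told. That is probably acceptable for an allocation-failure path, but it should be spelled out so it is not mistaken for a guarantee: `/* On push failure the callback is lost; its resources will not be released at ENGINE_cleanup(). */`. engine_cleanup_add_first() is not in this hunk and presumably needs the same fix if it follows the same pattern.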
|
||||
@ -4,7 +4,7 @@
|
|||
* 2000.
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 1999-2001 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 1999-2018 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
|
@ -62,6 +62,7 @@
|
|||
* SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
|
||||
*/
|
||||
|
||||
#include "cryptlib.h"
|
||||
#include "eng_int.h"
|
||||
|
||||
/*
|
||||
|
@ -369,10 +370,10 @@ ENGINE *ENGINE_by_id(const char *id)
|
|||
*/
|
||||
if (strcmp(id, "dynamic")) {
|
||||
# ifdef OPENSSL_SYS_VMS
|
||||
if ((load_dir = getenv("OPENSSL_ENGINES")) == 0)
|
||||
if ((load_dir = ossl_safe_getenv("OPENSSL_ENGINES")) == 0)
|
||||
load_dir = "SSLROOT:[ENGINES]";
|
||||
# else
|
||||
if ((load_dir = getenv("OPENSSL_ENGINES")) == 0)
|
||||
if ((load_dir = ossl_safe_getenv("OPENSSL_ENGINES")) == 0)
|
||||
load_dir = ENGINESDIR;
|
||||
# endif
|
||||
iterator = ENGINE_by_id("dynamic");
|
||||
@ -1,5 +1,5 @@
|
|||
/* ====================================================================
|
||||
* Copyright (c) 2006 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 2006-2018 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
|
@ -215,7 +215,7 @@ static void look_str_cb(int nid, STACK_OF(ENGINE) *sk, ENGINE *def, void *arg)
|
|||
ENGINE *e = sk_ENGINE_value(sk, i);
|
||||
EVP_PKEY_ASN1_METHOD *ameth;
|
||||
e->pkey_asn1_meths(e, &ameth, NULL, nid);
|
||||
if (((int)strlen(ameth->pem_str) == lk->len) &&
|
||||
if (ameth != NULL && ((int)strlen(ameth->pem_str) == lk->len) &&
|
||||
!strncasecmp(ameth->pem_str, lk->str, lk->len)) {
|
||||
lk->e = e;
|
||||
lk->ameth = ameth;
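Review bot: The new `ameth != NULL` test only helps if `e->pkey_asn1_meths()` actually stores NULL on failure; `EVP_PKEY_ASN1_METHOD *ameth;` is declared without an initializer two lines up and the callback's return value is discarded, so an engine that returns 0 without touching its out-parameter leaves `ameth` indeterminate and the check compares garbage. The one-line fix is `EVP_PKEY_ASN1_METHOD *ameth = NULL;`; checking the return value as well (`if (e->pkey_asn1_meths(e, &ameth, NULL, nid) > 0 && ameth != NULL && ...`) would be stricter, assuming the callback follows the usual 1-on-success convention. `ameth->pem_str` still goes to strlen() unchecked; whether every engine method guarantees a non-NULL pem_str is not visible here.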
|
||||
@ -0,0 +1,31 @@
|
|||
/*
|
||||
* Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#ifndef _GNU_SOURCE
|
||||
# define _GNU_SOURCE
|
||||
#endif
|
||||
|
||||
#include <stdlib.h>
|
||||
#include "cryptlib.h"
|
||||
|
||||
char *ossl_safe_getenv(const char *name)
|
||||
{
|
||||
#if defined(__GLIBC__) && defined(__GLIBC_PREREQ)
|
||||
# if __GLIBC_PREREQ(2, 17)
|
||||
# define SECURE_GETENV
|
||||
return secure_getenv(name);
|
||||
# endif
|
||||
#endif
|
||||
|
||||
#ifndef SECURE_GETENV
|
||||
if (OPENSSL_issetugid())
|
||||
return NULL;
|
||||
return getenv(name);
|
||||
#endif
|
||||
}
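Review bot: The two branches of ossl_safe_getenv() do not agree on what "safe" means, and nothing in the file says so: glibc's secure_getenv() returns NULL whenever AT_SECURE is set (setuid/setgid, file capabilities, some LSM domain transitions), whereas the fallback only consults OPENSSL_issetugid(), so a build against an older or non-glibc libc gets the weaker check on the same kernel. Suggest a header comment above the definition: `/* getenv() that returns NULL for a privileged process (AT_SECURE via secure_getenv() on glibc >= 2.17, OPENSSL_issetugid() elsewhere); use for anything that selects a path or loadable module. */`. `#define SECURE_GETENV` stays defined for the rest of the translation unit; harmless in a one-function file, but an `#undef` at the end avoids surprises if it grows. `_GNU_SOURCE` is correctly defined before `<stdlib.h>` here, which secure_getenv() needs to be declared; a build that pre-includes a system header from the command line would defeat that silently.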
@ -109,6 +109,10 @@ struct tm *OPENSSL_gmtime(const time_t *timer, struct tm *result)
|
|||
if (gmtime_r(timer, result) == NULL)
|
||||
return NULL;
|
||||
ts = result;
|
||||
#elif defined (OPENSSL_SYS_WINDOWS) && defined(_MSC_VER) && _MSC_VER >= 1400
|
||||
if (gmtime_s(result, timer))
|
||||
return NULL;
|
||||
ts = result;
|
||||
#elif !defined(OPENSSL_SYS_VMS) || defined(VMS_GMTIME_OK)
|
||||
ts = gmtime(timer);
|
||||
if (ts == NULL)
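Review bot: The new gmtime_s() branch is keyed on `_MSC_VER >= 1400`, so Godot's MinGW Windows builds, which do not define _MSC_VER, still fall through to the plain gmtime() branch below. If that is relied upon because the Microsoft CRT's gmtime() uses a per-thread buffer, say so next to the condition: `/* MinGW: no _MSC_VER, uses gmtime() below; MSVCRT keeps a per-thread buffer */`. I cannot confirm the MinGW CRT behaviour from this hunk, which is exactly why the note is worth having.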
|
||||
@ -82,51 +82,39 @@ static int load_iv(char **fromp, unsigned char *to, int num);
|
|||
static int check_pem(const char *nm, const char *name);
|
||||
int pem_check_suffix(const char *pem_str, const char *suffix);
|
||||
|
||||
int PEM_def_callback(char *buf, int num, int w, void *key)
|
||||
int PEM_def_callback(char *buf, int num, int rwflag, void *userdata)
|
||||
{
|
||||
#ifdef OPENSSL_NO_FP_API
|
||||
/*
|
||||
* We should not ever call the default callback routine from windows.
|
||||
*/
|
||||
PEMerr(PEM_F_PEM_DEF_CALLBACK, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
|
||||
return (-1);
|
||||
#else
|
||||
int i, j;
|
||||
int i, min_len;
|
||||
const char *prompt;
|
||||
if (key) {
|
||||
i = strlen(key);
|
||||
|
||||
/* We assume that the user passes a default password as userdata */
|
||||
if (userdata) {
|
||||
i = strlen(userdata);
|
||||
i = (i > num) ? num : i;
|
||||
memcpy(buf, key, i);
|
||||
return (i);
|
||||
memcpy(buf, userdata, i);
|
||||
return i;
|
||||
}
|
||||
|
||||
prompt = EVP_get_pw_prompt();
|
||||
if (prompt == NULL)
|
||||
prompt = "Enter PEM pass phrase:";
|
||||
|
||||
for (;;) {
|
||||
/*
|
||||
* We assume that w == 0 means decryption,
|
||||
* while w == 1 means encryption
|
||||
*/
|
||||
int min_len = w ? MIN_LENGTH : 0;
|
||||
/*
|
||||
* rwflag == 0 means decryption
|
||||
* rwflag == 1 means encryption
|
||||
*
|
||||
* We assume that for encryption, we want a minimum length, while for
|
||||
* decryption, we cannot know any minimum length, so we assume zero.
|
||||
*/
|
||||
min_len = rwflag ? MIN_LENGTH : 0;
|
||||
|
||||
i = EVP_read_pw_string_min(buf, min_len, num, prompt, w);
|
||||
if (i != 0) {
|
||||
PEMerr(PEM_F_PEM_DEF_CALLBACK, PEM_R_PROBLEMS_GETTING_PASSWORD);
|
||||
memset(buf, 0, (unsigned int)num);
|
||||
return (-1);
|
||||
}
|
||||
j = strlen(buf);
|
||||
if (min_len && j < min_len) {
|
||||
fprintf(stderr,
|
||||
"phrase is too short, needs to be at least %d chars\n",
|
||||
min_len);
|
||||
} else
|
||||
break;
|
||||
i = EVP_read_pw_string_min(buf, min_len, num, prompt, rwflag);
|
||||
if (i != 0) {
|
||||
PEMerr(PEM_F_PEM_DEF_CALLBACK, PEM_R_PROBLEMS_GETTING_PASSWORD);
|
||||
memset(buf, 0, (unsigned int)num);
|
||||
return -1;
|
||||
}
|
||||
return (j);
|
||||
#endif
|
||||
return strlen(buf);
|
||||
}
|
||||
|
||||
void PEM_proc_type(char *buf, int type)
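Review bot: The userdata path clamps a password longer than `num` with `i = (i > num) ? num : i;` and returns the truncated length, so a default password longer than the caller's buffer (PEM_BUFSIZE at the call sites in this commit) is silently cut and decryption later fails with a bad-decrypt error nowhere near the cause; returning -1 with PEM_R_PROBLEMS_GETTING_PASSWORD would be more honest, or at least `/* NB: truncated to num bytes; buf is not NUL-terminated on this path */` beside the memcpy. The comment "We assume that the user passes a default password as userdata" is the only thing discouraging a caller from passing a struct through the same `void *u` every PEM_read_* API exposes, so that assumption belongs in the public documentation of the default callback too. `i = strlen(userdata)` and `return strlen(buf)` narrow size_t to int; harmless at PEM_BUFSIZE but an explicit cast keeps -Wconversion builds quiet.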
|
||||
|
@ -459,7 +447,7 @@ int PEM_do_header(EVP_CIPHER_INFO *cipher, unsigned char *data, long *plen,
|
|||
klen = PEM_def_callback(buf, PEM_BUFSIZE, 0, u);
|
||||
else
|
||||
klen = callback(buf, PEM_BUFSIZE, 0, u);
|
||||
if (klen <= 0) {
|
||||
if (klen < 0) {
|
||||
PEMerr(PEM_F_PEM_DO_HEADER, PEM_R_BAD_PASSWORD_READ);
|
||||
return (0);
|
||||
}
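Review bot: Relaxing `klen <= 0` to `klen < 0` makes an empty passphrase a valid answer instead of a failed read, so a password callback that returns 0 to mean "user cancelled" (a natural thing for a GUI prompt) now silently decrypts with an empty key and fails later with a bad-decrypt error rather than PEM_R_BAD_PASSWORD_READ. That is deliberate and consistent with the other call sites changed in this commit (d2i_PKCS8PrivateKey_bio, PEM_read_bio_PrivateKey, do_PVK_body), but Godot-side callbacks must now return a negative value to abort; a comment here would save the next person that debugging session: `/* klen == 0 is a legitimate empty passphrase; callbacks must return < 0 to abort */`. The rest of PEM_do_header() is outside this hunk.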
|
||||
|
@ -499,6 +487,7 @@ int PEM_get_EVP_CIPHER_INFO(char *header, EVP_CIPHER_INFO *cipher)
|
|||
char **header_pp = &header;
|
||||
|
||||
cipher->cipher = NULL;
|
||||
memset(cipher->iv, 0, sizeof(cipher->iv));
|
||||
if ((header == NULL) || (*header == '\0') || (*header == '\n'))
|
||||
return (1);
|
||||
if (strncmp(header, "Proc-Type: ", 11) != 0) {
|
||||
@ -171,7 +171,7 @@ EVP_PKEY *d2i_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY **x, pem_password_cb *cb,
|
|||
klen = cb(psbuf, PEM_BUFSIZE, 0, u);
|
||||
else
|
||||
klen = PEM_def_callback(psbuf, PEM_BUFSIZE, 0, u);
|
||||
if (klen <= 0) {
|
||||
if (klen < 0) {
|
||||
PEMerr(PEM_F_D2I_PKCS8PRIVATEKEY_BIO, PEM_R_BAD_PASSWORD_READ);
|
||||
X509_SIG_free(p8);
|
||||
return NULL;
|
||||
@ -113,7 +113,7 @@ EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, pem_password_cb *cb,
|
|||
klen = cb(psbuf, PEM_BUFSIZE, 0, u);
|
||||
else
|
||||
klen = PEM_def_callback(psbuf, PEM_BUFSIZE, 0, u);
|
||||
if (klen <= 0) {
|
||||
if (klen < 0) {
|
||||
PEMerr(PEM_F_PEM_READ_BIO_PRIVATEKEY, PEM_R_BAD_PASSWORD_READ);
|
||||
X509_SIG_free(p8);
|
||||
goto err;
|
||||
@ -3,7 +3,7 @@
|
|||
* 2005.
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 2005 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 2005-2018 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
|
@ -702,7 +702,7 @@ static EVP_PKEY *do_PVK_body(const unsigned char **in,
|
|||
inlen = cb(psbuf, PEM_BUFSIZE, 0, u);
|
||||
else
|
||||
inlen = PEM_def_callback(psbuf, PEM_BUFSIZE, 0, u);
|
||||
if (inlen <= 0) {
|
||||
if (inlen < 0) {
|
||||
PEMerr(PEM_F_DO_PVK_BODY, PEM_R_BAD_PASSWORD_READ);
|
||||
goto err;
|
||||
}
|
||||
@ -4,7 +4,7 @@
|
|||
* 1999.
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 1999 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 1999-2018 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
|
@ -100,7 +100,7 @@ ASN1_ADB_TEMPLATE(safebag_default) = ASN1_EXP(PKCS12_SAFEBAG, value.other, ASN1_
|
|||
ASN1_ADB(PKCS12_SAFEBAG) = {
|
||||
ADB_ENTRY(NID_keyBag, ASN1_EXP(PKCS12_SAFEBAG, value.keybag, PKCS8_PRIV_KEY_INFO, 0)),
|
||||
ADB_ENTRY(NID_pkcs8ShroudedKeyBag, ASN1_EXP(PKCS12_SAFEBAG, value.shkeybag, X509_SIG, 0)),
|
||||
ADB_ENTRY(NID_safeContentsBag, ASN1_EXP_SET_OF(PKCS12_SAFEBAG, value.safes, PKCS12_SAFEBAG, 0)),
|
||||
ADB_ENTRY(NID_safeContentsBag, ASN1_EXP_SEQUENCE_OF(PKCS12_SAFEBAG, value.safes, PKCS12_SAFEBAG, 0)),
|
||||
ADB_ENTRY(NID_certBag, ASN1_EXP(PKCS12_SAFEBAG, value.bag, PKCS12_BAGS, 0)),
|
||||
ADB_ENTRY(NID_crlBag, ASN1_EXP(PKCS12_SAFEBAG, value.bag, PKCS12_BAGS, 0)),
|
||||
ADB_ENTRY(NID_secretBag, ASN1_EXP(PKCS12_SAFEBAG, value.bag, PKCS12_BAGS, 0))
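Review bot: Switching safeContentsBag from `ASN1_EXP_SET_OF` to `ASN1_EXP_SEQUENCE_OF` changes the tag the decoder expects (SEQUENCE rather than SET) as well as what the encoder emits, so, if I read the template macros right, PKCS#12 files with nested safeContentsBags written by the previous OpenSSL will no longer parse with this build, and files produced by this build will be rejected by the old one. SEQUENCE OF is what PKCS#12 specifies for SafeContents, so the fix is right, but it is a wire-format change and deserves a comment on the entry: `/* SafeContents is SEQUENCE OF SafeBag (RFC 7292); earlier releases wrongly encoded it as SET OF */`. Any .p12 generated by a previous Godot build and read back by this one should be re-exported.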
|
||||
@ -4,7 +4,7 @@
|
|||
* 1999.
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 1999 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 1999-2018 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
|
@ -70,7 +70,8 @@ PKCS12 *PKCS12_init(int mode)
|
|||
PKCS12err(PKCS12_F_PKCS12_INIT, ERR_R_MALLOC_FAILURE);
|
||||
return NULL;
|
||||
}
|
||||
ASN1_INTEGER_set(pkcs12->version, 3);
|
||||
if (!ASN1_INTEGER_set(pkcs12->version, 3))
|
||||
goto err;
|
||||
pkcs12->authsafes->type = OBJ_nid2obj(mode);
|
||||
switch (mode) {
|
||||
case NID_pkcs7_data:
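Review bot: The new `if (!ASN1_INTEGER_set(pkcs12->version, 3)) goto err;` jumps to the error label without recording an error, unlike the PKCS12_new() failure three lines above which reports ERR_R_MALLOC_FAILURE; since ASN1_INTEGER_set() can only fail on allocation, `PKCS12err(PKCS12_F_PKCS12_INIT, ERR_R_MALLOC_FAILURE);` before the goto keeps the two paths consistent. The `err:` label and what it releases are outside this hunk; assuming it frees `pkcs12`, it is the right destination, and the bare `return NULL` above could use it too.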
|
||||
@ -185,7 +185,6 @@ int PKCS7_set_type(PKCS7 *p7, int type)
|
|||
if ((p7->d.signed_and_enveloped = PKCS7_SIGN_ENVELOPE_new())
|
||||
== NULL)
|
||||
goto err;
|
||||
ASN1_INTEGER_set(p7->d.signed_and_enveloped->version, 1);
|
||||
if (!ASN1_INTEGER_set(p7->d.signed_and_enveloped->version, 1))
|
||||
goto err;
|
||||
p7->d.signed_and_enveloped->enc_data->content_type
|
||||
@ -56,7 +56,7 @@
|
|||
* [including the GNU Public Licence.]
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
|
@ -345,7 +345,6 @@ int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo, int lock)
|
|||
static volatile int stirred_pool = 0;
|
||||
int i, j, k;
|
||||
size_t num_ceil, st_idx, st_num;
|
||||
int ok;
|
||||
long md_c[2];
|
||||
unsigned char local_md[MD_DIGEST_LENGTH];
|
||||
EVP_MD_CTX m;
|
||||
|
@ -400,14 +399,13 @@ int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo, int lock)
|
|||
|
||||
if (!initialized) {
|
||||
RAND_poll();
|
||||
initialized = 1;
|
||||
initialized = (entropy >= ENTROPY_NEEDED);
|
||||
}
|
||||
|
||||
if (!stirred_pool)
|
||||
do_stir_pool = 1;
|
||||
|
||||
ok = (entropy >= ENTROPY_NEEDED);
|
||||
if (!ok) {
|
||||
if (!initialized) {
|
||||
/*
|
||||
* If the PRNG state is not yet unpredictable, then seeing the PRNG
|
||||
* output may help attackers to determine the new state; thus we have
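Review bot: `initialized = (entropy >= ENTROPY_NEEDED)` is the right fix, since a RAND_poll() that could not gather ENTROPY_NEEDED bytes no longer marks the PRNG as seeded, but it also means every later ssleay_rand_bytes() call re-runs RAND_poll() until the threshold is met, so on a target whose poll can never reach it (a sandboxed or stripped-down platform with no usable entropy source) every RAND_bytes() becomes a full poll that still fails. That is correct fail-closed behaviour, yet it is a performance cliff for exactly the targets Godot's "one size fits all" config is most likely to hit, so a comment on the assignment is warranted: `/* Not seeded yet: poll again on the next call rather than pretend we are */`. `initialized` is a plain static read and written here; the lock handling around it is outside the hunk, and ssleay_rand_bytes_from_system() later in this file resets it with lock == 0.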
|
||||
|
@ -446,7 +444,7 @@ int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo, int lock)
|
|||
ssleay_rand_add(DUMMY_SEED, MD_DIGEST_LENGTH, 0.0);
|
||||
n -= MD_DIGEST_LENGTH;
|
||||
}
|
||||
if (ok)
|
||||
if (initialized)
|
||||
stirred_pool = 1;
|
||||
}
|
||||
|
||||
|
@ -539,7 +537,7 @@ int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo, int lock)
|
|||
CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
|
||||
|
||||
EVP_MD_CTX_cleanup(&m);
|
||||
if (ok)
|
||||
if (initialized)
|
||||
return (1);
|
||||
else if (pseudo)
|
||||
return 0;
|
||||
|
@ -555,6 +553,18 @@ int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo, int lock)
|
|||
return (0);
|
||||
}
|
||||
|
||||
/*
|
||||
* Returns ssleay_rand_bytes(), enforcing a reseeding from the
|
||||
* system entropy sources using RAND_poll() before generating
|
||||
`* the random bytes.
|
||||
*/
|
||||
|
||||
int ssleay_rand_bytes_from_system(unsigned char *buf, int num)
|
||||
{
|
||||
initialized = 0;
|
||||
return ssleay_rand_bytes(buf, num, 0, 0);
|
||||
}
|
||||
|
||||
static int ssleay_rand_nopseudo_bytes(unsigned char *buf, int num)
|
||||
{
|
||||
return ssleay_rand_bytes(buf, num, 0, 1);
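Review bot: ssleay_rand_bytes_from_system() writes the shared `initialized` flag and then calls `ssleay_rand_bytes(buf, num, 0, 0)` with lock == 0, so neither the write nor the poll-and-generate that follows takes CRYPTO_LOCK_RAND; that is only safe if every caller already holds the lock, and the one visible caller, drbg_get_entropy() in rand_lib.c, shows no sign of doing so. If the DRBG layer does hold it, state that at the declaration in rand_lcl.h; otherwise pass 1 for `lock` or take CRYPTO_LOCK_RAND around the assignment. Minor: the comment above the function has a stray backtick on the `* the random bytes.` line, and the blank line between `*/` and the definition detaches the comment from what it documents.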
|
||||
|
@ -600,10 +610,10 @@ static int ssleay_rand_status(void)
|
|||
|
||||
if (!initialized) {
|
||||
RAND_poll();
|
||||
initialized = 1;
|
||||
initialized = (entropy >= ENTROPY_NEEDED);
|
||||
}
|
||||
|
||||
ret = entropy >= ENTROPY_NEEDED;
|
||||
ret = initialized;
|
||||
|
||||
if (!do_not_lock) {
|
||||
/* before unlocking, we must clear 'crypto_lock_rand' */
|
||||
@ -56,7 +56,7 @@
|
|||
* [including the GNU Public Licence.]
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
|
@ -154,5 +154,5 @@
|
|||
# endif
|
||||
|
||||
int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo, int lock);
|
||||
|
||||
int ssleay_rand_bytes_from_system(unsigned char *buf, int num);
|
||||
#endif
|
||||
@ -185,11 +185,29 @@ int RAND_status(void)
|
|||
|
||||
/*
|
||||
* Entropy gatherer: use standard OpenSSL PRNG to seed (this will gather
|
||||
* entropy internally through RAND_poll().
|
||||
* entropy internally through RAND_poll()).
|
||||
*/
|
||||
|
||||
static size_t drbg_get_entropy(DRBG_CTX *ctx, unsigned char **pout,
|
||||
int entropy, size_t min_len, size_t max_len)
|
||||
{
|
||||
/* Round up request to multiple of block size */
|
||||
min_len = ((min_len + 19) / 20) * 20;
|
||||
*pout = OPENSSL_malloc(min_len);
|
||||
if (!*pout)
|
||||
return 0;
|
||||
|
||||
/* Enforces a reseed of the SSLEAY PRNG before generating random bytes */
|
||||
if (ssleay_rand_bytes_from_system(*pout, min_len) <= 0) {
|
||||
OPENSSL_free(*pout);
|
||||
*pout = NULL;
|
||||
return 0;
|
||||
}
|
||||
return min_len;
|
||||
}
|
||||
|
||||
static size_t drbg_get_nonce(DRBG_CTX *ctx, unsigned char **pout,
|
||||
int entropy, size_t min_len, size_t max_len)
|
||||
{
|
||||
/* Round up request to multiple of block size */
|
||||
min_len = ((min_len + 19) / 20) * 20;
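Review bot: Both callbacks round `min_len` up to a multiple of 20 and then ignore `max_len` entirely, so a request whose rounded length exceeds what the DRBG permits would hand back more bytes than allowed; `if (min_len > max_len) return 0;` after the rounding, or a comment stating that the DRBG limits are always far above min_len, would make the contract explicit. `ssleay_rand_bytes_from_system(*pout, min_len)` also narrows a size_t into the callee's `int num` implicitly. Forcing a RAND_poll() on every entropy request is the point of the change, but it makes each DRBG (re)seed as slow as the platform's poll, which is worth a line in the comment above it; the remainder of drbg_get_nonce() is outside this hunk.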
|
||||
|
@ -281,7 +299,7 @@ int RAND_init_fips(void)
|
|||
|
||||
FIPS_drbg_set_callbacks(dctx,
|
||||
drbg_get_entropy, drbg_free_entropy, 20,
|
||||
drbg_get_entropy, drbg_free_entropy);
|
||||
drbg_get_nonce, drbg_free_entropy);
|
||||
FIPS_drbg_set_rand_callbacks(dctx, drbg_get_adin, 0,
|
||||
drbg_rand_seed, drbg_rand_add);
|
||||
/* Personalisation string: a string followed by date time vector */
|
||||
@ -61,6 +61,7 @@
|
|||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
|
||||
#include "cryptlib.h"
|
||||
#include "e_os.h"
|
||||
#include <openssl/crypto.h>
|
||||
#include <openssl/rand.h>
|
||||
|
@ -327,14 +328,12 @@ const char *RAND_file_name(char *buf, size_t size)
|
|||
struct stat sb;
|
||||
#endif
|
||||
|
||||
if (OPENSSL_issetugid() == 0)
|
||||
s = getenv("RANDFILE");
|
||||
s = ossl_safe_getenv("RANDFILE");
|
||||
if (s != NULL && *s && strlen(s) + 1 < size) {
|
||||
if (BUF_strlcpy(buf, s, size) >= size)
|
||||
return NULL;
|
||||
} else {
|
||||
if (OPENSSL_issetugid() == 0)
|
||||
s = getenv("HOME");
|
||||
s = ossl_safe_getenv("HOME");
|
||||
#ifdef DEFAULT_HOME
|
||||
if (s == NULL) {
|
||||
s = DEFAULT_HOME;
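Review bot: The new `ossl_safe_getenv("RANDFILE")` and `ossl_safe_getenv("HOME")` calls drop the visible `OPENSSL_issetugid() == 0` guard, and nothing in this hunk tells a reader that the guard is now expected to live inside the helper (defined elsewhere in this update, not in this view). A comment at the first call would keep that knowledge local: `/* ossl_safe_getenv() is expected to return NULL in a set-uid/set-gid process, preserving the old OPENSSL_issetugid() guard */`. The same swap appears in the dir_ctrl, by_file_ctrl and check_chain_extensions hunks below and would benefit from the same one-liner at one of them. The fallback through DEFAULT_HOME continues past the end of the hunk.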
@ -56,7 +56,7 @@
* [including the GNU Public Licence.]
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
|
@ -114,6 +114,7 @@
#include <openssl/bn.h>
|
||||
#include <openssl/rsa.h>
|
||||
#include <openssl/rand.h>
|
||||
#include "bn_int.h"
|
||||
|
||||
#ifndef RSA_NULL
@ -156,7 +157,7 @@ static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding)
|
||||
{
|
||||
BIGNUM *f, *ret;
|
||||
int i, j, k, num = 0, r = -1;
|
||||
int i, num = 0, r = -1;
|
||||
unsigned char *buf = NULL;
|
||||
BN_CTX *ctx = NULL;
|
||||
|
||||
|
@ -223,8 +224,8 @@ static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
}
|
||||
|
||||
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
|
||||
if (!BN_MONT_CTX_set_locked
|
||||
(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
|
||||
if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA,
|
||||
rsa->n, ctx))
|
||||
goto err;
|
||||
|
||||
if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx,
|
||||
|
@ -232,15 +233,10 @@ static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
goto err;
|
||||
|
||||
/*
|
||||
* put in leading 0 bytes if the number is less than the length of the
|
||||
* modulus
|
||||
* BN_bn2binpad puts in leading 0 bytes if the number is less than
|
||||
* the length of the modulus.
|
||||
*/
|
||||
j = BN_num_bytes(ret);
|
||||
i = BN_bn2bin(ret, &(to[num - j]));
|
||||
for (k = 0; k < (num - i); k++)
|
||||
to[k] = 0;
|
||||
|
||||
r = num;
|
||||
r = bn_bn2binpad(ret, to, num);
|
||||
err:
|
||||
if (ctx != NULL) {
|
||||
BN_CTX_end(ctx);
|
||||
|
@ -349,7 +345,7 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding)
|
||||
{
|
||||
BIGNUM *f, *ret, *res;
|
||||
int i, j, k, num = 0, r = -1;
|
||||
int i, num = 0, r = -1;
|
||||
unsigned char *buf = NULL;
|
||||
BN_CTX *ctx = NULL;
|
||||
int local_blinding = 0;
|
||||
|
@ -436,8 +432,8 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
d = rsa->d;
|
||||
|
||||
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
|
||||
if (!BN_MONT_CTX_set_locked
|
||||
(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
|
||||
if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA,
|
||||
rsa->n, ctx))
|
||||
goto err;
|
||||
|
||||
if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
|
||||
|
@ -459,15 +455,10 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
res = ret;
|
||||
|
||||
/*
|
||||
* put in leading 0 bytes if the number is less than the length of the
|
||||
* modulus
|
||||
* BN_bn2binpad puts in leading 0 bytes if the number is less than
|
||||
* the length of the modulus.
|
||||
*/
|
||||
j = BN_num_bytes(res);
|
||||
i = BN_bn2bin(res, &(to[num - j]));
|
||||
for (k = 0; k < (num - i); k++)
|
||||
to[k] = 0;
|
||||
|
||||
r = num;
|
||||
r = bn_bn2binpad(res, to, num);
|
||||
err:
|
||||
if (ctx != NULL) {
|
||||
BN_CTX_end(ctx);
|
||||
|
@ -485,7 +476,6 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
{
|
||||
BIGNUM *f, *ret;
|
||||
int j, num = 0, r = -1;
|
||||
unsigned char *p;
|
||||
unsigned char *buf = NULL;
|
||||
BN_CTX *ctx = NULL;
|
||||
int local_blinding = 0;
|
||||
|
@ -564,8 +554,8 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
d = rsa->d;
|
||||
|
||||
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
|
||||
if (!BN_MONT_CTX_set_locked
|
||||
(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
|
||||
if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA,
|
||||
rsa->n, ctx))
|
||||
goto err;
|
||||
if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
|
||||
rsa->_method_mod_n))
|
||||
|
@ -576,8 +566,7 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
|
||||
goto err;
|
||||
|
||||
p = buf;
|
||||
j = BN_bn2bin(ret, p); /* j is only used with no-padding mode */
|
||||
j = bn_bn2binpad(ret, buf, num);
|
||||
|
||||
switch (padding) {
|
||||
case RSA_PKCS1_PADDING:
|
||||
|
@ -592,7 +581,7 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
r = RSA_padding_check_SSLv23(to, num, buf, j, num);
|
||||
break;
|
||||
case RSA_NO_PADDING:
|
||||
r = RSA_padding_check_none(to, num, buf, j, num);
|
||||
memcpy(to, buf, (r = j));
|
||||
break;
|
||||
default:
|
||||
RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
|
||||
|
@ -619,7 +608,6 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
{
|
||||
BIGNUM *f, *ret;
|
||||
int i, num = 0, r = -1;
|
||||
unsigned char *p;
|
||||
unsigned char *buf = NULL;
|
||||
BN_CTX *ctx = NULL;
|
||||
|
||||
|
@ -672,8 +660,8 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
}
|
||||
|
||||
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
|
||||
if (!BN_MONT_CTX_set_locked
|
||||
(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
|
||||
if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA,
|
||||
rsa->n, ctx))
|
||||
goto err;
|
||||
|
||||
if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx,
|
||||
|
@ -684,8 +672,7 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
if (!BN_sub(ret, rsa->n, ret))
|
||||
goto err;
|
||||
|
||||
p = buf;
|
||||
i = BN_bn2bin(ret, p);
|
||||
i = bn_bn2binpad(ret, buf, num);
|
||||
|
||||
switch (padding) {
|
||||
case RSA_PKCS1_PADDING:
|
||||
|
@ -695,7 +682,7 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
r = RSA_padding_check_X931(to, num, buf, i, num);
|
||||
break;
|
||||
case RSA_NO_PADDING:
|
||||
r = RSA_padding_check_none(to, num, buf, i, num);
|
||||
memcpy(to, buf, (r = i));
|
||||
break;
|
||||
default:
|
||||
RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
|
||||
|
@ -721,7 +708,7 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
BIGNUM *r1, *m1, *vrfy;
|
||||
BIGNUM local_dmp1, local_dmq1, local_c, local_r1;
|
||||
BIGNUM *dmp1, *dmq1, *c, *pr1;
|
||||
int ret = 0;
|
||||
int ret = 0, smooth = 0;
|
||||
|
||||
BN_CTX_start(ctx);
|
||||
r1 = BN_CTX_get(ctx);
|
||||
|
@ -750,20 +737,64 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
}
|
||||
|
||||
if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) {
|
||||
if (!BN_MONT_CTX_set_locked
|
||||
(&rsa->_method_mod_p, CRYPTO_LOCK_RSA, p, ctx))
|
||||
if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, CRYPTO_LOCK_RSA,
|
||||
p, ctx))
|
||||
goto err;
|
||||
if (!BN_MONT_CTX_set_locked
|
||||
(&rsa->_method_mod_q, CRYPTO_LOCK_RSA, q, ctx))
|
||||
if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q, CRYPTO_LOCK_RSA,
|
||||
q, ctx))
|
||||
goto err;
|
||||
|
||||
smooth = (rsa->meth->bn_mod_exp == BN_mod_exp_mont)
|
||||
&& (BN_num_bits(q) == BN_num_bits(p));
|
||||
}
|
||||
}
|
||||
|
||||
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
|
||||
if (!BN_MONT_CTX_set_locked
|
||||
(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
|
||||
if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA,
|
||||
rsa->n, ctx))
|
||||
goto err;
|
||||
|
||||
if (smooth) {
|
||||
/*
|
||||
* Conversion from Montgomery domain, a.k.a. Montgomery reduction,
|
||||
* accepts values in [0-m*2^w) range. w is m's bit width rounded up
|
||||
* to limb width. So that at the very least if |I| is fully reduced,
|
||||
* i.e. less than p*q, we can count on from-to round to perform
|
||||
* below modulo operations on |I|. Unlike BN_mod it's constant time.
|
||||
*/
|
||||
if (/* m1 = I moq q */
|
||||
!bn_from_mont_fixed_top(m1, I, rsa->_method_mod_q, ctx)
|
||||
|| !bn_to_mont_fixed_top(m1, m1, rsa->_method_mod_q, ctx)
|
||||
/* m1 = m1^dmq1 mod q */
|
||||
|| !BN_mod_exp_mont_consttime(m1, m1, rsa->dmq1, rsa->q, ctx,
|
||||
rsa->_method_mod_q)
|
||||
/* r1 = I mod p */
|
||||
|| !bn_from_mont_fixed_top(r1, I, rsa->_method_mod_p, ctx)
|
||||
|| !bn_to_mont_fixed_top(r1, r1, rsa->_method_mod_p, ctx)
|
||||
/* r1 = r1^dmp1 mod p */
|
||||
|| !BN_mod_exp_mont_consttime(r1, r1, rsa->dmp1, rsa->p, ctx,
|
||||
rsa->_method_mod_p)
|
||||
/* r1 = (r1 - m1) mod p */
|
||||
/*
|
||||
* bn_mod_sub_fixed_top is not regular modular subtraction,
|
||||
* it can tolerate subtrahend to be larger than modulus, but
|
||||
* not bit-wise wider. This makes up for uncommon q>p case,
|
||||
* when |m1| can be larger than |rsa->p|.
|
||||
*/
|
||||
|| !bn_mod_sub_fixed_top(r1, r1, m1, rsa->p)
|
||||
|
||||
/* r1 = r1 * iqmp mod p */
|
||||
|| !bn_to_mont_fixed_top(r1, r1, rsa->_method_mod_p, ctx)
|
||||
|| !bn_mul_mont_fixed_top(r1, r1, rsa->iqmp, rsa->_method_mod_p,
|
||||
ctx)
|
||||
/* r0 = r1 * q + m1 */
|
||||
|| !bn_mul_fixed_top(r0, r1, rsa->q, ctx)
|
||||
|| !bn_mod_add_fixed_top(r0, r0, m1, rsa->n))
|
||||
goto err;
|
||||
|
||||
goto tail;
|
||||
}
|
||||
|
||||
/* compute I mod q */
|
||||
if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
|
||||
c = &local_c;
|
||||
|
@ -841,10 +872,18 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
if (!BN_add(r0, r1, m1))
|
||||
goto err;
|
||||
|
||||
tail:
|
||||
if (rsa->e && rsa->n) {
|
||||
if (!rsa->meth->bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx,
|
||||
rsa->_method_mod_n))
|
||||
goto err;
|
||||
if (rsa->meth->bn_mod_exp == BN_mod_exp_mont) {
|
||||
if (!BN_mod_exp_mont(vrfy, r0, rsa->e, rsa->n, ctx,
|
||||
rsa->_method_mod_n))
|
||||
goto err;
|
||||
} else {
|
||||
bn_correct_top(r0);
|
||||
if (!rsa->meth->bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx,
|
||||
rsa->_method_mod_n))
|
||||
goto err;
|
||||
}
|
||||
/*
|
||||
* If 'I' was greater than (or equal to) rsa->n, the operation will
|
||||
* be equivalent to using 'I mod n'. However, the result of the
|
||||
|
@ -853,6 +892,11 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
*/
|
||||
if (!BN_sub(vrfy, vrfy, I))
|
||||
goto err;
|
||||
if (BN_is_zero(vrfy)) {
|
||||
bn_correct_top(r0);
|
||||
ret = 1;
|
||||
goto err; /* not actually error */
|
||||
}
|
||||
if (!BN_mod(vrfy, vrfy, rsa->n, ctx))
|
||||
goto err;
|
||||
if (BN_is_negative(vrfy))
|
||||
|
@ -878,6 +922,15 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
goto err;
|
||||
}
|
||||
}
|
||||
/*
|
||||
* It's unfortunate that we have to bn_correct_top(r0). What hopefully
|
||||
* saves the day is that correction is highly unlike, and private key
|
||||
* operations are customarily performed on blinded message. Which means
|
||||
* that attacker won't observe correlation with chosen plaintext.
|
||||
* Secondly, remaining code would still handle it in same computational
|
||||
* time and even conceal memory access pattern around corrected top.
|
||||
*/
|
||||
bn_correct_top(r0);
|
||||
ret = 1;
|
||||
err:
|
||||
BN_CTX_end(ctx);
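Review bot: The inline comment `/* m1 = I moq q */` in the new smooth path of RSA_eay_mod_exp has a typo and should read `/* m1 = I mod q */`. The `smooth` flag is introduced without an explanation at its declaration even though it selects the fixed-top CRT branch; `int ret = 0, smooth = 0; /* 1 when BN_mod_exp_mont is in use and p, q have equal bit width: take the fixed-top constant-time CRT path */` would tell readers why the condition inside the RSA_FLAG_CACHE_PRIVATE block matters. The `bn_correct_top(r0)` added in the `BN_is_zero(vrfy)` early-exit path is easy to miss and deserves a short `/* r0 may still carry an uncorrected top from the fixed-top arithmetic */`, mirroring the longer comment further down. In the encrypt/decrypt hunks earlier in this section a failure result from bn_bn2binpad is carried straight into `r`/`i`/`j` with no RSAerr, which is worth confirming as intended.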
@ -156,6 +156,8 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
if (BN_copy(rsa->e, e_value) == NULL)
|
||||
goto err;
|
||||
|
||||
BN_set_flags(rsa->p, BN_FLG_CONSTTIME);
|
||||
BN_set_flags(rsa->q, BN_FLG_CONSTTIME);
|
||||
BN_set_flags(r2, BN_FLG_CONSTTIME);
|
||||
/* generate p and q */
|
||||
for (;;) {
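Review bot: The three new `BN_set_flags(..., BN_FLG_CONSTTIME)` calls in rsa_builtin_keygen carry no comment, and the reason for flagging exactly p, q and r2 is not visible from the hunk. Something like `/* p, q and r2 hold secret values: flag them constant-time so the BN operations on them take their side-channel-resistant code paths */` at the first call would do; the claim about r2 should be checked against its use in the generation loop, which is outside the hunk. Other temporaries declared above the hunk are not flagged, so if they also hold secret intermediates the omission deserves a second look.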
@ -120,7 +120,7 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
int plen, const EVP_MD *md,
|
||||
const EVP_MD *mgf1md)
|
||||
{
|
||||
int i, dblen, mlen = -1, one_index = 0, msg_index;
|
||||
int i, dblen = 0, mlen = -1, one_index = 0, msg_index;
|
||||
unsigned int good, found_one_byte;
|
||||
const unsigned char *maskedseed, *maskeddb;
|
||||
/*
|
||||
|
@ -153,32 +153,41 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
|
||||
dblen = num - mdlen - 1;
|
||||
db = OPENSSL_malloc(dblen);
|
||||
em = OPENSSL_malloc(num);
|
||||
if (db == NULL || em == NULL) {
|
||||
if (db == NULL) {
|
||||
RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1, ERR_R_MALLOC_FAILURE);
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
/*
|
||||
* Always do this zero-padding copy (even when num == flen) to avoid
|
||||
* leaking that information. The copy still leaks some side-channel
|
||||
* information, but it's impossible to have a fixed memory access
|
||||
* pattern since we can't read out of the bounds of |from|.
|
||||
*
|
||||
* TODO(emilia): Consider porting BN_bn2bin_padded from BoringSSL.
|
||||
*/
|
||||
memset(em, 0, num);
|
||||
memcpy(em + num - flen, from, flen);
|
||||
if (flen != num) {
|
||||
em = OPENSSL_malloc(num);
|
||||
if (em == NULL) {
|
||||
RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1,
|
||||
ERR_R_MALLOC_FAILURE);
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
/*
|
||||
* Caller is encouraged to pass zero-padded message created with
|
||||
* BN_bn2binpad, but if it doesn't, we do this zero-padding copy
|
||||
* to avoid leaking that information. The copy still leaks some
|
||||
* side-channel information, but it's impossible to have a fixed
|
||||
* memory access pattern since we can't read out of the bounds of
|
||||
* |from|.
|
||||
*/
|
||||
memset(em, 0, num);
|
||||
memcpy(em + num - flen, from, flen);
|
||||
from = em;
|
||||
}
|
||||
|
||||
/*
|
||||
* The first byte must be zero, however we must not leak if this is
|
||||
* true. See James H. Manger, "A Chosen Ciphertext Attack on RSA
|
||||
* Optimal Asymmetric Encryption Padding (OAEP) [...]", CRYPTO 2001).
|
||||
*/
|
||||
good = constant_time_is_zero(em[0]);
|
||||
good = constant_time_is_zero(from[0]);
|
||||
|
||||
maskedseed = em + 1;
|
||||
maskeddb = em + 1 + mdlen;
|
||||
maskedseed = from + 1;
|
||||
maskeddb = from + 1 + mdlen;
|
||||
|
||||
if (PKCS1_MGF1(seed, mdlen, maskeddb, dblen, mgf1md))
|
||||
goto cleanup;
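Review bot: `em` is now allocated only when `flen != num` and the rest of the function reads through `from`, so the cleanup path (outside the hunk) must tolerate `em == NULL`, which holds only if `em` is initialised to NULL at its declaration above the hunk — worth confirming. The new `dblen = 0` initialiser also deserves a word, presumably because cleanup reads `dblen` when the function bails out before computing it: `int i, dblen = 0 /* read at cleanup even if we bail out early */, ...`. The `flen > num` case would make the `memcpy(em + num - flen, ...)` write before `em`; it is presumably rejected above the hunk, and a one-line comment on the copy saying so would make that dependency explicit.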
@ -98,6 +98,27 @@ int RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen,
const unsigned char *p;
|
||||
|
||||
p = from;
|
||||
|
||||
/*
|
||||
* The format is
|
||||
* 00 || 01 || PS || 00 || D
|
||||
* PS - padding string, at least 8 bytes of FF
|
||||
* D - data.
|
||||
*/
|
||||
|
||||
if (num < 11)
|
||||
return -1;
|
||||
|
||||
/* Accept inputs with and without the leading 0-byte. */
|
||||
if (num == flen) {
|
||||
if ((*p++) != 0x00) {
|
||||
RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,
|
||||
RSA_R_INVALID_PADDING);
|
||||
return -1;
|
||||
}
|
||||
flen--;
|
||||
}
|
||||
|
||||
if ((num != (flen + 1)) || (*(p++) != 01)) {
|
||||
RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,
|
||||
RSA_R_BLOCK_TYPE_IS_NOT_01);
|
||||
|
@ -203,28 +224,31 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
if (num < 11)
|
||||
goto err;
|
||||
|
||||
em = OPENSSL_malloc(num);
|
||||
if (em == NULL) {
|
||||
RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2, ERR_R_MALLOC_FAILURE);
|
||||
return -1;
|
||||
if (flen != num) {
|
||||
em = OPENSSL_malloc(num);
|
||||
if (em == NULL) {
|
||||
RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2, ERR_R_MALLOC_FAILURE);
|
||||
return -1;
|
||||
}
|
||||
/*
|
||||
* Caller is encouraged to pass zero-padded message created with
|
||||
* BN_bn2binpad, but if it doesn't, we do this zero-padding copy
|
||||
* to avoid leaking that information. The copy still leaks some
|
||||
* side-channel information, but it's impossible to have a fixed
|
||||
* memory access pattern since we can't read out of the bounds of
|
||||
* |from|.
|
||||
*/
|
||||
memset(em, 0, num);
|
||||
memcpy(em + num - flen, from, flen);
|
||||
from = em;
|
||||
}
|
||||
memset(em, 0, num);
|
||||
/*
|
||||
* Always do this zero-padding copy (even when num == flen) to avoid
|
||||
* leaking that information. The copy still leaks some side-channel
|
||||
* information, but it's impossible to have a fixed memory access
|
||||
* pattern since we can't read out of the bounds of |from|.
|
||||
*
|
||||
* TODO(emilia): Consider porting BN_bn2bin_padded from BoringSSL.
|
||||
*/
|
||||
memcpy(em + num - flen, from, flen);
|
||||
|
||||
good = constant_time_is_zero(em[0]);
|
||||
good &= constant_time_eq(em[1], 2);
|
||||
good = constant_time_is_zero(from[0]);
|
||||
good &= constant_time_eq(from[1], 2);
|
||||
|
||||
found_zero_byte = 0;
|
||||
for (i = 2; i < num; i++) {
|
||||
unsigned int equals0 = constant_time_is_zero(em[i]);
|
||||
unsigned int equals0 = constant_time_is_zero(from[i]);
|
||||
zero_index =
|
||||
constant_time_select_int(~found_zero_byte & equals0, i,
|
||||
zero_index);
|
||||
|
@ -232,7 +256,7 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
}
|
||||
|
||||
/*
|
||||
* PS must be at least 8 bytes long, and it starts two bytes into |em|.
|
||||
* PS must be at least 8 bytes long, and it starts two bytes into |from|.
|
||||
* If we never found a 0-byte, then |zero_index| is 0 and the check
|
||||
* also fails.
|
||||
*/
|
||||
|
@ -261,7 +285,7 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
goto err;
|
||||
}
|
||||
|
||||
memcpy(to, em + msg_index, mlen);
|
||||
memcpy(to, from + msg_index, mlen);
|
||||
|
||||
err:
|
||||
if (em != NULL) {
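Review bot: In RSA_padding_check_PKCS1_type_2 `em` is now left unallocated when `flen == num`, so the `if (em != NULL)` at `err:` relies on `em` being initialised to NULL at its declaration above the hunk — worth confirming, since a stale pointer there would now be freed. In the type_1 hunk the new `if (num < 11) return -1;` returns without an error code while every other failure in that function raises one; `RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1, RSA_R_DATA_TOO_SMALL);` before the return would keep the error stack consistent. The leading-zero branch in type_1 reads a byte and returns early on mismatch, which is exactly the data-dependent branching the type_2 code avoids; a comment stating that type 1 padding is not secret-dependent would preempt that question.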
@ -84,7 +84,7 @@ int RSA_sign(int type, const unsigned char *m, unsigned int m_len,
return 0;
|
||||
}
|
||||
#endif
|
||||
if ((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign) {
|
||||
if ((rsa->meth->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign) {
|
||||
return rsa->meth->rsa_sign(type, m, m_len, sigret, siglen, rsa);
|
||||
}
|
||||
/* Special case: SSL signature, just check the length */
|
||||
|
@ -293,7 +293,7 @@ int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len,
const unsigned char *sigbuf, unsigned int siglen, RSA *rsa)
|
||||
{
|
||||
|
||||
if ((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_verify) {
|
||||
if ((rsa->meth->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_verify) {
|
||||
return rsa->meth->rsa_verify(dtype, m, m_len, sigbuf, siglen, rsa);
|
||||
}
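Review bot: The `rsa->flags` to `rsa->meth->flags` change in RSA_sign and RSA_verify is a behavioural fix with no comment saying which flag set RSA_FLAG_SIGN_VER belongs to. A line above the first check such as `/* RSA_FLAG_SIGN_VER is tested on the RSA_METHOD: it advertises meth->rsa_sign/rsa_verify, not a per-key setting */` would stop the next reader from "correcting" it back. Both checks still dereference `rsa->meth->rsa_sign`/`rsa_verify` only after the flag test, so the evaluation order is fine.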
@ -112,6 +112,14 @@ int RSA_padding_check_SSLv23(unsigned char *to, int tlen,
RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_DATA_TOO_SMALL);
|
||||
return (-1);
|
||||
}
|
||||
/* Accept even zero-padded input */
|
||||
if (flen == num) {
|
||||
if (*(p++) != 0) {
|
||||
RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_BLOCK_TYPE_IS_NOT_02);
|
||||
return -1;
|
||||
}
|
||||
flen--;
|
||||
}
|
||||
if ((num != (flen + 1)) || (*(p++) != 02)) {
|
||||
RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_BLOCK_TYPE_IS_NOT_02);
|
||||
return (-1);
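Review bot: The new leading-zero check in RSA_padding_check_SSLv23 reports a non-zero first byte as `RSA_R_BLOCK_TYPE_IS_NOT_02`, which mislabels the failure, since the block type is the second byte. The matching change in RSA_padding_check_PKCS1_type_1 uses `RSA_R_INVALID_PADDING` for the same condition; `RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_INVALID_PADDING);` here would keep the two consistent. The comment `/* Accept even zero-padded input */` reads more clearly as `/* Accept input both with and without the leading 0x00 byte */`.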
@ -4,7 +4,7 @@
* OpenSSL project 2001.
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 2001 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 2001-2018 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
|
@ -509,6 +509,24 @@ static int open_console(UI *ui)
is_a_tty = 0;
|
||||
else
|
||||
# endif
|
||||
# ifdef ENXIO
|
||||
/*
|
||||
* Solaris can return ENXIO.
|
||||
* This should be ok
|
||||
*/
|
||||
if (errno == ENXIO)
|
||||
is_a_tty = 0;
|
||||
else
|
||||
# endif
|
||||
# ifdef EIO
|
||||
/*
|
||||
* Linux can return EIO.
|
||||
* This should be ok
|
||||
*/
|
||||
if (errno == EIO)
|
||||
is_a_tty = 0;
|
||||
else
|
||||
# endif
|
||||
# ifdef ENODEV
|
||||
/*
|
||||
* MacOS X returns ENODEV (Operation not supported by device),
|
||||
|
@ -567,17 +585,13 @@ static int echo_console(UI *ui)
{
|
||||
#if defined(TTY_set) && !defined(OPENSSL_SYS_VMS)
|
||||
memcpy(&(tty_new), &(tty_orig), sizeof(tty_orig));
|
||||
tty_new.TTY_FLAGS |= ECHO;
|
||||
#endif
|
||||
|
||||
#if defined(TTY_set) && !defined(OPENSSL_SYS_VMS)
|
||||
if (is_a_tty && (TTY_set(fileno(tty_in), &tty_new) == -1))
|
||||
return 0;
|
||||
#endif
|
||||
#ifdef OPENSSL_SYS_VMS
|
||||
if (is_a_tty) {
|
||||
tty_new[0] = tty_orig[0];
|
||||
tty_new[1] = tty_orig[1] & ~TT$M_NOECHO;
|
||||
tty_new[1] = tty_orig[1];
|
||||
tty_new[2] = tty_orig[2];
|
||||
status = sys$qiow(0, channel, IO$_SETMODE, &iosb, 0, 0, tty_new, 12,
|
||||
0, 0, 0, 0);
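Review bot: The new ENXIO and EIO cases in open_console extend a chain in which each `# ifdef` block ends with a dangling `else` that binds to whatever the next enabled block supplies, so a future case added without a trailing `else`, or one placed after a block that is compiled out, silently changes which errno values count as "not a tty". A comment at the head of the chain, `/* the #ifdef blocks below form one if/else chain: every block must end with 'else' */`, would make that invariant explicit. In echo_console the VMS branch now copies `tty_orig[1]` unchanged instead of clearing TT$M_NOECHO; if the intent is to restore the original mode rather than force echo on, a comment saying so would help, because the function name suggests the latter. Both functions start outside their hunks.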
@ -128,7 +128,7 @@ static int dir_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl,
switch (cmd) {
|
||||
case X509_L_ADD_DIR:
|
||||
if (argl == X509_FILETYPE_DEFAULT) {
|
||||
dir = (char *)getenv(X509_get_default_cert_dir_env());
|
||||
dir = (char *)ossl_safe_getenv(X509_get_default_cert_dir_env());
|
||||
if (dir)
|
||||
ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);
|
||||
else
@ -97,7 +97,8 @@ static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp,
switch (cmd) {
|
||||
case X509_L_FILE_LOAD:
|
||||
if (argl == X509_FILETYPE_DEFAULT) {
|
||||
file = getenv(X509_get_default_cert_file_env());
|
||||
file = ossl_safe_getenv(X509_get_default_cert_file_env());
|
||||
|
||||
if (file)
|
||||
ok = (X509_load_cert_crl_file(ctx, file,
|
||||
X509_FILETYPE_PEM) != 0);
@ -219,7 +219,7 @@ int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b)
|
||||
ret = a->canon_enclen - b->canon_enclen;
|
||||
|
||||
if (ret)
|
||||
if (ret != 0 || a->canon_enclen == 0)
|
||||
return ret;
|
||||
|
||||
return memcmp(a->canon_enc, b->canon_enc, a->canon_enclen);
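Review bot: The added `a->canon_enclen == 0` early return in X509_NAME_cmp has no comment, and the reason is not visible from the hunk; presumably an empty canonical encoding has no buffer, and memcmp on a null pointer is undefined even with a length of 0. Suggest `/* equal lengths: an empty encoding has no buffer to compare, and memcmp must not be given a null pointer even for length 0 */` above the check so the guard is not removed later as redundant.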
@ -311,7 +311,11 @@ int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name,
X509_OBJECT stmp, *tmp;
|
||||
int i, j;
|
||||
|
||||
if (ctx == NULL)
|
||||
return 0;
|
||||
|
||||
CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
|
||||
|
||||
tmp = X509_OBJECT_retrieve_by_subject(ctx->objs, type, name);
|
||||
CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
|
||||
|
||||
|
@ -506,6 +510,10 @@ STACK_OF(X509) *X509_STORE_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm)
STACK_OF(X509) *sk;
|
||||
X509 *x;
|
||||
X509_OBJECT *obj;
|
||||
|
||||
if (ctx->ctx == NULL)
|
||||
return NULL;
|
||||
|
||||
sk = sk_X509_new_null();
|
||||
CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
|
||||
idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_X509, nm, &cnt);
|
||||
|
@ -551,6 +559,11 @@ STACK_OF(X509_CRL) *X509_STORE_get1_crls(X509_STORE_CTX *ctx, X509_NAME *nm)
STACK_OF(X509_CRL) *sk;
|
||||
X509_CRL *x;
|
||||
X509_OBJECT *obj, xobj;
|
||||
|
||||
|
||||
if (ctx->ctx == NULL)
|
||||
return NULL;
|
||||
|
||||
sk = sk_X509_CRL_new_null();
|
||||
CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
|
||||
|
||||
|
@ -651,6 +664,9 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
}
|
||||
X509_OBJECT_free_contents(&obj);
|
||||
|
||||
if (ctx->ctx == NULL)
|
||||
return 0;
|
||||
|
||||
/* Else find index of first cert accepted by 'check_issued' */
|
||||
ret = 0;
|
||||
CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
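Review bot: The new `ctx == NULL` / `ctx->ctx == NULL` guards in X509_STORE_get_by_subject, X509_STORE_get1_certs, X509_STORE_get1_crls and X509_STORE_CTX_get1_issuer each return silently, and none says when a missing store is expected; a one-line comment at the first of them, `/* a X509_STORE_CTX may be set up without an X509_STORE; treat lookups against a missing store as "not found" */`, would document the contract in one place. In X509_STORE_CTX_get1_issuer the guard comes after `X509_OBJECT_free_contents(&obj)`, so nothing is leaked on that path; that function starts outside the hunk.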
@ -56,6 +56,7 @@
* [including the GNU Public Licence.]
|
||||
*/
|
||||
|
||||
#include <ctype.h>
|
||||
#include <stdio.h>
|
||||
#include <time.h>
|
||||
#include <errno.h>
|
||||
|
@ -620,7 +621,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
* A hack to keep people who don't want to modify their software
|
||||
* happy
|
||||
*/
|
||||
if (getenv("OPENSSL_ALLOW_PROXY_CERTS"))
|
||||
if (ossl_safe_getenv("OPENSSL_ALLOW_PROXY_CERTS"))
|
||||
allow_proxy_certs = 1;
|
||||
purpose = ctx->param->purpose;
|
||||
}
|
||||
|
@ -693,10 +694,9 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
goto end;
|
||||
}
|
||||
}
|
||||
/* Check pathlen if not self issued */
|
||||
if ((i > 1) && !(x->ex_flags & EXFLAG_SI)
|
||||
&& (x->ex_pathlen != -1)
|
||||
&& (plen > (x->ex_pathlen + proxy_path_length + 1))) {
|
||||
/* Check pathlen */
|
||||
if ((i > 1) && (x->ex_pathlen != -1)
|
||||
&& (plen > (x->ex_pathlen + proxy_path_length))) {
|
||||
ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
|
||||
ctx->error_depth = i;
|
||||
ctx->current_cert = x;
|
||||
|
@ -704,8 +704,8 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
if (!ok)
|
||||
goto end;
|
||||
}
|
||||
/* Increment path length if not self issued */
|
||||
if (!(x->ex_flags & EXFLAG_SI))
|
||||
/* Increment path length if not a self issued intermediate CA */
|
||||
if (i > 0 && (x->ex_flags & EXFLAG_SI) == 0)
|
||||
plen++;
|
||||
/*
|
||||
* If this certificate is a proxy certificate, the next certificate
|
||||
|
@ -1937,119 +1937,67 @@ int X509_cmp_current_time(const ASN1_TIME *ctm)
|
||||
int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
|
||||
{
|
||||
char *str;
|
||||
ASN1_TIME atm;
|
||||
long offset;
|
||||
char buff1[24], buff2[24], *p;
|
||||
int i, j, remaining;
|
||||
static const size_t utctime_length = sizeof("YYMMDDHHMMSSZ") - 1;
|
||||
static const size_t generalizedtime_length = sizeof("YYYYMMDDHHMMSSZ") - 1;
|
||||
ASN1_TIME *asn1_cmp_time = NULL;
|
||||
int i, day, sec, ret = 0;
|
||||
|
||||
p = buff1;
|
||||
remaining = ctm->length;
|
||||
str = (char *)ctm->data;
|
||||
/*
|
||||
* Note that the following (historical) code allows much more slack in the
|
||||
* time format than RFC5280. In RFC5280, the representation is fixed:
|
||||
* Note that ASN.1 allows much more slack in the time format than RFC5280.
|
||||
* In RFC5280, the representation is fixed:
|
||||
* UTCTime: YYMMDDHHMMSSZ
|
||||
* GeneralizedTime: YYYYMMDDHHMMSSZ
|
||||
*
|
||||
* We do NOT currently enforce the following RFC 5280 requirement:
|
||||
* "CAs conforming to this profile MUST always encode certificate
|
||||
* validity dates through the year 2049 as UTCTime; certificate validity
|
||||
* dates in 2050 or later MUST be encoded as GeneralizedTime."
|
||||
*/
|
||||
if (ctm->type == V_ASN1_UTCTIME) {
|
||||
/* YYMMDDHHMM[SS]Z or YYMMDDHHMM[SS](+-)hhmm */
|
||||
int min_length = sizeof("YYMMDDHHMMZ") - 1;
|
||||
int max_length = sizeof("YYMMDDHHMMSS+hhmm") - 1;
|
||||
if (remaining < min_length || remaining > max_length)
|
||||
switch (ctm->type) {
|
||||
case V_ASN1_UTCTIME:
|
||||
if (ctm->length != (int)(utctime_length))
|
||||
return 0;
|
||||
memcpy(p, str, 10);
|
||||
p += 10;
|
||||
str += 10;
|
||||
remaining -= 10;
|
||||
} else {
|
||||
/* YYYYMMDDHHMM[SS[.fff]]Z or YYYYMMDDHHMM[SS[.f[f[f]]]](+-)hhmm */
|
||||
int min_length = sizeof("YYYYMMDDHHMMZ") - 1;
|
||||
int max_length = sizeof("YYYYMMDDHHMMSS.fff+hhmm") - 1;
|
||||
if (remaining < min_length || remaining > max_length)
|
||||
break;
|
||||
case V_ASN1_GENERALIZEDTIME:
|
||||
if (ctm->length != (int)(generalizedtime_length))
|
||||
return 0;
|
||||
memcpy(p, str, 12);
|
||||
p += 12;
|
||||
str += 12;
|
||||
remaining -= 12;
|
||||
}
|
||||
|
||||
if ((*str == 'Z') || (*str == '-') || (*str == '+')) {
|
||||
*(p++) = '0';
|
||||
*(p++) = '0';
|
||||
} else {
|
||||
/* SS (seconds) */
|
||||
if (remaining < 2)
|
||||
return 0;
|
||||
*(p++) = *(str++);
|
||||
*(p++) = *(str++);
|
||||
remaining -= 2;
|
||||
/*
|
||||
* Skip any (up to three) fractional seconds...
|
||||
* TODO(emilia): in RFC5280, fractional seconds are forbidden.
|
||||
* Can we just kill them altogether?
|
||||
*/
|
||||
if (remaining && *str == '.') {
|
||||
str++;
|
||||
remaining--;
|
||||
for (i = 0; i < 3 && remaining; i++, str++, remaining--) {
|
||||
if (*str < '0' || *str > '9')
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
*(p++) = 'Z';
|
||||
*(p++) = '\0';
|
||||
|
||||
/* We now need either a terminating 'Z' or an offset. */
|
||||
if (!remaining)
|
||||
break;
|
||||
default:
|
||||
return 0;
|
||||
if (*str == 'Z') {
|
||||
if (remaining != 1)
|
||||
return 0;
|
||||
offset = 0;
|
||||
} else {
|
||||
/* (+-)HHMM */
|
||||
if ((*str != '+') && (*str != '-'))
|
||||
return 0;
|
||||
/* Historical behaviour: the (+-)hhmm offset is forbidden in RFC5280. */
|
||||
if (remaining != 5)
|
||||
return 0;
|
||||
if (str[1] < '0' || str[1] > '9' || str[2] < '0' || str[2] > '9' ||
|
||||
str[3] < '0' || str[3] > '9' || str[4] < '0' || str[4] > '9')
|
||||
return 0;
|
||||
offset = ((str[1] - '0') * 10 + (str[2] - '0')) * 60;
|
||||
offset += (str[3] - '0') * 10 + (str[4] - '0');
|
||||
if (*str == '-')
|
||||
offset = -offset;
|
||||
}
|
||||
atm.type = ctm->type;
|
||||
atm.flags = 0;
|
||||
atm.length = sizeof(buff2);
|
||||
atm.data = (unsigned char *)buff2;
|
||||
|
||||
if (X509_time_adj(&atm, offset * 60, cmp_time) == NULL)
|
||||
/**
|
||||
* Verify the format: the ASN.1 functions we use below allow a more
|
||||
* flexible format than what's mandated by RFC 5280.
|
||||
* Digit and date ranges will be verified in the conversion methods.
|
||||
*/
|
||||
for (i = 0; i < ctm->length - 1; i++) {
|
||||
if (!isdigit(ctm->data[i]))
|
||||
return 0;
|
||||
}
|
||||
if (ctm->data[ctm->length - 1] != 'Z')
|
||||
return 0;
|
||||
|
||||
if (ctm->type == V_ASN1_UTCTIME) {
|
||||
i = (buff1[0] - '0') * 10 + (buff1[1] - '0');
|
||||
if (i < 50)
|
||||
i += 100; /* cf. RFC 2459 */
|
||||
j = (buff2[0] - '0') * 10 + (buff2[1] - '0');
|
||||
if (j < 50)
|
||||
j += 100;
|
||||
/*
|
||||
* There is ASN1_UTCTIME_cmp_time_t but no
|
||||
* ASN1_GENERALIZEDTIME_cmp_time_t or ASN1_TIME_cmp_time_t,
|
||||
* so we go through ASN.1
|
||||
*/
|
||||
asn1_cmp_time = X509_time_adj(NULL, 0, cmp_time);
|
||||
if (asn1_cmp_time == NULL)
|
||||
goto err;
|
||||
if (!ASN1_TIME_diff(&day, &sec, ctm, asn1_cmp_time))
|
||||
goto err;
|
||||
|
||||
if (i < j)
|
||||
return -1;
|
||||
if (i > j)
|
||||
return 1;
|
||||
}
|
||||
i = strcmp(buff1, buff2);
|
||||
if (i == 0) /* wait a second then return younger :-) */
|
||||
return -1;
|
||||
else
|
||||
return i;
|
||||
/*
|
||||
* X509_cmp_time comparison is <=.
|
||||
* The return value 0 is reserved for errors.
|
||||
*/
|
||||
ret = (day >= 0 && sec >= 0) ? -1 : 1;
|
||||
|
||||
err:
|
||||
ASN1_TIME_free(asn1_cmp_time);
|
||||
return ret;
|
||||
}
|
||||
|
||||
ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj)
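Review bot: X509_cmp_time's return contract is now spelled out only in a comment just above `ret = ...`, near the end of a function that was rewritten end-to-end; a header comment at the definition would serve callers better, describing it as returning -1 when ctm is at or before cmp_time, 1 when ctm is later, and 0 on malformed input or failure. The new format check is strict (exactly YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ, all digits, trailing 'Z'), a deliberate tightening relative to the removed code that accepted fractional seconds and +hhmm offsets, and a line in that comment saying so would make the rejection of previously accepted encodings recognisable as intended. The `/**` opener on the in-body comment is Doxygen style; `/*` matches the rest of the file. The pathlen change in check_chain_extensions earlier in this section also changes the counting rule (no `+ 1`, and plen no longer counts the leaf or self-issued certificates), which deserves a comment at the check stating exactly what plen counts.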
@ -4,7 +4,7 @@
* 2001.
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 1999-2018 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
|
@ -128,11 +128,10 @@ int X509_check_purpose(X509 *x, int id, int ca)
{
|
||||
int idx;
|
||||
const X509_PURPOSE *pt;
|
||||
if (!(x->ex_flags & EXFLAG_SET)) {
|
||||
CRYPTO_w_lock(CRYPTO_LOCK_X509);
|
||||
x509v3_cache_extensions(x);
|
||||
CRYPTO_w_unlock(CRYPTO_LOCK_X509);
|
||||
}
|
||||
|
||||
x509v3_cache_extensions(x);
|
||||
|
||||
/* Return if side-effect only call */
|
||||
if (id == -1)
|
||||
return 1;
|
||||
idx = X509_PURPOSE_get_by_id(id);
|
||||
|
@ -397,10 +396,14 @@ static void x509v3_cache_extensions(X509 *x)
ASN1_BIT_STRING *ns;
|
||||
EXTENDED_KEY_USAGE *extusage;
|
||||
X509_EXTENSION *ex;
|
||||
|
||||
int i;
|
||||
if (x->ex_flags & EXFLAG_SET)
|
||||
|
||||
CRYPTO_w_lock(CRYPTO_LOCK_X509);
|
||||
if (x->ex_flags & EXFLAG_SET) {
|
||||
CRYPTO_w_unlock(CRYPTO_LOCK_X509);
|
||||
return;
|
||||
}
|
||||
|
||||
#ifndef OPENSSL_NO_SHA
|
||||
X509_digest(x, EVP_sha1(), x->sha1_hash, NULL);
|
||||
#endif
|
||||
|
@ -536,6 +539,7 @@ static void x509v3_cache_extensions(X509 *x)
}
|
||||
}
|
||||
x->ex_flags |= EXFLAG_SET;
|
||||
CRYPTO_w_unlock(CRYPTO_LOCK_X509);
|
||||
}
|
||||
|
||||
/*-
|
||||
|
@ -578,11 +582,7 @@ static int check_ca(const X509 *x)
|
||||
int X509_check_ca(X509 *x)
|
||||
{
|
||||
if (!(x->ex_flags & EXFLAG_SET)) {
|
||||
CRYPTO_w_lock(CRYPTO_LOCK_X509);
|
||||
x509v3_cache_extensions(x);
|
||||
CRYPTO_w_unlock(CRYPTO_LOCK_X509);
|
||||
}
|
||||
x509v3_cache_extensions(x);
|
||||
|
||||
return check_ca(x);
|
||||
}
|
||||
|
@ -796,6 +796,7 @@ int X509_check_issued(X509 *issuer, X509 *subject)
|
|||
if (X509_NAME_cmp(X509_get_subject_name(issuer),
|
||||
X509_get_issuer_name(subject)))
|
||||
return X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
|
||||
|
||||
x509v3_cache_extensions(issuer);
|
||||
x509v3_cache_extensions(subject);
|
||||
|
||||
|
|
|
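Review bot: x509v3_cache_extensions now takes CRYPTO_LOCK_X509 for writing itself and re-tests `EXFLAG_SET` under the lock (the `CRYPTO_w_lock` / `if (x->ex_flags & EXFLAG_SET)` / `CRYPTO_w_unlock` lines of the `@ -397` hunk), so a caller that still wraps the call in its own lock, as X509_check_purpose and X509_check_ca did before this change, would self-deadlock on a non-recursive lock. The two call sites in this file were updated, but other callers of the function are outside these hunks, so the contract should be stated above the function: `/* Caches the extension flags under CRYPTO_LOCK_X509; callers must not hold that lock. */`. The unlocked `if (x->ex_flags & EXFLAG_SET)` early-out appears to be the removed line, which means every call now takes the write lock even when the flags are already cached; that is correct but could be a contention point on hot verification paths (inferred, not visible here).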
@ -1164,6 +1164,7 @@ int SMIME_text(BIO *in, BIO *out);
|
|||
* The following lines are auto generated by the script mkerr.pl. Any changes
|
||||
* made after this point may be overwritten when the script is next run.
|
||||
*/
|
||||
|
||||
void ERR_load_ASN1_strings(void);
|
||||
|
||||
/* Error codes for the ASN1 functions. */
|
||||
|
@ -1264,7 +1265,10 @@ void ERR_load_ASN1_strings(void);
|
|||
# define ASN1_F_D2I_X509 156
|
||||
# define ASN1_F_D2I_X509_CINF 157
|
||||
# define ASN1_F_D2I_X509_PKEY 159
|
||||
# define ASN1_F_DO_BUF 221
|
||||
# define ASN1_F_I2D_ASN1_BIO_STREAM 211
|
||||
# define ASN1_F_I2D_ASN1_BOOLEAN 223
|
||||
# define ASN1_F_I2D_ASN1_OBJECT 222
|
||||
# define ASN1_F_I2D_ASN1_SET 188
|
||||
# define ASN1_F_I2D_ASN1_TIME 160
|
||||
# define ASN1_F_I2D_DSA_PUBKEY 161
|
||||
|
@ -1414,7 +1418,7 @@ void ERR_load_ASN1_strings(void);
|
|||
# define ASN1_R_WRONG_TAG 168
|
||||
# define ASN1_R_WRONG_TYPE 169
|
||||
|
||||
#ifdef __cplusplus
|
||||
# ifdef __cplusplus
|
||||
}
|
||||
#endif
|
||||
# endif
|
||||
#endif
|
||||
|
|
|
@ -56,7 +56,7 @@
|
|||
* [including the GNU Public Licence.]
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
|
@ -375,25 +375,76 @@ int BN_GENCB_call(BN_GENCB *cb, int a, int b);
|
|||
* on the size of the number */
|
||||
|
||||
/*
|
||||
* number of Miller-Rabin iterations for an error rate of less than 2^-80 for
|
||||
* random 'b'-bit input, b >= 100 (taken from table 4.4 in the Handbook of
|
||||
* Applied Cryptography [Menezes, van Oorschot, Vanstone; CRC Press 1996];
|
||||
* original paper: Damgaard, Landrock, Pomerance: Average case error
|
||||
* estimates for the strong probable prime test. -- Math. Comp. 61 (1993)
|
||||
* 177-194)
|
||||
* BN_prime_checks_for_size() returns the number of Miller-Rabin iterations
|
||||
* that will be done for checking that a random number is probably prime. The
|
||||
* error rate for accepting a composite number as prime depends on the size of
|
||||
* the prime |b|. The error rates used are for calculating an RSA key with 2 primes,
|
||||
* and so the level is what you would expect for a key of double the size of the
|
||||
* prime.
|
||||
*
|
||||
* This table is generated using the algorithm of FIPS PUB 186-4
|
||||
* Digital Signature Standard (DSS), section F.1, page 117.
|
||||
* (https://dx.doi.org/10.6028/NIST.FIPS.186-4)
|
||||
*
|
||||
* The following magma script was used to generate the output:
|
||||
* securitybits:=125;
|
||||
* k:=1024;
|
||||
* for t:=1 to 65 do
|
||||
* for M:=3 to Floor(2*Sqrt(k-1)-1) do
|
||||
* S:=0;
|
||||
* // Sum over m
|
||||
* for m:=3 to M do
|
||||
* s:=0;
|
||||
* // Sum over j
|
||||
* for j:=2 to m do
|
||||
* s+:=(RealField(32)!2)^-(j+(k-1)/j);
|
||||
* end for;
|
||||
* S+:=2^(m-(m-1)*t)*s;
|
||||
* end for;
|
||||
* A:=2^(k-2-M*t);
|
||||
* B:=8*(Pi(RealField(32))^2-6)/3*2^(k-2)*S;
|
||||
* pkt:=2.00743*Log(2)*k*2^-k*(A+B);
|
||||
* seclevel:=Floor(-Log(2,pkt));
|
||||
* if seclevel ge securitybits then
|
||||
* printf "k: %5o, security: %o bits (t: %o, M: %o)\n",k,seclevel,t,M;
|
||||
* break;
|
||||
* end if;
|
||||
* end for;
|
||||
* if seclevel ge securitybits then break; end if;
|
||||
* end for;
|
||||
*
|
||||
* It can be run online at:
|
||||
* http://magma.maths.usyd.edu.au/calc
|
||||
*
|
||||
* And will output:
|
||||
* k: 1024, security: 129 bits (t: 6, M: 23)
|
||||
*
|
||||
* k is the number of bits of the prime, securitybits is the level we want to
|
||||
* reach.
|
||||
*
|
||||
* prime length | RSA key size | # MR tests | security level
|
||||
* -------------+--------------|------------+---------------
|
||||
* (b) >= 6394 | >= 12788 | 3 | 256 bit
|
||||
* (b) >= 3747 | >= 7494 | 3 | 192 bit
|
||||
* (b) >= 1345 | >= 2690 | 4 | 128 bit
|
||||
* (b) >= 1080 | >= 2160 | 5 | 128 bit
|
||||
* (b) >= 852 | >= 1704 | 5 | 112 bit
|
||||
* (b) >= 476 | >= 952 | 5 | 80 bit
|
||||
* (b) >= 400 | >= 800 | 6 | 80 bit
|
||||
* (b) >= 347 | >= 694 | 7 | 80 bit
|
||||
* (b) >= 308 | >= 616 | 8 | 80 bit
|
||||
* (b) >= 55 | >= 110 | 27 | 64 bit
|
||||
* (b) >= 6 | >= 12 | 34 | 64 bit
|
||||
*/
|
||||
# define BN_prime_checks_for_size(b) ((b) >= 1300 ? 2 : \
|
||||
(b) >= 850 ? 3 : \
|
||||
(b) >= 650 ? 4 : \
|
||||
(b) >= 550 ? 5 : \
|
||||
(b) >= 450 ? 6 : \
|
||||
(b) >= 400 ? 7 : \
|
||||
(b) >= 350 ? 8 : \
|
||||
(b) >= 300 ? 9 : \
|
||||
(b) >= 250 ? 12 : \
|
||||
(b) >= 200 ? 15 : \
|
||||
(b) >= 150 ? 18 : \
|
||||
/* b >= 100 */ 27)
|
||||
|
||||
# define BN_prime_checks_for_size(b) ((b) >= 3747 ? 3 : \
|
||||
(b) >= 1345 ? 4 : \
|
||||
(b) >= 476 ? 5 : \
|
||||
(b) >= 400 ? 6 : \
|
||||
(b) >= 347 ? 7 : \
|
||||
(b) >= 308 ? 8 : \
|
||||
(b) >= 55 ? 27 : \
|
||||
/* b >= 6 */ 34)
|
||||
|
||||
# define BN_num_bytes(a) ((BN_num_bits(a)+7)/8)
|
||||
|
||||
|
@ -773,6 +824,16 @@ BIGNUM *bn_dup_expand(const BIGNUM *a, int words); /* unused */
|
|||
/* We only need assert() when debugging */
|
||||
# include <assert.h>
|
||||
|
||||
/*
|
||||
* The new BN_FLG_FIXED_TOP flag marks vectors that were not treated with
|
||||
* bn_correct_top, in other words such vectors are permitted to have zeros
|
||||
* in most significant limbs. Such vectors are used internally to achieve
|
||||
* execution time invariance for critical operations with private keys.
|
||||
* It's BN_DEBUG-only flag, because user application is not supposed to
|
||||
* observe it anyway. Moreover, optimizing compiler would actually remove
|
||||
* all operations manipulating the bit in question in non-BN_DEBUG build.
|
||||
*/
|
||||
# define BN_FLG_FIXED_TOP 0x10000
|
||||
# ifdef BN_DEBUG_RAND
|
||||
/* To avoid "make update" cvs wars due to BN_DEBUG, use some tricks */
|
||||
# ifndef RAND_pseudo_bytes
|
||||
|
@ -805,8 +866,10 @@ int RAND_pseudo_bytes(unsigned char *buf, int num);
|
|||
do { \
|
||||
const BIGNUM *_bnum2 = (a); \
|
||||
if (_bnum2 != NULL) { \
|
||||
assert((_bnum2->top == 0) || \
|
||||
(_bnum2->d[_bnum2->top - 1] != 0)); \
|
||||
int _top = _bnum2->top; \
|
||||
assert((_top == 0) || \
|
||||
(_bnum2->flags & BN_FLG_FIXED_TOP) || \
|
||||
(_bnum2->d[_top - 1] != 0)); \
|
||||
bn_pollute(_bnum2); \
|
||||
} \
|
||||
} while(0)
|
||||
|
@ -824,6 +887,7 @@ int RAND_pseudo_bytes(unsigned char *buf, int num);
|
|||
|
||||
# else /* !BN_DEBUG */
|
||||
|
||||
# define BN_FLG_FIXED_TOP 0
|
||||
# define bn_pollute(a)
|
||||
# define bn_check_top(a)
|
||||
# define bn_fix_top(a) bn_correct_top(a)
|
||||
|
|
|
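Review bot: The iteration-count table in the new comment has eleven rows, but the rewritten `BN_prime_checks_for_size` macro (`(b) >= 3747 ? 3 : …` down to `/* b >= 6 */ 34`) has only eight thresholds; the 6394-, 1080- and 852-bit rows are folded into the next lower threshold that yields the same count, which is correct but unstated, so a reader comparing the two will think rows were dropped. Suggest adding after the table: ` * Rows whose iteration count equals that of the next smaller size are merged into that threshold in the macro below.` The macro also evaluates `b` up to eight times, so it must only be given a side-effect-free argument; that predates this change, but the rewritten comment is the natural place to say so.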
@ -249,10 +249,12 @@ int DSAparams_print_fp(FILE *fp, const DSA *x);
|
|||
int DSA_print_fp(FILE *bp, const DSA *x, int off);
|
||||
# endif
|
||||
|
||||
# define DSS_prime_checks 50
|
||||
# define DSS_prime_checks 64
|
||||
/*
|
||||
* Primality test according to FIPS PUB 186[-1], Appendix 2.1: 50 rounds of
|
||||
* Rabin-Miller
|
||||
* Primality test according to FIPS PUB 186-4, Appendix C.3. Since we only
|
||||
* have one value here we set the number of checks to 64 which is the 128 bit
|
||||
* security level that is the highest level and valid for creating a 3072 bit
|
||||
* DSA key.
|
||||
*/
|
||||
# define DSA_is_prime(n, callback, cb_arg) \
|
||||
BN_is_prime(n, DSS_prime_checks, callback, NULL, cb_arg)
|
||||
|
@ -307,6 +309,7 @@ void ERR_load_DSA_strings(void);
|
|||
# define DSA_F_I2D_DSA_SIG 111
|
||||
# define DSA_F_OLD_DSA_PRIV_DECODE 122
|
||||
# define DSA_F_PKEY_DSA_CTRL 120
|
||||
# define DSA_F_PKEY_DSA_CTRL_STR 127
|
||||
# define DSA_F_PKEY_DSA_KEYGEN 121
|
||||
# define DSA_F_SIG_CB 114
|
||||
|
||||
|
|
|
@ -67,6 +67,9 @@ extern "C" {
|
|||
|
||||
#endif /* OPENSSL_DOING_MAKEDEPEND */
|
||||
|
||||
#ifndef OPENSSL_THREADS
|
||||
# define OPENSSL_THREADS
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_DYNAMIC_ENGINE
|
||||
# define OPENSSL_NO_DYNAMIC_ENGINE
|
||||
#endif
|
||||
|
|
|
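Review bot: Defining `OPENSSL_THREADS` here is what makes the CRYPTO_w_lock/CRYPTO_w_unlock calls this update adds to x509v3_cache_extensions compile to real locking, but in the 1.0.2 API those calls only do something once the application has installed a locking callback via CRYPTO_set_locking_callback(); without one they are no-ops and concurrent certificate verification stays racy. Since this is the hand-maintained "one size fits all" config, the requirement should be recorded next to the define: `/* Locking is effective only if the embedding application registers CRYPTO_set_locking_callback() */`. Whether Godot's TLS wrapper registers such a callback is not visible in this diff and should be confirmed.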
@ -30,11 +30,11 @@ extern "C" {
|
|||
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
|
||||
* major minor fix final patch/beta)
|
||||
*/
|
||||
# define OPENSSL_VERSION_NUMBER 0x100020ffL
|
||||
# define OPENSSL_VERSION_NUMBER 0x1000211fL
|
||||
# ifdef OPENSSL_FIPS
|
||||
# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2o-fips 27 Mar 2018"
|
||||
# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2q-fips 20 Nov 2018"
|
||||
# else
|
||||
# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2o 27 Mar 2018"
|
||||
# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2q 20 Nov 2018"
|
||||
# endif
|
||||
# define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
|
||||
|
||||
|
|
|
@ -442,7 +442,8 @@ void PEM_SignUpdate(EVP_MD_CTX *ctx, unsigned char *d, unsigned int cnt);
|
|||
int PEM_SignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
|
||||
unsigned int *siglen, EVP_PKEY *pkey);
|
||||
|
||||
int PEM_def_callback(char *buf, int num, int w, void *key);
|
||||
/* The default pem_password_cb that's used internally */
|
||||
int PEM_def_callback(char *buf, int num, int rwflag, void *userdata);
|
||||
void PEM_proc_type(char *buf, int type);
|
||||
void PEM_dek_info(char *buf, const char *type, int len, char *str);
|
||||
|
||||
|
|
|
@ -56,7 +56,7 @@
|
|||
* [including the GNU Public Licence.]
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
|
@ -548,7 +548,7 @@ struct ssl_session_st {
|
|||
const SSL_CIPHER *cipher;
|
||||
unsigned long cipher_id; /* when ASN.1 loaded, this needs to be used
|
||||
* to load the 'cipher' structure */
|
||||
STACK_OF(SSL_CIPHER) *ciphers; /* shared ciphers? */
|
||||
STACK_OF(SSL_CIPHER) *ciphers; /* ciphers offered by the client */
|
||||
CRYPTO_EX_DATA ex_data; /* application specific data */
|
||||
/*
|
||||
* These are used to make removal of session-ids more efficient and to
|
||||
|
@ -2149,7 +2149,7 @@ int SSL_get_fd(const SSL *s);
|
|||
int SSL_get_rfd(const SSL *s);
|
||||
int SSL_get_wfd(const SSL *s);
|
||||
const char *SSL_get_cipher_list(const SSL *s, int n);
|
||||
char *SSL_get_shared_ciphers(const SSL *s, char *buf, int len);
|
||||
char *SSL_get_shared_ciphers(const SSL *s, char *buf, int size);
|
||||
int SSL_get_read_ahead(const SSL *s);
|
||||
int SSL_pending(const SSL *s);
|
||||
# ifndef OPENSSL_NO_SOCK
|
||||
|
@ -2954,6 +2954,7 @@ void ERR_load_SSL_strings(void);
|
|||
# define SSL_R_KRB5_S_TKT_NYV 294
|
||||
# define SSL_R_KRB5_S_TKT_SKEW 295
|
||||
# define SSL_R_LENGTH_MISMATCH 159
|
||||
# define SSL_R_LENGTH_TOO_LONG 404
|
||||
# define SSL_R_LENGTH_TOO_SHORT 160
|
||||
# define SSL_R_LIBRARY_BUG 274
|
||||
# define SSL_R_LIBRARY_HAS_NO_CIPHERS 161
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
* (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
|
@ -656,7 +656,8 @@ static int dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok)
|
|||
|
||||
al = dtls1_preprocess_fragment(s, &frag->msg_header, max);
|
||||
|
||||
if (al == 0) { /* no alert */
|
||||
/* al will be 0 if no alert */
|
||||
if (al == 0 && frag->msg_header.frag_len > 0) {
|
||||
unsigned char *p =
|
||||
(unsigned char *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH;
|
||||
memcpy(&p[frag->msg_header.frag_off], frag->fragment,
|
||||
|
|
|
@ -293,14 +293,12 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority)
|
|||
return (-1);
|
||||
}
|
||||
|
||||
/* insert should not fail, since duplicates are dropped */
|
||||
if (pqueue_insert(queue->q, item) == NULL) {
|
||||
SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR);
|
||||
/* Must be a duplicate so ignore it */
|
||||
if (rdata->rbuf.buf != NULL)
|
||||
OPENSSL_free(rdata->rbuf.buf);
|
||||
OPENSSL_free(rdata);
|
||||
pitem_free(item);
|
||||
return (-1);
|
||||
}
|
||||
|
||||
return (1);
|
||||
|
|
|
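Review bot: The duplicate-record path in dtls1_buffer_record frees the record and then returns -1 (the `return (-1);` after `pitem_free(item)`), the same value the allocation-failure path above it returns, so a caller cannot tell a benign dropped duplicate from a real failure; the new `/* Must be a duplicate so ignore it */` comment says "ignore" while the return value says "error". Either return a value callers can distinguish, if they are prepared for it, or extend the comment to say that -1 here is deliberately handled as "record not buffered" by the caller. The callers are outside this hunk, so which of the two is right cannot be confirmed from the diff.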
@ -56,7 +56,7 @@
|
|||
* [including the GNU Public Licence.]
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
|
@ -4228,8 +4228,13 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p)
|
|||
#ifndef OPENSSL_NO_ECDSA
|
||||
int have_ecdsa_sign = 0;
|
||||
#endif
|
||||
#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_ECDH)
|
||||
int nostrict = 1;
|
||||
#endif
|
||||
#if !defined(OPENSSL_NO_GOST) || !defined(OPENSSL_NO_DH) || \
|
||||
!defined(OPENSSL_NO_ECDH)
|
||||
unsigned long alg_k;
|
||||
#endif
|
||||
|
||||
/* If we have custom certificate types set, use them */
|
||||
if (s->cert->ctypes) {
|
||||
|
@ -4238,8 +4243,10 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p)
|
|||
}
|
||||
/* get configured sigalgs */
|
||||
siglen = tls12_get_psigalgs(s, 1, &sig);
|
||||
#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_ECDH)
|
||||
if (s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
|
||||
nostrict = 0;
|
||||
#endif
|
||||
for (i = 0; i < siglen; i += 2, sig += 2) {
|
||||
switch (sig[1]) {
|
||||
case TLSEXT_signature_rsa:
|
||||
|
@ -4257,7 +4264,10 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p)
|
|||
}
|
||||
}
|
||||
|
||||
#if !defined(OPENSSL_NO_GOST) || !defined(OPENSSL_NO_DH) || \
|
||||
!defined(OPENSSL_NO_ECDH)
|
||||
alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
|
||||
#endif
|
||||
|
||||
#ifndef OPENSSL_NO_GOST
|
||||
if (s->version >= TLS1_VERSION) {
|
||||
|
|
|
@ -56,7 +56,7 @@
|
|||
* [including the GNU Public Licence.]
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
|
@ -1959,11 +1959,12 @@ int ssl3_send_server_key_exchange(SSL *s)
|
|||
|
||||
#ifndef OPENSSL_NO_PSK
|
||||
if (type & SSL_kPSK) {
|
||||
size_t len = strlen(s->ctx->psk_identity_hint);
|
||||
|
||||
/* copy PSK identity hint */
|
||||
s2n(strlen(s->ctx->psk_identity_hint), p);
|
||||
strncpy((char *)p, s->ctx->psk_identity_hint,
|
||||
strlen(s->ctx->psk_identity_hint));
|
||||
p += strlen(s->ctx->psk_identity_hint);
|
||||
s2n(len, p);
|
||||
memcpy(p, s->ctx->psk_identity_hint, len);
|
||||
p += len;
|
||||
}
|
||||
#endif
|
||||
|
||||
|
@ -2090,6 +2091,11 @@ int ssl3_send_certificate_request(SSL *s)
|
|||
if (SSL_USE_SIGALGS(s)) {
|
||||
const unsigned char *psigs;
|
||||
nl = tls12_get_psigalgs(s, 1, &psigs);
|
||||
if (nl > SSL_MAX_2_BYTE_LEN) {
|
||||
SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,
|
||||
SSL_R_LENGTH_TOO_LONG);
|
||||
goto err;
|
||||
}
|
||||
s2n(nl, p);
|
||||
memcpy(p, psigs, nl);
|
||||
p += nl;
|
||||
|
@ -2106,6 +2112,11 @@ int ssl3_send_certificate_request(SSL *s)
|
|||
for (i = 0; i < sk_X509_NAME_num(sk); i++) {
|
||||
name = sk_X509_NAME_value(sk, i);
|
||||
j = i2d_X509_NAME(name, NULL);
|
||||
if (j > SSL_MAX_2_BYTE_LEN) {
|
||||
SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,
|
||||
SSL_R_LENGTH_TOO_LONG);
|
||||
goto err;
|
||||
}
|
||||
if (!BUF_MEM_grow_clean
|
||||
(buf, SSL_HM_HEADER_LENGTH(s) + n + j + 2)) {
|
||||
SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,
|
||||
|
@ -2127,6 +2138,11 @@ int ssl3_send_certificate_request(SSL *s)
|
|||
n += j;
|
||||
nl += j;
|
||||
}
|
||||
if (nl > SSL_MAX_2_BYTE_LEN) {
|
||||
SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,
|
||||
SSL_R_LENGTH_TOO_LONG);
|
||||
goto err;
|
||||
}
|
||||
}
|
||||
}
|
||||
/* else no CA names */
|
||||
|
|
|
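Review bot: In the PSK hint hunk of ssl3_send_server_key_exchange, `len` goes into `s2n` and `memcpy` with no local bound, so correctness rests on the hint having been limited elsewhere (presumably the length check in SSL_CTX_use_psk_identity_hint against PSK_MAX_IDENTITY_LEN, and the space reserved for it earlier in this function, both outside the hunk). A comment at the declaration would make that dependency visible: `size_t len = strlen(s->ctx->psk_identity_hint); /* bounded by PSK_MAX_IDENTITY_LEN at set time; space reserved above */`. The strncpy-to-memcpy switch itself is right, since the length is exact and no terminator is wanted on the wire; ssl3_send_server_key_exchange continues outside the hunk. In ssl3_send_certificate_request the three new `> SSL_MAX_2_BYTE_LEN` checks repeat the same SSLerr/goto sequence; a small static helper would keep them from drifting apart.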
@ -56,7 +56,7 @@
|
|||
* [including the GNU Public Licence.]
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
|
@ -1406,11 +1406,17 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
|
|||
static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c,
|
||||
const char **prule_str)
|
||||
{
|
||||
unsigned int suiteb_flags = 0, suiteb_comb2 = 0;
|
||||
unsigned int suiteb_flags = 0;
|
||||
# ifndef OPENSSL_NO_ECDH
|
||||
unsigned int suiteb_comb2 = 0;
|
||||
#endif
|
||||
|
||||
if (strncmp(*prule_str, "SUITEB128ONLY", 13) == 0) {
|
||||
suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS_ONLY;
|
||||
} else if (strncmp(*prule_str, "SUITEB128C2", 11) == 0) {
|
||||
# ifndef OPENSSL_NO_ECDH
|
||||
suiteb_comb2 = 1;
|
||||
# endif
|
||||
suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS;
|
||||
} else if (strncmp(*prule_str, "SUITEB128", 9) == 0) {
|
||||
suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS;
|
||||
|
|
|
@ -58,7 +58,7 @@
|
|||
* [including the GNU Public Licence.]
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
|
@ -1404,28 +1404,37 @@ int SSL_set_cipher_list(SSL *s, const char *str)
|
|||
}
|
||||
|
||||
/* works well for SSLv2, not so good for SSLv3 */
|
||||
char *SSL_get_shared_ciphers(const SSL *s, char *buf, int len)
|
||||
char *SSL_get_shared_ciphers(const SSL *s, char *buf, int size)
|
||||
{
|
||||
char *p;
|
||||
STACK_OF(SSL_CIPHER) *sk;
|
||||
STACK_OF(SSL_CIPHER) *clntsk, *srvrsk;
|
||||
SSL_CIPHER *c;
|
||||
int i;
|
||||
|
||||
if ((s->session == NULL) || (s->session->ciphers == NULL) || (len < 2))
|
||||
return (NULL);
|
||||
|
||||
p = buf;
|
||||
sk = s->session->ciphers;
|
||||
|
||||
if (sk_SSL_CIPHER_num(sk) == 0)
|
||||
if (!s->server
|
||||
|| s->session == NULL
|
||||
|| s->session->ciphers == NULL
|
||||
|| size < 2)
|
||||
return NULL;
|
||||
|
||||
for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
|
||||
p = buf;
|
||||
clntsk = s->session->ciphers;
|
||||
srvrsk = SSL_get_ciphers(s);
|
||||
if (clntsk == NULL || srvrsk == NULL)
|
||||
return NULL;
|
||||
|
||||
if (sk_SSL_CIPHER_num(clntsk) == 0 || sk_SSL_CIPHER_num(srvrsk) == 0)
|
||||
return NULL;
|
||||
|
||||
for (i = 0; i < sk_SSL_CIPHER_num(clntsk); i++) {
|
||||
int n;
|
||||
|
||||
c = sk_SSL_CIPHER_value(sk, i);
|
||||
c = sk_SSL_CIPHER_value(clntsk, i);
|
||||
if (sk_SSL_CIPHER_find(srvrsk, c) < 0)
|
||||
continue;
|
||||
|
||||
n = strlen(c->name);
|
||||
if (n + 1 > len) {
|
||||
if (n + 1 > size) {
|
||||
if (p != buf)
|
||||
--p;
|
||||
*p = '\0';
|
||||
|
@ -1434,7 +1443,7 @@ char *SSL_get_shared_ciphers(const SSL *s, char *buf, int len)
|
|||
strcpy(p, c->name);
|
||||
p += n;
|
||||
*(p++) = ':';
|
||||
len -= n + 1;
|
||||
size -= n + 1;
|
||||
}
|
||||
p[-1] = '\0';
|
||||
return (buf);
|
||||
|
@ -2250,10 +2259,10 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
|
|||
int rsa_tmp_export, dh_tmp_export, kl;
|
||||
unsigned long mask_k, mask_a, emask_k, emask_a;
|
||||
#ifndef OPENSSL_NO_ECDSA
|
||||
int have_ecc_cert, ecdsa_ok, ecc_pkey_size;
|
||||
int have_ecc_cert, ecdsa_ok;
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_ECDH
|
||||
int have_ecdh_tmp, ecdh_ok;
|
||||
int have_ecdh_tmp, ecdh_ok, ecc_pkey_size;
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_EC
|
||||
X509 *x = NULL;
|
||||
|
@ -2396,7 +2405,9 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
|
|||
if (!(cpk->valid_flags & CERT_PKEY_SIGN))
|
||||
ecdsa_ok = 0;
|
||||
ecc_pkey = X509_get_pubkey(x);
|
||||
# ifndef OPENSSL_NO_ECDH
|
||||
ecc_pkey_size = (ecc_pkey != NULL) ? EVP_PKEY_bits(ecc_pkey) : 0;
|
||||
# endif
|
||||
EVP_PKEY_free(ecc_pkey);
|
||||
if ((x->sig_alg) && (x->sig_alg->algorithm)) {
|
||||
signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);
|
||||
|
@ -2458,7 +2469,7 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
|
|||
#define ku_reject(x, usage) \
|
||||
(((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
|
||||
|
||||
#ifndef OPENSSL_NO_EC
|
||||
#ifndef OPENSSL_NO_ECDH
|
||||
|
||||
int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
|
||||
{
|
||||
|
|
|
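Review bot: In SSL_get_shared_ciphers the epilogue `p[-1] = '\0';` (second hunk) writes one byte before `buf` when no client cipher survives the `sk_SSL_CIPHER_find` filter: every iteration hits `continue`, `p` still equals `buf`, and `buf[-1]` is written. The truncation path inside the loop already handles that case, and the epilogue should use the same form: `if (p != buf)` / `    --p;` / `*p = '\0';` before `return buf;`. The function now also returns NULL on the client side (`!s->server`) and for `size < 2`, which the ssl.h prototype change does not mention; a one-line comment above the definition saying it is server-side only and lists the client-offered ciphers the server also accepts would help. The function spans both hunks of this section.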
@ -56,7 +56,7 @@
|
|||
* [including the GNU Public Licence.]
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
|
@ -259,6 +259,8 @@
|
|||
c[1]=(unsigned char)(((l)>> 8)&0xff), \
|
||||
c[2]=(unsigned char)(((l) )&0xff)),c+=3)
|
||||
|
||||
# define SSL_MAX_2_BYTE_LEN (0xffff)
|
||||
|
||||
/* LOCAL STUFF */
|
||||
|
||||
# define SSL_DECRYPT 0
|
||||
|
|
|
@ -500,7 +500,11 @@ static int tls1_get_curvelist(SSL *s, int sess,
|
|||
} else
|
||||
# endif
|
||||
{
|
||||
if (!s->server || s->cert->ecdh_tmp_auto) {
|
||||
if (!s->server
|
||||
# ifndef OPENSSL_NO_ECDH
|
||||
|| s->cert->ecdh_tmp_auto
|
||||
# endif
|
||||
) {
|
||||
*pcurves = eccurves_auto;
|
||||
pcurveslen = sizeof(eccurves_auto);
|
||||
} else {
|
||||
|
@ -2408,8 +2412,7 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
|
|||
goto err;
|
||||
if (!tls1_save_sigalgs(s, data, dsize))
|
||||
goto err;
|
||||
} else if (type == TLSEXT_TYPE_status_request) {
|
||||
|
||||
} else if (type == TLSEXT_TYPE_status_request && !s->hit) {
|
||||
if (size < 5)
|
||||
goto err;
|
||||
|
||||
|
@ -3166,7 +3169,7 @@ int tls1_set_server_sigalgs(SSL *s)
|
|||
if (!s->cert->shared_sigalgs) {
|
||||
SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS,
|
||||
SSL_R_NO_SHARED_SIGATURE_ALGORITHMS);
|
||||
al = SSL_AD_ILLEGAL_PARAMETER;
|
||||
al = SSL_AD_HANDSHAKE_FAILURE;
|
||||
goto err;
|
||||
}
|
||||
} else
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
* project.
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 2012 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 2012-2018 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
|
@ -645,6 +645,8 @@ static int ssl_print_extensions(BIO *bio, int indent, int server,
|
|||
BIO_puts(bio, "No Extensions\n");
|
||||
return 1;
|
||||
}
|
||||
if (msglen < 2)
|
||||
return 0;
|
||||
extslen = (msg[0] << 8) | msg[1];
|
||||
if (extslen != msglen - 2)
|
||||
return 0;
|
||||
|
@ -1021,6 +1023,8 @@ static int ssl_print_cert_request(BIO *bio, int indent, SSL *s,
|
|||
msglen -= xlen + 2;
|
||||
|
||||
skip_sig:
|
||||
if (msglen < 2)
|
||||
return 0;
|
||||
xlen = (msg[0] << 8) | msg[1];
|
||||
BIO_indent(bio, indent, 80);
|
||||
if (msglen < xlen + 2)
|
||||
|
@ -1209,7 +1213,15 @@ void SSL_trace(int write_p, int version, int content_type,
|
|||
switch (content_type) {
|
||||
case SSL3_RT_HEADER:
|
||||
{
|
||||
int hvers = msg[1] << 8 | msg[2];
|
||||
int hvers;
|
||||
|
||||
/* avoid overlapping with length at the end of buffer */
|
||||
if (msglen < (SSL_IS_DTLS(ssl) ? 13 : 5)) {
|
||||
BIO_puts(bio, write_p ? "Sent" : "Received");
|
||||
ssl_print_hex(bio, 0, " too short message", msg, msglen);
|
||||
break;
|
||||
}
|
||||
hvers = msg[1] << 8 | msg[2];
|
||||
BIO_puts(bio, write_p ? "Sent" : "Received");
|
||||
BIO_printf(bio, " Record\nHeader:\n Version = %s (0x%x)\n",
|
||||
ssl_trace_str(hvers, ssl_version_tbl), hvers);
|
||||
|
|
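Review bot: The new bound check in SSL_trace's SSL3_RT_HEADER case hardcodes the record header sizes as `13 : 5`; the constants `DTLS1_RT_HEADER_LENGTH` and `SSL3_RT_HEADER_LENGTH` already exist in the public headers and make the intent self-documenting: `if (msglen < (SSL_IS_DTLS(ssl) ? DTLS1_RT_HEADER_LENGTH : SSL3_RT_HEADER_LENGTH)) {`. The check itself is right, since `hvers` is now read only after the length is verified. The two earlier hunks in ssl_print_extensions and ssl_print_cert_request add the matching `msglen < 2` guards before their two-byte length reads, closing the same class of over-read.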