diff options
| author | Jung-uk Kim <jkim@FreeBSD.org> | 2023-05-30 14:24:15 +0000 |
|---|---|---|
| committer | Jung-uk Kim <jkim@FreeBSD.org> | 2023-05-30 16:51:24 +0000 |
| commit | cb56391c165ebdc10a80545f025a2d8f09106ed5 (patch) | |
| tree | 4cb3618ce17d3f2af2c016da2a61d13c6dc6aad2 | |
| parent | c434383146a264c396d8bcaafd40507f7bf46e56 (diff) | |
| download | src-cb56391c165ebdc10a80545f025a2d8f09106ed5.tar.gz src-cb56391c165ebdc10a80545f025a2d8f09106ed5.zip | |
OpenSSL: Merge OpenSSL 1.1.1u
(cherry picked from commit 8ecb489345f08012fdc92a202a40119891cac330)
(cherry picked from commit 8f1ef87a6b93af292e68f8e33087e2df6325e9bb)
29 files changed, 344 insertions, 772 deletions
diff --git a/crypto/openssl/CHANGES b/crypto/openssl/CHANGES index 459605bf71b6..500b0f653e6a 100644 --- a/crypto/openssl/CHANGES +++ b/crypto/openssl/CHANGES @@ -7,6 +7,64 @@ https://github.com/openssl/openssl/commits/ and pick the appropriate release branch. + Changes between 1.1.1t and 1.1.1u [30 May 2023] + + *) Mitigate for the time it takes for `OBJ_obj2txt` to translate gigantic + OBJECT IDENTIFIER sub-identifiers to canonical numeric text form. + + OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical + numeric text form. For gigantic sub-identifiers, this would take a very + long time, the time complexity being O(n^2) where n is the size of that + sub-identifier. (CVE-2023-2650) + + To mitigitate this, `OBJ_obj2txt()` will only translate an OBJECT + IDENTIFIER to canonical numeric text form if the size of that OBJECT + IDENTIFIER is 586 bytes or less, and fail otherwise. + + The basis for this restriction is RFC 2578 (STD 58), section 3.5. OBJECT + IDENTIFIER values, which stipulates that OBJECT IDENTIFIERS may have at + most 128 sub-identifiers, and that the maximum value that each sub- + identifier may have is 2^32-1 (4294967295 decimal). + + For each byte of every sub-identifier, only the 7 lower bits are part of + the value, so the maximum amount of bytes that an OBJECT IDENTIFIER with + these restrictions may occupy is 32 * 128 / 7, which is approximately 586 + bytes. + + Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5 + + [Richard Levitte] + + *) Reworked the Fix for the Timing Oracle in RSA Decryption (CVE-2022-4304). + The previous fix for this timing side channel turned out to cause + a severe 2-3x performance regression in the typical use case + compared to 1.1.1s. The new fix uses existing constant time + code paths, and restores the previous performance level while + fully eliminating all existing timing side channels. + The fix was developed by Bernd Edlinger with testing support + by Hubert Kario. + [Bernd Edlinger] + + *) Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention + that it does not enable policy checking. Thanks to + David Benjamin for discovering this issue. (CVE-2023-0466) + [Tomas Mraz] + + *) Fixed an issue where invalid certificate policies in leaf certificates are + silently ignored by OpenSSL and other certificate policy checks are skipped + for that certificate. A malicious CA could use this to deliberately assert + invalid certificate policies in order to circumvent policy checking on the + certificate altogether. (CVE-2023-0465) + [Matt Caswell] + + *) Limited the number of nodes created in a policy tree to mitigate + against CVE-2023-0464. The default limit is set to 1000 nodes, which + should be sufficient for most installations. If required, the limit + can be adjusted by setting the OPENSSL_POLICY_TREE_NODES_MAX build + time define to a desired maximum number of nodes or zero to allow + unlimited growth. (CVE-2023-0464) + [Paul Dale] + Changes between 1.1.1s and 1.1.1t [7 Feb 2023] *) Fixed X.400 address type confusion in X.509 GeneralName. diff --git a/crypto/openssl/Configure b/crypto/openssl/Configure index 37a99d14715c..fc9658371a24 100755 --- a/crypto/openssl/Configure +++ b/crypto/openssl/Configure @@ -1246,7 +1246,7 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m) } if ($target =~ /linux.*-mips/ && !$disabled{asm} - && !grep { $_ !~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) { + && !grep { $_ =~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) { # minimally required architecture flags for assembly modules my $value; $value = '-mips2' if ($target =~ /mips32/); diff --git a/crypto/openssl/NEWS b/crypto/openssl/NEWS index 2724fc4d85ba..f5a2d5ad33f8 100644 --- a/crypto/openssl/NEWS +++ b/crypto/openssl/NEWS @@ -5,6 +5,15 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 1.1.1t and OpenSSL 1.1.1u [30 May 2023] + + o Mitigate for very slow `OBJ_obj2txt()` performance with gigantic + OBJECT IDENTIFIER sub-identities. (CVE-2023-2650) + o Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466) + o Fixed handling of invalid certificate policies in leaf certificates + (CVE-2023-0465) + o Limited the number of nodes created in a policy tree ([CVE-2023-0464]) + Major changes between OpenSSL 1.1.1s and OpenSSL 1.1.1t [7 Feb 2023] o Fixed X.400 address type confusion in X.509 GeneralName (CVE-2023-0286) diff --git a/crypto/openssl/README b/crypto/openssl/README index b2f806be3a44..b9bf50f4b1e5 100644 --- a/crypto/openssl/README +++ b/crypto/openssl/README @@ -1,7 +1,7 @@ - OpenSSL 1.1.1t 7 Feb 2023 + OpenSSL 1.1.1u 30 May 2023 - Copyright (c) 1998-2022 The OpenSSL Project + Copyright (c) 1998-2023 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson All rights reserved. diff --git a/crypto/openssl/crypto/aes/asm/bsaes-armv7.pl b/crypto/openssl/crypto/aes/asm/bsaes-armv7.pl index 2b9f241ce8b0..b22db37d4d4c 100755 --- a/crypto/openssl/crypto/aes/asm/bsaes-armv7.pl +++ b/crypto/openssl/crypto/aes/asm/bsaes-armv7.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2012-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2012-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -14,7 +14,7 @@ # details see http://www.openssl.org/~appro/cryptogams/. # # Specific modes and adaptation for Linux kernel by Ard Biesheuvel -# of Linaro. Permission to use under GPL terms is granted. +# of Linaro. # ==================================================================== # Bit-sliced AES for ARM NEON diff --git a/crypto/openssl/crypto/asn1/a_bitstr.c b/crypto/openssl/crypto/asn1/a_bitstr.c index f462dd107368..14b57265d172 100644 --- a/crypto/openssl/crypto/asn1/a_bitstr.c +++ b/crypto/openssl/crypto/asn1/a_bitstr.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -148,6 +148,9 @@ int ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value) int w, v, iv; unsigned char *c; + if (n < 0) + return 0; + w = n / 8; v = 1 << (7 - (n & 0x07)); iv = ~v; @@ -182,6 +185,9 @@ int ASN1_BIT_STRING_get_bit(const ASN1_BIT_STRING *a, int n) { int w, v; + if (n < 0) + return 0; + w = n / 8; v = 1 << (7 - (n & 0x07)); if ((a == NULL) || (a->length < (w + 1)) || (a->data == NULL)) diff --git a/crypto/openssl/crypto/bio/b_print.c b/crypto/openssl/crypto/bio/b_print.c index 45d4e9f004b1..c4ed364d72f6 100644 --- a/crypto/openssl/crypto/bio/b_print.c +++ b/crypto/openssl/crypto/bio/b_print.c @@ -305,7 +305,6 @@ _dopr(char **sbuffer, case 'G': case 'g': /* not implemented for UEFI */ - ERR_raise(ERR_LIB_BIO, ERR_R_UNSUPPORTED); return 0; #endif case 'c': diff --git a/crypto/openssl/crypto/bn/bn_asm.c b/crypto/openssl/crypto/bn/bn_asm.c index 4d83a8cf1115..e5fa81b3a1e3 100644 --- a/crypto/openssl/crypto/bn/bn_asm.c +++ b/crypto/openssl/crypto/bn/bn_asm.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -381,25 +381,33 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, #ifndef OPENSSL_SMALL_FOOTPRINT while (n & ~3) { t1 = a[0]; - t2 = b[0]; - r[0] = (t1 - t2 - c) & BN_MASK2; - if (t1 != t2) - c = (t1 < t2); + t2 = (t1 - c) & BN_MASK2; + c = (t2 > t1); + t1 = b[0]; + t1 = (t2 - t1) & BN_MASK2; + r[0] = t1; + c += (t1 > t2); t1 = a[1]; - t2 = b[1]; - r[1] = (t1 - t2 - c) & BN_MASK2; - if (t1 != t2) - c = (t1 < t2); + t2 = (t1 - c) & BN_MASK2; + c = (t2 > t1); + t1 = b[1]; + t1 = (t2 - t1) & BN_MASK2; + r[1] = t1; + c += (t1 > t2); t1 = a[2]; - t2 = b[2]; - r[2] = (t1 - t2 - c) & BN_MASK2; - if (t1 != t2) - c = (t1 < t2); + t2 = (t1 - c) & BN_MASK2; + c = (t2 > t1); + t1 = b[2]; + t1 = (t2 - t1) & BN_MASK2; + r[2] = t1; + c += (t1 > t2); t1 = a[3]; - t2 = b[3]; - r[3] = (t1 - t2 - c) & BN_MASK2; - if (t1 != t2) - c = (t1 < t2); + t2 = (t1 - c) & BN_MASK2; + c = (t2 > t1); + t1 = b[3]; + t1 = (t2 - t1) & BN_MASK2; + r[3] = t1; + c += (t1 > t2); a += 4; b += 4; r += 4; @@ -408,10 +416,12 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, #endif while (n) { t1 = a[0]; - t2 = b[0]; - r[0] = (t1 - t2 - c) & BN_MASK2; - if (t1 != t2) - c = (t1 < t2); + t2 = (t1 - c) & BN_MASK2; + c = (t2 > t1); + t1 = b[0]; + t1 = (t2 - t1) & BN_MASK2; + r[0] = t1; + c += (t1 > t2); a++; b++; r++; @@ -446,7 +456,7 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, t += c0; /* no carry */ \ c0 = (BN_ULONG)Lw(t); \ hi = (BN_ULONG)Hw(t); \ - c1 = (c1+hi)&BN_MASK2; if (c1<hi) c2++; \ + c1 = (c1+hi)&BN_MASK2; c2 += (c1<hi); \ } while(0) # define mul_add_c2(a,b,c0,c1,c2) do { \ @@ -455,11 +465,11 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, BN_ULLONG tt = t+c0; /* no carry */ \ c0 = (BN_ULONG)Lw(tt); \ hi = (BN_ULONG)Hw(tt); \ - c1 = (c1+hi)&BN_MASK2; if (c1<hi) c2++; \ + c1 = (c1+hi)&BN_MASK2; c2 += (c1<hi); \ t += c0; /* no carry */ \ c0 = (BN_ULONG)Lw(t); \ hi = (BN_ULONG)Hw(t); \ - c1 = (c1+hi)&BN_MASK2; if (c1<hi) c2++; \ + c1 = (c1+hi)&BN_MASK2; c2 += (c1<hi); \ } while(0) # define sqr_add_c(a,i,c0,c1,c2) do { \ @@ -468,7 +478,7 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, t += c0; /* no carry */ \ c0 = (BN_ULONG)Lw(t); \ hi = (BN_ULONG)Hw(t); \ - c1 = (c1+hi)&BN_MASK2; if (c1<hi) c2++; \ + c1 = (c1+hi)&BN_MASK2; c2 += (c1<hi); \ } while(0) # define sqr_add_c2(a,i,j,c0,c1,c2) \ @@ -483,26 +493,26 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, BN_ULONG ta = (a), tb = (b); \ BN_ULONG lo, hi; \ BN_UMULT_LOHI(lo,hi,ta,tb); \ - c0 += lo; hi += (c0<lo)?1:0; \ - c1 += hi; c2 += (c1<hi)?1:0; \ + c0 += lo; hi += (c0<lo); \ + c1 += hi; c2 += (c1<hi); \ } while(0) # define mul_add_c2(a,b,c0,c1,c2) do { \ BN_ULONG ta = (a), tb = (b); \ BN_ULONG lo, hi, tt; \ BN_UMULT_LOHI(lo,hi,ta,tb); \ - c0 += lo; tt = hi+((c0<lo)?1:0); \ - c1 += tt; c2 += (c1<tt)?1:0; \ - c0 += lo; hi += (c0<lo)?1:0; \ - c1 += hi; c2 += (c1<hi)?1:0; \ + c0 += lo; tt = hi + (c0<lo); \ + c1 += tt; c2 += (c1<tt); \ + c0 += lo; hi += (c0<lo); \ + c1 += hi; c2 += (c1<hi); \ } while(0) # define sqr_add_c(a,i,c0,c1,c2) do { \ BN_ULONG ta = (a)[i]; \ BN_ULONG lo, hi; \ BN_UMULT_LOHI(lo,hi,ta,ta); \ - c0 += lo; hi += (c0<lo)?1:0; \ - c1 += hi; c2 += (c1<hi)?1:0; \ + c0 += lo; hi += (c0<lo); \ + c1 += hi; c2 += (c1<hi); \ } while(0) # define sqr_add_c2(a,i,j,c0,c1,c2) \ @@ -517,26 +527,26 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, BN_ULONG ta = (a), tb = (b); \ BN_ULONG lo = ta * tb; \ BN_ULONG hi = BN_UMULT_HIGH(ta,tb); \ - c0 += lo; hi += (c0<lo)?1:0; \ - c1 += hi; c2 += (c1<hi)?1:0; \ + c0 += lo; hi += (c0<lo); \ + c1 += hi; c2 += (c1<hi); \ } while(0) # define mul_add_c2(a,b,c0,c1,c2) do { \ BN_ULONG ta = (a), tb = (b), tt; \ BN_ULONG lo = ta * tb; \ BN_ULONG hi = BN_UMULT_HIGH(ta,tb); \ - c0 += lo; tt = hi + ((c0<lo)?1:0); \ - c1 += tt; c2 += (c1<tt)?1:0; \ - c0 += lo; hi += (c0<lo)?1:0; \ - c1 += hi; c2 += (c1<hi)?1:0; \ + c0 += lo; tt = hi + (c0<lo); \ + c1 += tt; c2 += (c1<tt); \ + c0 += lo; hi += (c0<lo); \ + c1 += hi; c2 += (c1<hi); \ } while(0) # define sqr_add_c(a,i,c0,c1,c2) do { \ BN_ULONG ta = (a)[i]; \ BN_ULONG lo = ta * ta; \ BN_ULONG hi = BN_UMULT_HIGH(ta,ta); \ - c0 += lo; hi += (c0<lo)?1:0; \ - c1 += hi; c2 += (c1<hi)?1:0; \ + c0 += lo; hi += (c0<lo); \ + c1 += hi; c2 += (c1<hi); \ } while(0) # define sqr_add_c2(a,i,j,c0,c1,c2) \ @@ -551,8 +561,8 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, BN_ULONG lo = LBITS(a), hi = HBITS(a); \ BN_ULONG bl = LBITS(b), bh = HBITS(b); \ mul64(lo,hi,bl,bh); \ - c0 = (c0+lo)&BN_MASK2; if (c0<lo) hi++; \ - c1 = (c1+hi)&BN_MASK2; if (c1<hi) c2++; \ + c0 = (c0+lo)&BN_MASK2; hi += (c0<lo); \ + c1 = (c1+hi)&BN_MASK2; c2 += (c1<hi); \ } while(0) # define mul_add_c2(a,b,c0,c1,c2) do { \ @@ -561,17 +571,17 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, BN_ULONG bl = LBITS(b), bh = HBITS(b); \ mul64(lo,hi,bl,bh); \ tt = hi; \ - c0 = (c0+lo)&BN_MASK2; if (c0<lo) tt++; \ - c1 = (c1+tt)&BN_MASK2; if (c1<tt) c2++; \ - c0 = (c0+lo)&BN_MASK2; if (c0<lo) hi++; \ - c1 = (c1+hi)&BN_MASK2; if (c1<hi) c2++; \ + c0 = (c0+lo)&BN_MASK2; tt += (c0<lo); \ + c1 = (c1+tt)&BN_MASK2; c2 += (c1<tt); \ + c0 = (c0+lo)&BN_MASK2; hi += (c0<lo); \ + c1 = (c1+hi)&BN_MASK2; c2 += (c1<hi); \ } while(0) # define sqr_add_c(a,i,c0,c1,c2) do { \ BN_ULONG lo, hi; \ sqr64(lo,hi,(a)[i]); \ - c0 = (c0+lo)&BN_MASK2; if (c0<lo) hi++; \ - c1 = (c1+hi)&BN_MASK2; if (c1<hi) c2++; \ + c0 = (c0+lo)&BN_MASK2; hi += (c0<lo); \ + c1 = (c1+hi)&BN_MASK2; c2 += (c1<hi); \ } while(0) # define sqr_add_c2(a,i,j,c0,c1,c2) \ diff --git a/crypto/openssl/crypto/bn/bn_blind.c b/crypto/openssl/crypto/bn/bn_blind.c index dd5beea7c93e..e76f6107a7b5 100644 --- a/crypto/openssl/crypto/bn/bn_blind.c +++ b/crypto/openssl/crypto/bn/bn_blind.c @@ -13,6 +13,20 @@ #define BN_BLINDING_COUNTER 32 +struct bn_blinding_st { + BIGNUM *A; + BIGNUM *Ai; + BIGNUM *e; + BIGNUM *mod; /* just a reference */ + CRYPTO_THREAD_ID tid; + int counter; + unsigned long flags; + BN_MONT_CTX *m_ctx; + int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p, + const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); + CRYPTO_RWLOCK *lock; +}; + BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod) { BN_BLINDING *ret = NULL; @@ -177,7 +191,8 @@ int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b, n->top = (int)(rtop & ~mask) | (ntop & mask); n->flags |= (BN_FLG_FIXED_TOP & ~mask); } - ret = BN_mod_mul_montgomery(n, n, r, b->m_ctx, ctx); + ret = bn_mul_mont_fixed_top(n, n, r, b->m_ctx, ctx); + bn_correct_top_consttime(n); } else { ret = BN_mod_mul(n, n, r, b->mod, ctx); } diff --git a/crypto/openssl/crypto/bn/bn_err.c b/crypto/openssl/crypto/bn/bn_err.c index 6f5464b54054..6ea5fc3d5cf6 100644 --- a/crypto/openssl/crypto/bn/bn_err.c +++ b/crypto/openssl/crypto/bn/bn_err.c @@ -73,8 +73,6 @@ static const ERR_STRING_DATA BN_str_functs[] = { {ERR_PACK(ERR_LIB_BN, BN_F_BN_SET_WORDS, 0), "bn_set_words"}, {ERR_PACK(ERR_LIB_BN, BN_F_BN_STACK_PUSH, 0), "BN_STACK_push"}, {ERR_PACK(ERR_LIB_BN, BN_F_BN_USUB, 0), "BN_usub"}, - {ERR_PACK(ERR_LIB_BN, BN_F_OSSL_BN_RSA_DO_UNBLIND, 0), - "ossl_bn_rsa_do_unblind"}, {0, NULL} }; diff --git a/crypto/openssl/crypto/bn/bn_lib.c b/crypto/openssl/crypto/bn/bn_lib.c index eb4a31849bef..cd6aa3448afd 100644 --- a/crypto/openssl/crypto/bn/bn_lib.c +++ b/crypto/openssl/crypto/bn/bn_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -1001,6 +1001,28 @@ BIGNUM *bn_wexpand(BIGNUM *a, int words) return (words <= a->dmax) ? a : bn_expand2(a, words); } +void bn_correct_top_consttime(BIGNUM *a) +{ + int j, atop; + BN_ULONG limb; + unsigned int mask; + + for (j = 0, atop = 0; j < a->dmax; j++) { + limb = a->d[j]; + limb |= 0 - limb; + limb >>= BN_BITS2 - 1; + limb = 0 - limb; + mask = (unsigned int)limb; + mask &= constant_time_msb(j - a->top); + atop = constant_time_select_int(mask, j + 1, atop); + } + + mask = constant_time_eq_int(atop, 0); + a->top = atop; + a->neg = constant_time_select_int(mask, 0, a->neg); + a->flags &= ~BN_FLG_FIXED_TOP; +} + void bn_correct_top(BIGNUM *a) { BN_ULONG *ftl; diff --git a/crypto/openssl/crypto/bn/bn_local.h b/crypto/openssl/crypto/bn/bn_local.h index 30b7614fdbb2..818e34348e1b 100644 --- a/crypto/openssl/crypto/bn/bn_local.h +++ b/crypto/openssl/crypto/bn/bn_local.h @@ -283,20 +283,6 @@ struct bn_gencb_st { } cb; }; -struct bn_blinding_st { - BIGNUM *A; - BIGNUM *Ai; - BIGNUM *e; - BIGNUM *mod; /* just a reference */ - CRYPTO_THREAD_ID tid; - int counter; - unsigned long flags; - BN_MONT_CTX *m_ctx; - int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p, - const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); - CRYPTO_RWLOCK *lock; -}; - /*- * BN_window_bits_for_exponent_size -- macro for sliding window mod_exp functions * @@ -529,10 +515,10 @@ unsigned __int64 _umul128(unsigned __int64 a, unsigned __int64 b, ret = (r); \ BN_UMULT_LOHI(low,high,w,tmp); \ ret += (c); \ - (c) = (ret<(c))?1:0; \ + (c) = (ret<(c)); \ (c) += high; \ ret += low; \ - (c) += (ret<low)?1:0; \ + (c) += (ret<low); \ (r) = ret; \ } @@ -541,7 +527,7 @@ unsigned __int64 _umul128(unsigned __int64 a, unsigned __int64 b, BN_UMULT_LOHI(low,high,w,ta); \ ret = low + (c); \ (c) = high; \ - (c) += (ret<low)?1:0; \ + (c) += (ret<low); \ (r) = ret; \ } @@ -557,10 +543,10 @@ unsigned __int64 _umul128(unsigned __int64 a, unsigned __int64 b, high= BN_UMULT_HIGH(w,tmp); \ ret += (c); \ low = (w) * tmp; \ - (c) = (ret<(c))?1:0; \ + (c) = (ret<(c)); \ (c) += high; \ ret += low; \ - (c) += (ret<low)?1:0; \ + (c) += (ret<low); \ (r) = ret; \ } @@ -570,7 +556,7 @@ unsigned __int64 _umul128(unsigned __int64 a, unsigned __int64 b, high= BN_UMULT_HIGH(w,ta); \ ret = low + (c); \ (c) = high; \ - (c) += (ret<low)?1:0; \ + (c) += (ret<low); \ (r) = ret; \ } @@ -603,10 +589,10 @@ unsigned __int64 _umul128(unsigned __int64 a, unsigned __int64 b, lt=(bl)*(lt); \ m1=(bl)*(ht); \ ht =(bh)*(ht); \ - m=(m+m1)&BN_MASK2; if (m < m1) ht+=L2HBITS((BN_ULONG)1); \ + m=(m+m1)&BN_MASK2; ht += L2HBITS((BN_ULONG)(m < m1)); \ ht+=HBITS(m); \ m1=L2HBITS(m); \ - lt=(lt+m1)&BN_MASK2; if (lt < m1) ht++; \ + lt=(lt+m1)&BN_MASK2; ht += (lt < m1); \ (l)=lt; \ (h)=ht; \ } @@ -623,7 +609,7 @@ unsigned __int64 _umul128(unsigned __int64 a, unsigned __int64 b, h*=h; \ h+=(m&BN_MASK2h1)>>(BN_BITS4-1); \ m =(m&BN_MASK2l)<<(BN_BITS4+1); \ - l=(l+m)&BN_MASK2; if (l < m) h++; \ + l=(l+m)&BN_MASK2; h += (l < m); \ (lo)=l; \ (ho)=h; \ } @@ -637,9 +623,9 @@ unsigned __int64 _umul128(unsigned __int64 a, unsigned __int64 b, mul64(l,h,(bl),(bh)); \ \ /* non-multiply part */ \ - l=(l+(c))&BN_MASK2; if (l < (c)) h++; \ + l=(l+(c))&BN_MASK2; h += (l < (c)); \ (c)=(r); \ - l=(l+(c))&BN_MASK2; if (l < (c)) h++; \ + l=(l+(c))&BN_MASK2; h += (l < (c)); \ (c)=h&BN_MASK2; \ (r)=l; \ } @@ -653,7 +639,7 @@ unsigned __int64 _umul128(unsigned __int64 a, unsigned __int64 b, mul64(l,h,(bl),(bh)); \ \ /* non-multiply part */ \ - l+=(c); if ((l&BN_MASK2) < (c)) h++; \ + l+=(c); h += ((l&BN_MASK2) < (c)); \ (c)=h&BN_MASK2; \ (r)=l&BN_MASK2; \ } @@ -683,7 +669,7 @@ BN_ULONG bn_sub_part_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, int cl, int dl); int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, const BN_ULONG *np, const BN_ULONG *n0, int num); - +void bn_correct_top_consttime(BIGNUM *a); BIGNUM *int_bn_mod_inverse(BIGNUM *in, const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx, int *noinv); diff --git a/crypto/openssl/crypto/bn/build.info b/crypto/openssl/crypto/bn/build.info index c9fe2fdada69..b9ed5322fa68 100644 --- a/crypto/openssl/crypto/bn/build.info +++ b/crypto/openssl/crypto/bn/build.info @@ -5,8 +5,7 @@ SOURCE[../../libcrypto]=\ bn_kron.c bn_sqrt.c bn_gcd.c bn_prime.c bn_err.c bn_sqr.c \ {- $target{bn_asm_src} -} \ bn_recp.c bn_mont.c bn_mpi.c bn_exp2.c bn_gf2m.c bn_nist.c \ - bn_depr.c bn_const.c bn_x931p.c bn_intern.c bn_dh.c bn_srp.c \ - rsa_sup_mul.c + bn_depr.c bn_const.c bn_x931p.c bn_intern.c bn_dh.c bn_srp.c INCLUDE[bn_exp.o]=.. diff --git a/crypto/openssl/crypto/bn/rsa_sup_mul.c b/crypto/openssl/crypto/bn/rsa_sup_mul.c deleted file mode 100644 index acafefd5febf..000000000000 --- a/crypto/openssl/crypto/bn/rsa_sup_mul.c +++ /dev/null @@ -1,614 +0,0 @@ -#include <openssl/e_os2.h> -#include <stddef.h> -#include <sys/types.h> -#include <string.h> -#include <openssl/bn.h> -#include <openssl/err.h> -#include <openssl/rsaerr.h> -#include "internal/numbers.h" -#include "internal/constant_time.h" -#include "bn_local.h" - -# if BN_BYTES == 8 -typedef uint64_t limb_t; -# if defined(__SIZEOF_INT128__) && __SIZEOF_INT128__ == 16 -/* nonstandard; implemented by gcc on 64-bit platforms */ -typedef __uint128_t limb2_t; -# define HAVE_LIMB2_T -# endif -# define LIMB_BIT_SIZE 64 -# define LIMB_BYTE_SIZE 8 -# elif BN_BYTES == 4 -typedef uint32_t limb_t; -typedef uint64_t limb2_t; -# define LIMB_BIT_SIZE 32 -# define LIMB_BYTE_SIZE 4 -# define HAVE_LIMB2_T -# else -# error "Not supported" -# endif - -/* - * For multiplication we're using schoolbook multiplication, - * so if we have two numbers, each with 6 "digits" (words) - * the multiplication is calculated as follows: - * A B C D E F - * x I J K L M N - * -------------- - * N*F - * N*E - * N*D - * N*C - * N*B - * N*A - * M*F - * M*E - * M*D - * M*C - * M*B - * M*A - * L*F - * L*E - * L*D - * L*C - * L*B - * L*A - * K*F - * K*E - * K*D - * K*C - * K*B - * K*A - * J*F - * J*E - * J*D - * J*C - * J*B - * J*A - * I*F - * I*E - * I*D - * I*C - * I*B - * + I*A - * ========================== - * N*B N*D N*F - * + N*A N*C N*E - * + M*B M*D M*F - * + M*A M*C M*E - * + L*B L*D L*F - * + L*A L*C L*E - * + K*B K*D K*F - * + K*A K*C K*E - * + J*B J*D J*F - * + J*A J*C J*E - * + I*B I*D I*F - * + I*A I*C I*E - * - * 1+1 1+3 1+5 - * 1+0 1+2 1+4 - * 0+1 0+3 0+5 - * 0+0 0+2 0+4 - * - * 0 1 2 3 4 5 6 - * which requires n^2 multiplications and 2n full length additions - * as we can keep every other result of limb multiplication in two separate - * limbs - */ - -#if defined HAVE_LIMB2_T -static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b) -{ - limb2_t t; - /* - * this is idiomatic code to tell compiler to use the native mul - * those three lines will actually compile to single instruction - */ - - t = (limb2_t)a * b; - *hi = t >> LIMB_BIT_SIZE; - *lo = (limb_t)t; -} -#elif (BN_BYTES == 8) && (defined _MSC_VER) -/* https://learn.microsoft.com/en-us/cpp/intrinsics/umul128?view=msvc-170 */ -#pragma intrinsic(_umul128) -static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b) -{ - *lo = _umul128(a, b, hi); -} -#else -/* - * if the compiler doesn't have either a 128bit data type nor a "return - * high 64 bits of multiplication" - */ -static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b) -{ - limb_t a_low = (limb_t)(uint32_t)a; - limb_t a_hi = a >> 32; - limb_t b_low = (limb_t)(uint32_t)b; - limb_t b_hi = b >> 32; - - limb_t p0 = a_low * b_low; - limb_t p1 = a_low * b_hi; - limb_t p2 = a_hi * b_low; - limb_t p3 = a_hi * b_hi; - - uint32_t cy = (uint32_t)(((p0 >> 32) + (uint32_t)p1 + (uint32_t)p2) >> 32); - - *lo = p0 + (p1 << 32) + (p2 << 32); - *hi = p3 + (p1 >> 32) + (p2 >> 32) + cy; -} -#endif - -/* add two limbs with carry in, return carry out */ -static ossl_inline limb_t _add_limb(limb_t *ret, limb_t a, limb_t b, limb_t carry) -{ - limb_t carry1, carry2, t; - /* - * `c = a + b; if (c < a)` is idiomatic code that makes compilers - * use add with carry on assembly level - */ - - *ret = a + carry; - if (*ret < a) - carry1 = 1; - else - carry1 = 0; - - t = *ret; - *ret = t + b; - if (*ret < t) - carry2 = 1; - else - carry2 = 0; - - return carry1 + carry2; -} - -/* - * add two numbers of the same size, return overflow - * - * add a to b, place result in ret; all arrays need to be n limbs long - * return overflow from addition (0 or 1) - */ -static ossl_inline limb_t add(limb_t *ret, limb_t *a, limb_t *b, size_t n) -{ - limb_t c = 0; - ossl_ssize_t i; - - for(i = n - 1; i > -1; i--) - c = _add_limb(&ret[i], a[i], b[i], c); - - return c; -} - -/* - * return number of limbs necessary for temporary values - * when multiplying numbers n limbs large - */ -static ossl_inline size_t mul_limb_numb(size_t n) -{ - return 2 * n * 2; -} - -/* - * multiply two numbers of the same size - * - * multiply a by b, place result in ret; a and b need to be n limbs long - * ret needs to be 2*n limbs long, tmp needs to be mul_limb_numb(n) limbs - * long - */ -static void limb_mul(limb_t *ret, limb_t *a, limb_t *b, size_t n, limb_t *tmp) -{ - limb_t *r_odd, *r_even; - size_t i, j, k; - - r_odd = tmp; - r_even = &tmp[2 * n]; - - memset(ret, 0, 2 * n * sizeof(limb_t)); - - for (i = 0; i < n; i++) { - for (k = 0; k < i + n + 1; k++) { - r_even[k] = 0; - r_odd[k] = 0; - } - for (j = 0; j < n; j++) { - /* - * place results from even and odd limbs in separate arrays so that - * we don't have to calculate overflow every time we get individual - * limb multiplication result - */ - if (j % 2 == 0) - _mul_limb(&r_even[i + j], &r_even[i + j + 1], a[i], b[j]); - else - _mul_limb(&r_odd[i + j], &r_odd[i + j + 1], a[i], b[j]); - } - /* - * skip the least significant limbs when adding multiples of - * more significant limbs (they're zero anyway) - */ - add(ret, ret, r_even, n + i + 1); - add(ret, ret, r_odd, n + i + 1); - } -} - -/* modifies the value in place by performing a right shift by one bit */ -static ossl_inline void rshift1(limb_t *val, size_t n) -{ - limb_t shift_in = 0, shift_out = 0; - size_t i; - - for (i = 0; i < n; i++) { - shift_out = val[i] & 1; - val[i] = shift_in << (LIMB_BIT_SIZE - 1) | (val[i] >> 1); - shift_in = shift_out; - } -} - -/* extend the LSB of flag to all bits of limb */ -static ossl_inline limb_t mk_mask(limb_t flag) -{ - flag |= flag << 1; - flag |= flag << 2; - flag |= flag << 4; - flag |= flag << 8; - flag |= flag << 16; -#if (LIMB_BYTE_SIZE == 8) - flag |= flag << 32; -#endif - return flag; -} - -/* - * copy from either a or b to ret based on flag - * when flag == 0, then copies from b - * when flag == 1, then copies from a - */ -static ossl_inline void cselect(limb_t flag, limb_t *ret, limb_t *a, limb_t *b, size_t n) -{ - /* - * would be more efficient with non volatile mask, but then gcc - * generates code with jumps - */ - volatile limb_t mask; - size_t i; - - mask = mk_mask(flag); - for (i = 0; i < n; i++) { -#if (LIMB_BYTE_SIZE == 8) - ret[i] = constant_time_select_64(mask, a[i], b[i]); -#else - ret[i] = constant_time_select_32(mask, a[i], b[i]); -#endif - } -} - -static limb_t _sub_limb(limb_t *ret, limb_t a, limb_t b, limb_t borrow) -{ - limb_t borrow1, borrow2, t; - /* - * while it doesn't look constant-time, this is idiomatic code - * to tell compilers to use the carry bit from subtraction - */ - - *ret = a - borrow; - if (*ret > a) - borrow1 = 1; - else - borrow1 = 0; - - t = *ret; - *ret = t - b; - if (*ret > t) - borrow2 = 1; - else - borrow2 = 0; - - return borrow1 + borrow2; -} - -/* - * place the result of a - b into ret, return the borrow bit. - * All arrays need to be n limbs long - */ -static limb_t sub(limb_t *ret, limb_t *a, limb_t *b, size_t n) -{ - limb_t borrow = 0; - ossl_ssize_t i; - - for (i = n - 1; i > -1; i--) - borrow = _sub_limb(&ret[i], a[i], b[i], borrow); - - return borrow; -} - -/* return the number of limbs necessary to allocate for the mod() tmp operand */ -static ossl_inline size_t mod_limb_numb(size_t anum, size_t modnum) -{ - return (anum + modnum) * 3; -} - -/* - * calculate a % mod, place the result in ret - * size of a is defined by anum, size of ret and mod is modnum, - * size of tmp is returned by mod_limb_numb() - */ -static void mod(limb_t *ret, limb_t *a, size_t anum, limb_t *mod, - size_t modnum, limb_t *tmp) -{ - limb_t *atmp, *modtmp, *rettmp; - limb_t res; - size_t i; - - memset(tmp, 0, mod_limb_numb(anum, modnum) * LIMB_BYTE_SIZE); - - atmp = tmp; - modtmp = &tmp[anum + modnum]; - rettmp = &tmp[(anum + modnum) * 2]; - - for (i = modnum; i <modnum + anum; i++) - atmp[i] = a[i-modnum]; - - for (i = 0; i < modnum; i++) - modtmp[i] = mod[i]; - - for (i = 0; i < anum * LIMB_BIT_SIZE; i++) { - rshift1(modtmp, anum + modnum); - res = sub(rettmp, atmp, modtmp, anum+modnum); - cselect(res, atmp, atmp, rettmp, anum+modnum); - } - - memcpy(ret, &atmp[anum], sizeof(limb_t) * modnum); -} - -/* necessary size of tmp for a _mul_add_limb() call with provided anum */ -static ossl_inline size_t _mul_add_limb_numb(size_t anum) -{ - return 2 * (anum + 1); -} - -/* multiply a by m, add to ret, return carry */ -static limb_t _mul_add_limb(limb_t *ret, limb_t *a, size_t anum, - limb_t m, limb_t *tmp) -{ - limb_t carry = 0; - limb_t *r_odd, *r_even; - size_t i; - - memset(tmp, 0, sizeof(limb_t) * (anum + 1) * 2); - - r_odd = tmp; - r_even = &tmp[anum + 1]; - - for (i = 0; i < anum; i++) { - /* - * place the results from even and odd limbs in separate arrays - * so that we have to worry about carry just once - */ - if (i % 2 == 0) - _mul_limb(&r_even[i], &r_even[i + 1], a[i], m); - else - _mul_limb(&r_odd[i], &r_odd[i + 1], a[i], m); - } - /* assert: add() carry here will be equal zero */ - add(r_even, r_even, r_odd, anum + 1); - /* - * while here it will not overflow as the max value from multiplication - * is -2 while max overflow from addition is 1, so the max value of - * carry is -1 (i.e. max int) - */ - carry = add(ret, ret, &r_even[1], anum) + r_even[0]; - - return carry; -} - -static ossl_inline size_t mod_montgomery_limb_numb(size_t modnum) -{ - return modnum * 2 + _mul_add_limb_numb(modnum); -} - -/* - * calculate a % mod, place result in ret - * assumes that a is in Montgomery form with the R (Montgomery modulus) being - * smallest power of two big enough to fit mod and that's also a power - * of the count of number of bits in limb_t (B). - * For calculation, we also need n', such that mod * n' == -1 mod B. - * anum must be <= 2 * modnum - * ret needs to be modnum words long - * tmp needs to be mod_montgomery_limb_numb(modnum) limbs long - */ -static void mod_montgomery(limb_t *ret, limb_t *a, size_t anum, limb_t *mod, - size_t modnum, limb_t ni0, limb_t *tmp) -{ - limb_t carry, v; - limb_t *res, *rp, *tmp2; - ossl_ssize_t i; - - res = tmp; - /* - * for intermediate result we need an integer twice as long as modulus - * but keep the input in the least significant limbs - */ - memset(res, 0, sizeof(limb_t) * (modnum * 2)); - memcpy(&res[modnum * 2 - anum], a, sizeof(limb_t) * anum); - rp = &res[modnum]; - tmp2 = &res[modnum * 2]; - - carry = 0; - - /* add multiples of the modulus to the value until R divides it cleanly */ - for (i = modnum; i > 0; i--, rp--) { - v = _mul_add_limb(rp, mod, modnum, rp[modnum - 1] * ni0, tmp2); - v = v + carry + rp[-1]; - carry |= (v != rp[-1]); - carry &= (v <= rp[-1]); - rp[-1] = v; - } - - /* perform the final reduction by mod... */ - carry -= sub(ret, rp, mod, modnum); - - /* ...conditionally */ - cselect(carry, ret, rp, ret, modnum); -} - -/* allocated buffer should be freed afterwards */ -static void BN_to_limb(const BIGNUM *bn, limb_t *buf, size_t limbs) -{ - int i; - int real_limbs = (BN_num_bytes(bn) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; - limb_t *ptr = buf + (limbs - real_limbs); - - for (i = 0; i < real_limbs; i++) - ptr[i] = bn->d[real_limbs - i - 1]; -} - -#if LIMB_BYTE_SIZE == 8 -static ossl_inline uint64_t be64(uint64_t host) -{ - const union { - long one; - char little; - } is_endian = { 1 }; - - if (is_endian.little) { - uint64_t big = 0; - - big |= (host & 0xff00000000000000) >> 56; - big |= (host & 0x00ff000000000000) >> 40; - big |= (host & 0x0000ff0000000000) >> 24; - big |= (host & 0x000000ff00000000) >> 8; - big |= (host & 0x00000000ff000000) << 8; - big |= (host & 0x0000000000ff0000) << 24; - big |= (host & 0x000000000000ff00) << 40; - big |= (host & 0x00000000000000ff) << 56; - return big; - } else { - return host; - } -} - -#else -/* Not all platforms have htobe32(). */ -static ossl_inline uint32_t be32(uint32_t host) -{ - const union { - long one; - char little; - } is_endian = { 1 }; - - if (is_endian.little) { - uint32_t big = 0; - - big |= (host & 0xff000000) >> 24; - big |= (host & 0x00ff0000) >> 8; - big |= (host & 0x0000ff00) << 8; - big |= (host & 0x000000ff) << 24; - return big; - } else { - return host; - } -} -#endif - -/* - * We assume that intermediate, possible_arg2, blinding, and ctx are used - * similar to BN_BLINDING_invert_ex() arguments. - * to_mod is RSA modulus. - * buf and num is the serialization buffer and its length. - * - * Here we use classic/Montgomery multiplication and modulo. After the calculation finished - * we serialize the new structure instead of BIGNUMs taking endianness into account. - */ -int ossl_bn_rsa_do_unblind(const BIGNUM *intermediate, - const BN_BLINDING *blinding, - const BIGNUM *possible_arg2, - const BIGNUM *to_mod, BN_CTX *ctx, - unsigned char *buf, int num) -{ - limb_t *l_im = NULL, *l_mul = NULL, *l_mod = NULL; - limb_t *l_ret = NULL, *l_tmp = NULL, l_buf; - size_t l_im_count = 0, l_mul_count = 0, l_size = 0, l_mod_count = 0; - size_t l_tmp_count = 0; - int ret = 0; - size_t i; - unsigned char *tmp; - const BIGNUM *arg1 = intermediate; - const BIGNUM *arg2 = (possible_arg2 == NULL) ? blinding->Ai : possible_arg2; - - l_im_count = (BN_num_bytes(arg1) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; - l_mul_count = (BN_num_bytes(arg2) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; - l_mod_count = (BN_num_bytes(to_mod) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; - - l_size = l_im_count > l_mul_count ? l_im_count : l_mul_count; - l_im = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE); - l_mul = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE); - l_mod = OPENSSL_zalloc(l_mod_count * LIMB_BYTE_SIZE); - - if ((l_im == NULL) || (l_mul == NULL) || (l_mod == NULL)) - goto err; - - BN_to_limb(arg1, l_im, l_size); - BN_to_limb(arg2, l_mul, l_size); - BN_to_limb(to_mod, l_mod, l_mod_count); - - l_ret = OPENSSL_malloc(2 * l_size * LIMB_BYTE_SIZE); - - if (blinding->m_ctx != NULL) { - l_tmp_count = mul_limb_numb(l_size) > mod_montgomery_limb_numb(l_mod_count) ? - mul_limb_numb(l_size) : mod_montgomery_limb_numb(l_mod_count); - l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE); - } else { - l_tmp_count = mul_limb_numb(l_size) > mod_limb_numb(2 * l_size, l_mod_count) ? - mul_limb_numb(l_size) : mod_limb_numb(2 * l_size, l_mod_count); - l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE); - } - - if ((l_ret == NULL) || (l_tmp == NULL)) - goto err; - - if (blinding->m_ctx != NULL) { - limb_mul(l_ret, l_im, l_mul, l_size, l_tmp); - mod_montgomery(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count, - blinding->m_ctx->n0[0], l_tmp); - } else { - limb_mul(l_ret, l_im, l_mul, l_size, l_tmp); - mod(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count, l_tmp); - } - - /* modulus size in bytes can be equal to num but after limbs conversion it becomes bigger */ - if (num < BN_num_bytes(to_mod)) { - BNerr(BN_F_OSSL_BN_RSA_DO_UNBLIND, ERR_R_PASSED_INVALID_ARGUMENT); - goto err; - } - - memset(buf, 0, num); - tmp = buf + num - BN_num_bytes(to_mod); - for (i = 0; i < l_mod_count; i++) { -#if LIMB_BYTE_SIZE == 8 - l_buf = be64(l_ret[i]); -#else - l_buf = be32(l_ret[i]); -#endif - if (i == 0) { - int delta = LIMB_BYTE_SIZE - ((l_mod_count * LIMB_BYTE_SIZE) - num); - - memcpy(tmp, ((char *)&l_buf) + LIMB_BYTE_SIZE - delta, delta); - tmp += delta; - } else { - memcpy(tmp, &l_buf, LIMB_BYTE_SIZE); - tmp += LIMB_BYTE_SIZE; - } - } - ret = num; - - err: - OPENSSL_free(l_im); - OPENSSL_free(l_mul); - OPENSSL_free(l_mod); - OPENSSL_free(l_tmp); - OPENSSL_free(l_ret); - - return ret; -} diff --git a/crypto/openssl/crypto/conf/conf_sap.c b/crypto/openssl/crypto/conf/conf_sap.c index 82105de748ed..db4f94ed93d3 100644 --- a/crypto/openssl/crypto/conf/conf_sap.c +++ b/crypto/openssl/crypto/conf/conf_sap.c @@ -1,5 +1,5 @@ /* - * Copyright 2002-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -43,16 +43,19 @@ void OPENSSL_config(const char *appname) int openssl_config_int(const OPENSSL_INIT_SETTINGS *settings) { int ret = 0; +#if defined(OPENSSL_INIT_DEBUG) || !defined(OPENSSL_SYS_UEFI) const char *filename; const char *appname; unsigned long flags; +#endif if (openssl_configured) return 1; - +#if defined(OPENSSL_INIT_DEBUG) || !defined(OPENSSL_SYS_UEFI) filename = settings ? settings->filename : NULL; appname = settings ? settings->appname : NULL; flags = settings ? settings->flags : DEFAULT_CONF_MFLAGS; +#endif #ifdef OPENSSL_INIT_DEBUG fprintf(stderr, "OPENSSL_INIT: openssl_config_int(%s, %s, %lu)\n", diff --git a/crypto/openssl/crypto/err/openssl.txt b/crypto/openssl/crypto/err/openssl.txt index 775a72006c26..8db8b00301aa 100644 --- a/crypto/openssl/crypto/err/openssl.txt +++ b/crypto/openssl/crypto/err/openssl.txt @@ -1,4 +1,4 @@ -# Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -232,7 +232,6 @@ BN_F_BN_RSHIFT:146:BN_rshift BN_F_BN_SET_WORDS:144:bn_set_words BN_F_BN_STACK_PUSH:148:BN_STACK_push BN_F_BN_USUB:115:BN_usub -BN_F_OSSL_BN_RSA_DO_UNBLIND:151:ossl_bn_rsa_do_unblind BUF_F_BUF_MEM_GROW:100:BUF_MEM_grow BUF_F_BUF_MEM_GROW_CLEAN:105:BUF_MEM_grow_clean BUF_F_BUF_MEM_NEW:101:BUF_MEM_new diff --git a/crypto/openssl/crypto/objects/obj_dat.c b/crypto/openssl/crypto/objects/obj_dat.c index 7e8de727f310..e1b4c589dbd3 100644 --- a/crypto/openssl/crypto/objects/obj_dat.c +++ b/crypto/openssl/crypto/objects/obj_dat.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -428,6 +428,25 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name) first = 1; bl = NULL; + /* + * RFC 2578 (STD 58) says this about OBJECT IDENTIFIERs: + * + * > 3.5. OBJECT IDENTIFIER values + * > + * > An OBJECT IDENTIFIER value is an ordered list of non-negative + * > numbers. For the SMIv2, each number in the list is referred to as a + * > sub-identifier, there are at most 128 sub-identifiers in a value, + * > and each sub-identifier has a maximum value of 2^32-1 (4294967295 + * > decimal). + * + * So a legitimate OID according to this RFC is at most (32 * 128 / 7), + * i.e. 586 bytes long. + * + * Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5 + */ + if (len > 586) + goto err; + while (len > 0) { l = 0; use_bn = 0; diff --git a/crypto/openssl/crypto/rsa/rsa_ossl.c b/crypto/openssl/crypto/rsa/rsa_ossl.c index 2e3ee4ab33dc..cf5a10ab435f 100644 --- a/crypto/openssl/crypto/rsa/rsa_ossl.c +++ b/crypto/openssl/crypto/rsa/rsa_ossl.c @@ -226,6 +226,7 @@ static int rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind, * will only read the modulus from BN_BLINDING. In both cases it's safe * to access the blinding without a lock. */ + BN_set_flags(f, BN_FLG_CONSTTIME); return BN_BLINDING_invert_ex(f, unblind, b, ctx); } @@ -412,6 +413,11 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, goto err; } + if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) + if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock, + rsa->n, ctx)) + goto err; + if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) { blinding = rsa_get_blinding(rsa, &local_blinding, ctx); if (blinding == NULL) { @@ -449,13 +455,6 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, goto err; } BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); - - if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) - if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock, - rsa->n, ctx)) { - BN_free(d); - goto err; - } if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx, rsa->_method_mod_n)) { BN_free(d); @@ -465,20 +464,11 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, BN_free(d); } - if (blinding) { - /* - * ossl_bn_rsa_do_unblind() combines blinding inversion and - * 0-padded BN BE serialization - */ - j = ossl_bn_rsa_do_unblind(ret, blinding, unblind, rsa->n, ctx, - buf, num); - if (j == 0) - goto err; - } else { - j = BN_bn2binpad(ret, buf, num); - if (j < 0) + if (blinding) + if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) goto err; - } + + j = BN_bn2binpad(ret, buf, num); switch (padding) { case RSA_PKCS1_PADDING: diff --git a/crypto/openssl/crypto/ui/ui_lib.c b/crypto/openssl/crypto/ui/ui_lib.c index 49cc45057c4c..335a3d3d2044 100644 --- a/crypto/openssl/crypto/ui/ui_lib.c +++ b/crypto/openssl/crypto/ui/ui_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -529,6 +529,10 @@ int UI_process(UI *ui) ok = 0; break; } + } else { + ui->flags &= ~UI_FLAG_REDOABLE; + ok = -2; + goto err; } } diff --git a/crypto/openssl/crypto/ui/ui_util.c b/crypto/openssl/crypto/ui/ui_util.c index 32a3c4e38de2..754c75671faf 100644 --- a/crypto/openssl/crypto/ui/ui_util.c +++ b/crypto/openssl/crypto/ui/ui_util.c @@ -1,5 +1,5 @@ /* - * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -32,7 +32,7 @@ int UI_UTIL_read_pw_string(char *buf, int length, const char *prompt, int UI_UTIL_read_pw(char *buf, char *buff, int size, const char *prompt, int verify) { - int ok = 0; + int ok = -2; UI *ui; if (size < 1) @@ -47,8 +47,6 @@ int UI_UTIL_read_pw(char *buf, char *buff, int size, const char *prompt, ok = UI_process(ui); UI_free(ui); } - if (ok > 0) - ok = 0; return ok; } diff --git a/crypto/openssl/crypto/x509/x509_vfy.c b/crypto/openssl/crypto/x509/x509_vfy.c index 925fbb541258..66b532a16571 100644 --- a/crypto/openssl/crypto/x509/x509_vfy.c +++ b/crypto/openssl/crypto/x509/x509_vfy.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -1649,18 +1649,25 @@ static int check_policy(X509_STORE_CTX *ctx) } /* Invalid or inconsistent extensions */ if (ret == X509_PCY_TREE_INVALID) { - int i; + int i, cbcalled = 0; /* Locate certificates with bad extensions and notify callback. */ - for (i = 1; i < sk_X509_num(ctx->chain); i++) { + for (i = 0; i < sk_X509_num(ctx->chain); i++) { X509 *x = sk_X509_value(ctx->chain, i); if (!(x->ex_flags & EXFLAG_INVALID_POLICY)) continue; + cbcalled = 1; if (!verify_cb_cert(ctx, x, i, X509_V_ERR_INVALID_POLICY_EXTENSION)) return 0; } + if (!cbcalled) { + /* Should not be able to get here */ + X509err(X509_F_CHECK_POLICY, ERR_R_INTERNAL_ERROR); + return 0; + } + /* The callback ignored the error so we return success */ return 1; } if (ret == X509_PCY_TREE_FAILURE) { diff --git a/crypto/openssl/crypto/x509v3/pcy_local.h b/crypto/openssl/crypto/x509v3/pcy_local.h index 5daf78de4585..70d77bfb0b64 100644 --- a/crypto/openssl/crypto/x509v3/pcy_local.h +++ b/crypto/openssl/crypto/x509v3/pcy_local.h @@ -1,5 +1,5 @@ /* - * Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st { }; struct X509_POLICY_TREE_st { + /* The number of nodes in the tree */ + size_t node_count; + /* The maximum number of nodes in the tree */ + size_t node_maximum; + /* This is the tree 'level' data */ X509_POLICY_LEVEL *levels; int nlevel; @@ -159,7 +164,8 @@ X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk, X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level, X509_POLICY_DATA *data, X509_POLICY_NODE *parent, - X509_POLICY_TREE *tree); + X509_POLICY_TREE *tree, + int extra_data); void policy_node_free(X509_POLICY_NODE *node); int policy_node_match(const X509_POLICY_LEVEL *lvl, const X509_POLICY_NODE *node, const ASN1_OBJECT *oid); diff --git a/crypto/openssl/crypto/x509v3/pcy_node.c b/crypto/openssl/crypto/x509v3/pcy_node.c index e2d7b1532236..78bf8b62f8e4 100644 --- a/crypto/openssl/crypto/x509v3/pcy_node.c +++ b/crypto/openssl/crypto/x509v3/pcy_node.c @@ -1,5 +1,5 @@ /* - * Copyright 2004-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -59,10 +59,15 @@ X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level, X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level, X509_POLICY_DATA *data, X509_POLICY_NODE *parent, - X509_POLICY_TREE *tree) + X509_POLICY_TREE *tree, + int extra_data) { X509_POLICY_NODE *node; + /* Verify that the tree isn't too large. This mitigates CVE-2023-0464 */ + if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum) + return NULL; + node = OPENSSL_zalloc(sizeof(*node)); if (node == NULL) { X509V3err(X509V3_F_LEVEL_ADD_NODE, ERR_R_MALLOC_FAILURE); @@ -70,7 +75,7 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level, } node->data = data; node->parent = parent; - if (level) { + if (level != NULL) { if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) { if (level->anyPolicy) goto node_error; @@ -90,24 +95,33 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level, } } - if (tree) { + if (extra_data) { if (tree->extra_data == NULL) tree->extra_data = sk_X509_POLICY_DATA_new_null(); if (tree->extra_data == NULL){ X509V3err(X509V3_F_LEVEL_ADD_NODE, ERR_R_MALLOC_FAILURE); - goto node_error; + goto extra_data_error; } if (!sk_X509_POLICY_DATA_push(tree->extra_data, data)) { X509V3err(X509V3_F_LEVEL_ADD_NODE, ERR_R_MALLOC_FAILURE); - goto node_error; + goto extra_data_error; } } + tree->node_count++; if (parent) parent->nchild++; return node; + extra_data_error: + if (level != NULL) { + if (level->anyPolicy == node) + level->anyPolicy = NULL; + else + (void) sk_X509_POLICY_NODE_pop(level->nodes); + } + node_error: policy_node_free(node); return NULL; diff --git a/crypto/openssl/crypto/x509v3/pcy_tree.c b/crypto/openssl/crypto/x509v3/pcy_tree.c index 6e8322cbc5e3..8f09c9d095d3 100644 --- a/crypto/openssl/crypto/x509v3/pcy_tree.c +++ b/crypto/openssl/crypto/x509v3/pcy_tree.c @@ -1,5 +1,5 @@ /* - * Copyright 2004-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -14,6 +14,20 @@ #include "pcy_local.h" /* + * If the maximum number of nodes in the policy tree isn't defined, set it to + * a generous default of 1000 nodes. + * + * Defining this to be zero means unlimited policy tree growth which opens the + * door on CVE-2023-0464. + */ + +#ifndef OPENSSL_POLICY_TREE_NODES_MAX +# define OPENSSL_POLICY_TREE_NODES_MAX 1000 +#endif + +static void exnode_free(X509_POLICY_NODE *node); + +/* * Enable this to print out the complete policy tree at various point during * evaluation. */ @@ -168,6 +182,9 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, return X509_PCY_TREE_INTERNAL; } + /* Limit the growth of the tree to mitigate CVE-2023-0464 */ + tree->node_maximum = OPENSSL_POLICY_TREE_NODES_MAX; + /* * http://tools.ietf.org/html/rfc5280#section-6.1.2, figure 3. * @@ -184,7 +201,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, level = tree->levels; if ((data = policy_data_new(NULL, OBJ_nid2obj(NID_any_policy), 0)) == NULL) goto bad_tree; - if (level_add_node(level, data, NULL, tree) == NULL) { + if (level_add_node(level, data, NULL, tree, 1) == NULL) { policy_data_free(data); goto bad_tree; } @@ -243,7 +260,8 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, * Return value: 1 on success, 0 otherwise */ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr, - X509_POLICY_DATA *data) + X509_POLICY_DATA *data, + X509_POLICY_TREE *tree) { X509_POLICY_LEVEL *last = curr - 1; int i, matched = 0; @@ -253,13 +271,13 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr, X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(last->nodes, i); if (policy_node_match(last, node, data->valid_policy)) { - if (level_add_node(curr, data, node, NULL) == NULL) + if (level_add_node(curr, data, node, tree, 0) == NULL) return 0; matched = 1; } } if (!matched && last->anyPolicy) { - if (level_add_node(curr, data, last->anyPolicy, NULL) == NULL) + if (level_add_node(curr, data, last->anyPolicy, tree, 0) == NULL) return 0; } return 1; @@ -272,7 +290,8 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr, * Return value: 1 on success, 0 otherwise. */ static int tree_link_nodes(X509_POLICY_LEVEL *curr, - const X509_POLICY_CACHE *cache) + const X509_POLICY_CACHE *cache, + X509_POLICY_TREE *tree) { int i; @@ -280,7 +299,7 @@ static int tree_link_nodes(X509_POLICY_LEVEL *curr, X509_POLICY_DATA *data = sk_X509_POLICY_DATA_value(cache->data, i); /* Look for matching nodes in previous level */ - if (!tree_link_matching_nodes(curr, data)) + if (!tree_link_matching_nodes(curr, data, tree)) return 0; } return 1; @@ -311,7 +330,7 @@ static int tree_add_unmatched(X509_POLICY_LEVEL *curr, /* Curr may not have anyPolicy */ data->qualifier_set = cache->anyPolicy->qualifier_set; data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS; - if (level_add_node(curr, data, node, tree) == NULL) { + if (level_add_node(curr, data, node, tree, 1) == NULL) { policy_data_free(data); return 0; } @@ -373,7 +392,7 @@ static int tree_link_any(X509_POLICY_LEVEL *curr, } /* Finally add link to anyPolicy */ if (last->anyPolicy && - level_add_node(curr, cache->anyPolicy, last->anyPolicy, NULL) == NULL) + level_add_node(curr, cache->anyPolicy, last->anyPolicy, tree, 0) == NULL) return 0; return 1; } @@ -555,15 +574,24 @@ static int tree_calculate_user_set(X509_POLICY_TREE *tree, extra->qualifier_set = anyPolicy->data->qualifier_set; extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS | POLICY_DATA_FLAG_EXTRA_NODE; - node = level_add_node(NULL, extra, anyPolicy->parent, tree); + node = level_add_node(NULL, extra, anyPolicy->parent, + tree, 1); + if (node == NULL) { + policy_data_free(extra); + return 0; + } } if (!tree->user_policies) { tree->user_policies = sk_X509_POLICY_NODE_new_null(); - if (!tree->user_policies) - return 1; + if (!tree->user_policies) { + exnode_free(node); + return 0; + } } - if (!sk_X509_POLICY_NODE_push(tree->user_policies, node)) + if (!sk_X509_POLICY_NODE_push(tree->user_policies, node)) { + exnode_free(node); return 0; + } } return 1; } @@ -582,7 +610,7 @@ static int tree_evaluate(X509_POLICY_TREE *tree) for (i = 1; i < tree->nlevel; i++, curr++) { cache = policy_cache_set(curr->cert); - if (!tree_link_nodes(curr, cache)) + if (!tree_link_nodes(curr, cache, tree)) return X509_PCY_TREE_INTERNAL; if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY) diff --git a/crypto/openssl/doc/fingerprints.txt b/crypto/openssl/doc/fingerprints.txt index 3604fbdc658c..0655df2fd76a 100644 --- a/crypto/openssl/doc/fingerprints.txt +++ b/crypto/openssl/doc/fingerprints.txt @@ -12,6 +12,11 @@ in the file named openssl-1.0.1h.tar.gz.asc. The following is the list of fingerprints for the keys that are currently in use to sign OpenSSL distributions: +pub rsa4096 2014-10-04 + Key fingerprint = EFC0 A467 D613 CB83 C7ED 6D30 D894 E2CE 8B3D 79F5 +uid OpenSSL OMC <openssl-omc@openssl.org> +uid OpenSSL Security <openssl-security@openssl.org> + pub 4096R/7DF9EE8C 2014-10-04 Key fingerprint = 7953 AC1F BC3D C8B3 B292 393E D5E9 E43F 7DF9 EE8C uid Richard Levitte <richard@opensslfoundation.com> diff --git a/crypto/openssl/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/crypto/openssl/doc/man3/X509_VERIFY_PARAM_set_flags.pod index f6f304bf7bd0..6c79b4296823 100644 --- a/crypto/openssl/doc/man3/X509_VERIFY_PARAM_set_flags.pod +++ b/crypto/openssl/doc/man3/X509_VERIFY_PARAM_set_flags.pod @@ -92,8 +92,9 @@ B<trust>. X509_VERIFY_PARAM_set_time() sets the verification time in B<param> to B<t>. Normally the current time is used. -X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled -by default) and adds B<policy> to the acceptable policy set. +X509_VERIFY_PARAM_add0_policy() adds B<policy> to the acceptable policy set. +Contrary to preexisting documentation of this function it does not enable +policy checking. X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled by default) and sets the acceptable policy set to B<policies>. Any existing @@ -377,9 +378,13 @@ and has no effect. The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i. +The function X509_VERIFY_PARAM_add0_policy() was historically documented as +enabling policy checking however the implementation has never done this. +The documentation was changed to align with the implementation. + =head1 COPYRIGHT -Copyright 2009-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2009-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/crypto/openssl/engines/e_padlock.c b/crypto/openssl/engines/e_padlock.c index a82c07e81373..80756e82be82 100644 --- a/crypto/openssl/engines/e_padlock.c +++ b/crypto/openssl/engines/e_padlock.c @@ -1,5 +1,5 @@ /* - * Copyright 2004-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -144,6 +144,19 @@ static int padlock_init(ENGINE *e) return (padlock_use_rng || padlock_use_ace); } +# ifndef AES_ASM +static int padlock_aes_set_encrypt_key(const unsigned char *userKey, + const int bits, + AES_KEY *key); +static int padlock_aes_set_decrypt_key(const unsigned char *userKey, + const int bits, + AES_KEY *key); +# define AES_ASM +# define AES_set_encrypt_key padlock_aes_set_encrypt_key +# define AES_set_decrypt_key padlock_aes_set_decrypt_key +# include "../crypto/aes/aes_core.c" +# endif + /* * This stuff is needed if this ENGINE is being compiled into a * self-contained shared-library. @@ -639,12 +652,10 @@ padlock_aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, AES_set_decrypt_key(key, key_len, &cdata->ks); else AES_set_encrypt_key(key, key_len, &cdata->ks); -# ifndef AES_ASM /* * OpenSSL C functions use byte-swapped extended key. */ padlock_key_bswap(&cdata->ks); -# endif cdata->cword.b.keygen = 1; break; diff --git a/crypto/openssl/include/crypto/bn.h b/crypto/openssl/include/crypto/bn.h index 9f866ed71abf..250914c46a28 100644 --- a/crypto/openssl/include/crypto/bn.h +++ b/crypto/openssl/include/crypto/bn.h @@ -86,10 +86,5 @@ int bn_lshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n); int bn_rshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n); int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d, BN_CTX *ctx); -int ossl_bn_rsa_do_unblind(const BIGNUM *intermediate, - const BN_BLINDING *blinding, - const BIGNUM *possible_arg2, - const BIGNUM *to_mod, BN_CTX *ctx, - unsigned char *buf, int num); #endif diff --git a/crypto/openssl/include/openssl/opensslv.h b/crypto/openssl/include/openssl/opensslv.h index 6d65f72d9b85..027de5fa9490 100644 --- a/crypto/openssl/include/openssl/opensslv.h +++ b/crypto/openssl/include/openssl/opensslv.h @@ -1,5 +1,5 @@ /* - * Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -39,8 +39,8 @@ extern "C" { * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -# define OPENSSL_VERSION_NUMBER 0x1010114fL -# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1t-freebsd 7 Feb 2023" +# define OPENSSL_VERSION_NUMBER 0x1010115fL +# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1u-freebsd 30 May 2023" /*- * The macros below are to be used for shared library (.so, .dll, ...) |