authordoug <>2015-07-19 22:34:27 +0000
committerdoug <>2015-07-19 22:34:27 +0000
commit4f92bf3803a057f24c8fda4c2ce12e559c845602 (patch)
tree5d81c4075008ce8aa7366b738750cfc75eda9286
parente1b84c43076222a250e436e71045972c584515ce (diff)
Remove OpenSSL engine RSAX.
OpenSSL stopped building it last year and removed it this year. Based on OpenSSL commit c436e05bdc7f49985a750df64122c960240b3ae1. Also cranked major version in libcrypto, libssl and libtls. "fine with me" bcook@ miod@
-rw-r--r--src/lib/libcrypto/crypto/Makefile3
-rw-r--r--src/lib/libcrypto/crypto/shlib_version2
-rw-r--r--src/lib/libcrypto/engine/eng_all.c5
-rw-r--r--src/lib/libcrypto/engine/eng_rsax.c695
-rw-r--r--src/lib/libcrypto/engine/engine.h3
-rw-r--r--src/lib/libcrypto/opensslfeatures.h1
-rw-r--r--src/lib/libcrypto/shlib_version2
-rw-r--r--src/lib/libssl/shlib_version2
-rw-r--r--src/lib/libssl/src/crypto/engine/eng_all.c5
-rw-r--r--src/lib/libssl/src/crypto/engine/eng_rsax.c695
-rw-r--r--src/lib/libssl/src/crypto/engine/engine.h3
-rw-r--r--src/lib/libssl/src/crypto/opensslfeatures.h1
-rw-r--r--src/lib/libssl/ssl/shlib_version2
-rw-r--r--src/lib/libtls/shlib_version2
14 files changed, 12 insertions, 1409 deletions
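--- a/src/lib/libcrypto/crypto/Makefile
+++ b/src/lib/libcrypto/crypto/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.59 2015/06/27 22:42:02 doug Exp $
+# $OpenBSD: Makefile,v 1.60 2015/07/19 22:34:27 doug Exp $
 
 LIB= crypto
 
@@ -133,7 +133,6 @@ SRCS+= eng_table.c eng_pkey.c eng_fat.c eng_all.c
 SRCS+= tb_rsa.c tb_dsa.c tb_ecdsa.c tb_dh.c tb_ecdh.c tb_rand.c tb_store.c
 SRCS+= tb_cipher.c tb_digest.c tb_pkmeth.c tb_asnmth.c
 SRCS+= eng_openssl.c eng_cnf.c eng_dyn.c
-SRCS+= eng_rsax.c
 # XXX unnecessary? handled in EVP now...
 # SRCS+= eng_aesni.c # local addition
 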
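--- a/src/lib/libcrypto/crypto/shlib_version
+++ b/src/lib/libcrypto/crypto/shlib_version
@@ -1,3 +1,3 @@
 # Don't forget to give libssl and libtls the same type of bump!
-major=34
+major=35
 minor=0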
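--- a/src/lib/libcrypto/engine/eng_all.c
+++ b/src/lib/libcrypto/engine/eng_all.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: eng_all.c,v 1.28 2015/06/19 06:05:11 bcook Exp $ */
+/* $OpenBSD: eng_all.c,v 1.29 2015/07/19 22:34:27 doug Exp $ */
 /* Written by Richard Levitte <richard@levitte.org> for the OpenSSL
  * project 2000.
  */
@@ -67,9 +67,6 @@ ENGINE_load_builtin_engines(void)
  /* Some ENGINEs need this */
  OPENSSL_cpuid_setup();
 
-#ifndef OPENSSL_NO_RSAX
- ENGINE_load_rsax();
-#endif
 #ifndef OPENSSL_NO_STATIC_ENGINE
 #ifndef OPENSSL_NO_HW
 #ifndef OPENSSL_NO_HW_PADLOCK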
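--- a/src/lib/libcrypto/engine/eng_rsax.c
+++ /dev/null
@@ -1,695 +0,0 @@
-/* $OpenBSD: eng_rsax.c,v 1.13 2015/02/09 15:49:22 jsing Exp $ */
-/* Copyright (c) 2010-2010 Intel Corp.
- * Author: Vinodh.Gopal@intel.com
- * Jim Guilford
- * Erdinc.Ozturk@intel.com
- * Maxim.Perminov@intel.com
- * Ying.Huang@intel.com
- *
- * More information about algorithm used can be found at:
- * http://www.cse.buffalo.edu/srds2009/escs2009_submission_Gopal.pdf
- */
-/* ====================================================================
- * Copyright (c) 1999-2001 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- */
-
-#include <openssl/opensslconf.h>
-
-#include <stdio.h>
-#include <string.h>
-
-#include <openssl/crypto.h>
-#include <openssl/buffer.h>
-#include <openssl/engine.h>
-#ifndef OPENSSL_NO_RSA
-#include <openssl/rsa.h>
-#endif
-#include <openssl/bn.h>
-#include <openssl/err.h>
-
-/* RSAX is available **ONLY* on x86_64 CPUs */
-#undef COMPILE_RSAX
-
-#if !defined(OPENSSL_NO_ASM) && defined(RSA_ASM) && \
- (defined(__x86_64) || defined(__x86_64__) || \
- defined(_M_AMD64) || defined (_M_X64))
-#define COMPILE_RSAX
-static ENGINE *ENGINE_rsax (void);
-#endif
-
-void ENGINE_load_rsax (void)
-{
-/* On non-x86 CPUs it just returns. */
-#ifdef COMPILE_RSAX
- ENGINE *toadd = ENGINE_rsax();
- if (!toadd)
- return;
- ENGINE_add(toadd);
- ENGINE_free(toadd);
- ERR_clear_error();
-#endif
-}
-
-#ifdef COMPILE_RSAX
-#define E_RSAX_LIB_NAME "rsax engine"
-
-static int e_rsax_destroy(ENGINE *e);
-static int e_rsax_init(ENGINE *e);
-static int e_rsax_finish(ENGINE *e);
-static int e_rsax_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void));
-
-#ifndef OPENSSL_NO_RSA
-/* RSA stuff */
-static int e_rsax_rsa_mod_exp(BIGNUM *r, const BIGNUM *I, RSA *rsa,
- BN_CTX *ctx);
-static int e_rsax_rsa_finish(RSA *r);
-#endif
-
-static const ENGINE_CMD_DEFN e_rsax_cmd_defns[] = {
- {0, NULL, NULL, 0}
-};
-
-#ifndef OPENSSL_NO_RSA
-/* Our internal RSA_METHOD that we provide pointers to */
-static RSA_METHOD e_rsax_rsa = {
- .name = "Intel RSA-X method",
- .rsa_mod_exp = e_rsax_rsa_mod_exp,
- .finish = e_rsax_rsa_finish,
- .flags = RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE,
-};
-#endif
-
-/* Constants used when creating the ENGINE */
-static const char *engine_e_rsax_id = "rsax";
-static const char *engine_e_rsax_name = "RSAX engine support";
-
-/* This internal function is used by ENGINE_rsax() */
-static int
-bind_helper(ENGINE *e)
-{
-#ifndef OPENSSL_NO_RSA
- const RSA_METHOD *meth1;
-#endif
- if (!ENGINE_set_id(e, engine_e_rsax_id) ||
- !ENGINE_set_name(e, engine_e_rsax_name) ||
-#ifndef OPENSSL_NO_RSA
- !ENGINE_set_RSA(e, &e_rsax_rsa) ||
-#endif
- !ENGINE_set_destroy_function(e, e_rsax_destroy) ||
- !ENGINE_set_init_function(e, e_rsax_init) ||
- !ENGINE_set_finish_function(e, e_rsax_finish) ||
- !ENGINE_set_ctrl_function(e, e_rsax_ctrl) ||
- !ENGINE_set_cmd_defns(e, e_rsax_cmd_defns))
- return 0;
-
-#ifndef OPENSSL_NO_RSA
- meth1 = RSA_PKCS1_SSLeay();
- e_rsax_rsa.rsa_pub_enc = meth1->rsa_pub_enc;
- e_rsax_rsa.rsa_pub_dec = meth1->rsa_pub_dec;
- e_rsax_rsa.rsa_priv_enc = meth1->rsa_priv_enc;
- e_rsax_rsa.rsa_priv_dec = meth1->rsa_priv_dec;
- e_rsax_rsa.bn_mod_exp = meth1->bn_mod_exp;
-#endif
- return 1;
-}
-
-static ENGINE *
-ENGINE_rsax(void)
-{
- ENGINE *ret = ENGINE_new();
-
- if (!ret)
- return NULL;
- if (!bind_helper(ret)) {
- ENGINE_free(ret);
- return NULL;
- }
- return ret;
-}
-
-#ifndef OPENSSL_NO_RSA
-/* Used to attach our own key-data to an RSA structure */
-static int rsax_ex_data_idx = -1;
-#endif
-
-static int
-e_rsax_destroy(ENGINE *e)
-{
- return 1;
-}
-
-/* (de)initialisation functions. */
-static int
-e_rsax_init(ENGINE *e)
-{
-#ifndef OPENSSL_NO_RSA
- if (rsax_ex_data_idx == -1)
- rsax_ex_data_idx = RSA_get_ex_new_index(0, NULL, NULL,
- NULL, NULL);
-#endif
- if (rsax_ex_data_idx == -1)
- return 0;
- return 1;
-}
-
-static int
-e_rsax_finish(ENGINE *e)
-{
- return 1;
-}
-
-static int
-e_rsax_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void))
-{
- int to_return = 1;
-
- switch (cmd) {
- /* The command isn't understood by this engine */
- default:
- to_return = 0;
- break;
- }
-
- return to_return;
-}
-
-
-#ifndef OPENSSL_NO_RSA
-
-typedef unsigned long long UINT64;
-typedef unsigned short UINT16;
-
-/* Table t is interleaved in the following manner:
- * The order in memory is t[0][0], t[0][1], ..., t[0][7], t[1][0], ...
- * A particular 512-bit value is stored in t[][index] rather than the more
- * normal t[index][]; i.e. the qwords of a particular entry in t are not
- * adjacent in memory
- */
-
-/* Init BIGNUM b from the interleaved UINT64 array */
-static int interleaved_array_to_bn_512(BIGNUM* b, UINT64 *array);
-
-/* Extract array elements from BIGNUM b
- * To set the whole array from b, call with n=8
- */
-static int bn_extract_to_array_512(const BIGNUM* b, unsigned int n,
- UINT64 *array);
-
-struct mod_ctx_512 {
- UINT64 t[8][8];
- UINT64 m[8];
- UINT64 m1[8]; /* 2^278 % m */
- UINT64 m2[8]; /* 2^640 % m */
- UINT64 k1[2]; /* (- 1/m) % 2^128 */
-};
-
-static int mod_exp_pre_compute_data_512(UINT64 *m, struct mod_ctx_512 *data);
-
-void mod_exp_512(UINT64 *result, /* 512 bits, 8 qwords */
-UINT64 *g, /* 512 bits, 8 qwords */
-UINT64 *exp, /* 512 bits, 8 qwords */
-struct mod_ctx_512 *data);
-
-typedef struct st_e_rsax_mod_ctx {
- UINT64 type;
- union {
- struct mod_ctx_512 b512;
- } ctx;
-} E_RSAX_MOD_CTX;
-
-static E_RSAX_MOD_CTX *
-e_rsax_get_ctx(RSA *rsa, int idx, BIGNUM* m)
-{
- E_RSAX_MOD_CTX *hptr;
-
- if (idx < 0 || idx > 2)
- return NULL;
-
- hptr = RSA_get_ex_data(rsa, rsax_ex_data_idx);
- if (!hptr) {
- hptr = reallocarray(NULL, 3, sizeof(E_RSAX_MOD_CTX));
- if (!hptr)
- return NULL;
- hptr[2].type = hptr[1].type = hptr[0].type = 0;
- RSA_set_ex_data(rsa, rsax_ex_data_idx, hptr);
- }
-
- if (hptr[idx].type == (UINT64)BN_num_bits(m))
- return hptr + idx;
-
- if (BN_num_bits(m) == 512) {
- UINT64 _m[8];
- bn_extract_to_array_512(m, 8, _m);
- memset( &hptr[idx].ctx.b512, 0, sizeof(struct mod_ctx_512));
- mod_exp_pre_compute_data_512(_m, &hptr[idx].ctx.b512);
- }
-
- hptr[idx].type = BN_num_bits(m);
- return hptr + idx;
-}
-
-static int
-e_rsax_rsa_finish(RSA *rsa)
-{
- E_RSAX_MOD_CTX *hptr = RSA_get_ex_data(rsa, rsax_ex_data_idx);
-
- if (hptr) {
- free(hptr);
- RSA_set_ex_data(rsa, rsax_ex_data_idx, NULL);
- }
- BN_MONT_CTX_free(rsa->_method_mod_n);
- BN_MONT_CTX_free(rsa->_method_mod_p);
- BN_MONT_CTX_free(rsa->_method_mod_q);
- return 1;
-}
-
-static int
-e_rsax_bn_mod_exp(BIGNUM *r, const BIGNUM *g, const BIGNUM *e, const BIGNUM *m,
- BN_CTX *ctx, BN_MONT_CTX *in_mont, E_RSAX_MOD_CTX* rsax_mod_ctx)
-{
- if (rsax_mod_ctx && BN_get_flags(e, BN_FLG_CONSTTIME) != 0) {
- if (BN_num_bits(m) == 512) {
- UINT64 _r[8];
- UINT64 _g[8];
- UINT64 _e[8];
-
- /* Init the arrays from the BIGNUMs */
- bn_extract_to_array_512(g, 8, _g);
- bn_extract_to_array_512(e, 8, _e);
-
- mod_exp_512(_r, _g, _e, &rsax_mod_ctx->ctx.b512);
- /* Return the result in the BIGNUM */
- interleaved_array_to_bn_512(r, _r);
- return 1;
- }
- }
-
- return BN_mod_exp_mont(r, g, e, m, ctx, in_mont);
-}
-
-/* Declares for the Intel CIAP 512-bit / CRT / 1024 bit RSA modular
- * exponentiation routine precalculations and a structure to hold the
- * necessary values. These files are meant to live in crypto/rsa/ in
- * the target openssl.
- */
-
-/*
- * Local method: extracts a piece from a BIGNUM, to fit it into
- * an array. Call with n=8 to extract an entire 512-bit BIGNUM
- */
-static int
-bn_extract_to_array_512(const BIGNUM* b, unsigned int n, UINT64 *array)
-{
- int i;
- UINT64 tmp;
- unsigned char bn_buff[64];
-
- memset(bn_buff, 0, 64);
- if (BN_num_bytes(b) > 64) {
- printf ("Can't support this byte size\n");
- return 0;
- }
- if (BN_num_bytes(b) != 0) {
- if (!BN_bn2bin(b, bn_buff + (64 - BN_num_bytes(b)))) {
- printf ("Error's in bn2bin\n");
- /* We have to error, here */
- return 0;
- }
- }
- while (n-- > 0) {
- array[n] = 0;
- for (i = 7; i >= 0; i--) {
- tmp = bn_buff[63 - (n*8 + i)];
- array[n] |= tmp << (8*i);
- }
- }
- return 1;
-}
-
-/* Init a 512-bit BIGNUM from the UINT64*_ (8 * 64) interleaved array */
-static int
-interleaved_array_to_bn_512(BIGNUM* b, UINT64 *array)
-{
- unsigned char tmp[64];
- int n = 8;
- int i;
-
- while (n-- > 0) {
- for (i = 7; i >= 0; i--) {
- tmp[63 - (n * 8 + i)] =
- (unsigned char)(array[n] >> (8 * i));
- }
- }
- BN_bin2bn(tmp, 64, b);
- return 0;
-}
-
-/* The main 512bit precompute call */
-static int
-mod_exp_pre_compute_data_512(UINT64 *m, struct mod_ctx_512 *data)
-{
- BIGNUM two_768, two_640, two_128, two_512, tmp, _m, tmp2;
-
- /* We need a BN_CTX for the modulo functions */
- BN_CTX* ctx;
- /* Some tmps */
- UINT64 _t[8];
- int i, j, ret = 0;
-
- /* Init _m with m */
- BN_init(&_m);
- interleaved_array_to_bn_512(&_m, m);
- memset(_t, 0, 64);
-
- /* Inits */
- BN_init(&two_768);
- BN_init(&two_640);
- BN_init(&two_128);
- BN_init(&two_512);
- BN_init(&tmp);
- BN_init(&tmp2);
-
- /* Create our context */
- if ((ctx = BN_CTX_new()) == NULL) {
- goto err;
- }
- BN_CTX_start(ctx);
-
- /*
- * For production, if you care, these only need to be set once,
- * and may be made constants.
- */
- BN_lshift(&two_768, BN_value_one(), 768);
- BN_lshift(&two_640, BN_value_one(), 640);
- BN_lshift(&two_128, BN_value_one(), 128);
- BN_lshift(&two_512, BN_value_one(), 512);
-
- if (0 == (m[7] & 0x8000000000000000)) {
- exit(1);
- }
- if (0 == (m[0] & 0x1)) {
- /* Odd modulus required for Mont */
- exit(1);
- }
-
- /* Precompute m1 */
- BN_mod(&tmp, &two_768, &_m, ctx);
- if (!bn_extract_to_array_512(&tmp, 8, &data->m1[0])) {
- goto err;
- }
-
- /* Precompute m2 */
- BN_mod(&tmp, &two_640, &_m, ctx);
- if (!bn_extract_to_array_512(&tmp, 8, &data->m2[0])) {
- goto err;
- }
-
- /*
- * Precompute k1, a 128b number = ((-1)* m-1 ) mod 2128; k1 should
- * be non-negative.
- */
- BN_mod_inverse(&tmp, &_m, &two_128, ctx);
- if (!BN_is_zero(&tmp)) {
- BN_sub(&tmp, &two_128, &tmp);
- }
- if (!bn_extract_to_array_512(&tmp, 2, &data->k1[0])) {
- goto err;
- }
-
- /* Precompute t */
- for (i = 0; i < 8; i++) {
- BN_zero(&tmp);
- if (i & 1) {
- BN_add(&tmp, &two_512, &tmp);
- }
- if (i & 2) {
- BN_add(&tmp, &two_512, &tmp);
- }
- if (i & 4) {
- BN_add(&tmp, &two_640, &tmp);
- }
-
- BN_nnmod(&tmp2, &tmp, &_m, ctx);
- if (!bn_extract_to_array_512(&tmp2, 8, _t)) {
- goto err;
- }
- for (j = 0; j < 8; j++)
- data->t[j][i] = _t[j];
- }
-
- /* Precompute m */
- for (i = 0; i < 8; i++) {
- data->m[i] = m[i];
- }
-
- ret = 1;
-
-err:
- /* Cleanup */
- if (ctx != NULL) {
- BN_CTX_end(ctx);
- BN_CTX_free(ctx);
- }
- BN_free(&two_768);
- BN_free(&two_640);
- BN_free(&two_128);
- BN_free(&two_512);
- BN_free(&tmp);
- BN_free(&tmp2);
- BN_free(&_m);
-
- return ret;
-}
-
-static int
-e_rsax_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
-{
- BIGNUM *r1, *m1, *vrfy;
- BIGNUM local_dmp1, local_dmq1, local_c, local_r1;
- BIGNUM *dmp1, *dmq1, *c, *pr1;
- int ret = 0;
-
- BN_CTX_start(ctx);
- if ((r1 = BN_CTX_get(ctx)) == NULL)
- goto err;
- if ((m1 = BN_CTX_get(ctx)) == NULL)
- goto err;
- if ((vrfy = BN_CTX_get(ctx)) == NULL)
- goto err;
-
- {
- BIGNUM local_p, local_q;
- BIGNUM *p = NULL, *q = NULL;
- int error = 0;
-
- /* Make sure BN_mod_inverse in Montgomery
- * intialization uses the BN_FLG_CONSTTIME flag
- * (unless RSA_FLAG_NO_CONSTTIME is set)
- */
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- BN_init(&local_p);
- p = &local_p;
- BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
-
- BN_init(&local_q);
- q = &local_q;
- BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
- } else {
- p = rsa->p;
- q = rsa->q;
- }
-
- if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) {
- if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p,
- CRYPTO_LOCK_RSA, p, ctx))
- error = 1;
- if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q,
- CRYPTO_LOCK_RSA, q, ctx))
- error = 1;
- }
-
- /* clean up */
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- BN_free(&local_p);
- BN_free(&local_q);
- }
- if (error )
- goto err;
- }
-
- if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
- if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
- CRYPTO_LOCK_RSA, rsa->n, ctx))
- goto err;
-
- /* compute I mod q */
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- c = &local_c;
- BN_with_flags(c, I, BN_FLG_CONSTTIME);
- if (!BN_mod(r1, c, rsa->q, ctx))
- goto err;
- } else {
- if (!BN_mod(r1, I, rsa->q, ctx))
- goto err;
- }
-
- /* compute r1^dmq1 mod q */
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- dmq1 = &local_dmq1;
- BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
- } else
- dmq1 = rsa->dmq1;
-
- if (!e_rsax_bn_mod_exp(m1, r1, dmq1, rsa->q, ctx, rsa->_method_mod_q,
- e_rsax_get_ctx(rsa, 0, rsa->q)))
- goto err;
-
- /* compute I mod p */
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- c = &local_c;
- BN_with_flags(c, I, BN_FLG_CONSTTIME);
- if (!BN_mod(r1, c, rsa->p, ctx))
- goto err;
- } else {
- if (!BN_mod(r1, I, rsa->p, ctx))
- goto err;
- }
-
- /* compute r1^dmp1 mod p */
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- dmp1 = &local_dmp1;
- BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
- } else
- dmp1 = rsa->dmp1;
-
- if (!e_rsax_bn_mod_exp(r0, r1, dmp1, rsa->p, ctx, rsa->_method_mod_p,
- e_rsax_get_ctx(rsa, 1, rsa->p)))
- goto err;
-
- if (!BN_sub(r0, r0, m1))
- goto err;
- /* This will help stop the size of r0 increasing, which does
- * affect the multiply if it optimised for a power of 2 size */
- if (BN_is_negative(r0))
- if (!BN_add(r0, r0, rsa->p))
- goto err;
-
- if (!BN_mul(r1, r0, rsa->iqmp, ctx))
- goto err;
-
- /* Turn BN_FLG_CONSTTIME flag on before division operation */
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- pr1 = &local_r1;
- BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
- } else
- pr1 = r1;
- if (!BN_mod(r0, pr1, rsa->p, ctx))
- goto err;
-
- /* If p < q it is occasionally possible for the correction of
- * adding 'p' if r0 is negative above to leave the result still
- * negative. This can break the private key operations: the following
- * second correction should *always* correct this rare occurrence.
- * This will *never* happen with OpenSSL generated keys because
- * they ensure p > q [steve]
- */
- if (BN_is_negative(r0))
- if (!BN_add(r0, r0, rsa->p))
- goto err;
- if (!BN_mul(r1, r0, rsa->q, ctx))
- goto err;
- if (!BN_add(r0, r1, m1))
- goto err;
-
- if (rsa->e && rsa->n) {
- if (!e_rsax_bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx,
- rsa->_method_mod_n, e_rsax_get_ctx(rsa, 2, rsa->n)))
- goto err;
-
- /* If 'I' was greater than (or equal to) rsa->n, the operation
- * will be equivalent to using 'I mod n'. However, the result of
- * the verify will *always* be less than 'n' so we don't check
- * for absolute equality, just congruency. */
- if (!BN_sub(vrfy, vrfy, I))
- goto err;
- if (!BN_mod(vrfy, vrfy, rsa->n, ctx))
- goto err;
- if (BN_is_negative(vrfy))
- if (!BN_add(vrfy, vrfy, rsa->n))
- goto err;
- if (!BN_is_zero(vrfy)) {
- /* 'I' and 'vrfy' aren't congruent mod n. Don't leak
- * miscalculated CRT output, just do a raw (slower)
- * mod_exp and return that instead. */
-
- BIGNUM local_d;
- BIGNUM *d = NULL;
-
- if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
- d = &local_d;
- BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
- } else
- d = rsa->d;
- if (!e_rsax_bn_mod_exp(r0, I,d, rsa->n, ctx,
- rsa->_method_mod_n, e_rsax_get_ctx(rsa, 2, rsa->n)))
- goto err;
- }
- }
- ret = 1;
-
-err:
- BN_CTX_end(ctx);
-
- return ret;
-}
-#endif /* !OPENSSL_NO_RSA */
-#endif /* !COMPILE_RSAX */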
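--- a/src/lib/libcrypto/engine/engine.h
+++ b/src/lib/libcrypto/engine/engine.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: engine.h,v 1.30 2014/10/18 17:20:40 jsing Exp $ */
+/* $OpenBSD: engine.h,v 1.31 2015/07/19 22:34:27 doug Exp $ */
 /* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
  * project 2000.
  */
@@ -322,7 +322,6 @@ void ENGINE_load_dynamic(void);
 #ifndef OPENSSL_NO_STATIC_ENGINE
 void ENGINE_load_padlock(void);
 #endif
-void ENGINE_load_rsax(void);
 void ENGINE_load_builtin_engines(void);
 
 /* Get and set global flags (ENGINE_TABLE_FLAG_***) for the implementation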
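--- a/src/lib/libcrypto/opensslfeatures.h
+++ b/src/lib/libcrypto/opensslfeatures.h
@@ -10,6 +10,7 @@
 # define OPENSSL_NO_PSK
 # define OPENSSL_NO_RC5
 # define OPENSSL_NO_RFC3779
+# define OPENSSL_NO_RSAX
 # define OPENSSL_NO_SCTP
 # define OPENSSL_NO_SEED
 # define OPENSSL_NO_SRP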
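Review bot: The new `# define OPENSSL_NO_RSAX` keeps a feature macro alive for an engine this commit deletes, and nothing beside it records why; the only `#ifndef OPENSSL_NO_RSAX` guard visible in this commit (the `ENGINE_load_rsax()` call in eng_all.c) is removed in the same change. Presumably the define is retained so that external code still keyed on that macro compiles its call out instead of referencing the now-removed `ENGINE_load_rsax` symbol, which is worth stating so a later tidy-up does not drop the line. A one-line comment above the define would do, e.g. `/* RSAX engine removed; kept so external #ifndef OPENSSL_NO_RSAX guards compile out */`. The surrounding list is alphabetical and the insertion point preserves that.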
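--- a/src/lib/libcrypto/shlib_version
+++ b/src/lib/libcrypto/shlib_version
@@ -1,3 +1,3 @@
 # Don't forget to give libssl and libtls the same type of bump!
-major=34
+major=35
 minor=0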
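--- a/src/lib/libssl/shlib_version
+++ b/src/lib/libssl/shlib_version
@@ -1,3 +1,3 @@
 # Don't forget to give libtls the same type of bump!
-major=34
+major=35
 minor=0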
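--- a/src/lib/libssl/src/crypto/engine/eng_all.c
+++ b/src/lib/libssl/src/crypto/engine/eng_all.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: eng_all.c,v 1.28 2015/06/19 06:05:11 bcook Exp $ */
+/* $OpenBSD: eng_all.c,v 1.29 2015/07/19 22:34:27 doug Exp $ */
 /* Written by Richard Levitte <richard@levitte.org> for the OpenSSL
  * project 2000.
  */
@@ -67,9 +67,6 @@ ENGINE_load_builtin_engines(void)
  /* Some ENGINEs need this */
  OPENSSL_cpuid_setup();
 
-#ifndef OPENSSL_NO_RSAX
- ENGINE_load_rsax();
-#endif
 #ifndef OPENSSL_NO_STATIC_ENGINE
 #ifndef OPENSSL_NO_HW
 #ifndef OPENSSL_NO_HW_PADLOCK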
diff --git a/src/lib/libssl/src/crypto/engine/eng_rsax.c b/src/lib/libssl/src/crypto/engine/eng_rsax.c
deleted file mode 100644
index 784b74a22f..0000000000
--- a/src/lib/libssl/src/crypto/engine/eng_rsax.c
+++ /dev/null
@@ -1,695 +0,0 @@
1/* $OpenBSD: eng_rsax.c,v 1.13 2015/02/09 15:49:22 jsing Exp $ */
2/* Copyright (c) 2010-2010 Intel Corp.
3 * Author: Vinodh.Gopal@intel.com
4 * Jim Guilford
5 * Erdinc.Ozturk@intel.com
6 * Maxim.Perminov@intel.com
7 * Ying.Huang@intel.com
8 *
9 * More information about algorithm used can be found at:
10 * http://www.cse.buffalo.edu/srds2009/escs2009_submission_Gopal.pdf
11 */
12/* ====================================================================
13 * Copyright (c) 1999-2001 The OpenSSL Project. All rights reserved.
14 *
15 * Redistribution and use in source and binary forms, with or without
16 * modification, are permitted provided that the following conditions
17 * are met:
18 *
19 * 1. Redistributions of source code must retain the above copyright
20 * notice, this list of conditions and the following disclaimer.
21 *
22 * 2. Redistributions in binary form must reproduce the above copyright
23 * notice, this list of conditions and the following disclaimer in
24 * the documentation and/or other materials provided with the
25 * distribution.
26 *
27 * 3. All advertising materials mentioning features or use of this
28 * software must display the following acknowledgment:
29 * "This product includes software developed by the OpenSSL Project
30 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
31 *
32 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
33 * endorse or promote products derived from this software without
34 * prior written permission. For written permission, please contact
35 * licensing@OpenSSL.org.
36 *
37 * 5. Products derived from this software may not be called "OpenSSL"
38 * nor may "OpenSSL" appear in their names without prior written
39 * permission of the OpenSSL Project.
40 *
41 * 6. Redistributions of any form whatsoever must retain the following
42 * acknowledgment:
43 * "This product includes software developed by the OpenSSL Project
44 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
45 *
46 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
47 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
48 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
49 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
50 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
51 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
52 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
53 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
54 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
55 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
56 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
57 * OF THE POSSIBILITY OF SUCH DAMAGE.
58 * ====================================================================
59 *
60 * This product includes cryptographic software written by Eric Young
61 * (eay@cryptsoft.com). This product includes software written by Tim
62 * Hudson (tjh@cryptsoft.com).
63 */
64
65#include <openssl/opensslconf.h>
66
67#include <stdio.h>
68#include <string.h>
69
70#include <openssl/crypto.h>
71#include <openssl/buffer.h>
72#include <openssl/engine.h>
73#ifndef OPENSSL_NO_RSA
74#include <openssl/rsa.h>
75#endif
76#include <openssl/bn.h>
77#include <openssl/err.h>
78
79/* RSAX is available **ONLY* on x86_64 CPUs */
80#undef COMPILE_RSAX
81
82#if !defined(OPENSSL_NO_ASM) && defined(RSA_ASM) && \
83 (defined(__x86_64) || defined(__x86_64__) || \
84 defined(_M_AMD64) || defined (_M_X64))
85#define COMPILE_RSAX
86static ENGINE *ENGINE_rsax (void);
87#endif
88
89void ENGINE_load_rsax (void)
90{
91/* On non-x86 CPUs it just returns. */
92#ifdef COMPILE_RSAX
93 ENGINE *toadd = ENGINE_rsax();
94 if (!toadd)
95 return;
96 ENGINE_add(toadd);
97 ENGINE_free(toadd);
98 ERR_clear_error();
99#endif
100}
101
102#ifdef COMPILE_RSAX
103#define E_RSAX_LIB_NAME "rsax engine"
104
105static int e_rsax_destroy(ENGINE *e);
106static int e_rsax_init(ENGINE *e);
107static int e_rsax_finish(ENGINE *e);
108static int e_rsax_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void));
109
110#ifndef OPENSSL_NO_RSA
111/* RSA stuff */
112static int e_rsax_rsa_mod_exp(BIGNUM *r, const BIGNUM *I, RSA *rsa,
113 BN_CTX *ctx);
114static int e_rsax_rsa_finish(RSA *r);
115#endif
116
117static const ENGINE_CMD_DEFN e_rsax_cmd_defns[] = {
118 {0, NULL, NULL, 0}
119};
120
121#ifndef OPENSSL_NO_RSA
122/* Our internal RSA_METHOD that we provide pointers to */
123static RSA_METHOD e_rsax_rsa = {
124 .name = "Intel RSA-X method",
125 .rsa_mod_exp = e_rsax_rsa_mod_exp,
126 .finish = e_rsax_rsa_finish,
127 .flags = RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE,
128};
129#endif
130
131/* Constants used when creating the ENGINE */
132static const char *engine_e_rsax_id = "rsax";
133static const char *engine_e_rsax_name = "RSAX engine support";
134
135/* This internal function is used by ENGINE_rsax() */
136static int
137bind_helper(ENGINE *e)
138{
139#ifndef OPENSSL_NO_RSA
140 const RSA_METHOD *meth1;
141#endif
142 if (!ENGINE_set_id(e, engine_e_rsax_id) ||
143 !ENGINE_set_name(e, engine_e_rsax_name) ||
144#ifndef OPENSSL_NO_RSA
145 !ENGINE_set_RSA(e, &e_rsax_rsa) ||
146#endif
147 !ENGINE_set_destroy_function(e, e_rsax_destroy) ||
148 !ENGINE_set_init_function(e, e_rsax_init) ||
149 !ENGINE_set_finish_function(e, e_rsax_finish) ||
150 !ENGINE_set_ctrl_function(e, e_rsax_ctrl) ||
151 !ENGINE_set_cmd_defns(e, e_rsax_cmd_defns))
152 return 0;
153
154#ifndef OPENSSL_NO_RSA
155 meth1 = RSA_PKCS1_SSLeay();
156 e_rsax_rsa.rsa_pub_enc = meth1->rsa_pub_enc;
157 e_rsax_rsa.rsa_pub_dec = meth1->rsa_pub_dec;
158 e_rsax_rsa.rsa_priv_enc = meth1->rsa_priv_enc;
159 e_rsax_rsa.rsa_priv_dec = meth1->rsa_priv_dec;
160 e_rsax_rsa.bn_mod_exp = meth1->bn_mod_exp;
161#endif
162 return 1;
163}
164
165static ENGINE *
166ENGINE_rsax(void)
167{
168 ENGINE *ret = ENGINE_new();
169
170 if (!ret)
171 return NULL;
172 if (!bind_helper(ret)) {
173 ENGINE_free(ret);
174 return NULL;
175 }
176 return ret;
177}
178
179#ifndef OPENSSL_NO_RSA
180/* Used to attach our own key-data to an RSA structure */
181static int rsax_ex_data_idx = -1;
182#endif
183
184static int
185e_rsax_destroy(ENGINE *e)
186{
187 return 1;
188}
189
190/* (de)initialisation functions. */
191static int
192e_rsax_init(ENGINE *e)
193{
194#ifndef OPENSSL_NO_RSA
195 if (rsax_ex_data_idx == -1)
196 rsax_ex_data_idx = RSA_get_ex_new_index(0, NULL, NULL,
197 NULL, NULL);
198#endif
199 if (rsax_ex_data_idx == -1)
200 return 0;
201 return 1;
202}
203
204static int
205e_rsax_finish(ENGINE *e)
206{
207 return 1;
208}
209
210static int
211e_rsax_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void))
212{
213 int to_return = 1;
214
215 switch (cmd) {
216 /* The command isn't understood by this engine */
217 default:
218 to_return = 0;
219 break;
220 }
221
222 return to_return;
223}
224
225
226#ifndef OPENSSL_NO_RSA
227
228typedef unsigned long long UINT64;
229typedef unsigned short UINT16;
230
231/* Table t is interleaved in the following manner:
232 * The order in memory is t[0][0], t[0][1], ..., t[0][7], t[1][0], ...
233 * A particular 512-bit value is stored in t[][index] rather than the more
234 * normal t[index][]; i.e. the qwords of a particular entry in t are not
235 * adjacent in memory
236 */
237
238/* Init BIGNUM b from the interleaved UINT64 array */
239static int interleaved_array_to_bn_512(BIGNUM* b, UINT64 *array);
240
241/* Extract array elements from BIGNUM b
242 * To set the whole array from b, call with n=8
243 */
244static int bn_extract_to_array_512(const BIGNUM* b, unsigned int n,
245 UINT64 *array);
246
247struct mod_ctx_512 {
248 UINT64 t[8][8];
249 UINT64 m[8];
250 UINT64 m1[8]; /* 2^278 % m */
251 UINT64 m2[8]; /* 2^640 % m */
252 UINT64 k1[2]; /* (- 1/m) % 2^128 */
253};
254
255static int mod_exp_pre_compute_data_512(UINT64 *m, struct mod_ctx_512 *data);
256
257void mod_exp_512(UINT64 *result, /* 512 bits, 8 qwords */
258UINT64 *g, /* 512 bits, 8 qwords */
259UINT64 *exp, /* 512 bits, 8 qwords */
260struct mod_ctx_512 *data);
261
262typedef struct st_e_rsax_mod_ctx {
263 UINT64 type;
264 union {
265 struct mod_ctx_512 b512;
266 } ctx;
267} E_RSAX_MOD_CTX;
268
269static E_RSAX_MOD_CTX *
270e_rsax_get_ctx(RSA *rsa, int idx, BIGNUM* m)
271{
272 E_RSAX_MOD_CTX *hptr;
273
274 if (idx < 0 || idx > 2)
275 return NULL;
276
277 hptr = RSA_get_ex_data(rsa, rsax_ex_data_idx);
278 if (!hptr) {
279 hptr = reallocarray(NULL, 3, sizeof(E_RSAX_MOD_CTX));
280 if (!hptr)
281 return NULL;
282 hptr[2].type = hptr[1].type = hptr[0].type = 0;
283 RSA_set_ex_data(rsa, rsax_ex_data_idx, hptr);
284 }
285
286 if (hptr[idx].type == (UINT64)BN_num_bits(m))
287 return hptr + idx;
288
289 if (BN_num_bits(m) == 512) {
290 UINT64 _m[8];
291 bn_extract_to_array_512(m, 8, _m);
292 memset( &hptr[idx].ctx.b512, 0, sizeof(struct mod_ctx_512));
293 mod_exp_pre_compute_data_512(_m, &hptr[idx].ctx.b512);
294 }
295
296 hptr[idx].type = BN_num_bits(m);
297 return hptr + idx;
298}
299
300static int
301e_rsax_rsa_finish(RSA *rsa)
302{
303 E_RSAX_MOD_CTX *hptr = RSA_get_ex_data(rsa, rsax_ex_data_idx);
304
305 if (hptr) {
306 free(hptr);
307 RSA_set_ex_data(rsa, rsax_ex_data_idx, NULL);
308 }
309 BN_MONT_CTX_free(rsa->_method_mod_n);
310 BN_MONT_CTX_free(rsa->_method_mod_p);
311 BN_MONT_CTX_free(rsa->_method_mod_q);
312 return 1;
313}
314
315static int
316e_rsax_bn_mod_exp(BIGNUM *r, const BIGNUM *g, const BIGNUM *e, const BIGNUM *m,
317 BN_CTX *ctx, BN_MONT_CTX *in_mont, E_RSAX_MOD_CTX* rsax_mod_ctx)
318{
319 if (rsax_mod_ctx && BN_get_flags(e, BN_FLG_CONSTTIME) != 0) {
320 if (BN_num_bits(m) == 512) {
321 UINT64 _r[8];
322 UINT64 _g[8];
323 UINT64 _e[8];
324
325 /* Init the arrays from the BIGNUMs */
326 bn_extract_to_array_512(g, 8, _g);
327 bn_extract_to_array_512(e, 8, _e);
328
329 mod_exp_512(_r, _g, _e, &rsax_mod_ctx->ctx.b512);
330 /* Return the result in the BIGNUM */
331 interleaved_array_to_bn_512(r, _r);
332 return 1;
333 }
334 }
335
336 return BN_mod_exp_mont(r, g, e, m, ctx, in_mont);
337}
338
339/* Declares for the Intel CIAP 512-bit / CRT / 1024 bit RSA modular
340 * exponentiation routine precalculations and a structure to hold the
341 * necessary values. These files are meant to live in crypto/rsa/ in
342 * the target openssl.
343 */
344
345/*
346 * Local method: extracts a piece from a BIGNUM, to fit it into
347 * an array. Call with n=8 to extract an entire 512-bit BIGNUM
348 */
349static int
350bn_extract_to_array_512(const BIGNUM* b, unsigned int n, UINT64 *array)
351{
352 int i;
353 UINT64 tmp;
354 unsigned char bn_buff[64];
355
356 memset(bn_buff, 0, 64);
357 if (BN_num_bytes(b) > 64) {
358 printf ("Can't support this byte size\n");
359 return 0;
360 }
361 if (BN_num_bytes(b) != 0) {
362 if (!BN_bn2bin(b, bn_buff + (64 - BN_num_bytes(b)))) {
363 printf ("Error's in bn2bin\n");
364 /* We have to error, here */
365 return 0;
366 }
367 }
368 while (n-- > 0) {
369 array[n] = 0;
370 for (i = 7; i >= 0; i--) {
371 tmp = bn_buff[63 - (n*8 + i)];
372 array[n] |= tmp << (8*i);
373 }
374 }
375 return 1;
376}
377
378/* Init a 512-bit BIGNUM from the UINT64*_ (8 * 64) interleaved array */
379static int
380interleaved_array_to_bn_512(BIGNUM* b, UINT64 *array)
381{
382 unsigned char tmp[64];
383 int n = 8;
384 int i;
385
386 while (n-- > 0) {
387 for (i = 7; i >= 0; i--) {
388 tmp[63 - (n * 8 + i)] =
389 (unsigned char)(array[n] >> (8 * i));
390 }
391 }
392 BN_bin2bn(tmp, 64, b);
393 return 0;
394}
395
396/* The main 512bit precompute call */
397static int
398mod_exp_pre_compute_data_512(UINT64 *m, struct mod_ctx_512 *data)
399{
400 BIGNUM two_768, two_640, two_128, two_512, tmp, _m, tmp2;
401
402 /* We need a BN_CTX for the modulo functions */
403 BN_CTX* ctx;
404 /* Some tmps */
405 UINT64 _t[8];
406 int i, j, ret = 0;
407
408 /* Init _m with m */
409 BN_init(&_m);
410 interleaved_array_to_bn_512(&_m, m);
411 memset(_t, 0, 64);
412
413 /* Inits */
414 BN_init(&two_768);
415 BN_init(&two_640);
416 BN_init(&two_128);
417 BN_init(&two_512);
418 BN_init(&tmp);
419 BN_init(&tmp2);
420
421 /* Create our context */
422 if ((ctx = BN_CTX_new()) == NULL) {
423 goto err;
424 }
425 BN_CTX_start(ctx);
426
427 /*
428 * For production, if you care, these only need to be set once,
429 * and may be made constants.
430 */
431 BN_lshift(&two_768, BN_value_one(), 768);
432 BN_lshift(&two_640, BN_value_one(), 640);
433 BN_lshift(&two_128, BN_value_one(), 128);
434 BN_lshift(&two_512, BN_value_one(), 512);
435
436 if (0 == (m[7] & 0x8000000000000000)) {
437 exit(1);
438 }
439 if (0 == (m[0] & 0x1)) {
440 /* Odd modulus required for Mont */
441 exit(1);
442 }
443
444 /* Precompute m1 */
445 BN_mod(&tmp, &two_768, &_m, ctx);
446 if (!bn_extract_to_array_512(&tmp, 8, &data->m1[0])) {
447 goto err;
448 }
449
450 /* Precompute m2 */
451 BN_mod(&tmp, &two_640, &_m, ctx);
452 if (!bn_extract_to_array_512(&tmp, 8, &data->m2[0])) {
453 goto err;
454 }
455
456 /*
457 * Precompute k1, a 128b number = ((-1)* m-1 ) mod 2128; k1 should
458 * be non-negative.
459 */
460 BN_mod_inverse(&tmp, &_m, &two_128, ctx);
461 if (!BN_is_zero(&tmp)) {
462 BN_sub(&tmp, &two_128, &tmp);
463 }
464 if (!bn_extract_to_array_512(&tmp, 2, &data->k1[0])) {
465 goto err;
466 }
467
468 /* Precompute t */
469 for (i = 0; i < 8; i++) {
470 BN_zero(&tmp);
471 if (i & 1) {
472 BN_add(&tmp, &two_512, &tmp);
473 }
474 if (i & 2) {
475 BN_add(&tmp, &two_512, &tmp);
476 }
477 if (i & 4) {
478 BN_add(&tmp, &two_640, &tmp);
479 }
480
481 BN_nnmod(&tmp2, &tmp, &_m, ctx);
482 if (!bn_extract_to_array_512(&tmp2, 8, _t)) {
483 goto err;
484 }
485 for (j = 0; j < 8; j++)
486 data->t[j][i] = _t[j];
487 }
488
489 /* Precompute m */
490 for (i = 0; i < 8; i++) {
491 data->m[i] = m[i];
492 }
493
494 ret = 1;
495
496err:
497 /* Cleanup */
498 if (ctx != NULL) {
499 BN_CTX_end(ctx);
500 BN_CTX_free(ctx);
501 }
502 BN_free(&two_768);
503 BN_free(&two_640);
504 BN_free(&two_128);
505 BN_free(&two_512);
506 BN_free(&tmp);
507 BN_free(&tmp2);
508 BN_free(&_m);
509
510 return ret;
511}
512
513static int
514e_rsax_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
515{
516 BIGNUM *r1, *m1, *vrfy;
517 BIGNUM local_dmp1, local_dmq1, local_c, local_r1;
518 BIGNUM *dmp1, *dmq1, *c, *pr1;
519 int ret = 0;
520
521 BN_CTX_start(ctx);
522 if ((r1 = BN_CTX_get(ctx)) == NULL)
523 goto err;
524 if ((m1 = BN_CTX_get(ctx)) == NULL)
525 goto err;
526 if ((vrfy = BN_CTX_get(ctx)) == NULL)
527 goto err;
528
529 {
530 BIGNUM local_p, local_q;
531 BIGNUM *p = NULL, *q = NULL;
532 int error = 0;
533
534 /* Make sure BN_mod_inverse in Montgomery
535 * intialization uses the BN_FLG_CONSTTIME flag
536 * (unless RSA_FLAG_NO_CONSTTIME is set)
537 */
538 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
539 BN_init(&local_p);
540 p = &local_p;
541 BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
542
543 BN_init(&local_q);
544 q = &local_q;
545 BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
546 } else {
547 p = rsa->p;
548 q = rsa->q;
549 }
550
551 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) {
552 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p,
553 CRYPTO_LOCK_RSA, p, ctx))
554 error = 1;
555 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q,
556 CRYPTO_LOCK_RSA, q, ctx))
557 error = 1;
558 }
559
560 /* clean up */
561 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
562 BN_free(&local_p);
563 BN_free(&local_q);
564 }
565 if (error )
566 goto err;
567 }
568
569 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
570 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
571 CRYPTO_LOCK_RSA, rsa->n, ctx))
572 goto err;
573
574 /* compute I mod q */
575 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
576 c = &local_c;
577 BN_with_flags(c, I, BN_FLG_CONSTTIME);
578 if (!BN_mod(r1, c, rsa->q, ctx))
579 goto err;
580 } else {
581 if (!BN_mod(r1, I, rsa->q, ctx))
582 goto err;
583 }
584
585 /* compute r1^dmq1 mod q */
586 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
587 dmq1 = &local_dmq1;
588 BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
589 } else
590 dmq1 = rsa->dmq1;
591
592 if (!e_rsax_bn_mod_exp(m1, r1, dmq1, rsa->q, ctx, rsa->_method_mod_q,
593 e_rsax_get_ctx(rsa, 0, rsa->q)))
594 goto err;
595
596 /* compute I mod p */
597 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
598 c = &local_c;
599 BN_with_flags(c, I, BN_FLG_CONSTTIME);
600 if (!BN_mod(r1, c, rsa->p, ctx))
601 goto err;
602 } else {
603 if (!BN_mod(r1, I, rsa->p, ctx))
604 goto err;
605 }
606
607 /* compute r1^dmp1 mod p */
608 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
609 dmp1 = &local_dmp1;
610 BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
611 } else
612 dmp1 = rsa->dmp1;
613
614 if (!e_rsax_bn_mod_exp(r0, r1, dmp1, rsa->p, ctx, rsa->_method_mod_p,
615 e_rsax_get_ctx(rsa, 1, rsa->p)))
616 goto err;
617
618 if (!BN_sub(r0, r0, m1))
619 goto err;
620 /* This will help stop the size of r0 increasing, which does
621 * affect the multiply if it optimised for a power of 2 size */
622 if (BN_is_negative(r0))
623 if (!BN_add(r0, r0, rsa->p))
624 goto err;
625
626 if (!BN_mul(r1, r0, rsa->iqmp, ctx))
627 goto err;
628
629 /* Turn BN_FLG_CONSTTIME flag on before division operation */
630 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
631 pr1 = &local_r1;
632 BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
633 } else
634 pr1 = r1;
635 if (!BN_mod(r0, pr1, rsa->p, ctx))
636 goto err;
637
638 /* If p < q it is occasionally possible for the correction of
639 * adding 'p' if r0 is negative above to leave the result still
640 * negative. This can break the private key operations: the following
641 * second correction should *always* correct this rare occurrence.
642 * This will *never* happen with OpenSSL generated keys because
643 * they ensure p > q [steve]
644 */
645 if (BN_is_negative(r0))
646 if (!BN_add(r0, r0, rsa->p))
647 goto err;
648 if (!BN_mul(r1, r0, rsa->q, ctx))
649 goto err;
650 if (!BN_add(r0, r1, m1))
651 goto err;
652
653 if (rsa->e && rsa->n) {
654 if (!e_rsax_bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx,
655 rsa->_method_mod_n, e_rsax_get_ctx(rsa, 2, rsa->n)))
656 goto err;
657
658 /* If 'I' was greater than (or equal to) rsa->n, the operation
659 * will be equivalent to using 'I mod n'. However, the result of
660 * the verify will *always* be less than 'n' so we don't check
661 * for absolute equality, just congruency. */
662 if (!BN_sub(vrfy, vrfy, I))
663 goto err;
664 if (!BN_mod(vrfy, vrfy, rsa->n, ctx))
665 goto err;
666 if (BN_is_negative(vrfy))
667 if (!BN_add(vrfy, vrfy, rsa->n))
668 goto err;
669 if (!BN_is_zero(vrfy)) {
670 /* 'I' and 'vrfy' aren't congruent mod n. Don't leak
671 * miscalculated CRT output, just do a raw (slower)
672 * mod_exp and return that instead. */
673
674 BIGNUM local_d;
675 BIGNUM *d = NULL;
676
677 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
678 d = &local_d;
679 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
680 } else
681 d = rsa->d;
682 if (!e_rsax_bn_mod_exp(r0, I,d, rsa->n, ctx,
683 rsa->_method_mod_n, e_rsax_get_ctx(rsa, 2, rsa->n)))
684 goto err;
685 }
686 }
687 ret = 1;
688
689err:
690 BN_CTX_end(ctx);
691
692 return ret;
693}
694#endif /* !OPENSSL_NO_RSA */
695#endif /* !COMPILE_RSAX */
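--- a/src/lib/libssl/src/crypto/engine/engine.h
+++ b/src/lib/libssl/src/crypto/engine/engine.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: engine.h,v 1.30 2014/10/18 17:20:40 jsing Exp $ */
+/* $OpenBSD: engine.h,v 1.31 2015/07/19 22:34:27 doug Exp $ */
 /* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
  * project 2000.
  */
@@ -322,7 +322,6 @@ void ENGINE_load_dynamic(void);
 #ifndef OPENSSL_NO_STATIC_ENGINE
 void ENGINE_load_padlock(void);
 #endif
-void ENGINE_load_rsax(void);
 void ENGINE_load_builtin_engines(void);
 
 /* Get and set global flags (ENGINE_TABLE_FLAG_***) for the implementation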
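--- a/src/lib/libssl/src/crypto/opensslfeatures.h
+++ b/src/lib/libssl/src/crypto/opensslfeatures.h
@@ -10,6 +10,7 @@
 # define OPENSSL_NO_PSK
 # define OPENSSL_NO_RC5
 # define OPENSSL_NO_RFC3779
+# define OPENSSL_NO_RSAX
 # define OPENSSL_NO_SCTP
 # define OPENSSL_NO_SEED
 # define OPENSSL_NO_SRP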
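--- a/src/lib/libssl/ssl/shlib_version
+++ b/src/lib/libssl/ssl/shlib_version
@@ -1,3 +1,3 @@
 # Don't forget to give libtls the same type of bump!
-major=34
+major=35
 minor=0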
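--- a/src/lib/libtls/shlib_version
+++ b/src/lib/libtls/shlib_version
@@ -1,2 +1,2 @@
-major=5
+major=6
 minor=0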