summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--src/lib/libcrypto/crypto/Makefile3
-rw-r--r--src/lib/libcrypto/crypto/shlib_version2
-rw-r--r--src/lib/libcrypto/engine/eng_all.c5
-rw-r--r--src/lib/libcrypto/engine/eng_rsax.c695
-rw-r--r--src/lib/libcrypto/engine/engine.h3
-rw-r--r--src/lib/libcrypto/opensslfeatures.h1
-rw-r--r--src/lib/libcrypto/shlib_version2
-rw-r--r--src/lib/libssl/shlib_version2
-rw-r--r--src/lib/libssl/src/crypto/engine/eng_all.c5
-rw-r--r--src/lib/libssl/src/crypto/engine/eng_rsax.c695
-rw-r--r--src/lib/libssl/src/crypto/engine/engine.h3
-rw-r--r--src/lib/libssl/src/crypto/opensslfeatures.h1
-rw-r--r--src/lib/libssl/ssl/shlib_version2
-rw-r--r--src/lib/libtls/shlib_version2
14 files changed, 12 insertions, 1409 deletions
diff --git a/src/lib/libcrypto/crypto/Makefile b/src/lib/libcrypto/crypto/Makefile
index c1905516c2..9eccb901cd 100644
--- a/src/lib/libcrypto/crypto/Makefile
+++ b/src/lib/libcrypto/crypto/Makefile
@@ -1,4 +1,4 @@
1# $OpenBSD: Makefile,v 1.59 2015/06/27 22:42:02 doug Exp $ 1# $OpenBSD: Makefile,v 1.60 2015/07/19 22:34:27 doug Exp $
2 2
3LIB= crypto 3LIB= crypto
4 4
@@ -133,7 +133,6 @@ SRCS+= eng_table.c eng_pkey.c eng_fat.c eng_all.c
133SRCS+= tb_rsa.c tb_dsa.c tb_ecdsa.c tb_dh.c tb_ecdh.c tb_rand.c tb_store.c 133SRCS+= tb_rsa.c tb_dsa.c tb_ecdsa.c tb_dh.c tb_ecdh.c tb_rand.c tb_store.c
134SRCS+= tb_cipher.c tb_digest.c tb_pkmeth.c tb_asnmth.c 134SRCS+= tb_cipher.c tb_digest.c tb_pkmeth.c tb_asnmth.c
135SRCS+= eng_openssl.c eng_cnf.c eng_dyn.c 135SRCS+= eng_openssl.c eng_cnf.c eng_dyn.c
136SRCS+= eng_rsax.c
137# XXX unnecessary? handled in EVP now... 136# XXX unnecessary? handled in EVP now...
138# SRCS+= eng_aesni.c # local addition 137# SRCS+= eng_aesni.c # local addition
139 138
diff --git a/src/lib/libcrypto/crypto/shlib_version b/src/lib/libcrypto/crypto/shlib_version
index 96e1793a1e..db69fac89e 100644
--- a/src/lib/libcrypto/crypto/shlib_version
+++ b/src/lib/libcrypto/crypto/shlib_version
@@ -1,3 +1,3 @@
1# Don't forget to give libssl and libtls the same type of bump! 1# Don't forget to give libssl and libtls the same type of bump!
2major=34 2major=35
3minor=0 3minor=0
diff --git a/src/lib/libcrypto/engine/eng_all.c b/src/lib/libcrypto/engine/eng_all.c
index b428300e76..7640cf7fcd 100644
--- a/src/lib/libcrypto/engine/eng_all.c
+++ b/src/lib/libcrypto/engine/eng_all.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: eng_all.c,v 1.28 2015/06/19 06:05:11 bcook Exp $ */ 1/* $OpenBSD: eng_all.c,v 1.29 2015/07/19 22:34:27 doug Exp $ */
2/* Written by Richard Levitte <richard@levitte.org> for the OpenSSL 2/* Written by Richard Levitte <richard@levitte.org> for the OpenSSL
3 * project 2000. 3 * project 2000.
4 */ 4 */
@@ -67,9 +67,6 @@ ENGINE_load_builtin_engines(void)
67 /* Some ENGINEs need this */ 67 /* Some ENGINEs need this */
68 OPENSSL_cpuid_setup(); 68 OPENSSL_cpuid_setup();
69 69
70#ifndef OPENSSL_NO_RSAX
71 ENGINE_load_rsax();
72#endif
73#ifndef OPENSSL_NO_STATIC_ENGINE 70#ifndef OPENSSL_NO_STATIC_ENGINE
74#ifndef OPENSSL_NO_HW 71#ifndef OPENSSL_NO_HW
75#ifndef OPENSSL_NO_HW_PADLOCK 72#ifndef OPENSSL_NO_HW_PADLOCK
diff --git a/src/lib/libcrypto/engine/eng_rsax.c b/src/lib/libcrypto/engine/eng_rsax.c
deleted file mode 100644
index 784b74a22f..0000000000
--- a/src/lib/libcrypto/engine/eng_rsax.c
+++ /dev/null
@@ -1,695 +0,0 @@
1/* $OpenBSD: eng_rsax.c,v 1.13 2015/02/09 15:49:22 jsing Exp $ */
2/* Copyright (c) 2010-2010 Intel Corp.
3 * Author: Vinodh.Gopal@intel.com
4 * Jim Guilford
5 * Erdinc.Ozturk@intel.com
6 * Maxim.Perminov@intel.com
7 * Ying.Huang@intel.com
8 *
9 * More information about algorithm used can be found at:
10 * http://www.cse.buffalo.edu/srds2009/escs2009_submission_Gopal.pdf
11 */
12/* ====================================================================
13 * Copyright (c) 1999-2001 The OpenSSL Project. All rights reserved.
14 *
15 * Redistribution and use in source and binary forms, with or without
16 * modification, are permitted provided that the following conditions
17 * are met:
18 *
19 * 1. Redistributions of source code must retain the above copyright
20 * notice, this list of conditions and the following disclaimer.
21 *
22 * 2. Redistributions in binary form must reproduce the above copyright
23 * notice, this list of conditions and the following disclaimer in
24 * the documentation and/or other materials provided with the
25 * distribution.
26 *
27 * 3. All advertising materials mentioning features or use of this
28 * software must display the following acknowledgment:
29 * "This product includes software developed by the OpenSSL Project
30 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
31 *
32 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
33 * endorse or promote products derived from this software without
34 * prior written permission. For written permission, please contact
35 * licensing@OpenSSL.org.
36 *
37 * 5. Products derived from this software may not be called "OpenSSL"
38 * nor may "OpenSSL" appear in their names without prior written
39 * permission of the OpenSSL Project.
40 *
41 * 6. Redistributions of any form whatsoever must retain the following
42 * acknowledgment:
43 * "This product includes software developed by the OpenSSL Project
44 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
45 *
46 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
47 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
48 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
49 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
50 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
51 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
52 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
53 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
54 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
55 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
56 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
57 * OF THE POSSIBILITY OF SUCH DAMAGE.
58 * ====================================================================
59 *
60 * This product includes cryptographic software written by Eric Young
61 * (eay@cryptsoft.com). This product includes software written by Tim
62 * Hudson (tjh@cryptsoft.com).
63 */
64
65#include <openssl/opensslconf.h>
66
67#include <stdio.h>
68#include <string.h>
69
70#include <openssl/crypto.h>
71#include <openssl/buffer.h>
72#include <openssl/engine.h>
73#ifndef OPENSSL_NO_RSA
74#include <openssl/rsa.h>
75#endif
76#include <openssl/bn.h>
77#include <openssl/err.h>
78
79/* RSAX is available **ONLY* on x86_64 CPUs */
80#undef COMPILE_RSAX
81
82#if !defined(OPENSSL_NO_ASM) && defined(RSA_ASM) && \
83 (defined(__x86_64) || defined(__x86_64__) || \
84 defined(_M_AMD64) || defined (_M_X64))
85#define COMPILE_RSAX
86static ENGINE *ENGINE_rsax (void);
87#endif
88
89void ENGINE_load_rsax (void)
90{
91/* On non-x86 CPUs it just returns. */
92#ifdef COMPILE_RSAX
93 ENGINE *toadd = ENGINE_rsax();
94 if (!toadd)
95 return;
96 ENGINE_add(toadd);
97 ENGINE_free(toadd);
98 ERR_clear_error();
99#endif
100}
101
102#ifdef COMPILE_RSAX
103#define E_RSAX_LIB_NAME "rsax engine"
104
105static int e_rsax_destroy(ENGINE *e);
106static int e_rsax_init(ENGINE *e);
107static int e_rsax_finish(ENGINE *e);
108static int e_rsax_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void));
109
110#ifndef OPENSSL_NO_RSA
111/* RSA stuff */
112static int e_rsax_rsa_mod_exp(BIGNUM *r, const BIGNUM *I, RSA *rsa,
113 BN_CTX *ctx);
114static int e_rsax_rsa_finish(RSA *r);
115#endif
116
117static const ENGINE_CMD_DEFN e_rsax_cmd_defns[] = {
118 {0, NULL, NULL, 0}
119};
120
121#ifndef OPENSSL_NO_RSA
122/* Our internal RSA_METHOD that we provide pointers to */
123static RSA_METHOD e_rsax_rsa = {
124 .name = "Intel RSA-X method",
125 .rsa_mod_exp = e_rsax_rsa_mod_exp,
126 .finish = e_rsax_rsa_finish,
127 .flags = RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE,
128};
129#endif
130
131/* Constants used when creating the ENGINE */
132static const char *engine_e_rsax_id = "rsax";
133static const char *engine_e_rsax_name = "RSAX engine support";
134
135/* This internal function is used by ENGINE_rsax() */
136static int
137bind_helper(ENGINE *e)
138{
139#ifndef OPENSSL_NO_RSA
140 const RSA_METHOD *meth1;
141#endif
142 if (!ENGINE_set_id(e, engine_e_rsax_id) ||
143 !ENGINE_set_name(e, engine_e_rsax_name) ||
144#ifndef OPENSSL_NO_RSA
145 !ENGINE_set_RSA(e, &e_rsax_rsa) ||
146#endif
147 !ENGINE_set_destroy_function(e, e_rsax_destroy) ||
148 !ENGINE_set_init_function(e, e_rsax_init) ||
149 !ENGINE_set_finish_function(e, e_rsax_finish) ||
150 !ENGINE_set_ctrl_function(e, e_rsax_ctrl) ||
151 !ENGINE_set_cmd_defns(e, e_rsax_cmd_defns))
152 return 0;
153
154#ifndef OPENSSL_NO_RSA
155 meth1 = RSA_PKCS1_SSLeay();
156 e_rsax_rsa.rsa_pub_enc = meth1->rsa_pub_enc;
157 e_rsax_rsa.rsa_pub_dec = meth1->rsa_pub_dec;
158 e_rsax_rsa.rsa_priv_enc = meth1->rsa_priv_enc;
159 e_rsax_rsa.rsa_priv_dec = meth1->rsa_priv_dec;
160 e_rsax_rsa.bn_mod_exp = meth1->bn_mod_exp;
161#endif
162 return 1;
163}
164
165static ENGINE *
166ENGINE_rsax(void)
167{
168 ENGINE *ret = ENGINE_new();
169
170 if (!ret)
171 return NULL;
172 if (!bind_helper(ret)) {
173 ENGINE_free(ret);
174 return NULL;
175 }
176 return ret;
177}
178
179#ifndef OPENSSL_NO_RSA
180/* Used to attach our own key-data to an RSA structure */
181static int rsax_ex_data_idx = -1;
182#endif
183
184static int
185e_rsax_destroy(ENGINE *e)
186{
187 return 1;
188}
189
190/* (de)initialisation functions. */
191static int
192e_rsax_init(ENGINE *e)
193{
194#ifndef OPENSSL_NO_RSA
195 if (rsax_ex_data_idx == -1)
196 rsax_ex_data_idx = RSA_get_ex_new_index(0, NULL, NULL,
197 NULL, NULL);
198#endif
199 if (rsax_ex_data_idx == -1)
200 return 0;
201 return 1;
202}
203
204static int
205e_rsax_finish(ENGINE *e)
206{
207 return 1;
208}
209
210static int
211e_rsax_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void))
212{
213 int to_return = 1;
214
215 switch (cmd) {
216 /* The command isn't understood by this engine */
217 default:
218 to_return = 0;
219 break;
220 }
221
222 return to_return;
223}
224
225
226#ifndef OPENSSL_NO_RSA
227
228typedef unsigned long long UINT64;
229typedef unsigned short UINT16;
230
231/* Table t is interleaved in the following manner:
232 * The order in memory is t[0][0], t[0][1], ..., t[0][7], t[1][0], ...
233 * A particular 512-bit value is stored in t[][index] rather than the more
234 * normal t[index][]; i.e. the qwords of a particular entry in t are not
235 * adjacent in memory
236 */
237
238/* Init BIGNUM b from the interleaved UINT64 array */
239static int interleaved_array_to_bn_512(BIGNUM* b, UINT64 *array);
240
241/* Extract array elements from BIGNUM b
242 * To set the whole array from b, call with n=8
243 */
244static int bn_extract_to_array_512(const BIGNUM* b, unsigned int n,
245 UINT64 *array);
246
247struct mod_ctx_512 {
248 UINT64 t[8][8];
249 UINT64 m[8];
250 UINT64 m1[8]; /* 2^278 % m */
251 UINT64 m2[8]; /* 2^640 % m */
252 UINT64 k1[2]; /* (- 1/m) % 2^128 */
253};
254
255static int mod_exp_pre_compute_data_512(UINT64 *m, struct mod_ctx_512 *data);
256
257void mod_exp_512(UINT64 *result, /* 512 bits, 8 qwords */
258UINT64 *g, /* 512 bits, 8 qwords */
259UINT64 *exp, /* 512 bits, 8 qwords */
260struct mod_ctx_512 *data);
261
262typedef struct st_e_rsax_mod_ctx {
263 UINT64 type;
264 union {
265 struct mod_ctx_512 b512;
266 } ctx;
267} E_RSAX_MOD_CTX;
268
269static E_RSAX_MOD_CTX *
270e_rsax_get_ctx(RSA *rsa, int idx, BIGNUM* m)
271{
272 E_RSAX_MOD_CTX *hptr;
273
274 if (idx < 0 || idx > 2)
275 return NULL;
276
277 hptr = RSA_get_ex_data(rsa, rsax_ex_data_idx);
278 if (!hptr) {
279 hptr = reallocarray(NULL, 3, sizeof(E_RSAX_MOD_CTX));
280 if (!hptr)
281 return NULL;
282 hptr[2].type = hptr[1].type = hptr[0].type = 0;
283 RSA_set_ex_data(rsa, rsax_ex_data_idx, hptr);
284 }
285
286 if (hptr[idx].type == (UINT64)BN_num_bits(m))
287 return hptr + idx;
288
289 if (BN_num_bits(m) == 512) {
290 UINT64 _m[8];
291 bn_extract_to_array_512(m, 8, _m);
292 memset( &hptr[idx].ctx.b512, 0, sizeof(struct mod_ctx_512));
293 mod_exp_pre_compute_data_512(_m, &hptr[idx].ctx.b512);
294 }
295
296 hptr[idx].type = BN_num_bits(m);
297 return hptr + idx;
298}
299
300static int
301e_rsax_rsa_finish(RSA *rsa)
302{
303 E_RSAX_MOD_CTX *hptr = RSA_get_ex_data(rsa, rsax_ex_data_idx);
304
305 if (hptr) {
306 free(hptr);
307 RSA_set_ex_data(rsa, rsax_ex_data_idx, NULL);
308 }
309 BN_MONT_CTX_free(rsa->_method_mod_n);
310 BN_MONT_CTX_free(rsa->_method_mod_p);
311 BN_MONT_CTX_free(rsa->_method_mod_q);
312 return 1;
313}
314
315static int
316e_rsax_bn_mod_exp(BIGNUM *r, const BIGNUM *g, const BIGNUM *e, const BIGNUM *m,
317 BN_CTX *ctx, BN_MONT_CTX *in_mont, E_RSAX_MOD_CTX* rsax_mod_ctx)
318{
319 if (rsax_mod_ctx && BN_get_flags(e, BN_FLG_CONSTTIME) != 0) {
320 if (BN_num_bits(m) == 512) {
321 UINT64 _r[8];
322 UINT64 _g[8];
323 UINT64 _e[8];
324
325 /* Init the arrays from the BIGNUMs */
326 bn_extract_to_array_512(g, 8, _g);
327 bn_extract_to_array_512(e, 8, _e);
328
329 mod_exp_512(_r, _g, _e, &rsax_mod_ctx->ctx.b512);
330 /* Return the result in the BIGNUM */
331 interleaved_array_to_bn_512(r, _r);
332 return 1;
333 }
334 }
335
336 return BN_mod_exp_mont(r, g, e, m, ctx, in_mont);
337}
338
339/* Declares for the Intel CIAP 512-bit / CRT / 1024 bit RSA modular
340 * exponentiation routine precalculations and a structure to hold the
341 * necessary values. These files are meant to live in crypto/rsa/ in
342 * the target openssl.
343 */
344
345/*
346 * Local method: extracts a piece from a BIGNUM, to fit it into
347 * an array. Call with n=8 to extract an entire 512-bit BIGNUM
348 */
349static int
350bn_extract_to_array_512(const BIGNUM* b, unsigned int n, UINT64 *array)
351{
352 int i;
353 UINT64 tmp;
354 unsigned char bn_buff[64];
355
356 memset(bn_buff, 0, 64);
357 if (BN_num_bytes(b) > 64) {
358 printf ("Can't support this byte size\n");
359 return 0;
360 }
361 if (BN_num_bytes(b) != 0) {
362 if (!BN_bn2bin(b, bn_buff + (64 - BN_num_bytes(b)))) {
363 printf ("Error's in bn2bin\n");
364 /* We have to error, here */
365 return 0;
366 }
367 }
368 while (n-- > 0) {
369 array[n] = 0;
370 for (i = 7; i >= 0; i--) {
371 tmp = bn_buff[63 - (n*8 + i)];
372 array[n] |= tmp << (8*i);
373 }
374 }
375 return 1;
376}
377
378/* Init a 512-bit BIGNUM from the UINT64*_ (8 * 64) interleaved array */
379static int
380interleaved_array_to_bn_512(BIGNUM* b, UINT64 *array)
381{
382 unsigned char tmp[64];
383 int n = 8;
384 int i;
385
386 while (n-- > 0) {
387 for (i = 7; i >= 0; i--) {
388 tmp[63 - (n * 8 + i)] =
389 (unsigned char)(array[n] >> (8 * i));
390 }
391 }
392 BN_bin2bn(tmp, 64, b);
393 return 0;
394}
395
396/* The main 512bit precompute call */
397static int
398mod_exp_pre_compute_data_512(UINT64 *m, struct mod_ctx_512 *data)
399{
400 BIGNUM two_768, two_640, two_128, two_512, tmp, _m, tmp2;
401
402 /* We need a BN_CTX for the modulo functions */
403 BN_CTX* ctx;
404 /* Some tmps */
405 UINT64 _t[8];
406 int i, j, ret = 0;
407
408 /* Init _m with m */
409 BN_init(&_m);
410 interleaved_array_to_bn_512(&_m, m);
411 memset(_t, 0, 64);
412
413 /* Inits */
414 BN_init(&two_768);
415 BN_init(&two_640);
416 BN_init(&two_128);
417 BN_init(&two_512);
418 BN_init(&tmp);
419 BN_init(&tmp2);
420
421 /* Create our context */
422 if ((ctx = BN_CTX_new()) == NULL) {
423 goto err;
424 }
425 BN_CTX_start(ctx);
426
427 /*
428 * For production, if you care, these only need to be set once,
429 * and may be made constants.
430 */
431 BN_lshift(&two_768, BN_value_one(), 768);
432 BN_lshift(&two_640, BN_value_one(), 640);
433 BN_lshift(&two_128, BN_value_one(), 128);
434 BN_lshift(&two_512, BN_value_one(), 512);
435
436 if (0 == (m[7] & 0x8000000000000000)) {
437 exit(1);
438 }
439 if (0 == (m[0] & 0x1)) {
440 /* Odd modulus required for Mont */
441 exit(1);
442 }
443
444 /* Precompute m1 */
445 BN_mod(&tmp, &two_768, &_m, ctx);
446 if (!bn_extract_to_array_512(&tmp, 8, &data->m1[0])) {
447 goto err;
448 }
449
450 /* Precompute m2 */
451 BN_mod(&tmp, &two_640, &_m, ctx);
452 if (!bn_extract_to_array_512(&tmp, 8, &data->m2[0])) {
453 goto err;
454 }
455
456 /*
457 * Precompute k1, a 128b number = ((-1)* m-1 ) mod 2128; k1 should
458 * be non-negative.
459 */
460 BN_mod_inverse(&tmp, &_m, &two_128, ctx);
461 if (!BN_is_zero(&tmp)) {
462 BN_sub(&tmp, &two_128, &tmp);
463 }
464 if (!bn_extract_to_array_512(&tmp, 2, &data->k1[0])) {
465 goto err;
466 }
467
468 /* Precompute t */
469 for (i = 0; i < 8; i++) {
470 BN_zero(&tmp);
471 if (i & 1) {
472 BN_add(&tmp, &two_512, &tmp);
473 }
474 if (i & 2) {
475 BN_add(&tmp, &two_512, &tmp);
476 }
477 if (i & 4) {
478 BN_add(&tmp, &two_640, &tmp);
479 }
480
481 BN_nnmod(&tmp2, &tmp, &_m, ctx);
482 if (!bn_extract_to_array_512(&tmp2, 8, _t)) {
483 goto err;
484 }
485 for (j = 0; j < 8; j++)
486 data->t[j][i] = _t[j];
487 }
488
489 /* Precompute m */
490 for (i = 0; i < 8; i++) {
491 data->m[i] = m[i];
492 }
493
494 ret = 1;
495
496err:
497 /* Cleanup */
498 if (ctx != NULL) {
499 BN_CTX_end(ctx);
500 BN_CTX_free(ctx);
501 }
502 BN_free(&two_768);
503 BN_free(&two_640);
504 BN_free(&two_128);
505 BN_free(&two_512);
506 BN_free(&tmp);
507 BN_free(&tmp2);
508 BN_free(&_m);
509
510 return ret;
511}
512
513static int
514e_rsax_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
515{
516 BIGNUM *r1, *m1, *vrfy;
517 BIGNUM local_dmp1, local_dmq1, local_c, local_r1;
518 BIGNUM *dmp1, *dmq1, *c, *pr1;
519 int ret = 0;
520
521 BN_CTX_start(ctx);
522 if ((r1 = BN_CTX_get(ctx)) == NULL)
523 goto err;
524 if ((m1 = BN_CTX_get(ctx)) == NULL)
525 goto err;
526 if ((vrfy = BN_CTX_get(ctx)) == NULL)
527 goto err;
528
529 {
530 BIGNUM local_p, local_q;
531 BIGNUM *p = NULL, *q = NULL;
532 int error = 0;
533
534 /* Make sure BN_mod_inverse in Montgomery
535 * intialization uses the BN_FLG_CONSTTIME flag
536 * (unless RSA_FLAG_NO_CONSTTIME is set)
537 */
538 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
539 BN_init(&local_p);
540 p = &local_p;
541 BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
542
543 BN_init(&local_q);
544 q = &local_q;
545 BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
546 } else {
547 p = rsa->p;
548 q = rsa->q;
549 }
550
551 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) {
552 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p,
553 CRYPTO_LOCK_RSA, p, ctx))
554 error = 1;
555 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q,
556 CRYPTO_LOCK_RSA, q, ctx))
557 error = 1;
558 }
559
560 /* clean up */
561 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
562 BN_free(&local_p);
563 BN_free(&local_q);
564 }
565 if (error )
566 goto err;
567 }
568
569 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
570 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
571 CRYPTO_LOCK_RSA, rsa->n, ctx))
572 goto err;
573
574 /* compute I mod q */
575 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
576 c = &local_c;
577 BN_with_flags(c, I, BN_FLG_CONSTTIME);
578 if (!BN_mod(r1, c, rsa->q, ctx))
579 goto err;
580 } else {
581 if (!BN_mod(r1, I, rsa->q, ctx))
582 goto err;
583 }
584
585 /* compute r1^dmq1 mod q */
586 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
587 dmq1 = &local_dmq1;
588 BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
589 } else
590 dmq1 = rsa->dmq1;
591
592 if (!e_rsax_bn_mod_exp(m1, r1, dmq1, rsa->q, ctx, rsa->_method_mod_q,
593 e_rsax_get_ctx(rsa, 0, rsa->q)))
594 goto err;
595
596 /* compute I mod p */
597 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
598 c = &local_c;
599 BN_with_flags(c, I, BN_FLG_CONSTTIME);
600 if (!BN_mod(r1, c, rsa->p, ctx))
601 goto err;
602 } else {
603 if (!BN_mod(r1, I, rsa->p, ctx))
604 goto err;
605 }
606
607 /* compute r1^dmp1 mod p */
608 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
609 dmp1 = &local_dmp1;
610 BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
611 } else
612 dmp1 = rsa->dmp1;
613
614 if (!e_rsax_bn_mod_exp(r0, r1, dmp1, rsa->p, ctx, rsa->_method_mod_p,
615 e_rsax_get_ctx(rsa, 1, rsa->p)))
616 goto err;
617
618 if (!BN_sub(r0, r0, m1))
619 goto err;
620 /* This will help stop the size of r0 increasing, which does
621 * affect the multiply if it optimised for a power of 2 size */
622 if (BN_is_negative(r0))
623 if (!BN_add(r0, r0, rsa->p))
624 goto err;
625
626 if (!BN_mul(r1, r0, rsa->iqmp, ctx))
627 goto err;
628
629 /* Turn BN_FLG_CONSTTIME flag on before division operation */
630 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
631 pr1 = &local_r1;
632 BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
633 } else
634 pr1 = r1;
635 if (!BN_mod(r0, pr1, rsa->p, ctx))
636 goto err;
637
638 /* If p < q it is occasionally possible for the correction of
639 * adding 'p' if r0 is negative above to leave the result still
640 * negative. This can break the private key operations: the following
641 * second correction should *always* correct this rare occurrence.
642 * This will *never* happen with OpenSSL generated keys because
643 * they ensure p > q [steve]
644 */
645 if (BN_is_negative(r0))
646 if (!BN_add(r0, r0, rsa->p))
647 goto err;
648 if (!BN_mul(r1, r0, rsa->q, ctx))
649 goto err;
650 if (!BN_add(r0, r1, m1))
651 goto err;
652
653 if (rsa->e && rsa->n) {
654 if (!e_rsax_bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx,
655 rsa->_method_mod_n, e_rsax_get_ctx(rsa, 2, rsa->n)))
656 goto err;
657
658 /* If 'I' was greater than (or equal to) rsa->n, the operation
659 * will be equivalent to using 'I mod n'. However, the result of
660 * the verify will *always* be less than 'n' so we don't check
661 * for absolute equality, just congruency. */
662 if (!BN_sub(vrfy, vrfy, I))
663 goto err;
664 if (!BN_mod(vrfy, vrfy, rsa->n, ctx))
665 goto err;
666 if (BN_is_negative(vrfy))
667 if (!BN_add(vrfy, vrfy, rsa->n))
668 goto err;
669 if (!BN_is_zero(vrfy)) {
670 /* 'I' and 'vrfy' aren't congruent mod n. Don't leak
671 * miscalculated CRT output, just do a raw (slower)
672 * mod_exp and return that instead. */
673
674 BIGNUM local_d;
675 BIGNUM *d = NULL;
676
677 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
678 d = &local_d;
679 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
680 } else
681 d = rsa->d;
682 if (!e_rsax_bn_mod_exp(r0, I,d, rsa->n, ctx,
683 rsa->_method_mod_n, e_rsax_get_ctx(rsa, 2, rsa->n)))
684 goto err;
685 }
686 }
687 ret = 1;
688
689err:
690 BN_CTX_end(ctx);
691
692 return ret;
693}
694#endif /* !OPENSSL_NO_RSA */
695#endif /* !COMPILE_RSAX */
diff --git a/src/lib/libcrypto/engine/engine.h b/src/lib/libcrypto/engine/engine.h
index dd1015f8af..30d1bde4ae 100644
--- a/src/lib/libcrypto/engine/engine.h
+++ b/src/lib/libcrypto/engine/engine.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: engine.h,v 1.30 2014/10/18 17:20:40 jsing Exp $ */ 1/* $OpenBSD: engine.h,v 1.31 2015/07/19 22:34:27 doug Exp $ */
2/* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL 2/* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
3 * project 2000. 3 * project 2000.
4 */ 4 */
@@ -322,7 +322,6 @@ void ENGINE_load_dynamic(void);
322#ifndef OPENSSL_NO_STATIC_ENGINE 322#ifndef OPENSSL_NO_STATIC_ENGINE
323void ENGINE_load_padlock(void); 323void ENGINE_load_padlock(void);
324#endif 324#endif
325void ENGINE_load_rsax(void);
326void ENGINE_load_builtin_engines(void); 325void ENGINE_load_builtin_engines(void);
327 326
328/* Get and set global flags (ENGINE_TABLE_FLAG_***) for the implementation 327/* Get and set global flags (ENGINE_TABLE_FLAG_***) for the implementation
diff --git a/src/lib/libcrypto/opensslfeatures.h b/src/lib/libcrypto/opensslfeatures.h
index a0fcc0078e..45848c5a35 100644
--- a/src/lib/libcrypto/opensslfeatures.h
+++ b/src/lib/libcrypto/opensslfeatures.h
@@ -10,6 +10,7 @@
10# define OPENSSL_NO_PSK 10# define OPENSSL_NO_PSK
11# define OPENSSL_NO_RC5 11# define OPENSSL_NO_RC5
12# define OPENSSL_NO_RFC3779 12# define OPENSSL_NO_RFC3779
13# define OPENSSL_NO_RSAX
13# define OPENSSL_NO_SCTP 14# define OPENSSL_NO_SCTP
14# define OPENSSL_NO_SEED 15# define OPENSSL_NO_SEED
15# define OPENSSL_NO_SRP 16# define OPENSSL_NO_SRP
diff --git a/src/lib/libcrypto/shlib_version b/src/lib/libcrypto/shlib_version
index 96e1793a1e..db69fac89e 100644
--- a/src/lib/libcrypto/shlib_version
+++ b/src/lib/libcrypto/shlib_version
@@ -1,3 +1,3 @@
1# Don't forget to give libssl and libtls the same type of bump! 1# Don't forget to give libssl and libtls the same type of bump!
2major=34 2major=35
3minor=0 3minor=0
diff --git a/src/lib/libssl/shlib_version b/src/lib/libssl/shlib_version
index 63004f487f..ca85d7e741 100644
--- a/src/lib/libssl/shlib_version
+++ b/src/lib/libssl/shlib_version
@@ -1,3 +1,3 @@
1# Don't forget to give libtls the same type of bump! 1# Don't forget to give libtls the same type of bump!
2major=34 2major=35
3minor=0 3minor=0
diff --git a/src/lib/libssl/src/crypto/engine/eng_all.c b/src/lib/libssl/src/crypto/engine/eng_all.c
index b428300e76..7640cf7fcd 100644
--- a/src/lib/libssl/src/crypto/engine/eng_all.c
+++ b/src/lib/libssl/src/crypto/engine/eng_all.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: eng_all.c,v 1.28 2015/06/19 06:05:11 bcook Exp $ */ 1/* $OpenBSD: eng_all.c,v 1.29 2015/07/19 22:34:27 doug Exp $ */
2/* Written by Richard Levitte <richard@levitte.org> for the OpenSSL 2/* Written by Richard Levitte <richard@levitte.org> for the OpenSSL
3 * project 2000. 3 * project 2000.
4 */ 4 */
@@ -67,9 +67,6 @@ ENGINE_load_builtin_engines(void)
67 /* Some ENGINEs need this */ 67 /* Some ENGINEs need this */
68 OPENSSL_cpuid_setup(); 68 OPENSSL_cpuid_setup();
69 69
70#ifndef OPENSSL_NO_RSAX
71 ENGINE_load_rsax();
72#endif
73#ifndef OPENSSL_NO_STATIC_ENGINE 70#ifndef OPENSSL_NO_STATIC_ENGINE
74#ifndef OPENSSL_NO_HW 71#ifndef OPENSSL_NO_HW
75#ifndef OPENSSL_NO_HW_PADLOCK 72#ifndef OPENSSL_NO_HW_PADLOCK
diff --git a/src/lib/libssl/src/crypto/engine/eng_rsax.c b/src/lib/libssl/src/crypto/engine/eng_rsax.c
deleted file mode 100644
index 784b74a22f..0000000000
--- a/src/lib/libssl/src/crypto/engine/eng_rsax.c
+++ /dev/null
@@ -1,695 +0,0 @@
1/* $OpenBSD: eng_rsax.c,v 1.13 2015/02/09 15:49:22 jsing Exp $ */
2/* Copyright (c) 2010-2010 Intel Corp.
3 * Author: Vinodh.Gopal@intel.com
4 * Jim Guilford
5 * Erdinc.Ozturk@intel.com
6 * Maxim.Perminov@intel.com
7 * Ying.Huang@intel.com
8 *
9 * More information about algorithm used can be found at:
10 * http://www.cse.buffalo.edu/srds2009/escs2009_submission_Gopal.pdf
11 */
12/* ====================================================================
13 * Copyright (c) 1999-2001 The OpenSSL Project. All rights reserved.
14 *
15 * Redistribution and use in source and binary forms, with or without
16 * modification, are permitted provided that the following conditions
17 * are met:
18 *
19 * 1. Redistributions of source code must retain the above copyright
20 * notice, this list of conditions and the following disclaimer.
21 *
22 * 2. Redistributions in binary form must reproduce the above copyright
23 * notice, this list of conditions and the following disclaimer in
24 * the documentation and/or other materials provided with the
25 * distribution.
26 *
27 * 3. All advertising materials mentioning features or use of this
28 * software must display the following acknowledgment:
29 * "This product includes software developed by the OpenSSL Project
30 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
31 *
32 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
33 * endorse or promote products derived from this software without
34 * prior written permission. For written permission, please contact
35 * licensing@OpenSSL.org.
36 *
37 * 5. Products derived from this software may not be called "OpenSSL"
38 * nor may "OpenSSL" appear in their names without prior written
39 * permission of the OpenSSL Project.
40 *
41 * 6. Redistributions of any form whatsoever must retain the following
42 * acknowledgment:
43 * "This product includes software developed by the OpenSSL Project
44 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
45 *
46 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
47 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
48 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
49 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
50 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
51 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
52 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
53 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
54 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
55 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
56 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
57 * OF THE POSSIBILITY OF SUCH DAMAGE.
58 * ====================================================================
59 *
60 * This product includes cryptographic software written by Eric Young
61 * (eay@cryptsoft.com). This product includes software written by Tim
62 * Hudson (tjh@cryptsoft.com).
63 */
64
65#include <openssl/opensslconf.h>
66
67#include <stdio.h>
68#include <string.h>
69
70#include <openssl/crypto.h>
71#include <openssl/buffer.h>
72#include <openssl/engine.h>
73#ifndef OPENSSL_NO_RSA
74#include <openssl/rsa.h>
75#endif
76#include <openssl/bn.h>
77#include <openssl/err.h>
78
79/* RSAX is available **ONLY* on x86_64 CPUs */
80#undef COMPILE_RSAX
81
82#if !defined(OPENSSL_NO_ASM) && defined(RSA_ASM) && \
83 (defined(__x86_64) || defined(__x86_64__) || \
84 defined(_M_AMD64) || defined (_M_X64))
85#define COMPILE_RSAX
86static ENGINE *ENGINE_rsax (void);
87#endif
88
89void ENGINE_load_rsax (void)
90{
91/* On non-x86 CPUs it just returns. */
92#ifdef COMPILE_RSAX
93 ENGINE *toadd = ENGINE_rsax();
94 if (!toadd)
95 return;
96 ENGINE_add(toadd);
97 ENGINE_free(toadd);
98 ERR_clear_error();
99#endif
100}
101
102#ifdef COMPILE_RSAX
103#define E_RSAX_LIB_NAME "rsax engine"
104
105static int e_rsax_destroy(ENGINE *e);
106static int e_rsax_init(ENGINE *e);
107static int e_rsax_finish(ENGINE *e);
108static int e_rsax_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void));
109
110#ifndef OPENSSL_NO_RSA
111/* RSA stuff */
112static int e_rsax_rsa_mod_exp(BIGNUM *r, const BIGNUM *I, RSA *rsa,
113 BN_CTX *ctx);
114static int e_rsax_rsa_finish(RSA *r);
115#endif
116
117static const ENGINE_CMD_DEFN e_rsax_cmd_defns[] = {
118 {0, NULL, NULL, 0}
119};
120
121#ifndef OPENSSL_NO_RSA
122/* Our internal RSA_METHOD that we provide pointers to */
123static RSA_METHOD e_rsax_rsa = {
124 .name = "Intel RSA-X method",
125 .rsa_mod_exp = e_rsax_rsa_mod_exp,
126 .finish = e_rsax_rsa_finish,
127 .flags = RSA_FLAG_CACHE_PUBLIC|RSA_FLAG_CACHE_PRIVATE,
128};
129#endif
130
131/* Constants used when creating the ENGINE */
132static const char *engine_e_rsax_id = "rsax";
133static const char *engine_e_rsax_name = "RSAX engine support";
134
135/* This internal function is used by ENGINE_rsax() */
136static int
137bind_helper(ENGINE *e)
138{
139#ifndef OPENSSL_NO_RSA
140 const RSA_METHOD *meth1;
141#endif
142 if (!ENGINE_set_id(e, engine_e_rsax_id) ||
143 !ENGINE_set_name(e, engine_e_rsax_name) ||
144#ifndef OPENSSL_NO_RSA
145 !ENGINE_set_RSA(e, &e_rsax_rsa) ||
146#endif
147 !ENGINE_set_destroy_function(e, e_rsax_destroy) ||
148 !ENGINE_set_init_function(e, e_rsax_init) ||
149 !ENGINE_set_finish_function(e, e_rsax_finish) ||
150 !ENGINE_set_ctrl_function(e, e_rsax_ctrl) ||
151 !ENGINE_set_cmd_defns(e, e_rsax_cmd_defns))
152 return 0;
153
154#ifndef OPENSSL_NO_RSA
155 meth1 = RSA_PKCS1_SSLeay();
156 e_rsax_rsa.rsa_pub_enc = meth1->rsa_pub_enc;
157 e_rsax_rsa.rsa_pub_dec = meth1->rsa_pub_dec;
158 e_rsax_rsa.rsa_priv_enc = meth1->rsa_priv_enc;
159 e_rsax_rsa.rsa_priv_dec = meth1->rsa_priv_dec;
160 e_rsax_rsa.bn_mod_exp = meth1->bn_mod_exp;
161#endif
162 return 1;
163}
164
165static ENGINE *
166ENGINE_rsax(void)
167{
168 ENGINE *ret = ENGINE_new();
169
170 if (!ret)
171 return NULL;
172 if (!bind_helper(ret)) {
173 ENGINE_free(ret);
174 return NULL;
175 }
176 return ret;
177}
178
179#ifndef OPENSSL_NO_RSA
180/* Used to attach our own key-data to an RSA structure */
181static int rsax_ex_data_idx = -1;
182#endif
183
184static int
185e_rsax_destroy(ENGINE *e)
186{
187 return 1;
188}
189
190/* (de)initialisation functions. */
191static int
192e_rsax_init(ENGINE *e)
193{
194#ifndef OPENSSL_NO_RSA
195 if (rsax_ex_data_idx == -1)
196 rsax_ex_data_idx = RSA_get_ex_new_index(0, NULL, NULL,
197 NULL, NULL);
198#endif
199 if (rsax_ex_data_idx == -1)
200 return 0;
201 return 1;
202}
203
204static int
205e_rsax_finish(ENGINE *e)
206{
207 return 1;
208}
209
210static int
211e_rsax_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void))
212{
213 int to_return = 1;
214
215 switch (cmd) {
216 /* The command isn't understood by this engine */
217 default:
218 to_return = 0;
219 break;
220 }
221
222 return to_return;
223}
224
225
226#ifndef OPENSSL_NO_RSA
227
228typedef unsigned long long UINT64;
229typedef unsigned short UINT16;
230
231/* Table t is interleaved in the following manner:
232 * The order in memory is t[0][0], t[0][1], ..., t[0][7], t[1][0], ...
233 * A particular 512-bit value is stored in t[][index] rather than the more
234 * normal t[index][]; i.e. the qwords of a particular entry in t are not
235 * adjacent in memory
236 */
237
238/* Init BIGNUM b from the interleaved UINT64 array */
239static int interleaved_array_to_bn_512(BIGNUM* b, UINT64 *array);
240
241/* Extract array elements from BIGNUM b
242 * To set the whole array from b, call with n=8
243 */
244static int bn_extract_to_array_512(const BIGNUM* b, unsigned int n,
245 UINT64 *array);
246
247struct mod_ctx_512 {
248 UINT64 t[8][8];
249 UINT64 m[8];
250 UINT64 m1[8]; /* 2^278 % m */
251 UINT64 m2[8]; /* 2^640 % m */
252 UINT64 k1[2]; /* (- 1/m) % 2^128 */
253};
254
255static int mod_exp_pre_compute_data_512(UINT64 *m, struct mod_ctx_512 *data);
256
257void mod_exp_512(UINT64 *result, /* 512 bits, 8 qwords */
258UINT64 *g, /* 512 bits, 8 qwords */
259UINT64 *exp, /* 512 bits, 8 qwords */
260struct mod_ctx_512 *data);
261
262typedef struct st_e_rsax_mod_ctx {
263 UINT64 type;
264 union {
265 struct mod_ctx_512 b512;
266 } ctx;
267} E_RSAX_MOD_CTX;
268
269static E_RSAX_MOD_CTX *
270e_rsax_get_ctx(RSA *rsa, int idx, BIGNUM* m)
271{
272 E_RSAX_MOD_CTX *hptr;
273
274 if (idx < 0 || idx > 2)
275 return NULL;
276
277 hptr = RSA_get_ex_data(rsa, rsax_ex_data_idx);
278 if (!hptr) {
279 hptr = reallocarray(NULL, 3, sizeof(E_RSAX_MOD_CTX));
280 if (!hptr)
281 return NULL;
282 hptr[2].type = hptr[1].type = hptr[0].type = 0;
283 RSA_set_ex_data(rsa, rsax_ex_data_idx, hptr);
284 }
285
286 if (hptr[idx].type == (UINT64)BN_num_bits(m))
287 return hptr + idx;
288
289 if (BN_num_bits(m) == 512) {
290 UINT64 _m[8];
291 bn_extract_to_array_512(m, 8, _m);
292 memset( &hptr[idx].ctx.b512, 0, sizeof(struct mod_ctx_512));
293 mod_exp_pre_compute_data_512(_m, &hptr[idx].ctx.b512);
294 }
295
296 hptr[idx].type = BN_num_bits(m);
297 return hptr + idx;
298}
299
300static int
301e_rsax_rsa_finish(RSA *rsa)
302{
303 E_RSAX_MOD_CTX *hptr = RSA_get_ex_data(rsa, rsax_ex_data_idx);
304
305 if (hptr) {
306 free(hptr);
307 RSA_set_ex_data(rsa, rsax_ex_data_idx, NULL);
308 }
309 BN_MONT_CTX_free(rsa->_method_mod_n);
310 BN_MONT_CTX_free(rsa->_method_mod_p);
311 BN_MONT_CTX_free(rsa->_method_mod_q);
312 return 1;
313}
314
315static int
316e_rsax_bn_mod_exp(BIGNUM *r, const BIGNUM *g, const BIGNUM *e, const BIGNUM *m,
317 BN_CTX *ctx, BN_MONT_CTX *in_mont, E_RSAX_MOD_CTX* rsax_mod_ctx)
318{
319 if (rsax_mod_ctx && BN_get_flags(e, BN_FLG_CONSTTIME) != 0) {
320 if (BN_num_bits(m) == 512) {
321 UINT64 _r[8];
322 UINT64 _g[8];
323 UINT64 _e[8];
324
325 /* Init the arrays from the BIGNUMs */
326 bn_extract_to_array_512(g, 8, _g);
327 bn_extract_to_array_512(e, 8, _e);
328
329 mod_exp_512(_r, _g, _e, &rsax_mod_ctx->ctx.b512);
330 /* Return the result in the BIGNUM */
331 interleaved_array_to_bn_512(r, _r);
332 return 1;
333 }
334 }
335
336 return BN_mod_exp_mont(r, g, e, m, ctx, in_mont);
337}
338
339/* Declares for the Intel CIAP 512-bit / CRT / 1024 bit RSA modular
340 * exponentiation routine precalculations and a structure to hold the
341 * necessary values. These files are meant to live in crypto/rsa/ in
342 * the target openssl.
343 */
344
345/*
346 * Local method: extracts a piece from a BIGNUM, to fit it into
347 * an array. Call with n=8 to extract an entire 512-bit BIGNUM
348 */
349static int
350bn_extract_to_array_512(const BIGNUM* b, unsigned int n, UINT64 *array)
351{
352 int i;
353 UINT64 tmp;
354 unsigned char bn_buff[64];
355
356 memset(bn_buff, 0, 64);
357 if (BN_num_bytes(b) > 64) {
358 printf ("Can't support this byte size\n");
359 return 0;
360 }
361 if (BN_num_bytes(b) != 0) {
362 if (!BN_bn2bin(b, bn_buff + (64 - BN_num_bytes(b)))) {
363 printf ("Error's in bn2bin\n");
364 /* We have to error, here */
365 return 0;
366 }
367 }
368 while (n-- > 0) {
369 array[n] = 0;
370 for (i = 7; i >= 0; i--) {
371 tmp = bn_buff[63 - (n*8 + i)];
372 array[n] |= tmp << (8*i);
373 }
374 }
375 return 1;
376}
377
378/* Init a 512-bit BIGNUM from the UINT64*_ (8 * 64) interleaved array */
379static int
380interleaved_array_to_bn_512(BIGNUM* b, UINT64 *array)
381{
382 unsigned char tmp[64];
383 int n = 8;
384 int i;
385
386 while (n-- > 0) {
387 for (i = 7; i >= 0; i--) {
388 tmp[63 - (n * 8 + i)] =
389 (unsigned char)(array[n] >> (8 * i));
390 }
391 }
392 BN_bin2bn(tmp, 64, b);
393 return 0;
394}
395
396/* The main 512bit precompute call */
397static int
398mod_exp_pre_compute_data_512(UINT64 *m, struct mod_ctx_512 *data)
399{
400 BIGNUM two_768, two_640, two_128, two_512, tmp, _m, tmp2;
401
402 /* We need a BN_CTX for the modulo functions */
403 BN_CTX* ctx;
404 /* Some tmps */
405 UINT64 _t[8];
406 int i, j, ret = 0;
407
408 /* Init _m with m */
409 BN_init(&_m);
410 interleaved_array_to_bn_512(&_m, m);
411 memset(_t, 0, 64);
412
413 /* Inits */
414 BN_init(&two_768);
415 BN_init(&two_640);
416 BN_init(&two_128);
417 BN_init(&two_512);
418 BN_init(&tmp);
419 BN_init(&tmp2);
420
421 /* Create our context */
422 if ((ctx = BN_CTX_new()) == NULL) {
423 goto err;
424 }
425 BN_CTX_start(ctx);
426
427 /*
428 * For production, if you care, these only need to be set once,
429 * and may be made constants.
430 */
431 BN_lshift(&two_768, BN_value_one(), 768);
432 BN_lshift(&two_640, BN_value_one(), 640);
433 BN_lshift(&two_128, BN_value_one(), 128);
434 BN_lshift(&two_512, BN_value_one(), 512);
435
436 if (0 == (m[7] & 0x8000000000000000)) {
437 exit(1);
438 }
439 if (0 == (m[0] & 0x1)) {
440 /* Odd modulus required for Mont */
441 exit(1);
442 }
443
444 /* Precompute m1 */
445 BN_mod(&tmp, &two_768, &_m, ctx);
446 if (!bn_extract_to_array_512(&tmp, 8, &data->m1[0])) {
447 goto err;
448 }
449
450 /* Precompute m2 */
451 BN_mod(&tmp, &two_640, &_m, ctx);
452 if (!bn_extract_to_array_512(&tmp, 8, &data->m2[0])) {
453 goto err;
454 }
455
456 /*
457 * Precompute k1, a 128b number = ((-1)* m-1 ) mod 2128; k1 should
458 * be non-negative.
459 */
460 BN_mod_inverse(&tmp, &_m, &two_128, ctx);
461 if (!BN_is_zero(&tmp)) {
462 BN_sub(&tmp, &two_128, &tmp);
463 }
464 if (!bn_extract_to_array_512(&tmp, 2, &data->k1[0])) {
465 goto err;
466 }
467
468 /* Precompute t */
469 for (i = 0; i < 8; i++) {
470 BN_zero(&tmp);
471 if (i & 1) {
472 BN_add(&tmp, &two_512, &tmp);
473 }
474 if (i & 2) {
475 BN_add(&tmp, &two_512, &tmp);
476 }
477 if (i & 4) {
478 BN_add(&tmp, &two_640, &tmp);
479 }
480
481 BN_nnmod(&tmp2, &tmp, &_m, ctx);
482 if (!bn_extract_to_array_512(&tmp2, 8, _t)) {
483 goto err;
484 }
485 for (j = 0; j < 8; j++)
486 data->t[j][i] = _t[j];
487 }
488
489 /* Precompute m */
490 for (i = 0; i < 8; i++) {
491 data->m[i] = m[i];
492 }
493
494 ret = 1;
495
496err:
497 /* Cleanup */
498 if (ctx != NULL) {
499 BN_CTX_end(ctx);
500 BN_CTX_free(ctx);
501 }
502 BN_free(&two_768);
503 BN_free(&two_640);
504 BN_free(&two_128);
505 BN_free(&two_512);
506 BN_free(&tmp);
507 BN_free(&tmp2);
508 BN_free(&_m);
509
510 return ret;
511}
512
513static int
514e_rsax_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
515{
516 BIGNUM *r1, *m1, *vrfy;
517 BIGNUM local_dmp1, local_dmq1, local_c, local_r1;
518 BIGNUM *dmp1, *dmq1, *c, *pr1;
519 int ret = 0;
520
521 BN_CTX_start(ctx);
522 if ((r1 = BN_CTX_get(ctx)) == NULL)
523 goto err;
524 if ((m1 = BN_CTX_get(ctx)) == NULL)
525 goto err;
526 if ((vrfy = BN_CTX_get(ctx)) == NULL)
527 goto err;
528
529 {
530 BIGNUM local_p, local_q;
531 BIGNUM *p = NULL, *q = NULL;
532 int error = 0;
533
534 /* Make sure BN_mod_inverse in Montgomery
535 * intialization uses the BN_FLG_CONSTTIME flag
536 * (unless RSA_FLAG_NO_CONSTTIME is set)
537 */
538 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
539 BN_init(&local_p);
540 p = &local_p;
541 BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
542
543 BN_init(&local_q);
544 q = &local_q;
545 BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
546 } else {
547 p = rsa->p;
548 q = rsa->q;
549 }
550
551 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) {
552 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p,
553 CRYPTO_LOCK_RSA, p, ctx))
554 error = 1;
555 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q,
556 CRYPTO_LOCK_RSA, q, ctx))
557 error = 1;
558 }
559
560 /* clean up */
561 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
562 BN_free(&local_p);
563 BN_free(&local_q);
564 }
565 if (error )
566 goto err;
567 }
568
569 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
570 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
571 CRYPTO_LOCK_RSA, rsa->n, ctx))
572 goto err;
573
574 /* compute I mod q */
575 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
576 c = &local_c;
577 BN_with_flags(c, I, BN_FLG_CONSTTIME);
578 if (!BN_mod(r1, c, rsa->q, ctx))
579 goto err;
580 } else {
581 if (!BN_mod(r1, I, rsa->q, ctx))
582 goto err;
583 }
584
585 /* compute r1^dmq1 mod q */
586 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
587 dmq1 = &local_dmq1;
588 BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
589 } else
590 dmq1 = rsa->dmq1;
591
592 if (!e_rsax_bn_mod_exp(m1, r1, dmq1, rsa->q, ctx, rsa->_method_mod_q,
593 e_rsax_get_ctx(rsa, 0, rsa->q)))
594 goto err;
595
596 /* compute I mod p */
597 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
598 c = &local_c;
599 BN_with_flags(c, I, BN_FLG_CONSTTIME);
600 if (!BN_mod(r1, c, rsa->p, ctx))
601 goto err;
602 } else {
603 if (!BN_mod(r1, I, rsa->p, ctx))
604 goto err;
605 }
606
607 /* compute r1^dmp1 mod p */
608 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
609 dmp1 = &local_dmp1;
610 BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
611 } else
612 dmp1 = rsa->dmp1;
613
614 if (!e_rsax_bn_mod_exp(r0, r1, dmp1, rsa->p, ctx, rsa->_method_mod_p,
615 e_rsax_get_ctx(rsa, 1, rsa->p)))
616 goto err;
617
618 if (!BN_sub(r0, r0, m1))
619 goto err;
620 /* This will help stop the size of r0 increasing, which does
621 * affect the multiply if it optimised for a power of 2 size */
622 if (BN_is_negative(r0))
623 if (!BN_add(r0, r0, rsa->p))
624 goto err;
625
626 if (!BN_mul(r1, r0, rsa->iqmp, ctx))
627 goto err;
628
629 /* Turn BN_FLG_CONSTTIME flag on before division operation */
630 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
631 pr1 = &local_r1;
632 BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
633 } else
634 pr1 = r1;
635 if (!BN_mod(r0, pr1, rsa->p, ctx))
636 goto err;
637
638 /* If p < q it is occasionally possible for the correction of
639 * adding 'p' if r0 is negative above to leave the result still
640 * negative. This can break the private key operations: the following
641 * second correction should *always* correct this rare occurrence.
642 * This will *never* happen with OpenSSL generated keys because
643 * they ensure p > q [steve]
644 */
645 if (BN_is_negative(r0))
646 if (!BN_add(r0, r0, rsa->p))
647 goto err;
648 if (!BN_mul(r1, r0, rsa->q, ctx))
649 goto err;
650 if (!BN_add(r0, r1, m1))
651 goto err;
652
653 if (rsa->e && rsa->n) {
654 if (!e_rsax_bn_mod_exp(vrfy, r0, rsa->e, rsa->n, ctx,
655 rsa->_method_mod_n, e_rsax_get_ctx(rsa, 2, rsa->n)))
656 goto err;
657
658 /* If 'I' was greater than (or equal to) rsa->n, the operation
659 * will be equivalent to using 'I mod n'. However, the result of
660 * the verify will *always* be less than 'n' so we don't check
661 * for absolute equality, just congruency. */
662 if (!BN_sub(vrfy, vrfy, I))
663 goto err;
664 if (!BN_mod(vrfy, vrfy, rsa->n, ctx))
665 goto err;
666 if (BN_is_negative(vrfy))
667 if (!BN_add(vrfy, vrfy, rsa->n))
668 goto err;
669 if (!BN_is_zero(vrfy)) {
670 /* 'I' and 'vrfy' aren't congruent mod n. Don't leak
671 * miscalculated CRT output, just do a raw (slower)
672 * mod_exp and return that instead. */
673
674 BIGNUM local_d;
675 BIGNUM *d = NULL;
676
677 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
678 d = &local_d;
679 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
680 } else
681 d = rsa->d;
682 if (!e_rsax_bn_mod_exp(r0, I,d, rsa->n, ctx,
683 rsa->_method_mod_n, e_rsax_get_ctx(rsa, 2, rsa->n)))
684 goto err;
685 }
686 }
687 ret = 1;
688
689err:
690 BN_CTX_end(ctx);
691
692 return ret;
693}
694#endif /* !OPENSSL_NO_RSA */
695#endif /* !COMPILE_RSAX */
diff --git a/src/lib/libssl/src/crypto/engine/engine.h b/src/lib/libssl/src/crypto/engine/engine.h
index dd1015f8af..30d1bde4ae 100644
--- a/src/lib/libssl/src/crypto/engine/engine.h
+++ b/src/lib/libssl/src/crypto/engine/engine.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: engine.h,v 1.30 2014/10/18 17:20:40 jsing Exp $ */ 1/* $OpenBSD: engine.h,v 1.31 2015/07/19 22:34:27 doug Exp $ */
2/* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL 2/* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
3 * project 2000. 3 * project 2000.
4 */ 4 */
@@ -322,7 +322,6 @@ void ENGINE_load_dynamic(void);
322#ifndef OPENSSL_NO_STATIC_ENGINE 322#ifndef OPENSSL_NO_STATIC_ENGINE
323void ENGINE_load_padlock(void); 323void ENGINE_load_padlock(void);
324#endif 324#endif
325void ENGINE_load_rsax(void);
326void ENGINE_load_builtin_engines(void); 325void ENGINE_load_builtin_engines(void);
327 326
328/* Get and set global flags (ENGINE_TABLE_FLAG_***) for the implementation 327/* Get and set global flags (ENGINE_TABLE_FLAG_***) for the implementation
diff --git a/src/lib/libssl/src/crypto/opensslfeatures.h b/src/lib/libssl/src/crypto/opensslfeatures.h
index a0fcc0078e..45848c5a35 100644
--- a/src/lib/libssl/src/crypto/opensslfeatures.h
+++ b/src/lib/libssl/src/crypto/opensslfeatures.h
@@ -10,6 +10,7 @@
10# define OPENSSL_NO_PSK 10# define OPENSSL_NO_PSK
11# define OPENSSL_NO_RC5 11# define OPENSSL_NO_RC5
12# define OPENSSL_NO_RFC3779 12# define OPENSSL_NO_RFC3779
13# define OPENSSL_NO_RSAX
13# define OPENSSL_NO_SCTP 14# define OPENSSL_NO_SCTP
14# define OPENSSL_NO_SEED 15# define OPENSSL_NO_SEED
15# define OPENSSL_NO_SRP 16# define OPENSSL_NO_SRP
diff --git a/src/lib/libssl/ssl/shlib_version b/src/lib/libssl/ssl/shlib_version
index 63004f487f..ca85d7e741 100644
--- a/src/lib/libssl/ssl/shlib_version
+++ b/src/lib/libssl/ssl/shlib_version
@@ -1,3 +1,3 @@
1# Don't forget to give libtls the same type of bump! 1# Don't forget to give libtls the same type of bump!
2major=34 2major=35
3minor=0 3minor=0
diff --git a/src/lib/libtls/shlib_version b/src/lib/libtls/shlib_version
index 3066b9771e..9c1551636c 100644
--- a/src/lib/libtls/shlib_version
+++ b/src/lib/libtls/shlib_version
@@ -1,2 +1,2 @@
1major=5 1major=6
2minor=0 2minor=0
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-26 17:04:20 +0000