summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/rsa/rsa_eay.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libcrypto/rsa/rsa_eay.c')
-rw-r--r--src/lib/libcrypto/rsa/rsa_eay.c564
1 files changed, 248 insertions, 316 deletions
diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c
index ffadaab9a4..610889dc80 100644
--- a/src/lib/libcrypto/rsa/rsa_eay.c
+++ b/src/lib/libcrypto/rsa/rsa_eay.c
@@ -56,7 +56,7 @@
56 * [including the GNU Public Licence.] 56 * [including the GNU Public Licence.]
57 */ 57 */
58/* ==================================================================== 58/* ====================================================================
59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. 59 * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
60 * 60 *
61 * Redistribution and use in source and binary forms, with or without 61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions 62 * modification, are permitted provided that the following conditions
@@ -115,7 +115,7 @@
115#include <openssl/rsa.h> 115#include <openssl/rsa.h>
116#include <openssl/rand.h> 116#include <openssl/rand.h>
117 117
118#ifndef RSA_NULL 118#if !defined(RSA_NULL) && !defined(OPENSSL_FIPS)
119 119
120static int RSA_eay_public_encrypt(int flen, const unsigned char *from, 120static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
121 unsigned char *to, RSA *rsa,int padding); 121 unsigned char *to, RSA *rsa,int padding);
@@ -125,7 +125,7 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
125 unsigned char *to, RSA *rsa,int padding); 125 unsigned char *to, RSA *rsa,int padding);
126static int RSA_eay_private_decrypt(int flen, const unsigned char *from, 126static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
127 unsigned char *to, RSA *rsa,int padding); 127 unsigned char *to, RSA *rsa,int padding);
128static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa, BN_CTX *ctx); 128static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa);
129static int RSA_eay_init(RSA *rsa); 129static int RSA_eay_init(RSA *rsa);
130static int RSA_eay_finish(RSA *rsa); 130static int RSA_eay_finish(RSA *rsa);
131static RSA_METHOD rsa_pkcs1_eay_meth={ 131static RSA_METHOD rsa_pkcs1_eay_meth={
@@ -141,8 +141,7 @@ static RSA_METHOD rsa_pkcs1_eay_meth={
141 0, /* flags */ 141 0, /* flags */
142 NULL, 142 NULL,
143 0, /* rsa_sign */ 143 0, /* rsa_sign */
144 0, /* rsa_verify */ 144 0 /* rsa_verify */
145 NULL /* rsa_keygen */
146 }; 145 };
147 146
148const RSA_METHOD *RSA_PKCS1_SSLeay(void) 147const RSA_METHOD *RSA_PKCS1_SSLeay(void)
@@ -150,53 +149,19 @@ const RSA_METHOD *RSA_PKCS1_SSLeay(void)
150 return(&rsa_pkcs1_eay_meth); 149 return(&rsa_pkcs1_eay_meth);
151 } 150 }
152 151
153/* Usage example;
154 * MONT_HELPER(rsa->_method_mod_p, bn_ctx, rsa->p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
155 */
156#define MONT_HELPER(method_mod, ctx, m, pre_cond, err_instr) \
157 if ((pre_cond) && ((method_mod) == NULL) && \
158 !BN_MONT_CTX_set_locked(&(method_mod), \
159 CRYPTO_LOCK_RSA, \
160 (m), (ctx))) \
161 err_instr
162
163static int RSA_eay_public_encrypt(int flen, const unsigned char *from, 152static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
164 unsigned char *to, RSA *rsa, int padding) 153 unsigned char *to, RSA *rsa, int padding)
165 { 154 {
166 BIGNUM *f,*ret; 155 BIGNUM f,ret;
167 int i,j,k,num=0,r= -1; 156 int i,j,k,num=0,r= -1;
168 unsigned char *buf=NULL; 157 unsigned char *buf=NULL;
169 BN_CTX *ctx=NULL; 158 BN_CTX *ctx=NULL;
170 159
171 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) 160 BN_init(&f);
172 { 161 BN_init(&ret);
173 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE);
174 return -1;
175 }
176
177 if (BN_ucmp(rsa->n, rsa->e) <= 0)
178 {
179 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
180 return -1;
181 }
182
183 /* for large moduli, enforce exponent limit */
184 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS)
185 {
186 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS)
187 {
188 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
189 return -1;
190 }
191 }
192
193 if ((ctx=BN_CTX_new()) == NULL) goto err; 162 if ((ctx=BN_CTX_new()) == NULL) goto err;
194 BN_CTX_start(ctx);
195 f = BN_CTX_get(ctx);
196 ret = BN_CTX_get(ctx);
197 num=BN_num_bytes(rsa->n); 163 num=BN_num_bytes(rsa->n);
198 buf = OPENSSL_malloc(num); 164 if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL)
199 if (!f || !ret || !buf)
200 { 165 {
201 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE); 166 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE);
202 goto err; 167 goto err;
@@ -224,34 +189,37 @@ static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
224 } 189 }
225 if (i <= 0) goto err; 190 if (i <= 0) goto err;
226 191
227 if (BN_bin2bn(buf,num,f) == NULL) goto err; 192 if (BN_bin2bn(buf,num,&f) == NULL) goto err;
228 193
229 if (BN_ucmp(f, rsa->n) >= 0) 194 if (BN_ucmp(&f, rsa->n) >= 0)
230 { 195 {
231 /* usually the padding functions would catch this */ 196 /* usually the padding functions would catch this */
232 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 197 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
233 goto err; 198 goto err;
234 } 199 }
235 200
236 MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err); 201 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
202 {
203 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
204 CRYPTO_LOCK_RSA, rsa->n, ctx))
205 goto err;
206 }
237 207
238 if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx, 208 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
239 rsa->_method_mod_n)) goto err; 209 rsa->_method_mod_n)) goto err;
240 210
241 /* put in leading 0 bytes if the number is less than the 211 /* put in leading 0 bytes if the number is less than the
242 * length of the modulus */ 212 * length of the modulus */
243 j=BN_num_bytes(ret); 213 j=BN_num_bytes(&ret);
244 i=BN_bn2bin(ret,&(to[num-j])); 214 i=BN_bn2bin(&ret,&(to[num-j]));
245 for (k=0; k<(num-i); k++) 215 for (k=0; k<(num-i); k++)
246 to[k]=0; 216 to[k]=0;
247 217
248 r=num; 218 r=num;
249err: 219err:
250 if (ctx != NULL) 220 if (ctx != NULL) BN_CTX_free(ctx);
251 { 221 BN_clear_free(&f);
252 BN_CTX_end(ctx); 222 BN_clear_free(&ret);
253 BN_CTX_free(ctx);
254 }
255 if (buf != NULL) 223 if (buf != NULL)
256 { 224 {
257 OPENSSL_cleanse(buf,num); 225 OPENSSL_cleanse(buf,num);
@@ -260,115 +228,98 @@ err:
260 return(r); 228 return(r);
261 } 229 }
262 230
263static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx) 231static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx)
264{ 232 {
265 BN_BLINDING *ret; 233 int ret = 1;
266 int got_write_lock = 0; 234 CRYPTO_w_lock(CRYPTO_LOCK_RSA);
235 /* Check again inside the lock - the macro's check is racey */
236 if(rsa->blinding == NULL)
237 ret = RSA_blinding_on(rsa, ctx);
238 CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
239 return ret;
240 }
267 241
268 CRYPTO_r_lock(CRYPTO_LOCK_RSA); 242#define BLINDING_HELPER(rsa, ctx, err_instr) \
243 do { \
244 if((!((rsa)->flags & RSA_FLAG_NO_BLINDING)) && \
245 ((rsa)->blinding == NULL) && \
246 !rsa_eay_blinding(rsa, ctx)) \
247 err_instr \
248 } while(0)
269 249
270 if (rsa->blinding == NULL) 250static BN_BLINDING *setup_blinding(RSA *rsa, BN_CTX *ctx)
271 { 251 {
272 CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 252 BIGNUM *A, *Ai;
273 CRYPTO_w_lock(CRYPTO_LOCK_RSA); 253 BN_BLINDING *ret = NULL;
274 got_write_lock = 1;
275 254
276 if (rsa->blinding == NULL) 255 /* added in OpenSSL 0.9.6j and 0.9.7b */
277 rsa->blinding = RSA_setup_blinding(rsa, ctx);
278 }
279 256
280 ret = rsa->blinding; 257 /* NB: similar code appears in RSA_blinding_on (rsa_lib.c);
281 if (ret == NULL) 258 * this should be placed in a new function of its own, but for reasons
282 goto err; 259 * of binary compatibility can't */
283 260
284 if (BN_BLINDING_get_thread_id(ret) == CRYPTO_thread_id()) 261 BN_CTX_start(ctx);
262 A = BN_CTX_get(ctx);
263 if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL)
285 { 264 {
286 /* rsa->blinding is ours! */ 265 /* if PRNG is not properly seeded, resort to secret exponent as unpredictable seed */
287 266 RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0);
288 *local = 1; 267 if (!BN_pseudo_rand_range(A,rsa->n)) goto err;
289 } 268 }
290 else 269 else
291 { 270 {
292 /* resort to rsa->mt_blinding instead */ 271 if (!BN_rand_range(A,rsa->n)) goto err;
293
294 *local = 0; /* instructs rsa_blinding_convert(), rsa_blinding_invert()
295 * that the BN_BLINDING is shared, meaning that accesses
296 * require locks, and that the blinding factor must be
297 * stored outside the BN_BLINDING
298 */
299
300 if (rsa->mt_blinding == NULL)
301 {
302 if (!got_write_lock)
303 {
304 CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
305 CRYPTO_w_lock(CRYPTO_LOCK_RSA);
306 got_write_lock = 1;
307 }
308
309 if (rsa->mt_blinding == NULL)
310 rsa->mt_blinding = RSA_setup_blinding(rsa, ctx);
311 }
312 ret = rsa->mt_blinding;
313 } 272 }
273 if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err;
314 274
315 err: 275 if (!rsa->meth->bn_mod_exp(A,A,rsa->e,rsa->n,ctx,rsa->_method_mod_n))
316 if (got_write_lock) 276 goto err;
317 CRYPTO_w_unlock(CRYPTO_LOCK_RSA); 277 ret = BN_BLINDING_new(A,Ai,rsa->n);
318 else 278 BN_free(Ai);
319 CRYPTO_r_unlock(CRYPTO_LOCK_RSA); 279err:
280 BN_CTX_end(ctx);
320 return ret; 281 return ret;
321} 282 }
322
323static int rsa_blinding_convert(BN_BLINDING *b, int local, BIGNUM *f,
324 BIGNUM *r, BN_CTX *ctx)
325{
326 if (local)
327 return BN_BLINDING_convert_ex(f, NULL, b, ctx);
328 else
329 {
330 int ret;
331 CRYPTO_r_lock(CRYPTO_LOCK_RSA_BLINDING);
332 ret = BN_BLINDING_convert_ex(f, r, b, ctx);
333 CRYPTO_r_unlock(CRYPTO_LOCK_RSA_BLINDING);
334 return ret;
335 }
336}
337
338static int rsa_blinding_invert(BN_BLINDING *b, int local, BIGNUM *f,
339 BIGNUM *r, BN_CTX *ctx)
340{
341 if (local)
342 return BN_BLINDING_invert_ex(f, NULL, b, ctx);
343 else
344 {
345 int ret;
346 CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING);
347 ret = BN_BLINDING_invert_ex(f, r, b, ctx);
348 CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING);
349 return ret;
350 }
351}
352 283
353/* signing */ 284/* signing */
354static int RSA_eay_private_encrypt(int flen, const unsigned char *from, 285static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
355 unsigned char *to, RSA *rsa, int padding) 286 unsigned char *to, RSA *rsa, int padding)
356 { 287 {
357 BIGNUM *f, *ret, *br, *res; 288 BIGNUM f,ret, *res;
358 int i,j,k,num=0,r= -1; 289 int i,j,k,num=0,r= -1;
359 unsigned char *buf=NULL; 290 unsigned char *buf=NULL;
360 BN_CTX *ctx=NULL; 291 BN_CTX *ctx=NULL;
361 int local_blinding = 0; 292 int local_blinding = 0;
362 BN_BLINDING *blinding = NULL; 293 BN_BLINDING *blinding = NULL;
363 294
295 BN_init(&f);
296 BN_init(&ret);
297
298 if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS)
299 {
300 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE);
301 return -1;
302 }
303
304 if (BN_ucmp(rsa->n, rsa->e) <= 0)
305 {
306 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
307 return -1;
308 }
309
310 /* for large moduli, enforce exponent limit */
311 if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS)
312 {
313 if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS)
314 {
315 RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
316 return -1;
317 }
318 }
319
364 if ((ctx=BN_CTX_new()) == NULL) goto err; 320 if ((ctx=BN_CTX_new()) == NULL) goto err;
365 BN_CTX_start(ctx); 321 num=BN_num_bytes(rsa->n);
366 f = BN_CTX_get(ctx); 322 if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL)
367 br = BN_CTX_get(ctx);
368 ret = BN_CTX_get(ctx);
369 num = BN_num_bytes(rsa->n);
370 buf = OPENSSL_malloc(num);
371 if(!f || !ret || !buf)
372 { 323 {
373 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE); 324 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE);
374 goto err; 325 goto err;
@@ -379,9 +330,6 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
379 case RSA_PKCS1_PADDING: 330 case RSA_PKCS1_PADDING:
380 i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen); 331 i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen);
381 break; 332 break;
382 case RSA_X931_PADDING:
383 i=RSA_padding_add_X931(buf,num,from,flen);
384 break;
385 case RSA_NO_PADDING: 333 case RSA_NO_PADDING:
386 i=RSA_padding_add_none(buf,num,from,flen); 334 i=RSA_padding_add_none(buf,num,from,flen);
387 break; 335 break;
@@ -392,18 +340,26 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
392 } 340 }
393 if (i <= 0) goto err; 341 if (i <= 0) goto err;
394 342
395 if (BN_bin2bn(buf,num,f) == NULL) goto err; 343 if (BN_bin2bn(buf,num,&f) == NULL) goto err;
396 344
397 if (BN_ucmp(f, rsa->n) >= 0) 345 if (BN_ucmp(&f, rsa->n) >= 0)
398 { 346 {
399 /* usually the padding functions would catch this */ 347 /* usually the padding functions would catch this */
400 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 348 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
401 goto err; 349 goto err;
402 } 350 }
403 351
352 BLINDING_HELPER(rsa, ctx, goto err;);
353 blinding = rsa->blinding;
354
355 /* Now unless blinding is disabled, 'blinding' is non-NULL.
356 * But the BN_BLINDING object may be owned by some other thread
357 * (we don't want to keep it constant and we don't want to use
358 * lots of locking to avoid race conditions, so only a single
359 * thread can use it; other threads have to use local blinding
360 * factors) */
404 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) 361 if (!(rsa->flags & RSA_FLAG_NO_BLINDING))
405 { 362 {
406 blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
407 if (blinding == NULL) 363 if (blinding == NULL)
408 { 364 {
409 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR); 365 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_INTERNAL_ERROR);
@@ -412,8 +368,20 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
412 } 368 }
413 369
414 if (blinding != NULL) 370 if (blinding != NULL)
415 if (!rsa_blinding_convert(blinding, local_blinding, f, br, ctx)) 371 {
416 goto err; 372 if (blinding->thread_id != CRYPTO_thread_id())
373 {
374 /* we need a local one-time blinding factor */
375
376 blinding = setup_blinding(rsa, ctx);
377 if (blinding == NULL)
378 goto err;
379 local_blinding = 1;
380 }
381 }
382
383 if (blinding)
384 if (!BN_BLINDING_convert(&f, blinding, ctx)) goto err;
417 385
418 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || 386 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
419 ((rsa->p != NULL) && 387 ((rsa->p != NULL) &&
@@ -422,42 +390,37 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
422 (rsa->dmq1 != NULL) && 390 (rsa->dmq1 != NULL) &&
423 (rsa->iqmp != NULL)) ) 391 (rsa->iqmp != NULL)) )
424 { 392 {
425 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) goto err; 393 if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err;
426 } 394 }
427 else 395 else
428 { 396 {
429 BIGNUM local_d; 397 BIGNUM local_d;
430 BIGNUM *d = NULL; 398 BIGNUM *d = NULL;
431 399
432 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 400 if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME))
433 { 401 {
434 BN_init(&local_d); 402 BN_init(&local_d);
435 d = &local_d; 403 d = &local_d;
436 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); 404 BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME);
437 } 405 }
438 else 406 else
439 d= rsa->d; 407 d = rsa->d;
440 408 if (!rsa->meth->bn_mod_exp(&ret,&f,d,rsa->n,ctx,NULL)) goto err;
441 MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
442
443 if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx,
444 rsa->_method_mod_n)) goto err;
445 } 409 }
446 410
447 if (blinding) 411 if (blinding)
448 if (!rsa_blinding_invert(blinding, local_blinding, ret, br, ctx)) 412 if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err;
449 goto err;
450 413
451 if (padding == RSA_X931_PADDING) 414 if (padding == RSA_X931_PADDING)
452 { 415 {
453 BN_sub(f, rsa->n, ret); 416 BN_sub(&f, rsa->n, &ret);
454 if (BN_cmp(ret, f)) 417 if (BN_cmp(&ret, &f))
455 res = f; 418 res = &f;
456 else 419 else
457 res = ret; 420 res = &ret;
458 } 421 }
459 else 422 else
460 res = ret; 423 res = &ret;
461 424
462 /* put in leading 0 bytes if the number is less than the 425 /* put in leading 0 bytes if the number is less than the
463 * length of the modulus */ 426 * length of the modulus */
@@ -468,11 +431,11 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
468 431
469 r=num; 432 r=num;
470err: 433err:
471 if (ctx != NULL) 434 if (ctx != NULL) BN_CTX_free(ctx);
472 { 435 BN_clear_free(&ret);
473 BN_CTX_end(ctx); 436 BN_clear_free(&f);
474 BN_CTX_free(ctx); 437 if (local_blinding)
475 } 438 BN_BLINDING_free(blinding);
476 if (buf != NULL) 439 if (buf != NULL)
477 { 440 {
478 OPENSSL_cleanse(buf,num); 441 OPENSSL_cleanse(buf,num);
@@ -484,7 +447,7 @@ err:
484static int RSA_eay_private_decrypt(int flen, const unsigned char *from, 447static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
485 unsigned char *to, RSA *rsa, int padding) 448 unsigned char *to, RSA *rsa, int padding)
486 { 449 {
487 BIGNUM *f, *ret, *br; 450 BIGNUM f,ret;
488 int j,num=0,r= -1; 451 int j,num=0,r= -1;
489 unsigned char *p; 452 unsigned char *p;
490 unsigned char *buf=NULL; 453 unsigned char *buf=NULL;
@@ -492,14 +455,14 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
492 int local_blinding = 0; 455 int local_blinding = 0;
493 BN_BLINDING *blinding = NULL; 456 BN_BLINDING *blinding = NULL;
494 457
495 if((ctx = BN_CTX_new()) == NULL) goto err; 458 BN_init(&f);
496 BN_CTX_start(ctx); 459 BN_init(&ret);
497 f = BN_CTX_get(ctx); 460 ctx=BN_CTX_new();
498 br = BN_CTX_get(ctx); 461 if (ctx == NULL) goto err;
499 ret = BN_CTX_get(ctx); 462
500 num = BN_num_bytes(rsa->n); 463 num=BN_num_bytes(rsa->n);
501 buf = OPENSSL_malloc(num); 464
502 if(!f || !ret || !buf) 465 if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL)
503 { 466 {
504 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE); 467 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE);
505 goto err; 468 goto err;
@@ -514,17 +477,25 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
514 } 477 }
515 478
516 /* make data into a big number */ 479 /* make data into a big number */
517 if (BN_bin2bn(from,(int)flen,f) == NULL) goto err; 480 if (BN_bin2bn(from,(int)flen,&f) == NULL) goto err;
518 481
519 if (BN_ucmp(f, rsa->n) >= 0) 482 if (BN_ucmp(&f, rsa->n) >= 0)
520 { 483 {
521 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 484 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
522 goto err; 485 goto err;
523 } 486 }
524 487
488 BLINDING_HELPER(rsa, ctx, goto err;);
489 blinding = rsa->blinding;
490
491 /* Now unless blinding is disabled, 'blinding' is non-NULL.
492 * But the BN_BLINDING object may be owned by some other thread
493 * (we don't want to keep it constant and we don't want to use
494 * lots of locking to avoid race conditions, so only a single
495 * thread can use it; other threads have to use local blinding
496 * factors) */
525 if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) 497 if (!(rsa->flags & RSA_FLAG_NO_BLINDING))
526 { 498 {
527 blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
528 if (blinding == NULL) 499 if (blinding == NULL)
529 { 500 {
530 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR); 501 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_INTERNAL_ERROR);
@@ -533,8 +504,20 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
533 } 504 }
534 505
535 if (blinding != NULL) 506 if (blinding != NULL)
536 if (!rsa_blinding_convert(blinding, local_blinding, f, br, ctx)) 507 {
537 goto err; 508 if (blinding->thread_id != CRYPTO_thread_id())
509 {
510 /* we need a local one-time blinding factor */
511
512 blinding = setup_blinding(rsa, ctx);
513 if (blinding == NULL)
514 goto err;
515 local_blinding = 1;
516 }
517 }
518
519 if (blinding)
520 if (!BN_BLINDING_convert(&f, blinding, ctx)) goto err;
538 521
539 /* do the decrypt */ 522 /* do the decrypt */
540 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || 523 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
@@ -544,33 +527,29 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
544 (rsa->dmq1 != NULL) && 527 (rsa->dmq1 != NULL) &&
545 (rsa->iqmp != NULL)) ) 528 (rsa->iqmp != NULL)) )
546 { 529 {
547 if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx)) goto err; 530 if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err;
548 } 531 }
549 else 532 else
550 { 533 {
551 BIGNUM local_d; 534 BIGNUM local_d;
552 BIGNUM *d = NULL; 535 BIGNUM *d = NULL;
553 536
554 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 537 if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME))
555 { 538 {
556 d = &local_d; 539 d = &local_d;
557 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); 540 BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME);
558 } 541 }
559 else 542 else
560 d = rsa->d; 543 d = rsa->d;
561 544 if (!rsa->meth->bn_mod_exp(&ret,&f,d,rsa->n,ctx,NULL))
562 MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err); 545 goto err;
563 if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx,
564 rsa->_method_mod_n))
565 goto err;
566 } 546 }
567 547
568 if (blinding) 548 if (blinding)
569 if (!rsa_blinding_invert(blinding, local_blinding, ret, br, ctx)) 549 if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err;
570 goto err;
571 550
572 p=buf; 551 p=buf;
573 j=BN_bn2bin(ret,p); /* j is only used with no-padding mode */ 552 j=BN_bn2bin(&ret,p); /* j is only used with no-padding mode */
574 553
575 switch (padding) 554 switch (padding)
576 { 555 {
@@ -596,11 +575,11 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
596 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED); 575 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
597 576
598err: 577err:
599 if (ctx != NULL) 578 if (ctx != NULL) BN_CTX_free(ctx);
600 { 579 BN_clear_free(&f);
601 BN_CTX_end(ctx); 580 BN_clear_free(&ret);
602 BN_CTX_free(ctx); 581 if (local_blinding)
603 } 582 BN_BLINDING_free(blinding);
604 if (buf != NULL) 583 if (buf != NULL)
605 { 584 {
606 OPENSSL_cleanse(buf,num); 585 OPENSSL_cleanse(buf,num);
@@ -613,7 +592,7 @@ err:
613static int RSA_eay_public_decrypt(int flen, const unsigned char *from, 592static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
614 unsigned char *to, RSA *rsa, int padding) 593 unsigned char *to, RSA *rsa, int padding)
615 { 594 {
616 BIGNUM *f,*ret; 595 BIGNUM f,ret;
617 int i,num=0,r= -1; 596 int i,num=0,r= -1;
618 unsigned char *p; 597 unsigned char *p;
619 unsigned char *buf=NULL; 598 unsigned char *buf=NULL;
@@ -640,14 +619,15 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
640 return -1; 619 return -1;
641 } 620 }
642 } 621 }
643 622
644 if((ctx = BN_CTX_new()) == NULL) goto err; 623 BN_init(&f);
645 BN_CTX_start(ctx); 624 BN_init(&ret);
646 f = BN_CTX_get(ctx); 625 ctx=BN_CTX_new();
647 ret = BN_CTX_get(ctx); 626 if (ctx == NULL) goto err;
627
648 num=BN_num_bytes(rsa->n); 628 num=BN_num_bytes(rsa->n);
649 buf = OPENSSL_malloc(num); 629 buf=(unsigned char *)OPENSSL_malloc(num);
650 if(!f || !ret || !buf) 630 if (buf == NULL)
651 { 631 {
652 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE); 632 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE);
653 goto err; 633 goto err;
@@ -661,33 +641,37 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
661 goto err; 641 goto err;
662 } 642 }
663 643
664 if (BN_bin2bn(from,flen,f) == NULL) goto err; 644 if (BN_bin2bn(from,flen,&f) == NULL) goto err;
665 645
666 if (BN_ucmp(f, rsa->n) >= 0) 646 if (BN_ucmp(&f, rsa->n) >= 0)
667 { 647 {
668 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); 648 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
669 goto err; 649 goto err;
670 } 650 }
671 651
672 MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err); 652 /* do the decrypt */
653
654 if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
655 {
656 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
657 CRYPTO_LOCK_RSA, rsa->n, ctx))
658 goto err;
659 }
673 660
674 if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx, 661 if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
675 rsa->_method_mod_n)) goto err; 662 rsa->_method_mod_n)) goto err;
676 663
677 if ((padding == RSA_X931_PADDING) && ((ret->d[0] & 0xf) != 12)) 664 if ((padding == RSA_X931_PADDING) && ((ret.d[0] & 0xf) != 12))
678 BN_sub(ret, rsa->n, ret); 665 BN_sub(&ret, rsa->n, &ret);
679 666
680 p=buf; 667 p=buf;
681 i=BN_bn2bin(ret,p); 668 i=BN_bn2bin(&ret,p);
682 669
683 switch (padding) 670 switch (padding)
684 { 671 {
685 case RSA_PKCS1_PADDING: 672 case RSA_PKCS1_PADDING:
686 r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num); 673 r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num);
687 break; 674 break;
688 case RSA_X931_PADDING:
689 r=RSA_padding_check_X931(to,num,buf,i,num);
690 break;
691 case RSA_NO_PADDING: 675 case RSA_NO_PADDING:
692 r=RSA_padding_check_none(to,num,buf,i,num); 676 r=RSA_padding_check_none(to,num,buf,i,num);
693 break; 677 break;
@@ -699,11 +683,9 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
699 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED); 683 RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED);
700 684
701err: 685err:
702 if (ctx != NULL) 686 if (ctx != NULL) BN_CTX_free(ctx);
703 { 687 BN_clear_free(&f);
704 BN_CTX_end(ctx); 688 BN_clear_free(&ret);
705 BN_CTX_free(ctx);
706 }
707 if (buf != NULL) 689 if (buf != NULL)
708 { 690 {
709 OPENSSL_cleanse(buf,num); 691 OPENSSL_cleanse(buf,num);
@@ -712,111 +694,59 @@ err:
712 return(r); 694 return(r);
713 } 695 }
714 696
715static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) 697static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
716 { 698 {
717 BIGNUM *r1,*m1,*vrfy; 699 BIGNUM r1,m1,vrfy;
718 BIGNUM local_dmp1,local_dmq1,local_c,local_r1; 700 BIGNUM local_dmp1, local_dmq1;
719 BIGNUM *dmp1,*dmq1,*c,*pr1; 701 BIGNUM *dmp1, *dmq1;
720 int ret=0; 702 int ret=0;
703 BN_CTX *ctx;
721 704
722 BN_CTX_start(ctx); 705 BN_init(&m1);
723 r1 = BN_CTX_get(ctx); 706 BN_init(&r1);
724 m1 = BN_CTX_get(ctx); 707 BN_init(&vrfy);
725 vrfy = BN_CTX_get(ctx); 708 if ((ctx=BN_CTX_new()) == NULL) goto err;
726
727 {
728 BIGNUM local_p, local_q;
729 BIGNUM *p = NULL, *q = NULL;
730
731 /* Make sure BN_mod_inverse in Montgomery intialization uses the
732 * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set)
733 */
734 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
735 {
736 BN_init(&local_p);
737 p = &local_p;
738 BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
739
740 BN_init(&local_q);
741 q = &local_q;
742 BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
743 }
744 else
745 {
746 p = rsa->p;
747 q = rsa->q;
748 }
749
750 MONT_HELPER(rsa->_method_mod_p, ctx, p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
751 MONT_HELPER(rsa->_method_mod_q, ctx, q, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
752 }
753
754 MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
755 709
756 /* compute I mod q */ 710 if (rsa->flags & RSA_FLAG_CACHE_PRIVATE)
757 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
758 {
759 c = &local_c;
760 BN_with_flags(c, I, BN_FLG_CONSTTIME);
761 if (!BN_mod(r1,c,rsa->q,ctx)) goto err;
762 }
763 else
764 { 711 {
765 if (!BN_mod(r1,I,rsa->q,ctx)) goto err; 712 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p,
713 CRYPTO_LOCK_RSA, rsa->p, ctx))
714 goto err;
715 if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q,
716 CRYPTO_LOCK_RSA, rsa->q, ctx))
717 goto err;
766 } 718 }
767 719
768 /* compute r1^dmq1 mod q */ 720 if (!BN_mod(&r1,I,rsa->q,ctx)) goto err;
769 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 721 if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME))
770 { 722 {
771 dmq1 = &local_dmq1; 723 dmq1 = &local_dmq1;
772 BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME); 724 BN_with_flags(dmq1, rsa->dmq1, BN_FLG_EXP_CONSTTIME);
773 } 725 }
774 else 726 else
775 dmq1 = rsa->dmq1; 727 dmq1 = rsa->dmq1;
776 if (!rsa->meth->bn_mod_exp(m1,r1,dmq1,rsa->q,ctx, 728 if (!rsa->meth->bn_mod_exp(&m1,&r1,dmq1,rsa->q,ctx,
777 rsa->_method_mod_q)) goto err; 729 rsa->_method_mod_q)) goto err;
778 730
779 /* compute I mod p */ 731 if (!BN_mod(&r1,I,rsa->p,ctx)) goto err;
780 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 732 if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME))
781 {
782 c = &local_c;
783 BN_with_flags(c, I, BN_FLG_CONSTTIME);
784 if (!BN_mod(r1,c,rsa->p,ctx)) goto err;
785 }
786 else
787 {
788 if (!BN_mod(r1,I,rsa->p,ctx)) goto err;
789 }
790
791 /* compute r1^dmp1 mod p */
792 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
793 { 733 {
794 dmp1 = &local_dmp1; 734 dmp1 = &local_dmp1;
795 BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME); 735 BN_with_flags(dmp1, rsa->dmp1, BN_FLG_EXP_CONSTTIME);
796 } 736 }
797 else 737 else
798 dmp1 = rsa->dmp1; 738 dmp1 = rsa->dmp1;
799 if (!rsa->meth->bn_mod_exp(r0,r1,dmp1,rsa->p,ctx, 739 if (!rsa->meth->bn_mod_exp(r0,&r1,dmp1,rsa->p,ctx,
800 rsa->_method_mod_p)) goto err; 740 rsa->_method_mod_p)) goto err;
801 741
802 if (!BN_sub(r0,r0,m1)) goto err; 742 if (!BN_sub(r0,r0,&m1)) goto err;
803 /* This will help stop the size of r0 increasing, which does 743 /* This will help stop the size of r0 increasing, which does
804 * affect the multiply if it optimised for a power of 2 size */ 744 * affect the multiply if it optimised for a power of 2 size */
805 if (BN_is_negative(r0)) 745 if (r0->neg)
806 if (!BN_add(r0,r0,rsa->p)) goto err; 746 if (!BN_add(r0,r0,rsa->p)) goto err;
807 747
808 if (!BN_mul(r1,r0,rsa->iqmp,ctx)) goto err; 748 if (!BN_mul(&r1,r0,rsa->iqmp,ctx)) goto err;
809 749 if (!BN_mod(r0,&r1,rsa->p,ctx)) goto err;
810 /* Turn BN_FLG_CONSTTIME flag on before division operation */
811 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
812 {
813 pr1 = &local_r1;
814 BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
815 }
816 else
817 pr1 = r1;
818 if (!BN_mod(r0,pr1,rsa->p,ctx)) goto err;
819
820 /* If p < q it is occasionally possible for the correction of 750 /* If p < q it is occasionally possible for the correction of
821 * adding 'p' if r0 is negative above to leave the result still 751 * adding 'p' if r0 is negative above to leave the result still
822 * negative. This can break the private key operations: the following 752 * negative. This can break the private key operations: the following
@@ -824,23 +754,23 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
824 * This will *never* happen with OpenSSL generated keys because 754 * This will *never* happen with OpenSSL generated keys because
825 * they ensure p > q [steve] 755 * they ensure p > q [steve]
826 */ 756 */
827 if (BN_is_negative(r0)) 757 if (r0->neg)
828 if (!BN_add(r0,r0,rsa->p)) goto err; 758 if (!BN_add(r0,r0,rsa->p)) goto err;
829 if (!BN_mul(r1,r0,rsa->q,ctx)) goto err; 759 if (!BN_mul(&r1,r0,rsa->q,ctx)) goto err;
830 if (!BN_add(r0,r1,m1)) goto err; 760 if (!BN_add(r0,&r1,&m1)) goto err;
831 761
832 if (rsa->e && rsa->n) 762 if (rsa->e && rsa->n)
833 { 763 {
834 if (!rsa->meth->bn_mod_exp(vrfy,r0,rsa->e,rsa->n,ctx,rsa->_method_mod_n)) goto err; 764 if (!rsa->meth->bn_mod_exp(&vrfy,r0,rsa->e,rsa->n,ctx,NULL)) goto err;
835 /* If 'I' was greater than (or equal to) rsa->n, the operation 765 /* If 'I' was greater than (or equal to) rsa->n, the operation
836 * will be equivalent to using 'I mod n'. However, the result of 766 * will be equivalent to using 'I mod n'. However, the result of
837 * the verify will *always* be less than 'n' so we don't check 767 * the verify will *always* be less than 'n' so we don't check
838 * for absolute equality, just congruency. */ 768 * for absolute equality, just congruency. */
839 if (!BN_sub(vrfy, vrfy, I)) goto err; 769 if (!BN_sub(&vrfy, &vrfy, I)) goto err;
840 if (!BN_mod(vrfy, vrfy, rsa->n, ctx)) goto err; 770 if (!BN_mod(&vrfy, &vrfy, rsa->n, ctx)) goto err;
841 if (BN_is_negative(vrfy)) 771 if (vrfy.neg)
842 if (!BN_add(vrfy, vrfy, rsa->n)) goto err; 772 if (!BN_add(&vrfy, &vrfy, rsa->n)) goto err;
843 if (!BN_is_zero(vrfy)) 773 if (!BN_is_zero(&vrfy))
844 { 774 {
845 /* 'I' and 'vrfy' aren't congruent mod n. Don't leak 775 /* 'I' and 'vrfy' aren't congruent mod n. Don't leak
846 * miscalculated CRT output, just do a raw (slower) 776 * miscalculated CRT output, just do a raw (slower)
@@ -849,20 +779,22 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
849 BIGNUM local_d; 779 BIGNUM local_d;
850 BIGNUM *d = NULL; 780 BIGNUM *d = NULL;
851 781
852 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) 782 if (!(rsa->flags & RSA_FLAG_NO_EXP_CONSTTIME))
853 { 783 {
854 d = &local_d; 784 d = &local_d;
855 BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); 785 BN_with_flags(d, rsa->d, BN_FLG_EXP_CONSTTIME);
856 } 786 }
857 else 787 else
858 d = rsa->d; 788 d = rsa->d;
859 if (!rsa->meth->bn_mod_exp(r0,I,d,rsa->n,ctx, 789 if (!rsa->meth->bn_mod_exp(r0,I,d,rsa->n,ctx,NULL)) goto err;
860 rsa->_method_mod_n)) goto err;
861 } 790 }
862 } 791 }
863 ret=1; 792 ret=1;
864err: 793err:
865 BN_CTX_end(ctx); 794 BN_clear_free(&m1);
795 BN_clear_free(&r1);
796 BN_clear_free(&vrfy);
797 BN_CTX_free(ctx);
866 return(ret); 798 return(ret);
867 } 799 }
868 800
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-27 05:09:29 +0000