mirror of https://github.com/openssl/openssl
Updates from stable branch... fixup CHANGES.
This commit is contained in:
parent
3d3fd6beb2
commit
351b731d00
451
CHANGES
451
CHANGES
|
@ -2,6 +2,196 @@
|
|||
OpenSSL CHANGES
|
||||
_______________
|
||||
|
||||
Changes between 0.9.8h and 0.9.8i [xx XXX xxxx]
|
||||
|
||||
*) Fix a state transitition in s3_srvr.c and d1_srvr.c
|
||||
(was using SSL3_ST_CW_CLNT_HELLO_B, should be ..._ST_SW_SRVR_...).
|
||||
[Nagendra Modadugu]
|
||||
|
||||
*) The fix in 0.9.8c that supposedly got rid of unsafe
|
||||
double-checked locking was incomplete for RSA blinding,
|
||||
addressing just one layer of what turns out to have been
|
||||
doubly unsafe triple-checked locking.
|
||||
|
||||
So now fix this for real by retiring the MONT_HELPER macro
|
||||
in crypto/rsa/rsa_eay.c.
|
||||
|
||||
[Bodo Moeller; problem pointed out by Marius Schilder]
|
||||
|
||||
*) Various precautionary measures:
|
||||
|
||||
- Avoid size_t integer overflow in HASH_UPDATE (md32_common.h).
|
||||
|
||||
- Avoid a buffer overflow in d2i_SSL_SESSION() (ssl_asn1.c).
|
||||
(NB: This would require knowledge of the secret session ticket key
|
||||
to exploit, in which case you'd be SOL either way.)
|
||||
|
||||
- Change bn_nist.c so that it will properly handle input BIGNUMs
|
||||
outside the expected range.
|
||||
|
||||
- Enforce the 'num' check in BN_div() (bn_div.c) for non-BN_DEBUG
|
||||
builds.
|
||||
|
||||
[Neel Mehta, Bodo Moeller]
|
||||
|
||||
*) Add support for Local Machine Keyset attribute in PKCS#12 files.
|
||||
[Steve Henson]
|
||||
|
||||
*) Fix BN_GF2m_mod_arr() top-bit cleanup code.
|
||||
[Huang Ying]
|
||||
|
||||
*) Expand ENGINE to support engine supplied SSL client certificate functions.
|
||||
|
||||
This work was sponsored by Logica.
|
||||
[Steve Henson]
|
||||
|
||||
*) Add CryptoAPI ENGINE to support use of RSA and DSA keys held in Windows
|
||||
keystores. Support for SSL/TLS client authentication too.
|
||||
Not compiled unless enable-capieng specified to Configure.
|
||||
|
||||
This work was sponsored by Logica.
|
||||
[Steve Henson]
|
||||
|
||||
*) Allow engines to be "soft loaded" - i.e. optionally don't die if
|
||||
the load fails. Useful for distros.
|
||||
[Ben Laurie and the FreeBSD team]
|
||||
|
||||
Changes between 0.9.8g and 0.9.8h [28 May 2008]
|
||||
|
||||
*) Fix flaw if 'Server Key exchange message' is omitted from a TLS
|
||||
handshake which could lead to a cilent crash as found using the
|
||||
Codenomicon TLS test suite (CVE-2008-1672)
|
||||
[Steve Henson, Mark Cox]
|
||||
|
||||
*) Fix double free in TLS server name extensions which could lead to
|
||||
a remote crash found by Codenomicon TLS test suite (CVE-2008-0891)
|
||||
[Joe Orton]
|
||||
|
||||
*) Clear error queue in SSL_CTX_use_certificate_chain_file()
|
||||
|
||||
Clear the error queue to ensure that error entries left from
|
||||
older function calls do not interfere with the correct operation.
|
||||
[Lutz Jaenicke, Erik de Castro Lopo]
|
||||
|
||||
*) Remove root CA certificates of commercial CAs:
|
||||
|
||||
The OpenSSL project does not recommend any specific CA and does not
|
||||
have any policy with respect to including or excluding any CA.
|
||||
Therefore it does not make any sense to ship an arbitrary selection
|
||||
of root CA certificates with the OpenSSL software.
|
||||
[Lutz Jaenicke]
|
||||
|
||||
*) RSA OAEP patches to fix two separate invalid memory reads.
|
||||
The first one involves inputs when 'lzero' is greater than
|
||||
'SHA_DIGEST_LENGTH' (it would read about SHA_DIGEST_LENGTH bytes
|
||||
before the beginning of from). The second one involves inputs where
|
||||
the 'db' section contains nothing but zeroes (there is a one-byte
|
||||
invalid read after the end of 'db').
|
||||
[Ivan Nestlerode <inestlerode@us.ibm.com>]
|
||||
|
||||
*) Partial backport from 0.9.9-dev:
|
||||
|
||||
Introduce bn_mul_mont (dedicated Montgomery multiplication
|
||||
procedure) as a candidate for BIGNUM assembler implementation.
|
||||
While 0.9.9-dev uses assembler for various architectures, only
|
||||
x86_64 is available by default here in the 0.9.8 branch, and
|
||||
32-bit x86 is available through a compile-time setting.
|
||||
|
||||
To try the 32-bit x86 assembler implementation, use Configure
|
||||
option "enable-montasm" (which exists only for this backport).
|
||||
|
||||
As "enable-montasm" for 32-bit x86 disclaims code stability
|
||||
anyway, in this constellation we activate additional code
|
||||
backported from 0.9.9-dev for further performance improvements,
|
||||
namely BN_from_montgomery_word. (To enable this otherwise,
|
||||
e.g. x86_64, try "-DMONT_FROM_WORD___NON_DEFAULT_0_9_8_BUILD".)
|
||||
|
||||
[Andy Polyakov (backport partially by Bodo Moeller)]
|
||||
|
||||
*) Add TLS session ticket callback. This allows an application to set
|
||||
TLS ticket cipher and HMAC keys rather than relying on hardcoded fixed
|
||||
values. This is useful for key rollover for example where several key
|
||||
sets may exist with different names.
|
||||
[Steve Henson]
|
||||
|
||||
*) Reverse ENGINE-internal logic for caching default ENGINE handles.
|
||||
This was broken until now in 0.9.8 releases, such that the only way
|
||||
a registered ENGINE could be used (assuming it initialises
|
||||
successfully on the host) was to explicitly set it as the default
|
||||
for the relevant algorithms. This is in contradiction with 0.9.7
|
||||
behaviour and the documentation. With this fix, when an ENGINE is
|
||||
registered into a given algorithm's table of implementations, the
|
||||
'uptodate' flag is reset so that auto-discovery will be used next
|
||||
time a new context for that algorithm attempts to select an
|
||||
implementation.
|
||||
[Ian Lister (tweaked by Geoff Thorpe)]
|
||||
|
||||
*) Backport of CMS code to OpenSSL 0.9.8. This differs from the 0.9.9
|
||||
implemention in the following ways:
|
||||
|
||||
Lack of EVP_PKEY_ASN1_METHOD means algorithm parameters have to be
|
||||
hard coded.
|
||||
|
||||
Lack of BER streaming support means one pass streaming processing is
|
||||
only supported if data is detached: setting the streaming flag is
|
||||
ignored for embedded content.
|
||||
|
||||
CMS support is disabled by default and must be explicitly enabled
|
||||
with the enable-cms configuration option.
|
||||
[Steve Henson]
|
||||
|
||||
*) Update the GMP engine glue to do direct copies between BIGNUM and
|
||||
mpz_t when openssl and GMP use the same limb size. Otherwise the
|
||||
existing "conversion via a text string export" trick is still used.
|
||||
[Paul Sheer <paulsheer@gmail.com>]
|
||||
|
||||
*) Zlib compression BIO. This is a filter BIO which compressed and
|
||||
uncompresses any data passed through it.
|
||||
[Steve Henson]
|
||||
|
||||
*) Add AES_wrap_key() and AES_unwrap_key() functions to implement
|
||||
RFC3394 compatible AES key wrapping.
|
||||
[Steve Henson]
|
||||
|
||||
*) Add utility functions to handle ASN1 structures. ASN1_STRING_set0():
|
||||
sets string data without copying. X509_ALGOR_set0() and
|
||||
X509_ALGOR_get0(): set and retrieve X509_ALGOR (AlgorithmIdentifier)
|
||||
data. Attribute function X509at_get0_data_by_OBJ(): retrieves data
|
||||
from an X509_ATTRIBUTE structure optionally checking it occurs only
|
||||
once. ASN1_TYPE_set1(): set and ASN1_TYPE structure copying supplied
|
||||
data.
|
||||
[Steve Henson]
|
||||
|
||||
*) Fix BN flag handling in RSA_eay_mod_exp() and BN_MONT_CTX_set()
|
||||
to get the expected BN_FLG_CONSTTIME behavior.
|
||||
[Bodo Moeller (Google)]
|
||||
|
||||
*) Netware support:
|
||||
|
||||
- fixed wrong usage of ioctlsocket() when build for LIBC BSD sockets
|
||||
- fixed do_tests.pl to run the test suite with CLIB builds too (CLIB_OPT)
|
||||
- added some more tests to do_tests.pl
|
||||
- fixed RunningProcess usage so that it works with newer LIBC NDKs too
|
||||
- removed usage of BN_LLONG for CLIB builds to avoid runtime dependency
|
||||
- added new Configure targets netware-clib-bsdsock, netware-clib-gcc,
|
||||
netware-clib-bsdsock-gcc, netware-libc-bsdsock-gcc
|
||||
- various changes to netware.pl to enable gcc-cross builds on Win32
|
||||
platform
|
||||
- changed crypto/bio/b_sock.c to work with macro functions (CLIB BSD)
|
||||
- various changes to fix missing prototype warnings
|
||||
- fixed x86nasm.pl to create correct asm files for NASM COFF output
|
||||
- added AES, WHIRLPOOL and CPUID assembler code to build files
|
||||
- added missing AES assembler make rules to mk1mf.pl
|
||||
- fixed order of includes in apps/ocsp.c so that e_os.h settings apply
|
||||
[Guenter Knauf <eflash@gmx.net>]
|
||||
|
||||
*) Implement certificate status request TLS extension defined in RFC3546.
|
||||
A client can set the appropriate parameters and receive the encoded
|
||||
OCSP response via a callback. A server can query the supplied parameters
|
||||
and set the encoded OCSP response in the callback. Add simplified examples
|
||||
to s_client and s_server.
|
||||
[Steve Henson]
|
||||
|
||||
Changes between 0.9.8g and 0.9.8h-fips [xx XXX xxxx]
|
||||
|
||||
*) Add flag EVP_CIPH_FLAG_LENGTH_BITS to indicate that input buffer length
|
||||
|
@ -133,14 +323,6 @@
|
|||
Update Windows build system.
|
||||
[Steve Henson]
|
||||
|
||||
Changes between 0.9.8g and 0.9.8h [xx XXX xxxx]
|
||||
|
||||
*) Implement certificate status request TLS extension defined in RFC3546.
|
||||
A client can set the appropriate parameters and receive the encoded
|
||||
OCSP response via a callback. A server can query the supplied parameters
|
||||
and set the encoded OCSP response in the callback. Add simplified examples
|
||||
to s_client and s_server.
|
||||
[Steve Henson]
|
||||
|
||||
Changes between 0.9.8f and 0.9.8g [19 Oct 2007]
|
||||
|
||||
|
@ -307,256 +489,9 @@
|
|||
authentication-only ciphersuites.
|
||||
[Bodo Moeller]
|
||||
|
||||
Changes between 0.9.8e and 0.9.8f [23 Feb 2007]
|
||||
|
||||
*) Mitigate branch prediction attacks, which can be practical if a
|
||||
single processor is shared, allowing a spy process to extract
|
||||
information. For detailed background information, see
|
||||
http://eprint.iacr.org/2007/039 (O. Aciicmez, S. Gueron,
|
||||
J.-P. Seifert, "New Branch Prediction Vulnerabilities in OpenSSL
|
||||
and Necessary Software Countermeasures"). The core of the change
|
||||
are new versions BN_div_no_branch() and
|
||||
BN_mod_inverse_no_branch() of BN_div() and BN_mod_inverse(),
|
||||
respectively, which are slower, but avoid the security-relevant
|
||||
conditional branches. These are automatically called by BN_div()
|
||||
and BN_mod_inverse() if the flag BN_FLG_CONSTTIME is set for the
|
||||
modulus. Also, BN_is_bit_set() has been changed to remove a
|
||||
conditional branch.
|
||||
|
||||
BN_FLG_CONSTTIME is the new name for the previous
|
||||
BN_FLG_EXP_CONSTTIME flag, since it now affects more than just
|
||||
modular exponentiation. (Since OpenSSL 0.9.7h, setting this flag
|
||||
in the exponent causes BN_mod_exp_mont() to use the alternative
|
||||
implementation in BN_mod_exp_mont_consttime().) The old name
|
||||
remains as a deprecated alias.
|
||||
|
||||
Similary, RSA_FLAG_NO_EXP_CONSTTIME is replaced by a more general
|
||||
RSA_FLAG_NO_CONSTTIME flag since the RSA implementation now uses
|
||||
constant-time implementations for more than just exponentiation.
|
||||
Here too the old name is kept as a deprecated alias.
|
||||
|
||||
BN_BLINDING_new() will now use BN_dup() for the modulus so that
|
||||
the BN_BLINDING structure gets an independent copy of the
|
||||
modulus. This means that the previous "BIGNUM *m" argument to
|
||||
BN_BLINDING_new() and to BN_BLINDING_create_param() now
|
||||
essentially becomes "const BIGNUM *m", although we can't actually
|
||||
change this in the header file before 0.9.9. It allows
|
||||
RSA_setup_blinding() to use BN_with_flags() on the modulus to
|
||||
enable BN_FLG_CONSTTIME.
|
||||
|
||||
[Matthew D Wood (Intel Corp)]
|
||||
|
||||
*) Mitigate branch prediction attacks, which can be practical if a
|
||||
single processor is shared, allowing a spy process to extract
|
||||
information. For detailed background information, see
|
||||
http://eprint.iacr.org/2007/039 (O. Aciicmez, S. Gueron,
|
||||
J.-P. Seifert, "New Branch Prediction Vulnerabilities in OpenSSL
|
||||
and Necessary Software Countermeasures"). The core of the change
|
||||
are new versions BN_div_no_branch() and
|
||||
BN_mod_inverse_no_branch() of BN_div() and BN_mod_inverse(),
|
||||
respectively, which are slower, but avoid the security-relevant
|
||||
conditional branches. These are automatically called by BN_div()
|
||||
and BN_mod_inverse() if the flag BN_FLG_CONSTTIME is set for one
|
||||
of the input BIGNUMs. Also, BN_is_bit_set() has been changed to
|
||||
remove a conditional branch.
|
||||
|
||||
BN_FLG_CONSTTIME is the new name for the previous
|
||||
BN_FLG_EXP_CONSTTIME flag, since it now affects more than just
|
||||
modular exponentiation. (Since OpenSSL 0.9.7h, setting this flag
|
||||
in the exponent causes BN_mod_exp_mont() to use the alternative
|
||||
implementation in BN_mod_exp_mont_consttime().) The old name
|
||||
remains as a deprecated alias.
|
||||
|
||||
Similary, RSA_FLAG_NO_EXP_CONSTTIME is replaced by a more general
|
||||
RSA_FLAG_NO_CONSTTIME flag since the RSA implementation now uses
|
||||
constant-time implementations for more than just exponentiation.
|
||||
Here too the old name is kept as a deprecated alias.
|
||||
|
||||
BN_BLINDING_new() will now use BN_dup() for the modulus so that
|
||||
the BN_BLINDING structure gets an independent copy of the
|
||||
modulus. This means that the previous "BIGNUM *m" argument to
|
||||
BN_BLINDING_new() and to BN_BLINDING_create_param() now
|
||||
essentially becomes "const BIGNUM *m", although we can't actually
|
||||
change this in the header file before 0.9.9. It allows
|
||||
RSA_setup_blinding() to use BN_with_flags() on the modulus to
|
||||
enable BN_FLG_CONSTTIME.
|
||||
|
||||
[Matthew D Wood (Intel Corp)]
|
||||
|
||||
*) Add the Korean symmetric 128-bit cipher SEED (see
|
||||
http://www.kisa.or.kr/kisa/seed/jsp/seed_eng.jsp) and
|
||||
add SEED ciphersuites from RFC 4162:
|
||||
|
||||
TLS_RSA_WITH_SEED_CBC_SHA = "SEED-SHA"
|
||||
TLS_DHE_DSS_WITH_SEED_CBC_SHA = "DHE-DSS-SEED-SHA"
|
||||
TLS_DHE_RSA_WITH_SEED_CBC_SHA = "DHE-RSA-SEED-SHA"
|
||||
TLS_DH_anon_WITH_SEED_CBC_SHA = "ADH-SEED-SHA"
|
||||
|
||||
To minimize changes between patchlevels in the OpenSSL 0.9.8
|
||||
series, SEED remains excluded from compilation unless OpenSSL
|
||||
is configured with 'enable-seed'.
|
||||
[KISA, Bodo Moeller]
|
||||
|
||||
*) Mitigate branch prediction attacks, which can be practical if a
|
||||
single processor is shared, allowing a spy process to extract
|
||||
information. For detailed background information, see
|
||||
http://eprint.iacr.org/2007/039 (O. Aciicmez, S. Gueron,
|
||||
J.-P. Seifert, "New Branch Prediction Vulnerabilities in OpenSSL
|
||||
and Necessary Software Countermeasures"). The core of the change
|
||||
are new versions BN_div_no_branch() and
|
||||
BN_mod_inverse_no_branch() of BN_div() and BN_mod_inverse(),
|
||||
respectively, which are slower, but avoid the security-relevant
|
||||
conditional branches. These are automatically called by BN_div()
|
||||
and BN_mod_inverse() if the flag BN_FLG_CONSTTIME is set for one
|
||||
of the input BIGNUMs. Also, BN_is_bit_set() has been changed to
|
||||
remove a conditional branch.
|
||||
|
||||
BN_FLG_CONSTTIME is the new name for the previous
|
||||
BN_FLG_EXP_CONSTTIME flag, since it now affects more than just
|
||||
modular exponentiation. (Since OpenSSL 0.9.7h, setting this flag
|
||||
in the exponent causes BN_mod_exp_mont() to use the alternative
|
||||
implementation in BN_mod_exp_mont_consttime().) The old name
|
||||
remains as a deprecated alias.
|
||||
|
||||
Similary, RSA_FLAG_NO_EXP_CONSTTIME is replaced by a more general
|
||||
RSA_FLAG_NO_CONSTTIME flag since the RSA implementation now uses
|
||||
constant-time implementations for more than just exponentiation.
|
||||
Here too the old name is kept as a deprecated alias.
|
||||
|
||||
BN_BLINDING_new() will now use BN_dup() for the modulus so that
|
||||
the BN_BLINDING structure gets an independent copy of the
|
||||
modulus. This means that the previous "BIGNUM *m" argument to
|
||||
BN_BLINDING_new() and to BN_BLINDING_create_param() now
|
||||
essentially becomes "const BIGNUM *m", although we can't actually
|
||||
change this in the header file before 0.9.9. It allows
|
||||
RSA_setup_blinding() to use BN_with_flags() on the modulus to
|
||||
enable BN_FLG_CONSTTIME.
|
||||
|
||||
[Matthew D Wood (Intel Corp)]
|
||||
|
||||
*) Add the Korean symmetric 128-bit cipher SEED (see
|
||||
http://www.kisa.or.kr/kisa/seed/jsp/seed_eng.jsp) and
|
||||
add SEED ciphersuites from RFC 4162:
|
||||
|
||||
TLS_RSA_WITH_SEED_CBC_SHA = "SEED-SHA"
|
||||
TLS_DHE_DSS_WITH_SEED_CBC_SHA = "DHE-DSS-SEED-SHA"
|
||||
TLS_DHE_RSA_WITH_SEED_CBC_SHA = "DHE-RSA-SEED-SHA"
|
||||
TLS_DH_anon_WITH_SEED_CBC_SHA = "ADH-SEED-SHA"
|
||||
|
||||
To minimize changes between patchlevels in the OpenSSL 0.9.8
|
||||
series, SEED remains excluded from compilation unless OpenSSL
|
||||
is configured with 'enable-seed'.
|
||||
[KISA, Bodo Moeller]
|
||||
|
||||
*) Mitigate branch prediction attacks, which can be practical if a
|
||||
single processor is shared, allowing a spy process to extract
|
||||
information. For detailed background information, see
|
||||
http://eprint.iacr.org/2007/039 (O. Aciicmez, S. Gueron,
|
||||
J.-P. Seifert, "New Branch Prediction Vulnerabilities in OpenSSL
|
||||
and Necessary Software Countermeasures"). The core of the change
|
||||
are new versions BN_div_no_branch() and
|
||||
BN_mod_inverse_no_branch() of BN_div() and BN_mod_inverse(),
|
||||
respectively, which are slower, but avoid the security-relevant
|
||||
conditional branches. These are automatically called by BN_div()
|
||||
and BN_mod_inverse() if the flag BN_FLG_CONSTTIME is set for one
|
||||
of the input BIGNUMs. Also, BN_is_bit_set() has been changed to
|
||||
remove a conditional branch.
|
||||
|
||||
BN_FLG_CONSTTIME is the new name for the previous
|
||||
BN_FLG_EXP_CONSTTIME flag, since it now affects more than just
|
||||
modular exponentiation. (Since OpenSSL 0.9.7h, setting this flag
|
||||
in the exponent causes BN_mod_exp_mont() to use the alternative
|
||||
implementation in BN_mod_exp_mont_consttime().) The old name
|
||||
remains as a deprecated alias.
|
||||
|
||||
Similary, RSA_FLAG_NO_EXP_CONSTTIME is replaced by a more general
|
||||
RSA_FLAG_NO_CONSTTIME flag since the RSA implementation now uses
|
||||
constant-time implementations for more than just exponentiation.
|
||||
Here too the old name is kept as a deprecated alias.
|
||||
|
||||
BN_BLINDING_new() will now use BN_dup() for the modulus so that
|
||||
the BN_BLINDING structure gets an independent copy of the
|
||||
modulus. This means that the previous "BIGNUM *m" argument to
|
||||
BN_BLINDING_new() and to BN_BLINDING_create_param() now
|
||||
essentially becomes "const BIGNUM *m", although we can't actually
|
||||
change this in the header file before 0.9.9. It allows
|
||||
RSA_setup_blinding() to use BN_with_flags() on the modulus to
|
||||
enable BN_FLG_CONSTTIME.
|
||||
|
||||
[Matthew D Wood (Intel Corp)]
|
||||
|
||||
*) Squeeze another 10% out of IGE mode when in != out.
|
||||
[Ben Laurie]
|
||||
|
||||
*) AES IGE mode speedup.
|
||||
[Dean Gaudet (Google)]
|
||||
|
||||
*) Add the Korean symmetric 128-bit cipher SEED (see
|
||||
http://www.kisa.or.kr/kisa/seed/jsp/seed_eng.jsp) and
|
||||
add SEED ciphersuites from RFC 4162:
|
||||
|
||||
TLS_RSA_WITH_SEED_CBC_SHA = "SEED-SHA"
|
||||
TLS_DHE_DSS_WITH_SEED_CBC_SHA = "DHE-DSS-SEED-SHA"
|
||||
TLS_DHE_RSA_WITH_SEED_CBC_SHA = "DHE-RSA-SEED-SHA"
|
||||
TLS_DH_anon_WITH_SEED_CBC_SHA = "ADH-SEED-SHA"
|
||||
|
||||
To minimize changes between patchlevels in the OpenSSL 0.9.8
|
||||
series, SEED remains excluded from compilation unless OpenSSL
|
||||
is configured with 'enable-seed'.
|
||||
[KISA, Bodo Moeller]
|
||||
|
||||
*) Mitigate branch prediction attacks, which can be practical if a
|
||||
single processor is shared, allowing a spy process to extract
|
||||
information. For detailed background information, see
|
||||
http://eprint.iacr.org/2007/039 (O. Aciicmez, S. Gueron,
|
||||
J.-P. Seifert, "New Branch Prediction Vulnerabilities in OpenSSL
|
||||
and Necessary Software Countermeasures"). The core of the change
|
||||
are new versions BN_div_no_branch() and
|
||||
BN_mod_inverse_no_branch() of BN_div() and BN_mod_inverse(),
|
||||
respectively, which are slower, but avoid the security-relevant
|
||||
conditional branches. These are automatically called by BN_div()
|
||||
and BN_mod_inverse() if the flag BN_FLG_CONSTTIME is set for one
|
||||
of the input BIGNUMs. Also, BN_is_bit_set() has been changed to
|
||||
remove a conditional branch.
|
||||
|
||||
BN_FLG_CONSTTIME is the new name for the previous
|
||||
BN_FLG_EXP_CONSTTIME flag, since it now affects more than just
|
||||
modular exponentiation. (Since OpenSSL 0.9.7h, setting this flag
|
||||
in the exponent causes BN_mod_exp_mont() to use the alternative
|
||||
implementation in BN_mod_exp_mont_consttime().) The old name
|
||||
remains as a deprecated alias.
|
||||
|
||||
Similary, RSA_FLAG_NO_EXP_CONSTTIME is replaced by a more general
|
||||
RSA_FLAG_NO_CONSTTIME flag since the RSA implementation now uses
|
||||
constant-time implementations for more than just exponentiation.
|
||||
Here too the old name is kept as a deprecated alias.
|
||||
|
||||
BN_BLINDING_new() will now use BN_dup() for the modulus so that
|
||||
the BN_BLINDING structure gets an independent copy of the
|
||||
modulus. This means that the previous "BIGNUM *m" argument to
|
||||
BN_BLINDING_new() and to BN_BLINDING_create_param() now
|
||||
essentially becomes "const BIGNUM *m", although we can't actually
|
||||
change this in the header file before 0.9.9. It allows
|
||||
RSA_setup_blinding() to use BN_with_flags() on the modulus to
|
||||
enable BN_FLG_CONSTTIME.
|
||||
|
||||
[Matthew D Wood (Intel Corp)]
|
||||
|
||||
*) In the SSL/TLS server implementation, be strict about session ID
|
||||
context matching (which matters if an application uses a single
|
||||
external cache for different purposes). Previously,
|
||||
out-of-context reuse was forbidden only if SSL_VERIFY_PEER was
|
||||
set. This did ensure strict client verification, but meant that,
|
||||
with applications using a single external cache for quite
|
||||
different requirements, clients could circumvent ciphersuite
|
||||
restrictions for a given session ID context by starting a session
|
||||
in a different context.
|
||||
[Bodo Moeller]
|
||||
|
||||
*) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that
|
||||
a ciphersuite string such as "DEFAULT:RSA" cannot enable
|
||||
authentication-only ciphersuites.
|
||||
[Bodo Moeller]
|
||||
*) Update the SSL_get_shared_ciphers() fix CVE-2006-3738 which was
|
||||
not complete and could lead to a possible single byte overflow
|
||||
(CVE-2007-5135) [Ben Laurie]
|
||||
|
||||
Changes between 0.9.8d and 0.9.8e [23 Feb 2007]
|
||||
|
||||
|
|
|
@ -187,6 +187,17 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
|
|||
BN_ULONG d0,d1;
|
||||
int num_n,div_n;
|
||||
|
||||
/* Invalid zero-padding would have particularly bad consequences
|
||||
* in the case of 'num', so don't just rely on bn_check_top() for this one
|
||||
* (bn_check_top() works only for BN_DEBUG builds) */
|
||||
if (num->top > 0 && num->d[num->top - 1] == 0)
|
||||
{
|
||||
BNerr(BN_F_BN_DIV,BN_R_NOT_INITIALIZED);
|
||||
return 0;
|
||||
}
|
||||
|
||||
bn_check_top(num);
|
||||
|
||||
if ((BN_get_flags(num, BN_FLG_CONSTTIME) != 0) || (BN_get_flags(divisor, BN_FLG_CONSTTIME) != 0))
|
||||
{
|
||||
return BN_div_no_branch(dv, rm, num, divisor, ctx);
|
||||
|
@ -194,7 +205,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
|
|||
|
||||
bn_check_top(dv);
|
||||
bn_check_top(rm);
|
||||
bn_check_top(num);
|
||||
/* bn_check_top(num); */ /* 'num' has been checked already */
|
||||
bn_check_top(divisor);
|
||||
|
||||
if (BN_is_zero(divisor))
|
||||
|
@ -419,7 +430,7 @@ static int BN_div_no_branch(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num,
|
|||
|
||||
bn_check_top(dv);
|
||||
bn_check_top(rm);
|
||||
bn_check_top(num);
|
||||
/* bn_check_top(num); */ /* 'num' has been checked in BN_div() */
|
||||
bn_check_top(divisor);
|
||||
|
||||
if (BN_is_zero(divisor))
|
||||
|
|
|
@ -59,6 +59,7 @@
|
|||
#include "bn_lcl.h"
|
||||
#include "cryptlib.h"
|
||||
|
||||
|
||||
#define BN_NIST_192_TOP (192+BN_BITS2-1)/BN_BITS2
|
||||
#define BN_NIST_224_TOP (224+BN_BITS2-1)/BN_BITS2
|
||||
#define BN_NIST_256_TOP (256+BN_BITS2-1)/BN_BITS2
|
||||
|
@ -101,60 +102,98 @@ static const BN_ULONG _nist_p_521[] = {0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,
|
|||
0xFFFFFFFF,0x000001FF};
|
||||
#endif
|
||||
|
||||
|
||||
static const BIGNUM _bignum_nist_p_192 =
|
||||
{
|
||||
(BN_ULONG *)_nist_p_192,
|
||||
BN_NIST_192_TOP,
|
||||
BN_NIST_192_TOP,
|
||||
0,
|
||||
BN_FLG_STATIC_DATA
|
||||
};
|
||||
|
||||
static const BIGNUM _bignum_nist_p_224 =
|
||||
{
|
||||
(BN_ULONG *)_nist_p_224,
|
||||
BN_NIST_224_TOP,
|
||||
BN_NIST_224_TOP,
|
||||
0,
|
||||
BN_FLG_STATIC_DATA
|
||||
};
|
||||
|
||||
static const BIGNUM _bignum_nist_p_256 =
|
||||
{
|
||||
(BN_ULONG *)_nist_p_256,
|
||||
BN_NIST_256_TOP,
|
||||
BN_NIST_256_TOP,
|
||||
0,
|
||||
BN_FLG_STATIC_DATA
|
||||
};
|
||||
|
||||
static const BIGNUM _bignum_nist_p_384 =
|
||||
{
|
||||
(BN_ULONG *)_nist_p_384,
|
||||
BN_NIST_384_TOP,
|
||||
BN_NIST_384_TOP,
|
||||
0,
|
||||
BN_FLG_STATIC_DATA
|
||||
};
|
||||
|
||||
static const BIGNUM _bignum_nist_p_521 =
|
||||
{
|
||||
(BN_ULONG *)_nist_p_521,
|
||||
BN_NIST_521_TOP,
|
||||
BN_NIST_521_TOP,
|
||||
0,
|
||||
BN_FLG_STATIC_DATA
|
||||
};
|
||||
|
||||
|
||||
const BIGNUM *BN_get0_nist_prime_192(void)
|
||||
{
|
||||
static BIGNUM const_nist_192 = { (BN_ULONG *)_nist_p_192,
|
||||
BN_NIST_192_TOP, BN_NIST_192_TOP, 0, BN_FLG_STATIC_DATA };
|
||||
return &const_nist_192;
|
||||
return &_bignum_nist_p_192;
|
||||
}
|
||||
|
||||
const BIGNUM *BN_get0_nist_prime_224(void)
|
||||
{
|
||||
static BIGNUM const_nist_224 = { (BN_ULONG *)_nist_p_224,
|
||||
BN_NIST_224_TOP, BN_NIST_224_TOP, 0, BN_FLG_STATIC_DATA };
|
||||
return &const_nist_224;
|
||||
return &_bignum_nist_p_224;
|
||||
}
|
||||
|
||||
const BIGNUM *BN_get0_nist_prime_256(void)
|
||||
{
|
||||
static BIGNUM const_nist_256 = { (BN_ULONG *)_nist_p_256,
|
||||
BN_NIST_256_TOP, BN_NIST_256_TOP, 0, BN_FLG_STATIC_DATA };
|
||||
return &const_nist_256;
|
||||
return &_bignum_nist_p_256;
|
||||
}
|
||||
|
||||
const BIGNUM *BN_get0_nist_prime_384(void)
|
||||
{
|
||||
static BIGNUM const_nist_384 = { (BN_ULONG *)_nist_p_384,
|
||||
BN_NIST_384_TOP, BN_NIST_384_TOP, 0, BN_FLG_STATIC_DATA };
|
||||
return &const_nist_384;
|
||||
return &_bignum_nist_p_384;
|
||||
}
|
||||
|
||||
const BIGNUM *BN_get0_nist_prime_521(void)
|
||||
{
|
||||
static BIGNUM const_nist_521 = { (BN_ULONG *)_nist_p_521,
|
||||
BN_NIST_521_TOP, BN_NIST_521_TOP, 0, BN_FLG_STATIC_DATA };
|
||||
return &const_nist_521;
|
||||
return &_bignum_nist_p_521;
|
||||
}
|
||||
|
||||
#define BN_NIST_ADD_ONE(a) while (!(*(a)=(*(a)+1)&BN_MASK2)) ++(a);
|
||||
|
||||
static void nist_cp_bn_0(BN_ULONG *buf, BN_ULONG *a, int top, int max)
|
||||
{
|
||||
{
|
||||
int i;
|
||||
BN_ULONG *_tmp1 = (buf), *_tmp2 = (a);
|
||||
for (i = (top); i != 0; i--)
|
||||
*_tmp1++ = *_tmp2++;
|
||||
for (i = (max) - (top); i != 0; i--)
|
||||
*_tmp1++ = (BN_ULONG) 0;
|
||||
}
|
||||
BN_ULONG *_tmp1 = (buf), *_tmp2 = (a);
|
||||
|
||||
OPENSSL_assert(top <= max);
|
||||
for (i = (top); i != 0; i--)
|
||||
*_tmp1++ = *_tmp2++;
|
||||
for (i = (max) - (top); i != 0; i--)
|
||||
*_tmp1++ = (BN_ULONG) 0;
|
||||
}
|
||||
|
||||
static void nist_cp_bn(BN_ULONG *buf, BN_ULONG *a, int top)
|
||||
{
|
||||
{
|
||||
int i;
|
||||
BN_ULONG *_tmp1 = (buf), *_tmp2 = (a);
|
||||
for (i = (top); i != 0; i--)
|
||||
*_tmp1++ = *_tmp2++;
|
||||
}
|
||||
BN_ULONG *_tmp1 = (buf), *_tmp2 = (a);
|
||||
for (i = (top); i != 0; i--)
|
||||
*_tmp1++ = *_tmp2++;
|
||||
}
|
||||
|
||||
#if BN_BITS2 == 64
|
||||
#define bn_cp_64(to, n, from, m) (to)[n] = (m>=0)?((from)[m]):0;
|
||||
|
@ -199,6 +238,11 @@ int BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
|
|||
*res;
|
||||
size_t mask;
|
||||
|
||||
field = &_bignum_nist_p_192; /* just to make sure */
|
||||
|
||||
if (BN_is_negative(a) || a->top > 2*BN_NIST_192_TOP)
|
||||
return BN_nnmod(r, field, a, ctx);
|
||||
|
||||
i = BN_ucmp(field, a);
|
||||
if (i == 0)
|
||||
{
|
||||
|
@ -208,9 +252,6 @@ int BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
|
|||
else if (i > 0)
|
||||
return (r == a) ? 1 : (BN_copy(r ,a) != NULL);
|
||||
|
||||
if (top == BN_NIST_192_TOP)
|
||||
return BN_usub(r, a, field);
|
||||
|
||||
if (r != a)
|
||||
{
|
||||
if (!bn_wexpand(r, BN_NIST_192_TOP))
|
||||
|
@ -245,6 +286,11 @@ int BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
|
|||
r->top = BN_NIST_192_TOP;
|
||||
bn_correct_top(r);
|
||||
|
||||
if (BN_ucmp(field, r) <= 0)
|
||||
{
|
||||
if (!BN_usub(r, r, field)) return 0;
|
||||
}
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
@ -272,6 +318,11 @@ int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
|
|||
*res;
|
||||
size_t mask;
|
||||
|
||||
field = &_bignum_nist_p_224; /* just to make sure */
|
||||
|
||||
if (BN_is_negative(a) || a->top > 2*BN_NIST_224_TOP)
|
||||
return BN_nnmod(r, field, a, ctx);
|
||||
|
||||
i = BN_ucmp(field, a);
|
||||
if (i == 0)
|
||||
{
|
||||
|
@ -281,9 +332,6 @@ int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
|
|||
else if (i > 0)
|
||||
return (r == a)? 1 : (BN_copy(r ,a) != NULL);
|
||||
|
||||
if (top == BN_NIST_224_TOP)
|
||||
return BN_usub(r, a, field);
|
||||
|
||||
if (r != a)
|
||||
{
|
||||
if (!bn_wexpand(r, BN_NIST_224_TOP))
|
||||
|
@ -333,6 +381,11 @@ int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
|
|||
r->top = BN_NIST_224_TOP;
|
||||
bn_correct_top(r);
|
||||
|
||||
if (BN_ucmp(field, r) <= 0)
|
||||
{
|
||||
if (!BN_usub(r, r, field)) return 0;
|
||||
}
|
||||
|
||||
return 1;
|
||||
#else /* BN_BITS!=32 */
|
||||
return 0;
|
||||
|
@ -364,6 +417,11 @@ int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
|
|||
*res;
|
||||
size_t mask;
|
||||
|
||||
field = &_bignum_nist_p_256; /* just to make sure */
|
||||
|
||||
if (BN_is_negative(a) || a->top > 2*BN_NIST_256_TOP)
|
||||
return BN_nnmod(r, field, a, ctx);
|
||||
|
||||
i = BN_ucmp(field, a);
|
||||
if (i == 0)
|
||||
{
|
||||
|
@ -373,9 +431,6 @@ int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
|
|||
else if (i > 0)
|
||||
return (r == a)? 1 : (BN_copy(r ,a) != NULL);
|
||||
|
||||
if (top == BN_NIST_256_TOP)
|
||||
return BN_usub(r, a, field);
|
||||
|
||||
if (r != a)
|
||||
{
|
||||
if (!bn_wexpand(r, BN_NIST_256_TOP))
|
||||
|
@ -470,6 +525,11 @@ int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
|
|||
r->top = BN_NIST_256_TOP;
|
||||
bn_correct_top(r);
|
||||
|
||||
if (BN_ucmp(field, r) <= 0)
|
||||
{
|
||||
if (!BN_usub(r, r, field)) return 0;
|
||||
}
|
||||
|
||||
return 1;
|
||||
#else /* BN_BITS!=32 */
|
||||
return 0;
|
||||
|
@ -505,6 +565,11 @@ int BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
|
|||
*res;
|
||||
size_t mask;
|
||||
|
||||
field = &_bignum_nist_p_384; /* just to make sure */
|
||||
|
||||
if (BN_is_negative(a) || a->top > 2*BN_NIST_384_TOP)
|
||||
return BN_nnmod(r, field, a, ctx);
|
||||
|
||||
i = BN_ucmp(field, a);
|
||||
if (i == 0)
|
||||
{
|
||||
|
@ -514,9 +579,6 @@ int BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
|
|||
else if (i > 0)
|
||||
return (r == a)? 1 : (BN_copy(r ,a) != NULL);
|
||||
|
||||
if (top == BN_NIST_384_TOP)
|
||||
return BN_usub(r, a, field);
|
||||
|
||||
if (r != a)
|
||||
{
|
||||
if (!bn_wexpand(r, BN_NIST_384_TOP))
|
||||
|
@ -631,6 +693,11 @@ int BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
|
|||
r->top = BN_NIST_384_TOP;
|
||||
bn_correct_top(r);
|
||||
|
||||
if (BN_ucmp(field, r) <= 0)
|
||||
{
|
||||
if (!BN_usub(r, r, field)) return 0;
|
||||
}
|
||||
|
||||
return 1;
|
||||
#else /* BN_BITS!=32 */
|
||||
return 0;
|
||||
|
@ -649,11 +716,33 @@ int BN_nist_mod_521(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
|
|||
BN_ULONG *r_d;
|
||||
BIGNUM *tmp;
|
||||
|
||||
field = &_bignum_nist_p_521; /* just to make sure */
|
||||
|
||||
if (BN_is_negative(a))
|
||||
return BN_nnmod(r, field, a, ctx);
|
||||
|
||||
/* check whether a reduction is necessary */
|
||||
top = a->top;
|
||||
if (top < BN_NIST_521_TOP || ( top == BN_NIST_521_TOP &&
|
||||
(!(a->d[BN_NIST_521_TOP-1] & ~(BN_NIST_521_TOP_MASK)))))
|
||||
return (r == a)? 1 : (BN_copy(r ,a) != NULL);
|
||||
(!(a->d[BN_NIST_521_TOP-1] & ~(BN_NIST_521_TOP_MASK)))))
|
||||
{
|
||||
int i = BN_ucmp(field, a);
|
||||
if (i == 0)
|
||||
{
|
||||
BN_zero(r);
|
||||
return 1;
|
||||
}
|
||||
else
|
||||
{
|
||||
#ifdef BN_DEBUG
|
||||
OPENSSL_assert(i > 0); /* because 'field' is 1111...1111 */
|
||||
#endif
|
||||
return (r == a)? 1 : (BN_copy(r ,a) != NULL);
|
||||
}
|
||||
}
|
||||
|
||||
if (BN_num_bits(a) > 2*521)
|
||||
return BN_nnmod(r, field, a, ctx);
|
||||
|
||||
BN_CTX_start(ctx);
|
||||
tmp = BN_CTX_get(ctx);
|
||||
|
@ -673,15 +762,11 @@ int BN_nist_mod_521(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
|
|||
|
||||
if (!BN_uadd(r, tmp, r))
|
||||
goto err;
|
||||
top = r->top;
|
||||
r_d = r->d;
|
||||
if (top == BN_NIST_521_TOP &&
|
||||
(r_d[BN_NIST_521_TOP-1] & ~(BN_NIST_521_TOP_MASK)))
|
||||
|
||||
if (BN_ucmp(field, r) <= 0)
|
||||
{
|
||||
BN_NIST_ADD_ONE(r_d)
|
||||
r->d[BN_NIST_521_TOP-1] &= BN_NIST_521_TOP_MASK;
|
||||
if (!BN_usub(r, r, field)) goto err;
|
||||
}
|
||||
bn_correct_top(r);
|
||||
|
||||
ret = 1;
|
||||
err:
|
||||
|
|
|
@ -301,7 +301,7 @@ int HASH_UPDATE (HASH_CTX *c, const void *data_, size_t len)
|
|||
{
|
||||
p=(unsigned char *)c->data;
|
||||
|
||||
if ((n+len) >= HASH_CBLOCK)
|
||||
if (len >= HASH_CBLOCK || len+n >= HASH_CBLOCK)
|
||||
{
|
||||
memcpy (p+n,data,HASH_CBLOCK-n);
|
||||
HASH_BLOCK_DATA_ORDER (c,p,1);
|
||||
|
|
|
@ -150,16 +150,6 @@ const RSA_METHOD *RSA_PKCS1_SSLeay(void)
|
|||
return(&rsa_pkcs1_eay_meth);
|
||||
}
|
||||
|
||||
/* Usage example;
|
||||
* MONT_HELPER(rsa, bn_ctx, p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
|
||||
*/
|
||||
#define MONT_HELPER(rsa, ctx, m, pre_cond, err_instr) \
|
||||
if((pre_cond) && ((rsa)->_method_mod_##m == NULL) && \
|
||||
!BN_MONT_CTX_set_locked(&((rsa)->_method_mod_##m), \
|
||||
CRYPTO_LOCK_RSA, \
|
||||
(rsa)->m, (ctx))) \
|
||||
err_instr
|
||||
|
||||
static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
|
||||
unsigned char *to, RSA *rsa, int padding)
|
||||
{
|
||||
|
@ -227,13 +217,15 @@ static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
|
|||
if (BN_bin2bn(buf,num,f) == NULL) goto err;
|
||||
|
||||
if (BN_ucmp(f, rsa->n) >= 0)
|
||||
{
|
||||
{
|
||||
/* usually the padding functions would catch this */
|
||||
RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
|
||||
goto err;
|
||||
}
|
||||
|
||||
MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
|
||||
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
|
||||
if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
|
||||
goto err;
|
||||
|
||||
if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx,
|
||||
rsa->_method_mod_n)) goto err;
|
||||
|
@ -436,9 +428,11 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
|
|||
BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
|
||||
}
|
||||
else
|
||||
d = rsa->d;
|
||||
d= rsa->d;
|
||||
|
||||
MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
|
||||
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
|
||||
if(!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
|
||||
goto err;
|
||||
|
||||
if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx,
|
||||
rsa->_method_mod_n)) goto err;
|
||||
|
@ -559,7 +553,9 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
|
|||
else
|
||||
d = rsa->d;
|
||||
|
||||
MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
|
||||
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
|
||||
if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
|
||||
goto err;
|
||||
if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx,
|
||||
rsa->_method_mod_n))
|
||||
goto err;
|
||||
|
@ -669,7 +665,9 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
|
|||
goto err;
|
||||
}
|
||||
|
||||
MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
|
||||
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
|
||||
if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
|
||||
goto err;
|
||||
|
||||
if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx,
|
||||
rsa->_method_mod_n)) goto err;
|
||||
|
@ -717,7 +715,6 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
|
|||
BIGNUM *r1,*m1,*vrfy;
|
||||
BIGNUM local_dmp1,local_dmq1,local_c,local_r1;
|
||||
BIGNUM *dmp1,*dmq1,*c,*pr1;
|
||||
int bn_flags;
|
||||
int ret=0;
|
||||
|
||||
BN_CTX_start(ctx);
|
||||
|
@ -725,31 +722,41 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
|
|||
m1 = BN_CTX_get(ctx);
|
||||
vrfy = BN_CTX_get(ctx);
|
||||
|
||||
/* Make sure mod_inverse in montgomerey intialization use correct
|
||||
* BN_FLG_CONSTTIME flag.
|
||||
*/
|
||||
bn_flags = rsa->p->flags;
|
||||
if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
|
||||
{
|
||||
rsa->p->flags |= BN_FLG_CONSTTIME;
|
||||
}
|
||||
MONT_HELPER(rsa, ctx, p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
|
||||
/* We restore bn_flags back */
|
||||
rsa->p->flags = bn_flags;
|
||||
{
|
||||
BIGNUM local_p, local_q;
|
||||
BIGNUM *p = NULL, *q = NULL;
|
||||
|
||||
/* Make sure mod_inverse in montgomerey intialization use correct
|
||||
* BN_FLG_CONSTTIME flag.
|
||||
*/
|
||||
bn_flags = rsa->q->flags;
|
||||
if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
|
||||
{
|
||||
rsa->q->flags |= BN_FLG_CONSTTIME;
|
||||
}
|
||||
MONT_HELPER(rsa, ctx, q, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
|
||||
/* We restore bn_flags back */
|
||||
rsa->q->flags = bn_flags;
|
||||
/* Make sure BN_mod_inverse in Montgomery intialization uses the
|
||||
* BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set)
|
||||
*/
|
||||
if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
|
||||
{
|
||||
BN_init(&local_p);
|
||||
p = &local_p;
|
||||
BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
|
||||
|
||||
MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
|
||||
BN_init(&local_q);
|
||||
q = &local_q;
|
||||
BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
|
||||
}
|
||||
else
|
||||
{
|
||||
p = rsa->p;
|
||||
q = rsa->q;
|
||||
}
|
||||
|
||||
if (rsa->flags & RSA_FLAG_CACHE_PRIVATE)
|
||||
{
|
||||
if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, CRYPTO_LOCK_RSA, p, ctx))
|
||||
goto err;
|
||||
if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q, CRYPTO_LOCK_RSA, q, ctx))
|
||||
goto err;
|
||||
}
|
||||
}
|
||||
|
||||
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
|
||||
if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
|
||||
goto err;
|
||||
|
||||
/* compute I mod q */
|
||||
if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
|
||||
|
|
|
@ -732,7 +732,7 @@ int dtls1_send_server_hello(SSL *s)
|
|||
|
||||
d = dtls1_set_message_header(s, d, SSL3_MT_SERVER_HELLO, l, 0, l);
|
||||
|
||||
s->state=SSL3_ST_CW_CLNT_HELLO_B;
|
||||
s->state=SSL3_ST_SW_SRVR_HELLO_B;
|
||||
/* number of bytes to write */
|
||||
s->init_num=p-buf;
|
||||
s->init_off=0;
|
||||
|
@ -741,7 +741,7 @@ int dtls1_send_server_hello(SSL *s)
|
|||
dtls1_buffer_message(s, 0);
|
||||
}
|
||||
|
||||
/* SSL3_ST_CW_CLNT_HELLO_B */
|
||||
/* SSL3_ST_SW_SRVR_HELLO_B */
|
||||
return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
|
||||
}
|
||||
|
||||
|
@ -765,7 +765,7 @@ int dtls1_send_server_done(SSL *s)
|
|||
dtls1_buffer_message(s, 0);
|
||||
}
|
||||
|
||||
/* SSL3_ST_CW_CLNT_HELLO_B */
|
||||
/* SSL3_ST_SW_SRVR_DONE_B */
|
||||
return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
|
||||
}
|
||||
|
||||
|
|
|
@ -1172,13 +1172,13 @@ int ssl3_send_server_hello(SSL *s)
|
|||
*(d++)=SSL3_MT_SERVER_HELLO;
|
||||
l2n3(l,d);
|
||||
|
||||
s->state=SSL3_ST_CW_CLNT_HELLO_B;
|
||||
s->state=SSL3_ST_SW_CLNT_HELLO_B;
|
||||
/* number of bytes to write */
|
||||
s->init_num=p-buf;
|
||||
s->init_off=0;
|
||||
}
|
||||
|
||||
/* SSL3_ST_CW_CLNT_HELLO_B */
|
||||
/* SSL3_ST_SW_CLNT_HELLO_B */
|
||||
return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
|
||||
}
|
||||
|
||||
|
@ -1202,7 +1202,7 @@ int ssl3_send_server_done(SSL *s)
|
|||
s->init_off=0;
|
||||
}
|
||||
|
||||
/* SSL3_ST_CW_CLNT_HELLO_B */
|
||||
/* SSL3_ST_SW_SRVR_DONE_B */
|
||||
return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
|
||||
}
|
||||
|
||||
|
|
|
@ -353,7 +353,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
|
|||
memcpy(ret->session_id,os.data,os.length);
|
||||
|
||||
M_ASN1_D2I_get_x(ASN1_OCTET_STRING,osp,d2i_ASN1_OCTET_STRING);
|
||||
if (ret->master_key_length > SSL_MAX_MASTER_KEY_LENGTH)
|
||||
if (os.length > SSL_MAX_MASTER_KEY_LENGTH)
|
||||
ret->master_key_length=SSL_MAX_MASTER_KEY_LENGTH;
|
||||
else
|
||||
ret->master_key_length=os.length;
|
||||
|
|
Loading…
Reference in New Issue