ag/cpython-source-deps
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Import OpenSSL 1.1.0h

Browse Source
This commit is contained in:
Steve Dower
2018-04-13 17:45:41 +00:00
parent f39d324ed3
commit 807cee26df
513 changed files with 11248 additions and 3603 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
crypto/ec/asm/ecp_nistz256-x86_64.pl
View File

@@ -1185,19 +1185,18 @@ __ecp_nistz256_sqr_montx:
adox $t1, $acc5
.byte 0x67,0x67
mulx %rdx, $t0, $t4
mov $acc0, %rdx
mov .Lpoly+8*3(%rip), %rdx
adox $t0, $acc6
shlx $a_ptr, $acc0, $t0
adox $t4, $acc7
shrx $a_ptr, $acc0, $t4
mov .Lpoly+8*3(%rip), $t1
mov %rdx,$t1
# reduction step 1
add $t0, $acc1
adc $t4, $acc2
mulx $t1, $t0, $acc0
mov $acc1, %rdx
mulx $acc0, $t0, $acc0
adc $t0, $acc3
shlx $a_ptr, $acc1, $t0
adc \$0, $acc0
@@ -1207,8 +1206,7 @@ __ecp_nistz256_sqr_montx:
add $t0, $acc2
adc $t4, $acc3
mulx $t1, $t0, $acc1
mov $acc2, %rdx
mulx $acc1, $t0, $acc1
adc $t0, $acc0
shlx $a_ptr, $acc2, $t0
adc \$0, $acc1
@@ -1218,8 +1216,7 @@ __ecp_nistz256_sqr_montx:
add $t0, $acc3
adc $t4, $acc0
mulx $t1, $t0, $acc2
mov $acc3, %rdx
mulx $acc2, $t0, $acc2
adc $t0, $acc1
shlx $a_ptr, $acc3, $t0
adc \$0, $acc2
@@ -1229,12 +1226,12 @@ __ecp_nistz256_sqr_montx:
add $t0, $acc0
adc $t4, $acc1
mulx $t1, $t0, $acc3
mulx $acc3, $t0, $acc3
adc $t0, $acc2
adc \$0, $acc3
xor $t3, $t3 # cf=0
adc $acc0, $acc4 # accumulate upper half
xor $t3, $t3
add $acc0, $acc4 # accumulate upper half
mov .Lpoly+8*1(%rip), $a_ptr
adc $acc1, $acc5
mov $acc4, $acc0
@@ -1243,8 +1240,7 @@ __ecp_nistz256_sqr_montx:
mov $acc5, $acc1
adc \$0, $t3
xor %eax, %eax # cf=0
sbb \$-1, $acc4 # .Lpoly[0]
sub \$-1, $acc4 # .Lpoly[0]
mov $acc6, $acc2
sbb $a_ptr, $acc5 # .Lpoly[1]
sbb \$0, $acc6 # .Lpoly[2]

6
crypto/ec/curve25519.c
View File

@@ -3226,6 +3226,8 @@ static void ge_scalarmult_base(ge_p3 *h, const uint8_t *a) {
ge_madd(&r, h, &t);
ge_p1p1_to_p3(h, &r);
}
OPENSSL_cleanse(e, sizeof(e));
}
/* Replace (f,g) with (g,f) if b == 1;
@@ -3356,6 +3358,8 @@ static void x25519_scalar_mult_generic(uint8_t out[32],
fe_invert(z2, z2);
fe_mul(x2, x2, z2);
fe_tobytes(out, x2);
OPENSSL_cleanse(e, sizeof(e));
}
static void x25519_scalar_mult(uint8_t out[32], const uint8_t scalar[32],
@@ -3391,4 +3395,6 @@ void X25519_public_from_private(uint8_t out_public_value[32],
fe_invert(zminusy_inv, zminusy);
fe_mul(zplusy, zplusy, zminusy_inv);
fe_tobytes(out_public_value, zplusy);
OPENSSL_cleanse(e, sizeof(e));
}

8
crypto/ec/ec_ameth.c
View File

@@ -298,17 +298,21 @@ static int ec_missing_parameters(const EVP_PKEY *pkey)
static int ec_copy_parameters(EVP_PKEY *to, const EVP_PKEY *from)
{
EC_GROUP *group = EC_GROUP_dup(EC_KEY_get0_group(from->pkey.ec));
if (group == NULL)
return 0;
if (to->pkey.ec == NULL) {
to->pkey.ec = EC_KEY_new();
if (to->pkey.ec == NULL)
return 0;
goto err;
}
if (EC_KEY_set_group(to->pkey.ec, group) == 0)
return 0;
goto err;
EC_GROUP_free(group);
return 1;
err:
EC_GROUP_free(group);
return 0;
}
static int ec_cmp_parameters(const EVP_PKEY *a, const EVP_PKEY *b)

10
crypto/ec/ec_kmeth.c
View File

@@ -236,7 +236,7 @@ void EC_KEY_METHOD_set_verify(EC_KEY_METHOD *meth,
meth->verify_sig = verify_sig;
}
void EC_KEY_METHOD_get_init(EC_KEY_METHOD *meth,
void EC_KEY_METHOD_get_init(const EC_KEY_METHOD *meth,
int (**pinit)(EC_KEY *key),
void (**pfinish)(EC_KEY *key),
int (**pcopy)(EC_KEY *dest, const EC_KEY *src),
@@ -261,14 +261,14 @@ void EC_KEY_METHOD_get_init(EC_KEY_METHOD *meth,
*pset_public = meth->set_public;
}
void EC_KEY_METHOD_get_keygen(EC_KEY_METHOD *meth,
void EC_KEY_METHOD_get_keygen(const EC_KEY_METHOD *meth,
int (**pkeygen)(EC_KEY *key))
{
if (pkeygen != NULL)
*pkeygen = meth->keygen;
}
void EC_KEY_METHOD_get_compute_key(EC_KEY_METHOD *meth,
void EC_KEY_METHOD_get_compute_key(const EC_KEY_METHOD *meth,
int (**pck)(unsigned char **pout,
size_t *poutlen,
const EC_POINT *pub_key,
@@ -278,7 +278,7 @@ void EC_KEY_METHOD_get_compute_key(EC_KEY_METHOD *meth,
*pck = meth->compute_key;
}
void EC_KEY_METHOD_get_sign(EC_KEY_METHOD *meth,
void EC_KEY_METHOD_get_sign(const EC_KEY_METHOD *meth,
int (**psign)(int type, const unsigned char *dgst,
int dlen, unsigned char *sig,
unsigned int *siglen,
@@ -300,7 +300,7 @@ void EC_KEY_METHOD_get_sign(EC_KEY_METHOD *meth,
*psign_sig = meth->sign_sig;
}
void EC_KEY_METHOD_get_verify(EC_KEY_METHOD *meth,
void EC_KEY_METHOD_get_verify(const EC_KEY_METHOD *meth,
int (**pverify)(int type, const unsigned
char *dgst, int dgst_len,
const unsigned char *sigbuf,

12
crypto/ec/ec_mult.c
View File

@@ -222,11 +222,11 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
totalnum = num + numblocks;
wsize = OPENSSL_malloc(totalnum * sizeof wsize[0]);
wNAF_len = OPENSSL_malloc(totalnum * sizeof wNAF_len[0]);
wNAF = OPENSSL_malloc((totalnum + 1) * sizeof wNAF[0]); /* includes space
* for pivot */
val_sub = OPENSSL_malloc(totalnum * sizeof val_sub[0]);
wsize = OPENSSL_malloc(totalnum * sizeof(wsize[0]));
wNAF_len = OPENSSL_malloc(totalnum * sizeof(wNAF_len[0]));
/* include space for pivot */
wNAF = OPENSSL_malloc((totalnum + 1) * sizeof(wNAF[0]));
val_sub = OPENSSL_malloc(totalnum * sizeof(val_sub[0]));
/* Ensure wNAF is initialised in case we end up going to err */
if (wNAF != NULL)
@@ -372,7 +372,7 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
* 'val_sub[i]' is a pointer to the subarray for the i-th point, or to a
* subarray of 'pre_comp->points' if we already have precomputation.
*/
val = OPENSSL_malloc((num_val + 1) * sizeof val[0]);
val = OPENSSL_malloc((num_val + 1) * sizeof(val[0]));
if (val == NULL) {
ECerr(EC_F_EC_WNAF_MUL, ERR_R_MALLOC_FAILURE);
goto err;

4
crypto/ec/ecdh_ossl.c
View File

@@ -66,6 +66,10 @@ int ecdh_simple_compute_key(unsigned char **pout, size_t *poutlen,
BN_CTX_start(ctx);
x = BN_CTX_get(ctx);
y = BN_CTX_get(ctx);
if (y == NULL) {
ECerr(EC_F_ECDH_SIMPLE_COMPUTE_KEY, ERR_R_MALLOC_FAILURE);
goto err;
}
priv_key = EC_KEY_get0_private_key(ecdh);
if (priv_key == NULL) {

26
crypto/ec/ecdsa_ossl.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2002-2017 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -41,6 +41,7 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in,
EC_POINT *tmp_point = NULL;
const EC_GROUP *group;
int ret = 0;
int order_bits;
if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL) {
ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_PASSED_NULL_PARAMETER);
@@ -77,6 +78,13 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in,
goto err;
}
/* Preallocate space */
order_bits = BN_num_bits(order);
if (!BN_set_bit(k, order_bits)
|| !BN_set_bit(r, order_bits)
|| !BN_set_bit(X, order_bits))
goto err;
do {
/* get random k */
do
@@ -100,13 +108,19 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in,
/*
* We do not want timing information to leak the length of k, so we
* compute G*k using an equivalent scalar of fixed bit-length.
*
* We unconditionally perform both of these additions to prevent a
* small timing information leakage. We then choose the sum that is
* one bit longer than the order. This guarantees the code
* path used in the constant time implementations elsewhere.
*
* TODO: revisit the BN_copy aiming for a memory access agnostic
* conditional copy.
*/
if (!BN_add(k, k, order))
if (!BN_add(r, k, order)
|| !BN_add(X, r, order)
|| !BN_copy(k, BN_num_bits(r) > order_bits ? r : X))
goto err;
if (BN_num_bits(k) <= BN_num_bits(order))
if (!BN_add(k, k, order))
goto err;
/* compute r the x-coordinate of generator * k */
if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) {

10
crypto/ec/ecp_nistp224.c
View File

@@ -50,7 +50,6 @@ typedef __uint128_t uint128_t; /* nonstandard; implemented by gcc on 64-bit
typedef uint8_t u8;
typedef uint64_t u64;
typedef int64_t s64;
/******************************************************************************/
/*-
@@ -337,7 +336,7 @@ static int BN_to_felem(felem out, const BIGNUM *bn)
/* BN_bn2bin eats leading zeroes */
memset(b_out, 0, sizeof(b_out));
num_bytes = BN_num_bytes(bn);
if (num_bytes > sizeof b_out) {
if (num_bytes > sizeof(b_out)) {
ECerr(EC_F_BN_TO_FELEM, EC_R_BIGNUM_OUT_OF_RANGE);
return 0;
}
@@ -356,8 +355,8 @@ static BIGNUM *felem_to_BN(BIGNUM *out, const felem in)
{
felem_bytearray b_in, b_out;
felem_to_bin28(b_in, in);
flip_endian(b_out, b_in, sizeof b_out);
return BN_bin2bn(b_out, sizeof b_out, out);
flip_endian(b_out, b_in, sizeof(b_out));
return BN_bin2bn(b_out, sizeof(b_out), out);
}
/******************************************************************************/
@@ -700,7 +699,7 @@ static limb felem_is_zero(const felem in)
return (zero | two224m96p1 | two225m97p2);
}
static limb felem_is_zero_int(const felem in)
static int felem_is_zero_int(const void *in)
{
return (int)(felem_is_zero(in) & ((limb) 1));
}
@@ -1365,7 +1364,6 @@ static void make_points_affine(size_t num, felem points[ /* num */ ][3],
sizeof(felem),
tmp_felems,
(void (*)(void *))felem_one,
(int (*)(const void *))
felem_is_zero_int,
(void (*)(void *, const void *))
felem_assign,

38
crypto/ec/ecp_nistp256.c
View File

@@ -53,7 +53,6 @@ typedef __int128_t int128_t;
typedef uint8_t u8;
typedef uint32_t u32;
typedef uint64_t u64;
typedef int64_t s64;
/*
* The underlying field. P256 operates over GF(2^256-2^224+2^192+2^96-1). We
@@ -165,7 +164,7 @@ static int BN_to_felem(felem out, const BIGNUM *bn)
/* BN_bn2bin eats leading zeroes */
memset(b_out, 0, sizeof(b_out));
num_bytes = BN_num_bytes(bn);
if (num_bytes > sizeof b_out) {
if (num_bytes > sizeof(b_out)) {
ECerr(EC_F_BN_TO_FELEM, EC_R_BIGNUM_OUT_OF_RANGE);
return 0;
}
@@ -184,8 +183,8 @@ static BIGNUM *smallfelem_to_BN(BIGNUM *out, const smallfelem in)
{
felem_bytearray b_in, b_out;
smallfelem_to_bin32(b_in, in);
flip_endian(b_out, b_in, sizeof b_out);
return BN_bin2bn(b_out, sizeof b_out, out);
flip_endian(b_out, b_in, sizeof(b_out));
return BN_bin2bn(b_out, sizeof(b_out), out);
}
/*-
@@ -394,7 +393,7 @@ static void felem_shrink(smallfelem out, const felem in)
{
felem tmp;
u64 a, b, mask;
s64 high, low;
u64 high, low;
static const u64 kPrime3Test = 0x7fffffff00000001ul; /* 2^63 - 2^32 + 1 */
/* Carry 2->3 */
@@ -435,29 +434,31 @@ static void felem_shrink(smallfelem out, const felem in)
* In order to make space in tmp[3] for the carry from 2 -> 3, we
* conditionally subtract kPrime if tmp[3] is large enough.
*/
high = tmp[3] >> 64;
high = (u64)(tmp[3] >> 64);
/* As tmp[3] < 2^65, high is either 1 or 0 */
high <<= 63;
high >>= 63;
high = 0 - high;
/*-
* high is:
* all ones if the high word of tmp[3] is 1
* all zeros if the high word of tmp[3] if 0 */
low = tmp[3];
mask = low >> 63;
* all zeros if the high word of tmp[3] if 0
*/
low = (u64)tmp[3];
mask = 0 - (low >> 63);
/*-
* mask is:
* all ones if the MSB of low is 1
* all zeros if the MSB of low if 0 */
* all zeros if the MSB of low if 0
*/
low &= bottom63bits;
low -= kPrime3Test;
/* if low was greater than kPrime3Test then the MSB is zero */
low = ~low;
low >>= 63;
low = 0 - (low >> 63);
/*-
* low is:
* all ones if low was > kPrime3Test
* all zeros if low was <= kPrime3Test */
* all zeros if low was <= kPrime3Test
*/
mask = (mask & low) | high;
tmp[0] -= mask & kPrime[0];
tmp[1] -= mask & kPrime[1];
@@ -891,7 +892,7 @@ static void felem_contract(smallfelem out, const felem in)
equal &= equal << 4;
equal &= equal << 2;
equal &= equal << 1;
equal = ((s64) equal) >> 63;
equal = 0 - (equal >> 63);
all_equal_so_far &= equal;
}
@@ -958,7 +959,7 @@ static limb smallfelem_is_zero(const smallfelem small)
is_zero &= is_zero << 4;
is_zero &= is_zero << 2;
is_zero &= is_zero << 1;
is_zero = ((s64) is_zero) >> 63;
is_zero = 0 - (is_zero >> 63);
is_p = (small[0] ^ kPrime[0]) |
(small[1] ^ kPrime[1]) |
@@ -970,7 +971,7 @@ static limb smallfelem_is_zero(const smallfelem small)
is_p &= is_p << 4;
is_p &= is_p << 2;
is_p &= is_p << 1;
is_p = ((s64) is_p) >> 63;
is_p = 0 - (is_p >> 63);
is_zero |= is_p;
@@ -979,7 +980,7 @@ static limb smallfelem_is_zero(const smallfelem small)
return result;
}
static int smallfelem_is_zero_int(const smallfelem small)
static int smallfelem_is_zero_int(const void *small)
{
return (int)(smallfelem_is_zero(small) & ((limb) 1));
}
@@ -1983,7 +1984,6 @@ static void make_points_affine(size_t num, smallfelem points[][3],
sizeof(smallfelem),
tmp_smallfelems,
(void (*)(void *))smallfelem_one,
(int (*)(const void *))
smallfelem_is_zero_int,
(void (*)(void *, const void *))
smallfelem_assign,

18
crypto/ec/ecp_nistp521.c
View File

@@ -50,7 +50,6 @@ typedef __uint128_t uint128_t; /* nonstandard; implemented by gcc on 64-bit
typedef uint8_t u8;
typedef uint64_t u64;
typedef int64_t s64;
/*
* The underlying field. P521 operates over GF(2^521-1). We can serialise an
@@ -188,7 +187,7 @@ static int BN_to_felem(felem out, const BIGNUM *bn)
/* BN_bn2bin eats leading zeroes */
memset(b_out, 0, sizeof(b_out));
num_bytes = BN_num_bytes(bn);
if (num_bytes > sizeof b_out) {
if (num_bytes > sizeof(b_out)) {
ECerr(EC_F_BN_TO_FELEM, EC_R_BIGNUM_OUT_OF_RANGE);
return 0;
}
@@ -207,8 +206,8 @@ static BIGNUM *felem_to_BN(BIGNUM *out, const felem in)
{
felem_bytearray b_in, b_out;
felem_to_bin66(b_in, in);
flip_endian(b_out, b_in, sizeof b_out);
return BN_bin2bn(b_out, sizeof b_out, out);
flip_endian(b_out, b_in, sizeof(b_out));
return BN_bin2bn(b_out, sizeof(b_out), out);
}
/*-
@@ -867,7 +866,7 @@ static limb felem_is_zero(const felem in)
* We know that ftmp[i] < 2^63, therefore the only way that the top bit
* can be set is if is_zero was 0 before the decrement.
*/
is_zero = ((s64) is_zero) >> 63;
is_zero = 0 - (is_zero >> 63);
is_p = ftmp[0] ^ kPrime[0];
is_p |= ftmp[1] ^ kPrime[1];
@@ -880,13 +879,13 @@ static limb felem_is_zero(const felem in)
is_p |= ftmp[8] ^ kPrime[8];
is_p--;
is_p = ((s64) is_p) >> 63;
is_p = 0 - (is_p >> 63);
is_zero |= is_p;
return is_zero;
}
static int felem_is_zero_int(const felem in)
static int felem_is_zero_int(const void *in)
{
return (int)(felem_is_zero(in) & ((limb) 1));
}
@@ -951,7 +950,7 @@ static void felem_contract(felem out, const felem in)
is_p &= is_p << 4;
is_p &= is_p << 2;
is_p &= is_p << 1;
is_p = ((s64) is_p) >> 63;
is_p = 0 - (is_p >> 63);
is_p = ~is_p;
/* is_p is 0 iff |out| == 2^521-1 and all ones otherwise */
@@ -977,7 +976,7 @@ static void felem_contract(felem out, const felem in)
is_greater |= is_greater << 4;
is_greater |= is_greater << 2;
is_greater |= is_greater << 1;
is_greater = ((s64) is_greater) >> 63;
is_greater = 0 - (is_greater >> 63);
out[0] -= kPrime[0] & is_greater;
out[1] -= kPrime[1] & is_greater;
@@ -1805,7 +1804,6 @@ static void make_points_affine(size_t num, felem points[][3],
sizeof(felem),
tmp_felems,
(void (*)(void *))felem_one,
(int (*)(const void *))
felem_is_zero_int,
(void (*)(void *, const void *))
felem_assign,

4
crypto/ec/ecp_nistz256.c
View File

@@ -757,12 +757,12 @@ __owur static int ecp_nistz256_windowed_mul(const EC_GROUP *group,
}
/* Coordinates of G, for which we have precomputed tables */
const static BN_ULONG def_xG[P256_LIMBS] = {
static const BN_ULONG def_xG[P256_LIMBS] = {
TOBN(0x79e730d4, 0x18a9143c), TOBN(0x75ba95fc, 0x5fedb601),
TOBN(0x79fb732b, 0x77622510), TOBN(0x18905f76, 0xa53755c6)
};
const static BN_ULONG def_yG[P256_LIMBS] = {
static const BN_ULONG def_yG[P256_LIMBS] = {
TOBN(0xddf25357, 0xce95560a), TOBN(0x8b4ab8e4, 0xba19e45c),
TOBN(0xd2e88688, 0xdd21f325), TOBN(0x8571ff18, 0x25885d85)
};

2
crypto/ec/ecp_smpl.c
View File

@@ -1221,7 +1221,7 @@ int ec_GFp_simple_points_make_affine(const EC_GROUP *group, size_t num,
if (tmp == NULL || tmp_Z == NULL)
goto err;
prod_Z = OPENSSL_malloc(num * sizeof prod_Z[0]);
prod_Z = OPENSSL_malloc(num * sizeof(prod_Z[0]));
if (prod_Z == NULL)
goto err;
for (i = 0; i < num; i++) {

2
crypto/ec/ecx_meth.c
View File

@@ -212,7 +212,7 @@ static void ecx_free(EVP_PKEY *pkey)
X25519_KEY *xkey = pkey->pkey.ptr;
if (xkey)
OPENSSL_secure_free(xkey->privkey);
OPENSSL_secure_clear_free(xkey->privkey, X25519_KEYLEN);
OPENSSL_free(xkey);
}