ag/cpython-source-deps
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Imported OpenSSL 1.1.1b

Browse Source
This commit is contained in:
Steve Dower
2019-03-07 09:36:23 -08:00
parent d6b2cd4920
commit 8f99635588
389 changed files with 7946 additions and 4431 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
crypto/bn/asm/armv8-mont.pl
View File

@@ -1,5 +1,5 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2015-2019 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -287,6 +287,7 @@ __bn_sqr8x_mont:
cmp $ap,$bp
b.ne __bn_mul4x_mont
.Lsqr8x_mont:
.inst 0xd503233f // paciasp
stp x29,x30,[sp,#-128]!
add x29,sp,#0
stp x19,x20,[sp,#16]
@@ -1040,6 +1041,7 @@ $code.=<<___;
ldp x25,x26,[x29,#64]
ldp x27,x28,[x29,#80]
ldr x29,[sp],#128
.inst 0xd50323bf // autiasp
ret
.size __bn_sqr8x_mont,.-__bn_sqr8x_mont
___
@@ -1063,6 +1065,7 @@ $code.=<<___;
.type __bn_mul4x_mont,%function
.align 5
__bn_mul4x_mont:
.inst 0xd503233f // paciasp
stp x29,x30,[sp,#-128]!
add x29,sp,#0
stp x19,x20,[sp,#16]
@@ -1496,6 +1499,7 @@ __bn_mul4x_mont:
ldp x25,x26,[x29,#64]
ldp x27,x28,[x29,#80]
ldr x29,[sp],#128
.inst 0xd50323bf // autiasp
ret
.size __bn_mul4x_mont,.-__bn_mul4x_mont
___

6
crypto/bn/asm/ia64.S
View File

@@ -3,7 +3,7 @@
.ident "ia64.S, Version 2.1"
.ident "IA-64 ISA artwork by Andy Polyakov <appro@openssl.org>"
// Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
// Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
//
// Licensed under the OpenSSL license (the "License"). You may not use
// this file except in compliance with the License. You can obtain a copy
@@ -48,7 +48,7 @@
// on Itanium2! What to do? Reschedule loops for Itanium2? But then
// Itanium would exhibit anti-scalability. So I've chosen to reschedule
// for worst latency for every instruction aiming for best *all-round*
// performance.
// performance.
// Q. How much faster does it get?
// A. Here is the output from 'openssl speed rsa dsa' for vanilla
@@ -472,7 +472,7 @@ bn_mul_add_words:
.global bn_sqr_words#
.proc bn_sqr_words#
.align 64
.skip 32 // makes the loop body aligned at 64-byte boundary
.skip 32 // makes the loop body aligned at 64-byte boundary
bn_sqr_words:
.prologue
.save ar.pfs,r2

6
crypto/bn/asm/mips.pl
View File

@@ -798,6 +798,11 @@ $code.=<<___;
move $a0,$v0
.end bn_sub_words_internal
#if 0
/*
* The bn_div_3_words entry point is re-used for constant-time interface.
* Implementation is retained as hystorical reference.
*/
.align 5
.globl bn_div_3_words
.ent bn_div_3_words
@@ -877,6 +882,7 @@ $code.=<<___;
jr $ra
move $a0,$v0
.end bn_div_3_words_internal
#endif
.align 5
.globl bn_div_words

8
crypto/bn/asm/rsaz-avx2.pl
View File

@@ -1,5 +1,5 @@
#! /usr/bin/env perl
# Copyright 2013-2018 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2013-2019 The OpenSSL Project Authors. All Rights Reserved.
# Copyright (c) 2012, Intel Corporation. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
@@ -1492,6 +1492,7 @@ $code.=<<___;
.type rsaz_1024_red2norm_avx2,\@abi-omnipotent
.align 32
rsaz_1024_red2norm_avx2:
.cfi_startproc
sub \$-128,$inp # size optimization
xor %rax,%rax
___
@@ -1525,12 +1526,14 @@ ___
}
$code.=<<___;
ret
.cfi_endproc
.size rsaz_1024_red2norm_avx2,.-rsaz_1024_red2norm_avx2
.globl rsaz_1024_norm2red_avx2
.type rsaz_1024_norm2red_avx2,\@abi-omnipotent
.align 32
rsaz_1024_norm2red_avx2:
.cfi_startproc
sub \$-128,$out # size optimization
mov ($inp),@T[0]
mov \$0x1fffffff,%eax
@@ -1562,6 +1565,7 @@ $code.=<<___;
mov @T[0],`8*($j+2)-128`($out)
mov @T[0],`8*($j+3)-128`($out)
ret
.cfi_endproc
.size rsaz_1024_norm2red_avx2,.-rsaz_1024_norm2red_avx2
___
}
@@ -1573,6 +1577,7 @@ $code.=<<___;
.type rsaz_1024_scatter5_avx2,\@abi-omnipotent
.align 32
rsaz_1024_scatter5_avx2:
.cfi_startproc
vzeroupper
vmovdqu .Lscatter_permd(%rip),%ymm5
shl \$4,$power
@@ -1592,6 +1597,7 @@ rsaz_1024_scatter5_avx2:
vzeroupper
ret
.cfi_endproc
.size rsaz_1024_scatter5_avx2,.-rsaz_1024_scatter5_avx2
.globl rsaz_1024_gather5_avx2

6
crypto/bn/asm/sparcv8plus.S
View File

@@ -3,7 +3,7 @@
/*
* ====================================================================
* Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1999-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -154,9 +154,9 @@
.register %g2,#scratch
.register %g3,#scratch
# define FRAME_SIZE -192
#else
#else
# define FRAME_SIZE -96
#endif
#endif
/*
* GNU assembler can't stand stuw:-(
*/

4
crypto/bn/asm/x86_64-mont5.pl
View File

@@ -1,5 +1,5 @@
#! /usr/bin/env perl
# Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2011-2019 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -2910,6 +2910,7 @@ bn_powerx5:
.align 32
bn_sqrx8x_internal:
__bn_sqrx8x_internal:
.cfi_startproc
##################################################################
# Squaring part:
#
@@ -3542,6 +3543,7 @@ __bn_sqrx8x_reduction:
cmp 8+8(%rsp),%r8 # end of t[]?
jb .Lsqrx8x_reduction_loop
ret
.cfi_endproc
.size bn_sqrx8x_internal,.-bn_sqrx8x_internal
___
}

8
crypto/bn/bn_ctx.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -227,6 +227,8 @@ BIGNUM *BN_CTX_get(BN_CTX *ctx)
}
/* OK, make sure the returned bignum is "zero" */
BN_zero(ret);
/* clear BN_FLG_CONSTTIME if leaked from previous frames */
ret->flags &= (~BN_FLG_CONSTTIME);
ctx->used++;
CTXDBG_RET(ctx, ret);
return ret;
@@ -256,7 +258,7 @@ static int BN_STACK_push(BN_STACK *st, unsigned int idx)
unsigned int newsize =
st->size ? (st->size * 3 / 2) : BN_CTX_START_FRAMES;
unsigned int *newitems;
if ((newitems = OPENSSL_malloc(sizeof(*newitems) * newsize)) == NULL) {
BNerr(BN_F_BN_STACK_PUSH, ERR_R_MALLOC_FAILURE);
return 0;
@@ -310,7 +312,7 @@ static BIGNUM *BN_POOL_get(BN_POOL *p, int flag)
/* Full; allocate a new pool item and link it in. */
if (p->used == p->size) {
BN_POOL_ITEM *item;
if ((item = OPENSSL_malloc(sizeof(*item))) == NULL) {
BNerr(BN_F_BN_POOL_GET, ERR_R_MALLOC_FAILURE);
return NULL;

4
crypto/bn/bn_depr.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2002-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -40,7 +40,7 @@ BIGNUM *BN_generate_prime(BIGNUM *ret, int bits, int safe,
goto err;
/* we have a prime :-) */
return ret;
return rnd;
err:
BN_free(rnd);
return NULL;

335
crypto/bn/bn_div.c
View File

@@ -7,6 +7,7 @@
* https://www.openssl.org/source/license.html
*/
#include <assert.h>
#include <openssl/bn.h>
#include "internal/cryptlib.h"
#include "bn_lcl.h"
@@ -86,6 +87,77 @@ int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
#else
# if defined(BN_DIV3W)
BN_ULONG bn_div_3_words(const BN_ULONG *m, BN_ULONG d1, BN_ULONG d0);
# elif 0
/*
* This is #if-ed away, because it's a reference for assembly implementations,
* where it can and should be made constant-time. But if you want to test it,
* just replace 0 with 1.
*/
# if BN_BITS2 == 64 && defined(__SIZEOF_INT128__) && __SIZEOF_INT128__==16
# undef BN_ULLONG
# define BN_ULLONG __uint128_t
# define BN_LLONG
# endif
# ifdef BN_LLONG
# define BN_DIV3W
/*
* Interface is somewhat quirky, |m| is pointer to most significant limb,
* and less significant limb is referred at |m[-1]|. This means that caller
* is responsible for ensuring that |m[-1]| is valid. Second condition that
* has to be met is that |d0|'s most significant bit has to be set. Or in
* other words divisor has to be "bit-aligned to the left." bn_div_fixed_top
* does all this. The subroutine considers four limbs, two of which are
* "overlapping," hence the name...
*/
static BN_ULONG bn_div_3_words(const BN_ULONG *m, BN_ULONG d1, BN_ULONG d0)
{
BN_ULLONG R = ((BN_ULLONG)m[0] << BN_BITS2) | m[-1];
BN_ULLONG D = ((BN_ULLONG)d0 << BN_BITS2) | d1;
BN_ULONG Q = 0, mask;
int i;
for (i = 0; i < BN_BITS2; i++) {
Q <<= 1;
if (R >= D) {
Q |= 1;
R -= D;
}
D >>= 1;
}
mask = 0 - (Q >> (BN_BITS2 - 1)); /* does it overflow? */
Q <<= 1;
Q |= (R >= D);
return (Q | mask) & BN_MASK2;
}
# endif
# endif
static int bn_left_align(BIGNUM *num)
{
BN_ULONG *d = num->d, n, m, rmask;
int top = num->top;
int rshift = BN_num_bits_word(d[top - 1]), lshift, i;
lshift = BN_BITS2 - rshift;
rshift %= BN_BITS2; /* say no to undefined behaviour */
rmask = (BN_ULONG)0 - rshift; /* rmask = 0 - (rshift != 0) */
rmask |= rmask >> 8;
for (i = 0, m = 0; i < top; i++) {
n = d[i];
d[i] = ((n << lshift) | m) & BN_MASK2;
m = (n >> rshift) & rmask;
}
return lshift;
}
# if !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM) \
&& !defined(PEDANTIC) && !defined(BN_DIV3W)
# if defined(__GNUC__) && __GNUC__>=2
@@ -137,56 +209,74 @@ int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
BN_CTX *ctx)
{
int norm_shift, i, loop;
BIGNUM *tmp, wnum, *snum, *sdiv, *res;
BN_ULONG *resp, *wnump;
BN_ULONG d0, d1;
int num_n, div_n;
int no_branch = 0;
/*
* Invalid zero-padding would have particularly bad consequences so don't
* just rely on bn_check_top() here (bn_check_top() works only for
* BN_DEBUG builds)
*/
if ((num->top > 0 && num->d[num->top - 1] == 0) ||
(divisor->top > 0 && divisor->d[divisor->top - 1] == 0)) {
BNerr(BN_F_BN_DIV, BN_R_NOT_INITIALIZED);
return 0;
}
bn_check_top(num);
bn_check_top(divisor);
if ((BN_get_flags(num, BN_FLG_CONSTTIME) != 0)
|| (BN_get_flags(divisor, BN_FLG_CONSTTIME) != 0)) {
no_branch = 1;
}
bn_check_top(dv);
bn_check_top(rm);
/*- bn_check_top(num); *//*
* 'num' has been checked already
*/
/*- bn_check_top(divisor); *//*
* 'divisor' has been checked already
*/
int ret;
if (BN_is_zero(divisor)) {
BNerr(BN_F_BN_DIV, BN_R_DIV_BY_ZERO);
return 0;
}
if (!no_branch && BN_ucmp(num, divisor) < 0) {
if (rm != NULL) {
if (BN_copy(rm, num) == NULL)
return 0;
}
if (dv != NULL)
BN_zero(dv);
return 1;
/*
* Invalid zero-padding would have particularly bad consequences so don't
* just rely on bn_check_top() here (bn_check_top() works only for
* BN_DEBUG builds)
*/
if (divisor->d[divisor->top - 1] == 0) {
BNerr(BN_F_BN_DIV, BN_R_NOT_INITIALIZED);
return 0;
}
ret = bn_div_fixed_top(dv, rm, num, divisor, ctx);
if (ret) {
if (dv != NULL)
bn_correct_top(dv);
if (rm != NULL)
bn_correct_top(rm);
}
return ret;
}
/*
* It's argued that *length* of *significant* part of divisor is public.
* Even if it's private modulus that is. Again, *length* is assumed
* public, but not *value*. Former is likely to be pre-defined by
* algorithm with bit granularity, though below subroutine is invariant
* of limb length. Thanks to this assumption we can require that |divisor|
* may not be zero-padded, yet claim this subroutine "constant-time"(*).
* This is because zero-padded dividend, |num|, is tolerated, so that
* caller can pass dividend of public length(*), but with smaller amount
* of significant limbs. This naturally means that quotient, |dv|, would
* contain correspongly less significant limbs as well, and will be zero-
* padded accordingly. Returned remainder, |rm|, will have same bit length
* as divisor, also zero-padded if needed. These actually leave sign bits
* in ambiguous state. In sense that we try to avoid negative zeros, while
* zero-padded zeros would retain sign.
*
* (*) "Constant-time-ness" has two pre-conditions:
*
* - availability of constant-time bn_div_3_words;
* - dividend is at least as "wide" as divisor, limb-wise, zero-padded
* if so requied, which shouldn't be a privacy problem, because
* divisor's length is considered public;
*/
int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num,
const BIGNUM *divisor, BN_CTX *ctx)
{
int norm_shift, i, j, loop;
BIGNUM *tmp, *snum, *sdiv, *res;
BN_ULONG *resp, *wnum, *wnumtop;
BN_ULONG d0, d1;
int num_n, div_n;
assert(divisor->top > 0 && divisor->d[divisor->top - 1] != 0);
bn_check_top(num);
bn_check_top(divisor);
bn_check_top(dv);
bn_check_top(rm);
BN_CTX_start(ctx);
res = (dv == NULL) ? BN_CTX_get(ctx) : dv;
tmp = BN_CTX_get(ctx);
@@ -196,113 +286,72 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
goto err;
/* First we normalise the numbers */
norm_shift = BN_BITS2 - ((BN_num_bits(divisor)) % BN_BITS2);
if (!(BN_lshift(sdiv, divisor, norm_shift)))
if (!BN_copy(sdiv, divisor))
goto err;
norm_shift = bn_left_align(sdiv);
sdiv->neg = 0;
norm_shift += BN_BITS2;
if (!(BN_lshift(snum, num, norm_shift)))
/*
* Note that bn_lshift_fixed_top's output is always one limb longer
* than input, even when norm_shift is zero. This means that amount of
* inner loop iterations is invariant of dividend value, and that one
* doesn't need to compare dividend and divisor if they were originally
* of the same bit length.
*/
if (!(bn_lshift_fixed_top(snum, num, norm_shift)))
goto err;
snum->neg = 0;
if (no_branch) {
/*
* Since we don't know whether snum is larger than sdiv, we pad snum
* with enough zeroes without changing its value.
*/
if (snum->top <= sdiv->top + 1) {
if (bn_wexpand(snum, sdiv->top + 2) == NULL)
goto err;
for (i = snum->top; i < sdiv->top + 2; i++)
snum->d[i] = 0;
snum->top = sdiv->top + 2;
} else {
if (bn_wexpand(snum, snum->top + 1) == NULL)
goto err;
snum->d[snum->top] = 0;
snum->top++;
}
}
div_n = sdiv->top;
num_n = snum->top;
if (num_n <= div_n) {
/* caller didn't pad dividend -> no constant-time guarantee... */
if (bn_wexpand(snum, div_n + 1) == NULL)
goto err;
memset(&(snum->d[num_n]), 0, (div_n - num_n + 1) * sizeof(BN_ULONG));
snum->top = num_n = div_n + 1;
}
loop = num_n - div_n;
/*
* Lets setup a 'window' into snum This is the part that corresponds to
* the current 'area' being divided
*/
wnum.neg = 0;
wnum.d = &(snum->d[loop]);
wnum.top = div_n;
wnum.flags = BN_FLG_STATIC_DATA;
/*
* only needed when BN_ucmp messes up the values between top and max
*/
wnum.dmax = snum->dmax - loop; /* so we don't step out of bounds */
wnum = &(snum->d[loop]);
wnumtop = &(snum->d[num_n - 1]);
/* Get the top 2 words of sdiv */
/* div_n=sdiv->top; */
d0 = sdiv->d[div_n - 1];
d1 = (div_n == 1) ? 0 : sdiv->d[div_n - 2];
/* pointer to the 'top' of snum */
wnump = &(snum->d[num_n - 1]);
/* Setup to 'res' */
if (!bn_wexpand(res, (loop + 1)))
/* Setup quotient */
if (!bn_wexpand(res, loop))
goto err;
res->neg = (num->neg ^ divisor->neg);
res->top = loop - no_branch;
resp = &(res->d[loop - 1]);
res->top = loop;
res->flags |= BN_FLG_FIXED_TOP;
resp = &(res->d[loop]);
/* space for temp */
if (!bn_wexpand(tmp, (div_n + 1)))
goto err;
if (!no_branch) {
if (BN_ucmp(&wnum, sdiv) >= 0) {
/*
* If BN_DEBUG_RAND is defined BN_ucmp changes (via bn_pollute)
* the const bignum arguments => clean the values between top and
* max again
*/
bn_clear_top2max(&wnum);
bn_sub_words(wnum.d, wnum.d, sdiv->d, div_n);
*resp = 1;
} else
res->top--;
}
/* Increase the resp pointer so that we never create an invalid pointer. */
resp++;
/*
* if res->top == 0 then clear the neg value otherwise decrease the resp
* pointer
*/
if (res->top == 0)
res->neg = 0;
else
resp--;
for (i = 0; i < loop - 1; i++, wnump--) {
for (i = 0; i < loop; i++, wnumtop--) {
BN_ULONG q, l0;
/*
* the first part of the loop uses the top two words of snum and sdiv
* to calculate a BN_ULONG q such that | wnum - sdiv * q | < sdiv
*/
# if defined(BN_DIV3W) && !defined(OPENSSL_NO_ASM)
BN_ULONG bn_div_3_words(BN_ULONG *, BN_ULONG, BN_ULONG);
q = bn_div_3_words(wnump, d1, d0);
# if defined(BN_DIV3W)
q = bn_div_3_words(wnumtop, d1, d0);
# else
BN_ULONG n0, n1, rem = 0;
n0 = wnump[0];
n1 = wnump[-1];
n0 = wnumtop[0];
n1 = wnumtop[-1];
if (n0 == d0)
q = BN_MASK2;
else { /* n0 < d0 */
BN_ULONG n2 = (wnumtop == wnum) ? 0 : wnumtop[-2];
# ifdef BN_LLONG
BN_ULLONG t2;
@@ -322,7 +371,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
t2 = (BN_ULLONG) d1 *q;
for (;;) {
if (t2 <= ((((BN_ULLONG) rem) << BN_BITS2) | wnump[-2]))
if (t2 <= ((((BN_ULLONG) rem) << BN_BITS2) | n2))
break;
q--;
rem += d0;
@@ -355,7 +404,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
# endif
for (;;) {
if ((t2h < rem) || ((t2h == rem) && (t2l <= wnump[-2])))
if ((t2h < rem) || ((t2h == rem) && (t2l <= n2)))
break;
q--;
rem += d0;
@@ -371,43 +420,33 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
l0 = bn_mul_words(tmp->d, sdiv->d, div_n, q);
tmp->d[div_n] = l0;
wnum.d--;
wnum--;
/*
* ingore top values of the bignums just sub the two BN_ULONG arrays
* ignore top values of the bignums just sub the two BN_ULONG arrays
* with bn_sub_words
*/
if (bn_sub_words(wnum.d, wnum.d, tmp->d, div_n + 1)) {
/*
* Note: As we have considered only the leading two BN_ULONGs in
* the calculation of q, sdiv * q might be greater than wnum (but
* then (q-1) * sdiv is less or equal than wnum)
*/
q--;
if (bn_add_words(wnum.d, wnum.d, sdiv->d, div_n))
/*
* we can't have an overflow here (assuming that q != 0, but
* if q == 0 then tmp is zero anyway)
*/
(*wnump)++;
}
/* store part of the result */
resp--;
*resp = q;
}
bn_correct_top(snum);
if (rm != NULL) {
l0 = bn_sub_words(wnum, wnum, tmp->d, div_n + 1);
q -= l0;
/*
* Keep a copy of the neg flag in num because if rm==num BN_rshift()
* will overwrite it.
* Note: As we have considered only the leading two BN_ULONGs in
* the calculation of q, sdiv * q might be greater than wnum (but
* then (q-1) * sdiv is less or equal than wnum)
*/
int neg = num->neg;
BN_rshift(rm, snum, norm_shift);
if (!BN_is_zero(rm))
rm->neg = neg;
bn_check_top(rm);
for (l0 = 0 - l0, j = 0; j < div_n; j++)
tmp->d[j] = sdiv->d[j] & l0;
l0 = bn_add_words(wnum, wnum, tmp->d, div_n);
(*wnumtop) += l0;
assert((*wnumtop) == 0);
/* store part of the result */
*--resp = q;
}
if (no_branch)
bn_correct_top(res);
/* snum holds remainder, it's as wide as divisor */
snum->neg = num->neg;
snum->top = div_n;
snum->flags |= BN_FLG_FIXED_TOP;
if (rm != NULL)
bn_rshift_fixed_top(rm, snum, norm_shift);
BN_CTX_end(ctx);
return 1;
err:

68
crypto/bn/bn_exp.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -648,34 +648,41 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
goto err;
}
#ifdef RSAZ_ENABLED
if (!a->neg) {
/*
* If the size of the operands allow it, perform the optimized
* RSAZ exponentiation. For further information see
* crypto/bn/rsaz_exp.c and accompanying assembly modules.
*/
if ((16 == a->top) && (16 == p->top) && (BN_num_bits(m) == 1024)
&& rsaz_avx2_eligible()) {
if (NULL == bn_wexpand(rr, 16))
goto err;
RSAZ_1024_mod_exp_avx2(rr->d, a->d, p->d, m->d, mont->RR.d,
mont->n0[0]);
rr->top = 16;
rr->neg = 0;
bn_correct_top(rr);
ret = 1;
goto err;
} else if ((8 == a->top) && (8 == p->top) && (BN_num_bits(m) == 512)) {
if (NULL == bn_wexpand(rr, 8))
goto err;
RSAZ_512_mod_exp(rr->d, a->d, p->d, m->d, mont->n0[0], mont->RR.d);
rr->top = 8;
rr->neg = 0;
bn_correct_top(rr);
ret = 1;
if (a->neg || BN_ucmp(a, m) >= 0) {
BIGNUM *reduced = BN_CTX_get(ctx);
if (reduced == NULL
|| !BN_nnmod(reduced, a, m, ctx)) {
goto err;
}
a = reduced;
}
#ifdef RSAZ_ENABLED
/*
* If the size of the operands allow it, perform the optimized
* RSAZ exponentiation. For further information see
* crypto/bn/rsaz_exp.c and accompanying assembly modules.
*/
if ((16 == a->top) && (16 == p->top) && (BN_num_bits(m) == 1024)
&& rsaz_avx2_eligible()) {
if (NULL == bn_wexpand(rr, 16))
goto err;
RSAZ_1024_mod_exp_avx2(rr->d, a->d, p->d, m->d, mont->RR.d,
mont->n0[0]);
rr->top = 16;
rr->neg = 0;
bn_correct_top(rr);
ret = 1;
goto err;
} else if ((8 == a->top) && (8 == p->top) && (BN_num_bits(m) == 512)) {
if (NULL == bn_wexpand(rr, 8))
goto err;
RSAZ_512_mod_exp(rr->d, a->d, p->d, m->d, mont->n0[0], mont->RR.d);
rr->top = 8;
rr->neg = 0;
bn_correct_top(rr);
ret = 1;
goto err;
}
#endif
@@ -747,12 +754,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
goto err;
/* prepare a^1 in Montgomery domain */
if (a->neg || BN_ucmp(a, m) >= 0) {
if (!BN_nnmod(&am, a, m, ctx))
goto err;
if (!bn_to_mont_fixed_top(&am, &am, mont, ctx))
goto err;
} else if (!bn_to_mont_fixed_top(&am, a, mont, ctx))
if (!bn_to_mont_fixed_top(&am, a, mont, ctx))
goto err;
#if defined(SPARC_T4_MONT)

64
crypto/bn/bn_lib.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -695,6 +695,9 @@ int bn_cmp_words(const BN_ULONG *a, const BN_ULONG *b, int n)
int i;
BN_ULONG aa, bb;
if (n == 0)
return 0;
aa = a[n - 1];
bb = b[n - 1];
if (aa != bb)
@@ -737,26 +740,25 @@ int bn_cmp_part_words(const BN_ULONG *a, const BN_ULONG *b, int cl, int dl)
return bn_cmp_words(a, b, cl);
}
/*
/*-
* Constant-time conditional swap of a and b.
* a and b are swapped if condition is not 0. The code assumes that at most one bit of condition is set.
* nwords is the number of words to swap. The code assumes that at least nwords are allocated in both a and b,
* and that no more than nwords are used by either a or b.
* a and b cannot be the same number
* a and b are swapped if condition is not 0.
* nwords is the number of words to swap.
* Assumes that at least nwords are allocated in both a and b.
* Assumes that no more than nwords are used by either a or b.
*/
void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords)
{
BN_ULONG t;
int i;
if (a == b)
return;
bn_wcheck_size(a, nwords);
bn_wcheck_size(b, nwords);
assert(a != b);
assert((condition & (condition - 1)) == 0);
assert(sizeof(BN_ULONG) >= sizeof(int));
condition = ((condition - 1) >> (BN_BITS2 - 1)) - 1;
condition = ((~condition & ((condition - 1))) >> (BN_BITS2 - 1)) - 1;
t = (a->top ^ b->top) & condition;
a->top ^= t;
@@ -794,42 +796,16 @@ void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords)
a->flags ^= t;
b->flags ^= t;
#define BN_CONSTTIME_SWAP(ind) \
do { \
t = (a->d[ind] ^ b->d[ind]) & condition; \
a->d[ind] ^= t; \
b->d[ind] ^= t; \
} while (0)
switch (nwords) {
default:
for (i = 10; i < nwords; i++)
BN_CONSTTIME_SWAP(i);
/* Fallthrough */
case 10:
BN_CONSTTIME_SWAP(9); /* Fallthrough */
case 9:
BN_CONSTTIME_SWAP(8); /* Fallthrough */
case 8:
BN_CONSTTIME_SWAP(7); /* Fallthrough */
case 7:
BN_CONSTTIME_SWAP(6); /* Fallthrough */
case 6:
BN_CONSTTIME_SWAP(5); /* Fallthrough */
case 5:
BN_CONSTTIME_SWAP(4); /* Fallthrough */
case 4:
BN_CONSTTIME_SWAP(3); /* Fallthrough */
case 3:
BN_CONSTTIME_SWAP(2); /* Fallthrough */
case 2:
BN_CONSTTIME_SWAP(1); /* Fallthrough */
case 1:
BN_CONSTTIME_SWAP(0);
/* conditionally swap the data */
for (i = 0; i < nwords; i++) {
t = (a->d[i] ^ b->d[i]) & condition;
a->d[i] ^= t;
b->d[i] ^= t;
}
#undef BN_CONSTTIME_SWAP
}
#undef BN_CONSTTIME_SWAP_FLAGS
/* Bits of security, see SP800-57 */
int BN_security_bits(int L, int N)

2
crypto/bn/bn_prime.h
View File

@@ -2,7 +2,7 @@
* WARNING: do not edit!
* Generated by crypto/bn/bn_prime.pl
*
* Copyright 1998-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1998-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy

2
crypto/bn/bn_prime.pl
View File

@@ -1,5 +1,5 @@
#! /usr/bin/env perl
# Copyright 1998-2018 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 1998-2019 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy

130
crypto/bn/bn_shift.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -7,6 +7,7 @@
* https://www.openssl.org/source/license.html
*/
#include <assert.h>
#include "internal/cryptlib.h"
#include "bn_lcl.h"
@@ -82,40 +83,70 @@ int BN_rshift1(BIGNUM *r, const BIGNUM *a)
int BN_lshift(BIGNUM *r, const BIGNUM *a, int n)
{
int i, nw, lb, rb;
BN_ULONG *t, *f;
BN_ULONG l;
bn_check_top(r);
bn_check_top(a);
int ret;
if (n < 0) {
BNerr(BN_F_BN_LSHIFT, BN_R_INVALID_SHIFT);
return 0;
}
ret = bn_lshift_fixed_top(r, a, n);
bn_correct_top(r);
bn_check_top(r);
return ret;
}
/*
* In respect to shift factor the execution time is invariant of
* |n % BN_BITS2|, but not |n / BN_BITS2|. Or in other words pre-condition
* for constant-time-ness is |n < BN_BITS2| or |n / BN_BITS2| being
* non-secret.
*/
int bn_lshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n)
{
int i, nw;
unsigned int lb, rb;
BN_ULONG *t, *f;
BN_ULONG l, m, rmask = 0;
assert(n >= 0);
bn_check_top(r);
bn_check_top(a);
nw = n / BN_BITS2;
if (bn_wexpand(r, a->top + nw + 1) == NULL)
return 0;
r->neg = a->neg;
lb = n % BN_BITS2;
rb = BN_BITS2 - lb;
f = a->d;
t = r->d;
t[a->top + nw] = 0;
if (lb == 0)
for (i = a->top - 1; i >= 0; i--)
t[nw + i] = f[i];
else
for (i = a->top - 1; i >= 0; i--) {
l = f[i];
t[nw + i + 1] |= (l >> rb) & BN_MASK2;
t[nw + i] = (l << lb) & BN_MASK2;
if (a->top != 0) {
lb = (unsigned int)n % BN_BITS2;
rb = BN_BITS2 - lb;
rb %= BN_BITS2; /* say no to undefined behaviour */
rmask = (BN_ULONG)0 - rb; /* rmask = 0 - (rb != 0) */
rmask |= rmask >> 8;
f = &(a->d[0]);
t = &(r->d[nw]);
l = f[a->top - 1];
t[a->top] = (l >> rb) & rmask;
for (i = a->top - 1; i > 0; i--) {
m = l << lb;
l = f[i - 1];
t[i] = (m | ((l >> rb) & rmask)) & BN_MASK2;
}
memset(t, 0, sizeof(*t) * nw);
t[0] = (l << lb) & BN_MASK2;
} else {
/* shouldn't happen, but formally required */
r->d[nw] = 0;
}
if (nw != 0)
memset(r->d, 0, sizeof(*t) * nw);
r->neg = a->neg;
r->top = a->top + nw + 1;
bn_correct_top(r);
bn_check_top(r);
r->flags |= BN_FLG_FIXED_TOP;
return 1;
}
@@ -173,3 +204,54 @@ int BN_rshift(BIGNUM *r, const BIGNUM *a, int n)
bn_check_top(r);
return 1;
}
/*
* In respect to shift factor the execution time is invariant of
* |n % BN_BITS2|, but not |n / BN_BITS2|. Or in other words pre-condition
* for constant-time-ness for sufficiently[!] zero-padded inputs is
* |n < BN_BITS2| or |n / BN_BITS2| being non-secret.
*/
int bn_rshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n)
{
int i, top, nw;
unsigned int lb, rb;
BN_ULONG *t, *f;
BN_ULONG l, m, mask;
bn_check_top(r);
bn_check_top(a);
assert(n >= 0);
nw = n / BN_BITS2;
if (nw >= a->top) {
/* shouldn't happen, but formally required */
BN_zero(r);
return 1;
}
rb = (unsigned int)n % BN_BITS2;
lb = BN_BITS2 - rb;
lb %= BN_BITS2; /* say no to undefined behaviour */
mask = (BN_ULONG)0 - lb; /* mask = 0 - (lb != 0) */
mask |= mask >> 8;
top = a->top - nw;
if (r != a && bn_wexpand(r, top) == NULL)
return 0;
t = &(r->d[0]);
f = &(a->d[nw]);
l = f[0];
for (i = 0; i < top - 1; i++) {
m = f[i + 1];
t[i] = (l >> rb) | ((m << lb) & mask);
l = m;
}
t[i] = l >> rb;
r->neg = a->neg;
r->top = top;
r->flags |= BN_FLG_FIXED_TOP;
return 1;
}