-rw-r--r--.github/workflows/ci.yml2
-rw-r--r--.github/workflows/coveralls.yml2
-rw-r--r--Configurations/10-main.conf9
-rw-r--r--crypto/bn/bn_lib.c51
-rw-r--r--crypto/bn/bn_rand.c164
-rw-r--r--crypto/bn/bn_shift.c6
-rw-r--r--crypto/dsa/dsa_ossl.c9
-rw-r--r--crypto/ec/ecdsa_ossl.c8
-rw-r--r--crypto/ess/ess_lib.c2
-rw-r--r--crypto/provider_core.c9
-rw-r--r--crypto/sm2/sm2_sign.c9
-rw-r--r--doc/man3/SSL_CIPHER_get_name.pod2
-rw-r--r--doc/man7/EVP_PKEY-SM2.pod3
-rw-r--r--doc/man7/migration_guide.pod18
-rw-r--r--include/crypto/bn.h8
-rw-r--r--include/internal/constant_time.h23
-rw-r--r--include/internal/e_os.h18
-rw-r--r--os-dep/Apple/PrivacyInfo.xcprivacy23
-rw-r--r--providers/fips/self_test_data.inc50
-rw-r--r--test/build.info1
-rw-r--r--test/ct_test.c9
-rw-r--r--test/pathed.cnf22
-rw-r--r--test/prov_config_test.c54
-rw-r--r--test/recipes/30-test_prov_config.t6
-rw-r--r--test/sm2_internal_test.c35
-rw-r--r--test/sslapitest.c84
-rw-r--r--test/v3ext.c15
27 files changed, 513 insertions, 129 deletions
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4376498edd..ea89c3634e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -356,7 +356,7 @@ jobs:
sudo apt-get update
sudo apt-get -yq install bison gettext keyutils ldap-utils libldap2-dev libkeyutils-dev python3 python3-paste python3-pyrad slapd tcsh python3-virtualenv virtualenv python3-kdcproxy
- name: install cpanm and Test2::V0 for gost_engine testing
- uses: perl-actions/install-with-cpanm@v1
+ uses: perl-actions/install-with-cpanm@stable
with:
install: Test2::V0
- name: setup hostname workaround
diff --git a/.github/workflows/coveralls.yml b/.github/workflows/coveralls.yml
index bcdcab45c7..6d703dac40 100644
--- a/.github/workflows/coveralls.yml
+++ b/.github/workflows/coveralls.yml
@@ -37,7 +37,7 @@ jobs:
- name: generate coverage info
run: lcov -d . -c -o ./lcov.info
- name: Coveralls upload
- uses: coverallsapp/github-action@1.1.3
+ uses: coverallsapp/github-action@v2.3.0
with:
github-token: ${{ secrets.github_token }}
path-to-lcov: ./lcov.info
diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf
index 0baa0a440b..d029a8b2fe 100644
--- a/Configurations/10-main.conf
+++ b/Configurations/10-main.conf
@@ -784,7 +784,14 @@ my %targets = (
asm_arch => 'aarch64',
perlasm_scheme => "linux64",
},
-
+ "linux-arm64ilp32-clang" => { # clang config abi by --target
+ inherit_from => [ "linux-generic32" ],
+ CC => "clang",
+ CXX => "clang++",
+ bn_ops => "SIXTY_FOUR_BIT RC4_CHAR",
+ asm_arch => 'aarch64',
+ perlasm_scheme => "linux64",
+ },
"linux-mips32" => {
# Configure script adds minimally required -march for assembly
# support, if no -march was specified at command line.
diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c
index 75d73e4885..3bd7adb39f 100644
--- a/crypto/bn/bn_lib.c
+++ b/crypto/bn/bn_lib.c
@@ -618,14 +618,29 @@ int BN_ucmp(const BIGNUM *a, const BIGNUM *b)
int i;
BN_ULONG t1, t2, *ap, *bp;
+ ap = a->d;
+ bp = b->d;
+
+ if (BN_get_flags(a, BN_FLG_CONSTTIME)
+ && a->top == b->top) {
+ int res = 0;
+
+ for (i = 0; i < b->top; i++) {
+ res = constant_time_select_int(constant_time_lt_bn(ap[i], bp[i]),
+ -1, res);
+ res = constant_time_select_int(constant_time_lt_bn(bp[i], ap[i]),
+ 1, res);
+ }
+ return res;
+ }
+
bn_check_top(a);
bn_check_top(b);
i = a->top - b->top;
if (i != 0)
return i;
- ap = a->d;
- bp = b->d;
+
for (i = a->top - 1; i >= 0; i--) {
t1 = ap[i];
t2 = bp[i];
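Review bot: The constant-time branch behind `if (BN_get_flags(a, BN_FLG_CONSTTIME) && a->top == b->top)` silently falls back to the early-exit word comparison whenever the tops differ, so the timing guarantee depends on callers passing equal-width (fixed-top) operands, and nothing in the function records that contract. A comment above the branch would pin it, e.g. `/* Constant-time path: only taken for equal top, so callers relying on it must pass fixed-top operands of matching width; bn_check_top() is deliberately skipped because fixed-top BNs may carry leading zero words */`. A second short comment that `res` is resolved least-significant word first so the highest differing word wins would help, since it reads the opposite way to the descending loop below it. BN_ucmp()'s signature and tail are outside the hunk.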
@@ -737,11 +752,10 @@ int BN_is_bit_set(const BIGNUM *a, int n)
return (int)(((a->d[i]) >> j) & ((BN_ULONG)1));
}
-int BN_mask_bits(BIGNUM *a, int n)
+int ossl_bn_mask_bits_fixed_top(BIGNUM *a, int n)
{
int b, w;
- bn_check_top(a);
if (n < 0)
return 0;
@@ -755,10 +769,21 @@ int BN_mask_bits(BIGNUM *a, int n)
a->top = w + 1;
a->d[w] &= ~(BN_MASK2 << b);
}
- bn_correct_top(a);
+ a->flags |= BN_FLG_FIXED_TOP;
return 1;
}
+int BN_mask_bits(BIGNUM *a, int n)
+{
+ int ret;
+
+ bn_check_top(a);
+ ret = ossl_bn_mask_bits_fixed_top(a, n);
+ if (ret)
+ bn_correct_top(a);
+ return ret;
+}
+
void BN_set_negative(BIGNUM *a, int b)
{
if (b && !BN_is_zero(a))
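Review bot: ossl_bn_mask_bits_fixed_top() has no comment describing what it hands back: `a->flags |= BN_FLG_FIXED_TOP;` replaces the old `bn_correct_top(a);`, so the result may keep leading zero words, is not bn_check_top()-clean, and must be normalized before it crosses a public API, while the `return 0` paths (the `n < 0` check in the previous hunk and any other) leave the flag untouched. A header comment such as `/* Like BN_mask_bits() but leaves |a| fixed-top (top is not trimmed, BN_FLG_FIXED_TOP is set); callers must bn_correct_top() before the value reaches a public API */` would cover that. The BN_mask_bits() wrapper only normalizing when `ret` is set matches the old early returns, so no change needed there. The head of ossl_bn_mask_bits_fixed_top() is in the preceding hunk.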
@@ -932,6 +957,22 @@ int BN_is_word(const BIGNUM *a, const BN_ULONG w)
return BN_abs_is_word(a, w) && (!w || !a->neg);
}
+int ossl_bn_is_word_fixed_top(const BIGNUM *a, BN_ULONG w)
+{
+ int res, i;
+ const BN_ULONG *ap = a->d;
+
+ if (a->neg || a->top == 0)
+ return 0;
+
+ res = constant_time_select_int(constant_time_eq_bn(ap[0], w), 1, 0);
+
+ for (i = 1; i < a->top; i++)
+ res = constant_time_select_int(constant_time_is_zero_bn(ap[i]),
+ res, 0);
+ return res;
+}
+
int BN_is_odd(const BIGNUM *a)
{
return (a->top > 0) && (a->d[0] & 1);
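Review bot: `if (a->neg || a->top == 0) return 0;` reports a normalized zero (top == 0) as not equal to `w` even when `w == 0`, which diverges from BN_is_word(), whose BN_abs_is_word() treats `w == 0 && top == 0` as a match if I recall its body correctly. The callers in dsa_ossl.c and ecdsa_ossl.c pass a fixed-top `k` with top > 0 after masking, so they do not hit this, but ossl_bn_priv_rand_range_fixed_top()'s `n == 1` branch does return a BN_zero() value with top 0, so the two functions can disagree. Splitting the guard keeps them consistent: `if (a->top == 0) return w == 0;` followed by `if (a->neg) return 0;`. A one-line comment that the word loop is constant-time in the word values while `top` is treated as public would also help the next reader.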
diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c
index 2ca426ff76..7fcd03a3cb 100644
--- a/crypto/bn/bn_rand.c
+++ b/crypto/bn/bn_rand.c
@@ -186,8 +186,8 @@ static int bnrand_range(BNRAND_FLAG flag, BIGNUM *r, const BIGNUM *range,
} else {
do {
/* range = 11..._2 or range = 101..._2 */
- if (!bnrand(flag, r, n, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY, 0,
- ctx))
+ if (!bnrand(flag, r, n, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY,
+ strength, ctx))
return 0;
if (!--count) {
@@ -240,17 +240,63 @@ int BN_pseudo_rand_range(BIGNUM *r, const BIGNUM *range)
# endif
#endif
+int ossl_bn_priv_rand_range_fixed_top(BIGNUM *r, const BIGNUM *range,
+ unsigned int strength, BN_CTX *ctx)
+{
+ int n;
+ int count = 100;
+
+ if (r == NULL) {
+ ERR_raise(ERR_LIB_BN, ERR_R_PASSED_NULL_PARAMETER);
+ return 0;
+ }
+
+ if (range->neg || BN_is_zero(range)) {
+ ERR_raise(ERR_LIB_BN, BN_R_INVALID_RANGE);
+ return 0;
+ }
+
+ n = BN_num_bits(range); /* n > 0 */
+
+ /* BN_is_bit_set(range, n - 1) always holds */
+
+ if (n == 1) {
+ BN_zero(r);
+ } else {
+ BN_set_flags(r, BN_FLG_CONSTTIME);
+ do {
+ if (!bnrand(PRIVATE, r, n + 1, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY,
+ strength, ctx))
+ return 0;
+
+ if (!--count) {
+ ERR_raise(ERR_LIB_BN, BN_R_TOO_MANY_ITERATIONS);
+ return 0;
+ }
+ ossl_bn_mask_bits_fixed_top(r, n);
+ }
+ while (BN_ucmp(r, range) >= 0);
+#ifdef BN_DEBUG
+ /* With BN_DEBUG on a fixed top number cannot be returned */
+ bn_correct_top(r);
+#endif
+ }
+
+ return 1;
+}
+
/*
- * BN_generate_dsa_nonce generates a random number 0 <= out < range. Unlike
- * BN_rand_range, it also includes the contents of |priv| and |message| in
- * the generation so that an RNG failure isn't fatal as long as |priv|
+ * ossl_bn_gen_dsa_nonce_fixed_top generates a random number 0 <= out < range.
+ * Unlike BN_rand_range, it also includes the contents of |priv| and |message|
+ * in the generation so that an RNG failure isn't fatal as long as |priv|
* remains secret. This is intended for use in DSA and ECDSA where an RNG
* weakness leads directly to private key exposure unless this function is
* used.
*/
-int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range,
- const BIGNUM *priv, const unsigned char *message,
- size_t message_len, BN_CTX *ctx)
+int ossl_bn_gen_dsa_nonce_fixed_top(BIGNUM *out, const BIGNUM *range,
+ const BIGNUM *priv,
+ const unsigned char *message,
+ size_t message_len, BN_CTX *ctx)
{
EVP_MD_CTX *mdctx = EVP_MD_CTX_new();
/*
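Review bot: The return value of `ossl_bn_mask_bits_fixed_top(r, n);` is dropped, so if it ever returned 0 (the `n < 0` path, or a candidate narrower than `n` bits) `r` would be neither masked nor flagged fixed-top and the loop would continue into BN_ucmp() on the variable-time path; the same drop occurs in ossl_bn_gen_dsa_nonce_fixed_top() at `ossl_bn_mask_bits_fixed_top(out, BN_num_bits(range));` in a later hunk. The bnrand() call with `n + 1` bits and BN_RAND_TOP_ONE makes that failure impossible here as far as I can see, but `if (!ossl_bn_mask_bits_fixed_top(r, n)) return 0;` records the invariant instead of relying on it. The function also has no header comment; it should state that on success `r` is returned fixed-top with BN_FLG_CONSTTIME set and possibly leading zero words, that callers must bn_correct_top() it before it reaches a public API, and that the `n == 1` branch returns a normalized zero instead. `range` is dereferenced without a NULL check while `r` gets one; presumably intentional, but worth a line in that comment.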
@@ -260,20 +306,24 @@ int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range,
unsigned char random_bytes[64];
unsigned char digest[SHA512_DIGEST_LENGTH];
unsigned done, todo;
- /* We generate |range|+8 bytes of random output. */
- const unsigned num_k_bytes = BN_num_bytes(range) + 8;
+ /* We generate |range|+1 bytes of random output. */
+ const unsigned num_k_bytes = BN_num_bytes(range) + 1;
unsigned char private_bytes[96];
unsigned char *k_bytes = NULL;
+ const int max_n = 64; /* Pr(failure to generate) < 2^max_n */
+ int n;
int ret = 0;
EVP_MD *md = NULL;
OSSL_LIB_CTX *libctx = ossl_bn_get_libctx(ctx);
if (mdctx == NULL)
- goto err;
+ goto end;
k_bytes = OPENSSL_malloc(num_k_bytes);
if (k_bytes == NULL)
- goto err;
+ goto end;
+ /* Ensure top byte is set to avoid non-constant time in bin2bn */
+ k_bytes[0] = 0xff;
/* We copy |priv| into a local buffer to avoid exposing its length. */
if (BN_bn2binpad(priv, private_bytes, sizeof(private_bytes)) < 0) {
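Review bot: The comment on `const int max_n = 64; /* Pr(failure to generate) < 2^max_n */` states the bound the wrong way round; presumably 2^-max_n is meant, since each attempt draws a uniform value of BN_num_bits(range) bits and accepts it when it is below `range`, so a single rejection has probability at most 1/2 and 64 attempts all fail with probability at most 2^-64. Suggest `/* Pr(failure to generate) <= 2^-max_n: each attempt is rejected with probability <= 1/2 */`. The comment on `k_bytes[0] = 0xff;` could also say that the byte is masked off again by ossl_bn_mask_bits_fixed_top() and exists only so BN_bin2bn() yields a fixed-width value regardless of the random leading bytes. The function body continues in the next hunk.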
@@ -283,41 +333,60 @@ int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range,
* length of the private key.
*/
ERR_raise(ERR_LIB_BN, BN_R_PRIVATE_KEY_TOO_LARGE);
- goto err;
+ goto end;
}
md = EVP_MD_fetch(libctx, "SHA512", NULL);
if (md == NULL) {
ERR_raise(ERR_LIB_BN, BN_R_NO_SUITABLE_DIGEST);
- goto err;
- }
- for (done = 0; done < num_k_bytes;) {
- if (RAND_priv_bytes_ex(libctx, random_bytes, sizeof(random_bytes), 0) <= 0)
- goto err;
-
- if (!EVP_DigestInit_ex(mdctx, md, NULL)
- || !EVP_DigestUpdate(mdctx, &done, sizeof(done))
- || !EVP_DigestUpdate(mdctx, private_bytes,
- sizeof(private_bytes))
- || !EVP_DigestUpdate(mdctx, message, message_len)
- || !EVP_DigestUpdate(mdctx, random_bytes, sizeof(random_bytes))
- || !EVP_DigestFinal_ex(mdctx, digest, NULL))
- goto err;
-
- todo = num_k_bytes - done;
- if (todo > SHA512_DIGEST_LENGTH)
- todo = SHA512_DIGEST_LENGTH;
- memcpy(k_bytes + done, digest, todo);
- done += todo;
+ goto end;
}
+ for (n = 0; n < max_n; n++) {
+ unsigned char i = 0;
+
+ for (done = 1; done < num_k_bytes;) {
+ if (RAND_priv_bytes_ex(libctx, random_bytes, sizeof(random_bytes),
+ 0) <= 0)
+ goto end;
+
+ if (!EVP_DigestInit_ex(mdctx, md, NULL)
+ || !EVP_DigestUpdate(mdctx, &i, sizeof(i))
+ || !EVP_DigestUpdate(mdctx, private_bytes,
+ sizeof(private_bytes))
+ || !EVP_DigestUpdate(mdctx, message, message_len)
+ || !EVP_DigestUpdate(mdctx, random_bytes,
+ sizeof(random_bytes))
+ || !EVP_DigestFinal_ex(mdctx, digest, NULL))
+ goto end;
+
+ todo = num_k_bytes - done;
+ if (todo > SHA512_DIGEST_LENGTH)
+ todo = SHA512_DIGEST_LENGTH;
+ memcpy(k_bytes + done, digest, todo);
+ done += todo;
+ ++i;
+ }
- if (!BN_bin2bn(k_bytes, num_k_bytes, out))
- goto err;
- if (BN_mod(out, out, range, ctx) != 1)
- goto err;
- ret = 1;
+ if (!BN_bin2bn(k_bytes, num_k_bytes, out))
+ goto end;
- err:
+ /* Clear out the top bits and rejection filter into range */
+ BN_set_flags(out, BN_FLG_CONSTTIME);
+ ossl_bn_mask_bits_fixed_top(out, BN_num_bits(range));
+
+ if (BN_ucmp(out, range) < 0) {
+ ret = 1;
+#ifdef BN_DEBUG
+ /* With BN_DEBUG on a fixed top number cannot be returned */
+ bn_correct_top(out);
+#endif
+ goto end;
+ }
+ }
+ /* Failed to generate anything */
+ ERR_raise(ERR_LIB_BN, ERR_R_INTERNAL_ERROR);
+
+ end:
EVP_MD_CTX_free(mdctx);
EVP_MD_free(md);
OPENSSL_clear_free(k_bytes, num_k_bytes);
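Review bot: Every retry of the outer `for (n = 0; n < max_n; n++)` loop hashes exactly the same inputs apart from `random_bytes`, so an RNG that returns repeating output makes all 64 attempts produce the same candidate and the function fails with ERR_R_INTERNAL_ERROR instead of trying a different value; mixing the attempt counter in, e.g. `|| !EVP_DigestUpdate(mdctx, &n, sizeof(n))` next to the `i` update, costs nothing and keeps the attempts distinct even then. Failing closed is still the right outcome with a broken RNG, so this is robustness rather than a security hole. Separately, `unsigned char i` counts 64-byte digest blocks per attempt and wraps after 256 of them, which only matters for a `range` over 16 KiB; a comment or a wider type would make that harmless limit explicit. The `if (BN_ucmp(out, range) < 0)` test relies on `out->top == range->top` after the mask for its constant-time path, which follows from masking to BN_num_bits(range) bits and is worth stating in the `Clear out the top bits and rejection filter into range` comment. The function's prologue and epilogue are in the adjacent hunks.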
@@ -326,3 +395,20 @@ int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range,
OPENSSL_cleanse(private_bytes, sizeof(private_bytes));
return ret;
}
+
+int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range,
+ const BIGNUM *priv, const unsigned char *message,
+ size_t message_len, BN_CTX *ctx)
+{
+ int ret;
+
+ ret = ossl_bn_gen_dsa_nonce_fixed_top(out, range, priv, message,
+ message_len, ctx);
+ /*
+ * This call makes the BN_generate_dsa_nonce non-const-time, thus we
+ * do not use it internally. But fixed_top BNs currently cannot be returned
+ * from public API calls.
+ */
+ bn_correct_top(out);
+ return ret;
+}
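Review bot: `bn_correct_top(out);` in the new BN_generate_dsa_nonce() wrapper runs even when `ret == 0`, whereas the BN_mask_bits() wrapper added in bn_lib.c only normalizes on success; `if (ret) bn_correct_top(out);` would make the two consistent, although normalizing a partially written `out` looks harmless. The wrapper also leaves BN_FLG_CONSTTIME set on the caller's `out` (it is set inside ossl_bn_gen_dsa_nonce_fixed_top()), which the old implementation did not do; that is desirable for a nonce but is an observable change that the BN_generate_dsa_nonce man page could mention.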
diff --git a/crypto/bn/bn_shift.c b/crypto/bn/bn_shift.c
index 8fcb04324e..a6976c7130 100644
--- a/crypto/bn/bn_shift.c
+++ b/crypto/bn/bn_shift.c
@@ -156,6 +156,9 @@ int BN_rshift(BIGNUM *r, const BIGNUM *a, int n)
return 0;
}
+ bn_check_top(r);
+ bn_check_top(a);
+
ret = bn_rshift_fixed_top(r, a, n);
bn_correct_top(r);
@@ -177,9 +180,6 @@ int bn_rshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n)
BN_ULONG *t, *f;
BN_ULONG l, m, mask;
- bn_check_top(r);
- bn_check_top(a);
-
assert(n >= 0);
nw = n / BN_BITS2;
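Review bot: With `bn_check_top(r); bn_check_top(a);` moved out of bn_rshift_fixed_top() and into BN_rshift(), every other internal caller of bn_rshift_fixed_top() loses the debug-build sanity check, and nothing in the function records that the omission is intentional. A one-line comment at the top of the body, e.g. `/* No bn_check_top() here: callers may pass fixed-top operands, which are not normalized */`, would stop someone from reinstating it. bn_rshift_fixed_top()'s body continues past the hunk.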
diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
index 8fd66a950e..01f3b068e4 100644
--- a/crypto/dsa/dsa_ossl.c
+++ b/crypto/dsa/dsa_ossl.c
@@ -262,12 +262,13 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
* We calculate k from SHA512(private_key + H(message) + random).
* This protects the private key from a weak PRNG.
*/
- if (!BN_generate_dsa_nonce(k, dsa->params.q, dsa->priv_key, dgst,
- dlen, ctx))
+ if (!ossl_bn_gen_dsa_nonce_fixed_top(k, dsa->params.q,
+ dsa->priv_key, dgst,
+ dlen, ctx))
goto err;
- } else if (!BN_priv_rand_range_ex(k, dsa->params.q, 0, ctx))
+ } else if (!ossl_bn_priv_rand_range_fixed_top(k, dsa->params.q, 0, ctx))
goto err;
- } while (BN_is_zero(k));
+ } while (ossl_bn_is_word_fixed_top(k, 0));
BN_set_flags(k, BN_FLG_CONSTTIME);
BN_set_flags(l, BN_FLG_CONSTTIME);
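Review bot: After `} while (ossl_bn_is_word_fixed_top(k, 0));` the loop leaves `k` flagged BN_FLG_FIXED_TOP and possibly carrying leading zero words, so every operation that consumes `k` further down dsa_sign_setup() (outside this hunk) has to tolerate a non-normalized operand; a comment at that line, e.g. `/* k is fixed-top from here on; do not hand it to code that assumes bn_correct_top() */`, would make the invariant visible where it is created. The following `BN_set_flags(k, BN_FLG_CONSTTIME);` is now redundant with the flag set inside both generators, which is harmless. The same applies to the matching hunk in crypto/ec/ecdsa_ossl.c.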
diff --git a/crypto/ec/ecdsa_ossl.c b/crypto/ec/ecdsa_ossl.c
index 0bdf45e6e7..5d51ff9079 100644
--- a/crypto/ec/ecdsa_ossl.c
+++ b/crypto/ec/ecdsa_ossl.c
@@ -145,18 +145,18 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in,
/* get random k */
do {
if (dgst != NULL) {
- if (!BN_generate_dsa_nonce(k, order, priv_key,
- dgst, dlen, ctx)) {
+ if (!ossl_bn_gen_dsa_nonce_fixed_top(k, order, priv_key,
+ dgst, dlen, ctx)) {
ERR_raise(ERR_LIB_EC, EC_R_RANDOM_NUMBER_GENERATION_FAILED);
goto err;
}
} else {
- if (!BN_priv_rand_range_ex(k, order, 0, ctx)) {
+ if (!ossl_bn_priv_rand_range_fixed_top(k, order, 0, ctx)) {
ERR_raise(ERR_LIB_EC, EC_R_RANDOM_NUMBER_GENERATION_FAILED);
goto err;
}
}
- } while (BN_is_zero(k));
+ } while (ossl_bn_is_word_fixed_top(k, 0));
/* compute r the x-coordinate of generator * k */
if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) {
diff --git a/crypto/ess/ess_lib.c b/crypto/ess/ess_lib.c
index 65444d383f..3d59fc2151 100644
--- a/crypto/ess/ess_lib.c
+++ b/crypto/ess/ess_lib.c
@@ -293,7 +293,7 @@ int OSSL_ESS_check_signing_certs(const ESS_SIGNING_CERT *ss,
int i, ret;
if (require_signing_cert && ss == NULL && ssv2 == NULL) {
- ERR_raise(ERR_LIB_CMS, ESS_R_MISSING_SIGNING_CERTIFICATE_ATTRIBUTE);
+ ERR_raise(ERR_LIB_ESS, ESS_R_MISSING_SIGNING_CERTIFICATE_ATTRIBUTE);
return -1;
}
if (n_v1 == 0 || n_v2 == 0) {
diff --git a/crypto/provider_core.c b/crypto/provider_core.c
index e90b63b303..9f8e73c9d0 100644
--- a/crypto/provider_core.c
+++ b/crypto/provider_core.c
@@ -559,8 +559,15 @@ OSSL_PROVIDER *ossl_provider_new(OSSL_LIB_CTX *libctx, const char *name,
}
/* provider_new() generates an error, so no need here */
- if ((prov = provider_new(name, template.init, template.parameters)) == NULL)
+ prov = provider_new(name, template.init, template.parameters);
+
+ if (prov == NULL)
+ return NULL;
+
+ if (!ossl_provider_set_module_path(prov, template.path)) {
+ ossl_provider_free(prov);
return NULL;
+ }
prov->libctx = libctx;
#ifndef FIPS_MODULE
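Review bot: `ossl_provider_free(prov);` on the new failure path runs before `prov->libctx = libctx;` is assigned, so the provider is torn down with whatever libctx provider_new() left in it (presumably NULL); if ossl_provider_free() consults `prov->libctx` at all that needs confirming, and otherwise a short `/* prov->libctx is not yet set here */` at the free saves the next reader the check. The comment `provider_new() generates an error, so no need here` now also sits above the ossl_provider_set_module_path() failure, which only holds if that function raises its own error, worth verifying so callers do not get NULL with an empty error queue. ossl_provider_new() continues outside the hunk.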
diff --git a/crypto/sm2/sm2_sign.c b/crypto/sm2/sm2_sign.c
index b6d41db8e3..79692f146e 100644
--- a/crypto/sm2/sm2_sign.c
+++ b/crypto/sm2/sm2_sign.c
@@ -28,6 +28,7 @@ int ossl_sm2_compute_z_digest(uint8_t *out,
{
int rc = 0;
const EC_GROUP *group = EC_KEY_get0_group(key);
+ const EC_POINT *pubkey = EC_KEY_get0_public_key(key);
BN_CTX *ctx = NULL;
EVP_MD_CTX *hash = NULL;
BIGNUM *p = NULL;
@@ -42,6 +43,12 @@ int ossl_sm2_compute_z_digest(uint8_t *out,
uint16_t entl = 0;
uint8_t e_byte = 0;
+ /* SM2 Signatures require a public key, check for it */
+ if (pubkey == NULL) {
+ ERR_raise(ERR_LIB_SM2, ERR_R_PASSED_NULL_PARAMETER);
+ goto done;
+ }
+
hash = EVP_MD_CTX_new();
ctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(key));
if (hash == NULL || ctx == NULL) {
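Review bot: The new guard `if (pubkey == NULL)` raises ERR_R_PASSED_NULL_PARAMETER, which tells a caller that reached it through EVP_DigestSign on a private-only EVP_PKEY nothing about which part of the key is missing; the comment could carry the reason, e.g. `/* The Z digest hashes the affine coordinates of the public point, so a key holding only the private scalar cannot produce it; callers must supply the public key */`, and a reason code naming the missing public key would be more diagnostic if the SM2 error table has one. The early `goto done` is safe only because `hash`, `ctx` and `p` are initialized to NULL in the previous hunk; the remaining pointers released at `done` presumably are too, but that is outside the hunk. ossl_sm2_compute_z_digest() continues beyond this hunk.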
@@ -117,7 +124,7 @@ int ossl_sm2_compute_z_digest(uint8_t *out,
|| BN_bn2binpad(yG, buf, p_bytes) < 0
|| !EVP_DigestUpdate(hash, buf, p_bytes)
|| !EC_POINT_get_affine_coordinates(group,
- EC_KEY_get0_public_key(key),
+ pubkey,
xA, yA, ctx)
|| BN_bn2binpad(xA, buf, p_bytes) < 0
|| !EVP_DigestUpdate(hash, buf, p_bytes)
diff --git a/doc/man3/SSL_CIPHER_get_name.pod b/doc/man3/SSL_CIPHER_get_name.pod
index e22a85a063..c3109279a7 100644
--- a/doc/man3/SSL_CIPHER_get_name.pod
+++ b/doc/man3/SSL_CIPHER_get_name.pod
@@ -109,7 +109,7 @@ cipher B<c>.
SSL_CIPHER_description() returns a textual description of the cipher used
into the buffer B<buf> of length B<len> provided. If B<buf> is provided, it
-must be at least 128 bytes, otherwise a buffer will be allocated using
+must be at least 128 bytes. If B<buf> is NULL it will be allocated using
OPENSSL_malloc(). If the provided buffer is too small, or the allocation fails,
B<NULL> is returned.
diff --git a/doc/man7/EVP_PKEY-SM2.pod b/doc/man7/EVP_PKEY-SM2.pod
index 8bdc506cec..b073dc8b05 100644
--- a/doc/man7/EVP_PKEY-SM2.pod
+++ b/doc/man7/EVP_PKEY-SM2.pod
@@ -38,6 +38,9 @@ Getter that returns the default digest name.
B<SM2> signatures can be generated by using the 'DigestSign' series of APIs, for
instance, EVP_DigestSignInit(), EVP_DigestSignUpdate() and EVP_DigestSignFinal().
Ditto for the verification process by calling the 'DigestVerify' series of APIs.
+Note that the SM2 algorithm requires the presence of the public key for signatures,
+as such the B<OSSL_PKEY_PARAM_PUB_KEY> option must be set on any key used in signature
+generation.
Before computing an B<SM2> signature, an B<EVP_PKEY_CTX> needs to be created,
and an B<SM2> ID must be set for it, like this:
diff --git a/doc/man7/migration_guide.pod b/doc/man7/migration_guide.pod
index 28983ea600..3152b70483 100644
--- a/doc/man7/migration_guide.pod
+++ b/doc/man7/migration_guide.pod
@@ -1326,7 +1326,7 @@ d2i_DSAPrivateKey_bio(), d2i_DSAPrivateKey_fp(), d2i_DSA_PUBKEY(),
d2i_DSA_PUBKEY_bio(), d2i_DSA_PUBKEY_fp(), d2i_DSAPublicKey(),
d2i_ECParameters(), d2i_ECPrivateKey(), d2i_ECPrivateKey_bio(),
d2i_ECPrivateKey_fp(), d2i_EC_PUBKEY(), d2i_EC_PUBKEY_bio(),
-d2i_EC_PUBKEY_fp(), o2i_ECPublicKey(), d2i_RSAPrivateKey(),
+d2i_EC_PUBKEY_fp(), d2i_RSAPrivateKey(),
d2i_RSAPrivateKey_bio(), d2i_RSAPrivateKey_fp(), d2i_RSA_PUBKEY(),
d2i_RSA_PUBKEY_bio(), d2i_RSA_PUBKEY_fp(), d2i_RSAPublicKey(),
d2i_RSAPublicKey_bio(), d2i_RSAPublicKey_fp()
@@ -1335,6 +1335,13 @@ See L</Deprecated i2d and d2i functions for low-level key types>
=item *
+o2i_ECPublicKey()
+
+Use L<EVP_PKEY_set1_encoded_public_key(3)>.
+See L</Deprecated low-level key parameter setters>
+
+=item *
+
DES_crypt(), DES_fcrypt(), DES_encrypt1(), DES_encrypt2(), DES_encrypt3(),
DES_decrypt3(), DES_ede3_cbc_encrypt(), DES_ede3_cfb64_encrypt(),
DES_ede3_cfb_encrypt(),DES_ede3_ofb64_encrypt(),
@@ -1885,13 +1892,20 @@ and L<d2i_RSAPrivateKey(3)/Migration>
i2d_ECParameters(), i2d_ECPrivateKey(), i2d_ECPrivateKey_bio(),
i2d_ECPrivateKey_fp(), i2d_EC_PUBKEY(), i2d_EC_PUBKEY_bio(),
-i2d_EC_PUBKEY_fp(), i2o_ECPublicKey()
+i2d_EC_PUBKEY_fp()
See L</Deprecated low-level key reading and writing functions>
and L<d2i_RSAPrivateKey(3)/Migration>
=item *
+i2o_ECPublicKey()
+
+Use L<EVP_PKEY_get1_encoded_public_key(3)>.
+See L</Deprecated low-level key parameter getters>
+
+=item *
+
i2d_RSAPrivateKey(), i2d_RSAPrivateKey_bio(), i2d_RSAPrivateKey_fp(),
i2d_RSA_PUBKEY(), i2d_RSA_PUBKEY_bio(), i2d_RSA_PUBKEY_fp(),
i2d_RSAPublicKey(), i2d_RSAPublicKey_bio(), i2d_RSAPublicKey_fp()
diff --git a/include/crypto/bn.h b/include/crypto/bn.h
index 00544d9d25..3180b993ab 100644
--- a/include/crypto/bn.h
+++ b/include/crypto/bn.h
@@ -87,6 +87,14 @@ int bn_lshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n);
int bn_rshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n);
int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m,
const BIGNUM *d, BN_CTX *ctx);
+int ossl_bn_mask_bits_fixed_top(BIGNUM *a, int n);
+int ossl_bn_is_word_fixed_top(const BIGNUM *a, BN_ULONG w);
+int ossl_bn_priv_rand_range_fixed_top(BIGNUM *r, const BIGNUM *range,
+ unsigned int strength, BN_CTX *ctx);
+int ossl_bn_gen_dsa_nonce_fixed_top(BIGNUM *out, const BIGNUM *range,
+ const BIGNUM *priv,
+ const unsigned char *message,
+ size_t message_len, BN_CTX *ctx);
#define BN_PRIMETEST_COMPOSITE 0
#define BN_PRIMETEST_COMPOSITE_WITH_FACTOR 1
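Review bot: The four new `*_fixed_top` prototypes carry no comment on what "fixed top" means for their results, and this header is where the next internal caller will look: results come back with BN_FLG_FIXED_TOP set, may carry leading zero words, are not bn_check_top()-clean, and must pass through bn_correct_top() before reaching a public API. A short block comment above `int ossl_bn_mask_bits_fixed_top(BIGNUM *a, int n);` stating that contract, plus a line that ossl_bn_is_word_fixed_top() treats `top` as public while comparing word values in constant time, would cover all four.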
diff --git a/include/internal/constant_time.h b/include/internal/constant_time.h
index 0ed6f823c1..f2572ded51 100644
--- a/include/internal/constant_time.h
+++ b/include/internal/constant_time.h
@@ -140,6 +140,29 @@ static ossl_inline uint64_t constant_time_lt_64(uint64_t a, uint64_t b)
return constant_time_msb_64(a ^ ((a ^ b) | ((a - b) ^ b)));
}
+#ifdef BN_ULONG
+static ossl_inline BN_ULONG constant_time_msb_bn(BN_ULONG a)
+{
+ return 0 - (a >> (sizeof(a) * 8 - 1));
+}
+
+static ossl_inline BN_ULONG constant_time_lt_bn(BN_ULONG a, BN_ULONG b)
+{
+ return constant_time_msb_bn(a ^ ((a ^ b) | ((a - b) ^ b)));
+}
+
+static ossl_inline BN_ULONG constant_time_is_zero_bn(BN_ULONG a)
+{
+ return constant_time_msb_bn(~a & (a - 1));
+}
+
+static ossl_inline BN_ULONG constant_time_eq_bn(BN_ULONG a,
+ BN_ULONG b)
+{
+ return constant_time_is_zero_bn(a ^ b);
+}
+#endif
+
static ossl_inline unsigned int constant_time_ge(unsigned int a,
unsigned int b)
{
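Review bot: The new helpers are wrapped in `#ifdef BN_ULONG`, and BN_ULONG is a macro from <openssl/bn.h>, so whether constant_time_lt_bn() and friends exist depends on which header was included first; a translation unit that includes constant_time.h before bn.h silently gets none of them and only finds out through an unrelated-looking compile error. Either a comment above the `#ifdef`, e.g. `/* BN_ULONG helpers: only defined when <openssl/bn.h> is included before this header */`, or an explicit include of the header that defines BN_ULONG would make this robust. The `sizeof(a) * 8 - 1` shift assumes CHAR_BIT == 8, which I take to match the rest of this header.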
diff --git a/include/internal/e_os.h b/include/internal/e_os.h
index 7fdc389982..c7802d6e6c 100644
--- a/include/internal/e_os.h
+++ b/include/internal/e_os.h
@@ -296,20 +296,18 @@ static ossl_inline void ossl_sleep(unsigned long millis)
ts.tv_sec = (long int) (millis / 1000);
ts.tv_nsec = (long int) (millis % 1000) * 1000000ul;
nanosleep(&ts, NULL);
-# elif defined(__TANDEM)
-# if !defined(_REENTRANT)
+# elif defined(__TANDEM) && !defined(_REENTRANT)
# include <cextdecs.h(PROCESS_DELAY_)>
+
/* HPNS does not support usleep for non threaded apps */
PROCESS_DELAY_(millis * 1000);
-# elif defined(_SPT_MODEL_)
-# include <spthread.h>
-# include <spt_extensions.h>
- usleep(millis * 1000);
-# else
- usleep(millis * 1000);
-# endif
# else
- usleep(millis * 1000);
+ unsigned int s = (unsigned int)(millis / 1000);
+ unsigned int us = (unsigned int)((millis % 1000) * 1000);
+
+ if (s > 0)
+ sleep(s);
+ usleep(us);
# endif
}
#elif defined(_WIN32)
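Review bot: The replacement `if (s > 0) sleep(s); usleep(us);` ignores the return values of both calls, so a signal delivered during sleep() returns early with the remaining seconds unreported and ossl_sleep() silently under-sleeps; the old single usleep() had the same exposure, but if any caller uses ossl_sleep() for a security-relevant delay such as retry backoff, looping on sleep()'s remainder would be the fix. Splitting into whole seconds plus a sub-second usleep() is presumably motivated by usleep() being permitted to fail for arguments of 1,000,000 or more; a one-line comment saying so would keep someone from folding it back into one call. The `_SPT_MODEL_` branches are dropped, so that configuration now falls through to the generic path, fine if sleep()/usleep() are available there, which I cannot verify from here. ossl_sleep() begins outside the hunk.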
diff --git a/os-dep/Apple/PrivacyInfo.xcprivacy b/os-dep/Apple/PrivacyInfo.xcprivacy
new file mode 100644
index 0000000000..285dd5beba
--- /dev/null
+++ b/os-dep/Apple/PrivacyInfo.xcprivacy
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+ <key>NSPrivacyAccessedAPITypes</key>
+ <array>
+ <dict>
+ <key>NSPrivacyAccessedAPIType</key>
+ <string>NSPrivacyAccessedAPICategoryFileTimestamp</string>
+ <key>NSPrivacyAccessedAPITypeReasons</key>
+ <array>
+ <string>C617.1</string>
+ </array>
+ </dict>
+ </array>
+ <key>NSPrivacyCollectedDataTypes</key>
+ <array/>
+ <key>NSPrivacyTrackingDomains</key>
+ <array/>
+ <key>NSPrivacyTracking</key>
+ <false/>
+</dict>
+</plist>
diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
index 2057378d3d..094cb30acb 100644
--- a/providers/fips/self_test_data.inc
+++ b/providers/fips/self_test_data.inc
@@ -1400,14 +1400,14 @@ static const unsigned char ecd_prime_pub[] = {
0x82
};
static const unsigned char ecdsa_prime_expected_sig[] = {
- 0x30, 0x3d, 0x02, 0x1d, 0x00, 0xd2, 0x4a, 0xc9,
- 0x4f, 0xaf, 0xdb, 0x62, 0xfc, 0x41, 0x4a, 0x81,
- 0x2a, 0x9f, 0xcf, 0xa3, 0xda, 0xfe, 0xa3, 0x49,
- 0xbd, 0xea, 0xbf, 0x2a, 0x51, 0xb4, 0x0b, 0xc3,
- 0xbc, 0x02, 0x1c, 0x7f, 0x30, 0xb7, 0xad, 0xab,
- 0x09, 0x6e, 0x3c, 0xad, 0x7f, 0xf9, 0x5e, 0xaa,
- 0xe2, 0x38, 0xe5, 0x29, 0x16, 0xc4, 0xc8, 0x77,
- 0xa1, 0xf8, 0x60, 0x77, 0x39, 0x7a, 0xec
+ 0x30, 0x3d, 0x02, 0x1c, 0x48, 0x4f, 0x3c, 0x97,
+ 0x5b, 0xfa, 0x40, 0x6c, 0xdb, 0xd6, 0x70, 0xb5,
+ 0xbd, 0x2d, 0xd0, 0xc6, 0x22, 0x93, 0x5a, 0x88,
+ 0x56, 0xd0, 0xaf, 0x0a, 0x94, 0x92, 0x20, 0x01,
+ 0x02, 0x1d, 0x00, 0xa4, 0x80, 0xe0, 0x47, 0x88,
+ 0x8a, 0xef, 0x2a, 0x47, 0x9d, 0x81, 0x9a, 0xbf,
+ 0x45, 0xc3, 0x6f, 0x9e, 0x2e, 0xc1, 0x44, 0x9f,
+ 0xfd, 0x79, 0xdb, 0x90, 0x3e, 0xb9, 0xb2
};
static const ST_KAT_PARAM ecdsa_prime_key[] = {
ST_KAT_PARAM_UTF8STRING(OSSL_PKEY_PARAM_GROUP_NAME, ecd_prime_curve_name),
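Review bot: The regenerated `ecdsa_prime_expected_sig` (and `ecdsa_bin_expected_sig` in the next hunk) are presumably valid only for the exact nonce derivation in ossl_bn_gen_dsa_nonce_fixed_top() under the self-test's deterministic entropy, but nothing near the arrays says so, so the next change to that function will break the KAT with no pointer to why. A comment above the array, e.g. `/* Expected signature depends on the deterministic nonce derivation in crypto/bn/bn_rand.c; regenerate when that changes */`, would make the coupling explicit. I cannot verify the bytes themselves from here.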
@@ -1435,15 +1435,15 @@ static const unsigned char ecd_bin_pub[] = {
0x99, 0xb6, 0x8f, 0x80, 0x46
};
static const unsigned char ecdsa_bin_expected_sig[] = {
- 0x30, 0x3f, 0x02, 0x1d, 0x08, 0x11, 0x7c, 0xcd,
- 0xf4, 0xa1, 0x31, 0x9a, 0xc1, 0xfd, 0x50, 0x0e,
- 0x5d, 0xa9, 0xb6, 0x0e, 0x95, 0x49, 0xe1, 0xbd,
- 0x44, 0xe3, 0x5b, 0xa9, 0x35, 0x94, 0xa5, 0x2f,
- 0xae, 0x02, 0x1e, 0x00, 0xe3, 0xba, 0xb8, 0x8f,
- 0x4b, 0x05, 0x76, 0x88, 0x1e, 0x49, 0xd6, 0x62,
- 0x76, 0xd3, 0x22, 0x4d, 0xa3, 0x7b, 0x04, 0xcc,
- 0xfa, 0x7b, 0x41, 0x9b, 0x8c, 0xaf, 0x1b, 0x6d,
- 0xbd
+ 0x30, 0x3f, 0x02, 0x1d, 0x58, 0xe9, 0xd0, 0x84,
+ 0x5c, 0xad, 0x29, 0x03, 0xf6, 0xa6, 0xbc, 0xe0,
+ 0x24, 0x6d, 0x9e, 0x79, 0x5d, 0x1e, 0xe8, 0x5a,
+ 0xc3, 0x31, 0x0a, 0xa9, 0xfb, 0xe3, 0x99, 0x54,
+ 0x11, 0x02, 0x1e, 0x00, 0xa3, 0x44, 0x28, 0xa3,
+ 0x70, 0x97, 0x98, 0x17, 0xd7, 0xa6, 0xad, 0x91,
+ 0xaf, 0x41, 0x69, 0xb6, 0x06, 0x99, 0x39, 0xc7,
+ 0x63, 0xa4, 0x6a, 0x81, 0xe4, 0x9a, 0x9d, 0x15,
+ 0x8b
};
static const ST_KAT_PARAM ecdsa_bin_key[] = {
ST_KAT_PARAM_UTF8STRING(OSSL_PKEY_PARAM_GROUP_NAME, ecd_bin_curve_name),
@@ -1571,14 +1571,14 @@ static const unsigned char dsa_priv[] = {
0x40, 0x7e, 0x5c, 0xb7
};
stat