src - FreeBSD source tree

diff options


context:
space:
mode:

author	Jung-uk Kim <jkim@FreeBSD.org>	2023-05-30 14:24:15 +0000
committer	Jung-uk Kim <jkim@FreeBSD.org>	2023-05-30 14:24:15 +0000
commit	8ecb489345f08012fdc92a202a40119891cac330 (patch)
tree	c20f9f8a5f3bb1db19e0ab77ecedb62f3075db88
parent	0d51f658515c605fcc4a8073cb5a8e0d7d904088 (diff)

Import OpenSSL 1.1.1uvendor/openssl/1.1.1u

-rw-r--r--

-rwxr-xr-x

-rw-r--r--

-rw-r--r--

-rw-r--r--

crypto/aes/asm/bsaes-armv7.pl

-rw-r--r--

crypto/asn1/a_bitstr.c

-rw-r--r--

crypto/bio/b_print.c

-rw-r--r--

crypto/bn/bn_asm.c

108

-rw-r--r--

-rw-r--r--

-rw-r--r--

-rw-r--r--

-rw-r--r--

-rw-r--r--

crypto/bn/rsa_sup_mul.c

614

-rw-r--r--

crypto/conf/conf_sap.c

-rw-r--r--

crypto/err/openssl.txt

-rw-r--r--

crypto/objects/obj_dat.c

-rw-r--r--

crypto/rsa/rsa_ossl.c

-rw-r--r--

crypto/ui/ui_lib.c

-rw-r--r--

crypto/ui/ui_util.c

-rw-r--r--

crypto/x509/x509_vfy.c

-rw-r--r--

crypto/x509v3/pcy_local.h

-rw-r--r--

crypto/x509v3/pcy_node.c

-rw-r--r--

crypto/x509v3/pcy_tree.c

-rw-r--r--

doc/fingerprints.txt

-rw-r--r--

doc/man3/X509_VERIFY_PARAM_set_flags.pod

-rw-r--r--

engines/e_padlock.c

-rw-r--r--

include/crypto/bn.h

-rw-r--r--

include/openssl/opensslv.h

29 files changed, 344 insertions, 772 deletions

diff --git a/CHANGES b/CHANGES
index 1e2d651b7514..8945260c3eaf 100644
--- a/CHANGES
+++ b/CHANGES

@@ -7,6 +7,64 @@

https://github.com/openssl/openssl/commits/ and pick the appropriate

release branch.

+ Changes between 1.1.1t and 1.1.1u [30 May 2023]

+ *) Mitigate for the time it takes for `OBJ_obj2txt` to translate gigantic

+ OBJECT IDENTIFIER sub-identifiers to canonical numeric text form.

+ OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical

+ numeric text form. For gigantic sub-identifiers, this would take a very

+ long time, the time complexity being O(n^2) where n is the size of that

+ sub-identifier. (CVE-2023-2650)

+ To mitigitate this, `OBJ_obj2txt()` will only translate an OBJECT

+ IDENTIFIER to canonical numeric text form if the size of that OBJECT

+ IDENTIFIER is 586 bytes or less, and fail otherwise.

+ The basis for this restriction is RFC 2578 (STD 58), section 3.5. OBJECT

+ IDENTIFIER values, which stipulates that OBJECT IDENTIFIERS may have at

+ most 128 sub-identifiers, and that the maximum value that each sub-

+ identifier may have is 2^32-1 (4294967295 decimal).

+ For each byte of every sub-identifier, only the 7 lower bits are part of

+ the value, so the maximum amount of bytes that an OBJECT IDENTIFIER with

+ these restrictions may occupy is 32 * 128 / 7, which is approximately 586

+ bytes.

+ Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5

+ [Richard Levitte]

+ *) Reworked the Fix for the Timing Oracle in RSA Decryption (CVE-2022-4304).

+ The previous fix for this timing side channel turned out to cause

+ a severe 2-3x performance regression in the typical use case

+ compared to 1.1.1s. The new fix uses existing constant time

+ code paths, and restores the previous performance level while

+ fully eliminating all existing timing side channels.

+ The fix was developed by Bernd Edlinger with testing support

+ by Hubert Kario.

+ [Bernd Edlinger]

+ *) Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention

+ that it does not enable policy checking. Thanks to

+ David Benjamin for discovering this issue. (CVE-2023-0466)

+ [Tomas Mraz]

+ *) Fixed an issue where invalid certificate policies in leaf certificates are

+ silently ignored by OpenSSL and other certificate policy checks are skipped

+ for that certificate. A malicious CA could use this to deliberately assert

+ invalid certificate policies in order to circumvent policy checking on the

+ certificate altogether. (CVE-2023-0465)

+ [Matt Caswell]

+ *) Limited the number of nodes created in a policy tree to mitigate

+ against CVE-2023-0464. The default limit is set to 1000 nodes, which

+ should be sufficient for most installations. If required, the limit

+ can be adjusted by setting the OPENSSL_POLICY_TREE_NODES_MAX build

+ time define to a desired maximum number of nodes or zero to allow

+ unlimited growth. (CVE-2023-0464)

+ [Paul Dale]

Changes between 1.1.1s and 1.1.1t [7 Feb 2023]

*) Fixed X.400 address type confusion in X.509 GeneralName.

diff --git a/Configure b/Configure
index 6cb1a84f4b7f..78cc15d18474 100755
--- a/Configure
+++ b/Configure

@@ -1244,7 +1244,7 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m)

}

if ($target =~ /linux.*-mips/ && !$disabled{asm}

- && !grep { $_ !~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) {

+ && !grep { $_ =~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) {

# minimally required architecture flags for assembly modules

my $value;

$value = '-mips2' if ($target =~ /mips32/);

diff --git a/NEWS b/NEWS
index 2724fc4d85ba..f5a2d5ad33f8 100644
--- a/NEWS
+++ b/NEWS

@@ -5,6 +5,15 @@

This file gives a brief overview of the major changes between each OpenSSL

release. For more details please read the CHANGES file.

+ Major changes between OpenSSL 1.1.1t and OpenSSL 1.1.1u [30 May 2023]

+ o Mitigate for very slow `OBJ_obj2txt()` performance with gigantic

+ OBJECT IDENTIFIER sub-identities. (CVE-2023-2650)

+ o Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466)

+ o Fixed handling of invalid certificate policies in leaf certificates

+ (CVE-2023-0465)

+ o Limited the number of nodes created in a policy tree ([CVE-2023-0464])

Major changes between OpenSSL 1.1.1s and OpenSSL 1.1.1t [7 Feb 2023]

o Fixed X.400 address type confusion in X.509 GeneralName (CVE-2023-0286)

diff --git a/README b/README
index b2f806be3a44..b9bf50f4b1e5 100644
--- a/README
+++ b/README

@@ -1,7 +1,7 @@

- OpenSSL 1.1.1t 7 Feb 2023

+ OpenSSL 1.1.1u 30 May 2023

diff --git a/crypto/aes/asm/bsaes-armv7.pl b/crypto/aes/asm/bsaes-armv7.pl
index 2b9f241ce8b0..b22db37d4d4c 100644
--- a/crypto/aes/asm/bsaes-armv7.pl
+++ b/crypto/aes/asm/bsaes-armv7.pl

@@ -1,5 +1,5 @@

#! /usr/bin/env perl

# Licensed under the OpenSSL license (the "License"). You may not use

# this file except in compliance with the License. You can obtain a copy

@@ -14,7 +14,7 @@

# details see http://www.openssl.org/~appro/cryptogams/.

# Specific modes and adaptation for Linux kernel by Ard Biesheuvel

-# of Linaro. Permission to use under GPL terms is granted.

+# of Linaro.

# ====================================================================

# Bit-sliced AES for ARM NEON

diff --git a/crypto/asn1/a_bitstr.c b/crypto/asn1/a_bitstr.c
index f462dd107368..14b57265d172 100644
--- a/crypto/asn1/a_bitstr.c
+++ b/crypto/asn1/a_bitstr.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

@@ -148,6 +148,9 @@ int ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value)

int w, v, iv;

unsigned char *c;

+ if (n < 0)

+ return 0;

w = n / 8;

v = 1 << (7 - (n & 0x07));

iv = ~v;

@@ -182,6 +185,9 @@ int ASN1_BIT_STRING_get_bit(const ASN1_BIT_STRING *a, int n)

{

int w, v;

+ if (n < 0)

+ return 0;

w = n / 8;

v = 1 << (7 - (n & 0x07));

if ((a == NULL) || (a->length < (w + 1)) || (a->data == NULL))

diff --git a/crypto/bio/b_print.c b/crypto/bio/b_print.c
index 45d4e9f004b1..c4ed364d72f6 100644
--- a/crypto/bio/b_print.c
+++ b/crypto/bio/b_print.c

@@ -305,7 +305,6 @@ _dopr(char **sbuffer,

case 'G':

case 'g':

/* not implemented for UEFI */

- ERR_raise(ERR_LIB_BIO, ERR_R_UNSUPPORTED);

return 0;

#endif

case 'c':

diff --git a/crypto/bn/bn_asm.c b/crypto/bn/bn_asm.c
index 4d83a8cf1115..e5fa81b3a1e3 100644
--- a/crypto/bn/bn_asm.c
+++ b/crypto/bn/bn_asm.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

@@ -381,25 +381,33 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,

#ifndef OPENSSL_SMALL_FOOTPRINT

while (n & ~3) {

t1 = a[0];

- t2 = b[0];

- r[0] = (t1 - t2 - c) & BN_MASK2;

- if (t1 != t2)

- c = (t1 < t2);

+ t2 = (t1 - c) & BN_MASK2;

+ c = (t2 > t1);

+ t1 = b[0];

+ t1 = (t2 - t1) & BN_MASK2;

+ r[0] = t1;

+ c += (t1 > t2);

t1 = a[1];

- t2 = b[1];

- r[1] = (t1 - t2 - c) & BN_MASK2;

- if (t1 != t2)

- c = (t1 < t2);

+ t2 = (t1 - c) & BN_MASK2;

+ c = (t2 > t1);

+ t1 = b[1];

+ t1 = (t2 - t1) & BN_MASK2;

+ r[1] = t1;

+ c += (t1 > t2);

t1 = a[2];

- t2 = b[2];

- r[2] = (t1 - t2 - c) & BN_MASK2;

- if (t1 != t2)

- c = (t1 < t2);

+ t2 = (t1 - c) & BN_MASK2;

+ c = (t2 > t1);

+ t1 = b[2];

+ t1 = (t2 - t1) & BN_MASK2;

+ r[2] = t1;

+ c += (t1 > t2);

t1 = a[3];

- t2 = b[3];

- r[3] = (t1 - t2 - c) & BN_MASK2;

- if (t1 != t2)

- c = (t1 < t2);

+ t2 = (t1 - c) & BN_MASK2;

+ c = (t2 > t1);

+ t1 = b[3];

+ t1 = (t2 - t1) & BN_MASK2;

+ r[3] = t1;

+ c += (t1 > t2);

a += 4;

b += 4;

r += 4;

@@ -408,10 +416,12 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,

#endif

while (n) {

t1 = a[0];

- t2 = b[0];

- r[0] = (t1 - t2 - c) & BN_MASK2;

- if (t1 != t2)

- c = (t1 < t2);

+ t2 = (t1 - c) & BN_MASK2;

+ c = (t2 > t1);

+ t1 = b[0];

+ t1 = (t2 - t1) & BN_MASK2;

+ r[0] = t1;

+ c += (t1 > t2);

a++;

b++;

r++;

@@ -446,7 +456,7 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,

t += c0; /* no carry */ \

c0 = (BN_ULONG)Lw(t); \

hi = (BN_ULONG)Hw(t); \

- c1 = (c1+hi)&BN_MASK2; if (c1<hi) c2++; \

+ c1 = (c1+hi)&BN_MASK2; c2 += (c1<hi); \

} while(0)

# define mul_add_c2(a,b,c0,c1,c2) do { \

@@ -455,11 +465,11 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,

BN_ULLONG tt = t+c0; /* no carry */ \

c0 = (BN_ULONG)Lw(tt); \

hi = (BN_ULONG)Hw(tt); \

- c1 = (c1+hi)&BN_MASK2; if (c1<hi) c2++; \

+ c1 = (c1+hi)&BN_MASK2; c2 += (c1<hi); \

t += c0; /* no carry */ \

c0 = (BN_ULONG)Lw(t); \

hi = (BN_ULONG)Hw(t); \

- c1 = (c1+hi)&BN_MASK2; if (c1<hi) c2++; \

+ c1 = (c1+hi)&BN_MASK2; c2 += (c1<hi); \

} while(0)

# define sqr_add_c(a,i,c0,c1,c2) do { \

@@ -468,7 +478,7 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,

t += c0; /* no carry */ \

c0 = (BN_ULONG)Lw(t); \

hi = (BN_ULONG)Hw(t); \

- c1 = (c1+hi)&BN_MASK2; if (c1<hi) c2++; \

+ c1 = (c1+hi)&BN_MASK2; c2 += (c1<hi); \

} while(0)

# define sqr_add_c2(a,i,j,c0,c1,c2) \

@@ -483,26 +493,26 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,

BN_ULONG ta = (a), tb = (b); \

BN_ULONG lo, hi; \

BN_UMULT_LOHI(lo,hi,ta,tb); \

- c0 += lo; hi += (c0<lo)?1:0; \

- c1 += hi; c2 += (c1<hi)?1:0; \

+ c0 += lo; hi += (c0<lo); \

+ c1 += hi; c2 += (c1<hi); \

} while(0)

# define mul_add_c2(a,b,c0,c1,c2) do { \

BN_ULONG ta = (a), tb = (b); \

BN_ULONG lo, hi, tt; \

BN_UMULT_LOHI(lo,hi,ta,tb); \

- c0 += lo; tt = hi+((c0<lo)?1:0); \

- c1 += tt; c2 += (c1<tt)?1:0; \

- c0 += lo; hi += (c0<lo)?1:0; \

- c1 += hi; c2 += (c1<hi)?1:0; \

+ c0 += lo; tt = hi + (c0<lo); \

+ c1 += tt; c2 += (c1<tt); \

+ c0 += lo; hi += (c0<lo); \

+ c1 += hi; c2 += (c1<hi); \

} while(0)

# define sqr_add_c(a,i,c0,c1,c2) do { \

BN_ULONG ta = (a)[i]; \

BN_ULONG lo, hi; \

BN_UMULT_LOHI(lo,hi,ta,ta); \

- c0 += lo; hi += (c0<lo)?1:0; \

- c1 += hi; c2 += (c1<hi)?1:0; \

+ c0 += lo; hi += (c0<lo); \

+ c1 += hi; c2 += (c1<hi); \

} while(0)

# define sqr_add_c2(a,i,j,c0,c1,c2) \

@@ -517,26 +527,26 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,

BN_ULONG ta = (a), tb = (b); \

BN_ULONG lo = ta * tb; \

BN_ULONG hi = BN_UMULT_HIGH(ta,tb); \

- c0 += lo; hi += (c0<lo)?1:0; \

- c1 += hi; c2 += (c1<hi)?1:0; \

+ c0 += lo; hi += (c0<lo); \

+ c1 += hi; c2 += (c1<hi); \

} while(0)

# define mul_add_c2(a,b,c0,c1,c2) do { \

BN_ULONG ta = (a), tb = (b), tt; \

BN_ULONG lo = ta * tb; \

BN_ULONG hi = BN_UMULT_HIGH(ta,tb); \

- c0 += lo; tt = hi + ((c0<lo)?1:0); \

- c1 += tt; c2 += (c1<tt)?1:0; \

- c0 += lo; hi += (c0<lo)?1:0; \

- c1 += hi; c2 += (c1<hi)?1:0; \

+ c0 += lo; tt = hi + (c0<lo); \

+ c1 += tt; c2 += (c1<tt); \

+ c0 += lo; hi += (c0<lo); \

+ c1 += hi; c2 += (c1<hi); \

} while(0)

# define sqr_add_c(a,i,c0,c1,c2) do { \

BN_ULONG ta = (a)[i]; \

BN_ULONG lo = ta * ta; \

BN_ULONG hi = BN_UMULT_HIGH(ta,ta); \

- c0 += lo; hi += (c0<lo)?1:0; \

- c1 += hi; c2 += (c1<hi)?1:0; \

+ c0 += lo; hi += (c0<lo); \

+ c1 += hi; c2 += (c1<hi); \

} while(0)

# define sqr_add_c2(a,i,j,c0,c1,c2) \

@@ -551,8 +561,8 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,

BN_ULONG lo = LBITS(a), hi = HBITS(a); \

BN_ULONG bl = LBITS(b), bh = HBITS(b); \

mul64(lo,hi,bl,bh); \

- c0 = (c0+lo)&BN_MASK2; if (c0<lo) hi++; \

- c1 = (c1+hi)&BN_MASK2; if (c1<hi) c2++; \

+ c0 = (c0+lo)&BN_MASK2; hi += (c0<lo); \

+ c1 = (c1+hi)&BN_MASK2; c2 += (c1<hi); \

} while(0)

# define mul_add_c2(a,b,c0,c1,c2) do { \

@@ -561,17 +571,17 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,

BN_ULONG bl = LBITS(b), bh = HBITS(b); \

mul64(lo,hi,bl,bh); \

tt = hi; \

- c0 = (c0+lo)&BN_MASK2; if (c0<lo) tt++; \

- c1 = (c1+tt)&BN_MASK2; if (c1<tt) c2++; \

- c0 = (c0+lo)&BN_MASK2; if (c0<lo) hi++; \

- c1 = (c1+hi)&BN_MASK2; if (c1<hi) c2++; \

+ c0 = (c0+lo)&BN_MASK2; tt += (c0<lo); \

+ c1 = (c1+tt)&BN_MASK2; c2 += (c1<tt); \

+ c0 = (c0+lo)&BN_MASK2; hi += (c0<lo); \

+ c1 = (c1+hi)&BN_MASK2; c2 += (c1<hi); \

} while(0)

# define sqr_add_c(a,i,c0,c1,c2) do { \

BN_ULONG lo, hi; \

sqr64(lo,hi,(a)[i]); \

- c0 = (c0+lo)&BN_MASK2; if (c0<lo) hi++; \

- c1 = (c1+hi)&BN_MASK2; if (c1<hi) c2++; \

+ c0 = (c0+lo)&BN_MASK2; hi += (c0<lo); \

+ c1 = (c1+hi)&BN_MASK2; c2 += (c1<hi); \

} while(0)

# define sqr_add_c2(a,i,j,c0,c1,c2) \

diff --git a/crypto/bn/bn_blind.c b/crypto/bn/bn_blind.c
index dd5beea7c93e..e76f6107a7b5 100644
--- a/crypto/bn/bn_blind.c
+++ b/crypto/bn/bn_blind.c

@@ -13,6 +13,20 @@

#define BN_BLINDING_COUNTER 32

+struct bn_blinding_st {

+ BIGNUM *A;

+ BIGNUM *Ai;

+ BIGNUM *e;

+ BIGNUM *mod; /* just a reference */

+ CRYPTO_THREAD_ID tid;

+ int counter;

+ unsigned long flags;

+ BN_MONT_CTX *m_ctx;

+ int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p,

+ const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);

+ CRYPTO_RWLOCK *lock;

+};

BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod)

{

BN_BLINDING *ret = NULL;

@@ -177,7 +191,8 @@ int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b,

n->top = (int)(rtop & ~mask) | (ntop & mask);

n->flags |= (BN_FLG_FIXED_TOP & ~mask);

}

- ret = BN_mod_mul_montgomery(n, n, r, b->m_ctx, ctx);

+ ret = bn_mul_mont_fixed_top(n, n, r, b->m_ctx, ctx);

+ bn_correct_top_consttime(n);

} else {

ret = BN_mod_mul(n, n, r, b->mod, ctx);

}

diff --git a/crypto/bn/bn_err.c b/crypto/bn/bn_err.c
index 6f5464b54054..6ea5fc3d5cf6 100644
--- a/crypto/bn/bn_err.c
+++ b/crypto/bn/bn_err.c

@@ -73,8 +73,6 @@ static const ERR_STRING_DATA BN_str_functs[] = {

{ERR_PACK(ERR_LIB_BN, BN_F_BN_SET_WORDS, 0), "bn_set_words"},

{ERR_PACK(ERR_LIB_BN, BN_F_BN_STACK_PUSH, 0), "BN_STACK_push"},

{ERR_PACK(ERR_LIB_BN, BN_F_BN_USUB, 0), "BN_usub"},

- {ERR_PACK(ERR_LIB_BN, BN_F_OSSL_BN_RSA_DO_UNBLIND, 0),

- "ossl_bn_rsa_do_unblind"},

{0, NULL}

};

diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c
index eb4a31849bef..cd6aa3448afd 100644
--- a/crypto/bn/bn_lib.c
+++ b/crypto/bn/bn_lib.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

@@ -1001,6 +1001,28 @@ BIGNUM *bn_wexpand(BIGNUM *a, int words)

return (words <= a->dmax) ? a : bn_expand2(a, words);

}

+void bn_correct_top_consttime(BIGNUM *a)

+ int j, atop;

+ BN_ULONG limb;

+ unsigned int mask;

+ for (j = 0, atop = 0; j < a->dmax; j++) {

+ limb = a->d[j];

+ limb |= 0 - limb;

+ limb >>= BN_BITS2 - 1;

+ limb = 0 - limb;

+ mask = (unsigned int)limb;

+ mask &= constant_time_msb(j - a->top);

+ atop = constant_time_select_int(mask, j + 1, atop);

+ }

+ mask = constant_time_eq_int(atop, 0);

+ a->top = atop;

+ a->neg = constant_time_select_int(mask, 0, a->neg);

+ a->flags &= ~BN_FLG_FIXED_TOP;

void bn_correct_top(BIGNUM *a)

{

BN_ULONG *ftl;

diff --git a/crypto/bn/bn_local.h b/crypto/bn/bn_local.h
index 30b7614fdbb2..818e34348e1b 100644
--- a/crypto/bn/bn_local.h
+++ b/crypto/bn/bn_local.h

@@ -283,20 +283,6 @@ struct bn_gencb_st {

} cb;

};

-struct bn_blinding_st {

- BIGNUM *A;

- BIGNUM *Ai;

- BIGNUM *e;

- BIGNUM *mod; /* just a reference */

- CRYPTO_THREAD_ID tid;

- int counter;

- unsigned long flags;

- BN_MONT_CTX *m_ctx;

- int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p,

- const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);

- CRYPTO_RWLOCK *lock;

-};

/*-

* BN_window_bits_for_exponent_size -- macro for sliding window mod_exp functions

@@ -529,10 +515,10 @@ unsigned __int64 _umul128(unsigned __int64 a, unsigned __int64 b,

ret = (r); \

BN_UMULT_LOHI(low,high,w,tmp); \

ret += (c); \

- (c) = (ret<(c))?1:0; \

+ (c) = (ret<(c)); \

ret += low; \

- (c) += (ret<low)?1:0; \

+ (c) += (ret<low); \

(r) = ret; \

}

@@ -541,7 +527,7 @@ unsigned __int64 _umul128(unsigned __int64 a, unsigned __int64 b,

BN_UMULT_LOHI(low,high,w,ta); \

ret = low + (c); \

- (c) += (ret<low)?1:0; \

+ (c) += (ret<low); \

(r) = ret; \

}

@@ -557,10 +543,10 @@ unsigned __int64 _umul128(unsigned __int64 a, unsigned __int64 b,

high= BN_UMULT_HIGH(w,tmp); \

ret += (c); \

low = (w) * tmp; \

- (c) = (ret<(c))?1:0; \

+ (c) = (ret<(c)); \

ret += low; \

- (c) += (ret<low)?1:0; \

+ (c) += (ret<low); \

(r) = ret; \

}

@@ -570,7 +556,7 @@ unsigned __int64 _umul128(unsigned __int64 a, unsigned __int64 b,

high= BN_UMULT_HIGH(w,ta); \

ret = low + (c); \

- (c) += (ret<low)?1:0; \

+ (c) += (ret<low); \

(r) = ret; \

}

@@ -603,10 +589,10 @@ unsigned __int64 _umul128(unsigned __int64 a, unsigned __int64 b,

lt=(bl)*(lt); \

m1=(bl)*(ht); \

ht =(bh)*(ht); \

- m=(m+m1)&BN_MASK2; if (m < m1) ht+=L2HBITS((BN_ULONG)1); \

+ m=(m+m1)&BN_MASK2; ht += L2HBITS((BN_ULONG)(m < m1)); \

ht+=HBITS(m); \

m1=L2HBITS(m); \

- lt=(lt+m1)&BN_MASK2; if (lt < m1) ht++; \

+ lt=(lt+m1)&BN_MASK2; ht += (lt < m1); \

(l)=lt; \

(h)=ht; \

}

@@ -623,7 +609,7 @@ unsigned __int64 _umul128(unsigned __int64 a, unsigned __int64 b,

h*=h; \

h+=(m&BN_MASK2h1)>>(BN_BITS4-1); \

m =(m&BN_MASK2l)<<(BN_BITS4+1); \

- l=(l+m)&BN_MASK2; if (l < m) h++; \

+ l=(l+m)&BN_MASK2; h += (l < m); \

(lo)=l; \

(ho)=h; \

}

@@ -637,9 +623,9 @@ unsigned __int64 _umul128(unsigned __int64 a, unsigned __int64 b,

mul64(l,h,(bl),(bh)); \

/* non-multiply part */ \

- l=(l+(c))&BN_MASK2; if (l < (c)) h++; \

+ l=(l+(c))&BN_MASK2; h += (l < (c)); \

(c)=(r); \

- l=(l+(c))&BN_MASK2; if (l < (c)) h++; \

+ l=(l+(c))&BN_MASK2; h += (l < (c)); \

(c)=h&BN_MASK2; \

(r)=l; \

}

@@ -653,7 +639,7 @@ unsigned __int64 _umul128(unsigned __int64 a, unsigned __int64 b,

mul64(l,h,(bl),(bh)); \

/* non-multiply part */ \

- l+=(c); if ((l&BN_MASK2) < (c)) h++; \

+ l+=(c); h += ((l&BN_MASK2) < (c)); \

(c)=h&BN_MASK2; \

(r)=l&BN_MASK2; \

}

@@ -683,7 +669,7 @@ BN_ULONG bn_sub_part_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,

int cl, int dl);

int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,

const BN_ULONG *np, const BN_ULONG *n0, int num);

+void bn_correct_top_consttime(BIGNUM *a);

BIGNUM *int_bn_mod_inverse(BIGNUM *in,

const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx,

int *noinv);

diff --git a/crypto/bn/build.info b/crypto/bn/build.info
index c9fe2fdada69..b9ed5322fa68 100644
--- a/crypto/bn/build.info
+++ b/crypto/bn/build.info

@@ -5,8 +5,7 @@ SOURCE[../../libcrypto]=\

bn_kron.c bn_sqrt.c bn_gcd.c bn_prime.c bn_err.c bn_sqr.c \

{- $target{bn_asm_src} -} \

bn_recp.c bn_mont.c bn_mpi.c bn_exp2.c bn_gf2m.c bn_nist.c \

- bn_depr.c bn_const.c bn_x931p.c bn_intern.c bn_dh.c bn_srp.c \

- rsa_sup_mul.c

+ bn_depr.c bn_const.c bn_x931p.c bn_intern.c bn_dh.c bn_srp.c

INCLUDE[bn_exp.o]=..

diff --git a/crypto/bn/rsa_sup_mul.c b/crypto/bn/rsa_sup_mul.c
deleted file mode 100644
index acafefd5febf..000000000000
--- a/crypto/bn/rsa_sup_mul.c
+++ /dev/null

@@ -1,614 +0,0 @@

-#include <openssl/e_os2.h>

-#include <stddef.h>

-#include <sys/types.h>

-#include <string.h>

-#include <openssl/bn.h>

-#include <openssl/err.h>

-#include <openssl/rsaerr.h>

-#include "internal/numbers.h"

-#include "internal/constant_time.h"

-#include "bn_local.h"

-# if BN_BYTES == 8

-typedef uint64_t limb_t;

-# if defined(__SIZEOF_INT128__) && __SIZEOF_INT128__ == 16

-/* nonstandard; implemented by gcc on 64-bit platforms */

-typedef __uint128_t limb2_t;

-# define HAVE_LIMB2_T

-# endif

-# define LIMB_BIT_SIZE 64

-# define LIMB_BYTE_SIZE 8

-# elif BN_BYTES == 4

-typedef uint32_t limb_t;

-typedef uint64_t limb2_t;

-# define LIMB_BIT_SIZE 32

-# define LIMB_BYTE_SIZE 4

-# define HAVE_LIMB2_T

-# else

-# error "Not supported"

-# endif

-/*

- * For multiplication we're using schoolbook multiplication,

- * so if we have two numbers, each with 6 "digits" (words)

- * the multiplication is calculated as follows:

- * A B C D E F

- * x I J K L M N

- * --------------

- * N*F

- * N*E

- * N*D

- * N*C

- * N*B

- * N*A

- * M*F

- * M*E

- * M*D

- * M*C

- * M*B

- * M*A

- * L*F

- * L*E

- * L*D

- * L*C

- * L*B

- * L*A

- * K*F

- * K*E

- * K*D

- * K*C

- * K*B

- * K*A

- * J*F

- * J*E

- * J*D

- * J*C

- * J*B

- * J*A

- * I*F

- * I*E

- * I*D

- * I*C

- * I*B

- * + I*A

- * ==========================

- * N*B N*D N*F

- * + N*A N*C N*E

- * + M*B M*D M*F

- * + M*A M*C M*E

- * + L*B L*D L*F

- * + L*A L*C L*E

- * + K*B K*D K*F

- * + K*A K*C K*E

- * + J*B J*D J*F

- * + J*A J*C J*E

- * + I*B I*D I*F

- * + I*A I*C I*E

- *

- * 1+1 1+3 1+5

- * 1+0 1+2 1+4

- * 0+1 0+3 0+5

- * 0+0 0+2 0+4

- *

- * 0 1 2 3 4 5 6

- * which requires n^2 multiplications and 2n full length additions

- * as we can keep every other result of limb multiplication in two separate

- * limbs

- */

-#if defined HAVE_LIMB2_T

-static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b)

- limb2_t t;

- /*

- * this is idiomatic code to tell compiler to use the native mul

- * those three lines will actually compile to single instruction

- */

- t = (limb2_t)a * b;

- *hi = t >> LIMB_BIT_SIZE;

- *lo = (limb_t)t;

-#elif (BN_BYTES == 8) && (defined _MSC_VER)

-/* https://learn.microsoft.com/en-us/cpp/intrinsics/umul128?view=msvc-170 */

-#pragma intrinsic(_umul128)

-static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b)

- *lo = _umul128(a, b, hi);

-#else

-/*

- * if the compiler doesn't have either a 128bit data type nor a "return

- * high 64 bits of multiplication"

- */

-static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b)

- limb_t a_low = (limb_t)(uint32_t)a;

- limb_t a_hi = a >> 32;

- limb_t b_low = (limb_t)(uint32_t)b;

- limb_t b_hi = b >> 32;

- limb_t p0 = a_low * b_low;

- limb_t p1 = a_low * b_hi;

- limb_t p2 = a_hi * b_low;

- limb_t p3 = a_hi * b_hi;

- uint32_t cy = (uint32_t)(((p0 >> 32) + (uint32_t)p1 + (uint32_t)p2) >> 32);

- *lo = p0 + (p1 << 32) + (p2 << 32);

- *hi = p3 + (p1 >> 32) + (p2 >> 32) + cy;

-#endif

-/* add two limbs with carry in, return carry out */

-static ossl_inline limb_t _add_limb(limb_t *ret, limb_t a, limb_t b, limb_t carry)

- limb_t carry1, carry2, t;

- /*

- * `c = a + b; if (c < a)` is idiomatic code that makes compilers

- * use add with carry on assembly level

- */

- *ret = a + carry;

- if (*ret < a)

- carry1 = 1;

- else

- carry1 = 0;

- t = *ret;

- *ret = t + b;

- if (*ret < t)

- carry2 = 1;

- else

- carry2 = 0;

- return carry1 + carry2;

-/*

- * add two numbers of the same size, return overflow

- *

- * add a to b, place result in ret; all arrays need to be n limbs long

- * return overflow from addition (0 or 1)

- */

-static ossl_inline limb_t add(limb_t *ret, limb_t *a, limb_t *b, size_t n)

- limb_t c = 0;

- ossl_ssize_t i;

- for(i = n - 1; i > -1; i--)

- c = _add_limb(&ret[i], a[i], b[i], c);

- return c;

-/*

- * return number of limbs necessary for temporary values

- * when multiplying numbers n limbs large

- */

-static ossl_inline size_t mul_limb_numb(size_t n)

- return 2 * n * 2;

-/*

- * multiply two numbers of the same size

- *

- * multiply a by b, place result in ret; a and b need to be n limbs long

- * ret needs to be 2*n limbs long, tmp needs to be mul_limb_numb(n) limbs

- * long

- */

-static void limb_mul(limb_t *ret, limb_t *a, limb_t *b, size_t n, limb_t *tmp)

- limb_t *r_odd, *r_even;

- size_t i, j, k;

- r_odd = tmp;

- r_even = &tmp[2 * n];

- memset(ret, 0, 2 * n * sizeof(limb_t));

- for (i = 0; i < n; i++) {

- for (k = 0; k < i + n + 1; k++) {

- r_even[k] = 0;

- r_odd[k] = 0;

- }

- for (j = 0; j < n; j++) {

- /*

- * place results from even and odd limbs in separate arrays so that

- * we don't have to calculate overflow every time we get individual

- * limb multiplication result

- */

- if (j % 2 == 0)

- _mul_limb(&r_even[i + j], &r_even[i + j + 1], a[i], b[j]);

- else

- _mul_limb(&r_odd[i + j], &r_odd[i + j + 1], a[i], b[j]);

- }

- /*

- * skip the least significant limbs when adding multiples of

- * more significant limbs (they're zero anyway)

- */

- add(ret, ret, r_even, n + i + 1);

- add(ret, ret, r_odd, n + i + 1);

- }

-/* modifies the value in place by performing a right shift by one bit */

-static ossl_inline void rshift1(limb_t *val, size_t n)

- limb_t shift_in = 0, shift_out = 0;

- size_t i;

- for (i = 0; i < n; i++) {

- shift_out = val[i] & 1;

- val[i] = shift_in << (LIMB_BIT_SIZE - 1) | (val[i] >> 1);

- shift_in = shift_out;

- }

-/* extend the LSB of flag to all bits of limb */

-static ossl_inline limb_t mk_mask(limb_t flag)

- flag |= flag << 1;

- flag |= flag << 2;

- flag |= flag << 4;

- flag |= flag << 8;

- flag |= flag << 16;

-#if (LIMB_BYTE_SIZE == 8)

- flag |= flag << 32;

-#endif

- return flag;

-/*

- * copy from either a or b to ret based on flag

- * when flag == 0, then copies from b

- * when flag == 1, then copies from a

- */

-static ossl_inline void cselect(limb_t flag, limb_t *ret, limb_t *a, limb_t *b, size_t n)

- /*

- * would be more efficient with non volatile mask, but then gcc

- * generates code with jumps

- */

- volatile limb_t mask;

- size_t i;

- mask = mk_mask(flag);

- for (i = 0; i < n; i++) {

-#if (LIMB_BYTE_SIZE == 8)

- ret[i] = constant_time_select_64(mask, a[i], b[i]);

-#else

- ret[i] = constant_time_select_32(mask, a[i], b[i]);

-#endif

- }

-static limb_t _sub_limb(limb_t *ret, limb_t a, limb_t b, limb_t borrow)

- limb_t borrow1, borrow2, t;

- /*

- * while it doesn't look constant-time, this is idiomatic code

- * to tell compilers to use the carry bit from subtraction

- */

- *ret = a - borrow;

- if (*ret > a)

- borrow1 = 1;

- else

- borrow1 = 0;

- t = *ret;

- *ret = t - b;

- if (*ret > t)

- borrow2 = 1;

- else

- borrow2 = 0;

- return borrow1 + borrow2;

-/*

- * place the result of a - b into ret, return the borrow bit.

- * All arrays need to be n limbs long

- */

-static limb_t sub(limb_t *ret, limb_t *a, limb_t *b, size_t n)

- limb_t borrow = 0;

- ossl_ssize_t i;

- for (i = n - 1; i > -1; i--)

- borrow = _sub_limb(&ret[i], a[i], b[i], borrow);

- return borrow;

-/* return the number of limbs necessary to allocate for the mod() tmp operand */

-static ossl_inline size_t mod_limb_numb(size_t anum, size_t modnum)

- return (anum + modnum) * 3;

-/*

- * calculate a % mod, place the result in ret

- * size of a is defined by anum, size of ret and mod is modnum,

- * size of tmp is returned by mod_limb_numb()

- */

-static void mod(limb_t *ret, limb_t *a, size_t anum, limb_t *mod,

- size_t modnum, limb_t *tmp)

- limb_t *atmp, *modtmp, *rettmp;

- limb_t res;

- size_t i;

- memset(tmp, 0, mod_limb_numb(anum, modnum) * LIMB_BYTE_SIZE);

- atmp = tmp;

- modtmp = &tmp[anum + modnum];

- rettmp = &tmp[(anum + modnum) * 2];

- for (i = modnum; i <modnum + anum; i++)

- atmp[i] = a[i-modnum];

- for (i = 0; i < modnum; i++)

- modtmp[i] = mod[i];

- for (i = 0; i < anum * LIMB_BIT_SIZE; i++) {

- rshift1(modtmp, anum + modnum);

- res = sub(rettmp, atmp, modtmp, anum+modnum);

- cselect(res, atmp, atmp, rettmp, anum+modnum);

- }

- memcpy(ret, &atmp[anum], sizeof(limb_t) * modnum);

-/* necessary size of tmp for a _mul_add_limb() call with provided anum */

-static ossl_inline size_t _mul_add_limb_numb(size_t anum)

- return 2 * (anum + 1);

-/* multiply a by m, add to ret, return carry */

-static limb_t _mul_add_limb(limb_t *ret, limb_t *a, size_t anum,

- limb_t m, limb_t *tmp)

- limb_t carry = 0;

- limb_t *r_odd, *r_even;

- size_t i;

- memset(tmp, 0, sizeof(limb_t) * (anum + 1) * 2);

- r_odd = tmp;

- r_even = &tmp[anum + 1];

- for (i = 0; i < anum; i++) {

- /*

- * place the results from even and odd limbs in separate arrays

- * so that we have to worry about carry just once

- */

- if (i % 2 == 0)

- _mul_limb(&r_even[i], &r_even[i + 1], a[i], m);

- else

- _mul_limb(&r_odd[i], &r_odd[i + 1], a[i], m);

- }

- /* assert: add() carry here will be equal zero */

- add(r_even, r_even, r_odd, anum + 1);

- /*

- * while here it will not overflow as the max value from multiplication

- * is -2 while max overflow from addition is 1, so the max value of

- * carry is -1 (i.e. max int)

- */

- carry = add(ret, ret, &r_even[1], anum) + r_even[0];

- return carry;

-static ossl_inline size_t mod_montgomery_limb_numb(size_t modnum)

- return modnum * 2 + _mul_add_limb_numb(modnum);

-/*

- * calculate a % mod, place result in ret

- * assumes that a is in Montgomery form with the R (Montgomery modulus) being

- * smallest power of two big enough to fit mod and that's also a power

- * of the count of number of bits in limb_t (B).

- * For calculation, we also need n', such that mod * n' == -1 mod B.

- * anum must be <= 2 * modnum

- * ret needs to be modnum words long

- * tmp needs to be mod_montgomery_limb_numb(modnum) limbs long

- */

-static void mod_montgomery(limb_t *ret, limb_t *a, size_t anum, limb_t *mod,

- size_t modnum, limb_t ni0, limb_t *tmp)

- limb_t carry, v;

- limb_t *res, *rp, *tmp2;

- ossl_ssize_t i;

- res = tmp;

- /*

- * for intermediate result we need an integer twice as long as modulus

- * but keep the input in the least significant limbs

- */

- memset(res, 0, sizeof(limb_t) * (modnum * 2));

- memcpy(&res[modnum * 2 - anum], a, sizeof(limb_t) * anum);

- rp = &res[modnum];

- tmp2 = &res[modnum * 2];

- carry = 0;

- /* add multiples of the modulus to the value until R divides it cleanly */

- for (i = modnum; i > 0; i--, rp--) {

- v = _mul_add_limb(rp, mod, modnum, rp[modnum - 1] * ni0, tmp2);

- v = v + carry + rp[-1];

- carry |= (v != rp[-1]);

- carry &= (v <= rp[-1]);

- rp[-1] = v;

- }

- /* perform the final reduction by mod... */

- carry -= sub(ret, rp, mod, modnum);

- /* ...conditionally */

- cselect(carry, ret, rp, ret, modnum);

-/* allocated buffer should be freed afterwards */

-static void BN_to_limb(const BIGNUM *bn, limb_t *buf, size_t limbs)

- int i;

- int real_limbs = (BN_num_bytes(bn) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;

- limb_t *ptr = buf + (limbs - real_limbs);

- for (i = 0; i < real_limbs; i++)

- ptr[i] = bn->d[real_limbs - i - 1];

-#if LIMB_BYTE_SIZE == 8

-static ossl_inline uint64_t be64(uint64_t host)

- const union {

- long one;

- char little;

- } is_endian = { 1 };

- if (is_endian.little) {

- uint64_t big = 0;

- big |= (host & 0xff00000000000000) >> 56;

- big |= (host & 0x00ff000000000000) >> 40;

- big |= (host & 0x0000ff0000000000) >> 24;

- big |= (host & 0x000000ff00000000) >> 8;

- big |= (host & 0x00000000ff000000) << 8;

- big |= (host & 0x0000000000ff0000) << 24;

- big |= (host & 0x000000000000ff00) << 40;

- big |= (host & 0x00000000000000ff) << 56;

- return big;

- } else {

- return host;

- }

-#else

-/* Not all platforms have htobe32(). */

-static ossl_inline uint32_t be32(uint32_t host)

- const union {

- long one;

- char little;

- } is_endian = { 1 };

- if (is_endian.little) {

- uint32_t big = 0;

- big |= (host & 0xff000000) >> 24;

- big |= (host & 0x00ff0000) >> 8;

- big |= (host & 0x0000ff00) << 8;

- big |= (host & 0x000000ff) << 24;

- return big;

- } else {

- return host;

- }

-#endif

-/*

- * We assume that intermediate, possible_arg2, blinding, and ctx are used

- * similar to BN_BLINDING_invert_ex() arguments.

- * to_mod is RSA modulus.

- * buf and num is the serialization buffer and its length.

- *

- * Here we use classic/Montgomery multiplication and modulo. After the calculation finished

- * we serialize the new structure instead of BIGNUMs taking endianness into account.

- */

-int ossl_bn_rsa_do_unblind(const BIGNUM *intermediate,

- const BN_BLINDING *blinding,

- const BIGNUM *possible_arg2,

- const BIGNUM *to_mod, BN_CTX *ctx,

- unsigned char *buf, int num)

- limb_t *l_im = NULL, *l_mul = NULL, *l_mod = NULL;

- limb_t *l_ret = NULL, *l_tmp = NULL, l_buf;

- size_t l_im_count = 0, l_mul_count = 0, l_size = 0, l_mod_count = 0;

- size_t l_tmp_count = 0;

- int ret = 0;

- size_t i;

- unsigned char *tmp;

- const BIGNUM *arg1 = intermediate;

- const BIGNUM *arg2 = (possible_arg2 == NULL) ? blinding->Ai : possible_arg2;

- l_im_count = (BN_num_bytes(arg1) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;

- l_mul_count = (BN_num_bytes(arg2) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;

- l_mod_count = (BN_num_bytes(to_mod) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;

- l_size = l_im_count > l_mul_count ? l_im_count : l_mul_count;

- l_im = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE);

- l_mul = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE);

- l_mod = OPENSSL_zalloc(l_mod_count * LIMB_BYTE_SIZE);

- if ((l_im == NULL) || (l_mul == NULL) || (l_mod == NULL))

- goto err;

- BN_to_limb(arg1, l_im, l_size);

- BN_to_limb(arg2, l_mul, l_size);

- BN_to_limb(to_mod, l_mod, l_mod_count);

- l_ret = OPENSSL_malloc(2 * l_size * LIMB_BYTE_SIZE);

- if (blinding->m_ctx != NULL) {

- l_tmp_count = mul_limb_numb(l_size) > mod_montgomery_limb_numb(l_mod_count) ?

- mul_limb_numb(l_size) : mod_montgomery_limb_numb(l_mod_count);

- l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE);

- } else {

- l_tmp_count = mul_limb_numb(l_size) > mod_limb_numb(2 * l_size, l_mod_count) ?

- mul_limb_numb(l_size) : mod_limb_numb(2 * l_size, l_mod_count);

- l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE);

- }

- if ((l_ret == NULL) || (l_tmp == NULL))

- goto err;

- if (blinding->m_ctx != NULL) {

- limb_mul(l_ret, l_im, l_mul, l_size, l_tmp);

- mod_montgomery(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count,

- blinding->m_ctx->n0[0], l_tmp);

- } else {

- limb_mul(l_ret, l_im, l_mul, l_size, l_tmp);

- mod(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count, l_tmp);

- }

- /* modulus size in bytes can be equal to num but after limbs conversion it becomes bigger */

- if (num < BN_num_bytes(to_mod)) {

- BNerr(BN_F_OSSL_BN_RSA_DO_UNBLIND, ERR_R_PASSED_INVALID_ARGUMENT);

- goto err;

- }

- memset(buf, 0, num);

- tmp = buf + num - BN_num_bytes(to_mod);

- for (i = 0; i < l_mod_count; i++) {

-#if LIMB_BYTE_SIZE == 8

- l_buf = be64(l_ret[i]);

-#else

- l_buf = be32(l_ret[i]);

-#endif

- if (i == 0) {

- int delta = LIMB_BYTE_SIZE - ((l_mod_count * LIMB_BYTE_SIZE) - num);

- memcpy(tmp, ((char *)&l_buf) + LIMB_BYTE_SIZE - delta, delta);

- tmp += delta;

- } else {

- memcpy(tmp, &l_buf, LIMB_BYTE_SIZE);

- tmp += LIMB_BYTE_SIZE;

- }

- ret = num;

- err:

- OPENSSL_free(l_im);

- OPENSSL_free(l_mul);

- OPENSSL_free(l_mod);

- OPENSSL_free(l_tmp);

- OPENSSL_free(l_ret);

- return ret;

diff --git a/crypto/conf/conf_sap.c b/crypto/conf/conf_sap.c
index 82105de748ed..db4f94ed93d3 100644
--- a/crypto/conf/conf_sap.c
+++ b/crypto/conf/conf_sap.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

@@ -43,16 +43,19 @@ void OPENSSL_config(const char *appname)

int openssl_config_int(const OPENSSL_INIT_SETTINGS *settings)

{

int ret = 0;

+#if defined(OPENSSL_INIT_DEBUG) || !defined(OPENSSL_SYS_UEFI)

const char *filename;

const char *appname;

unsigned long flags;

+#endif

if (openssl_configured)

return 1;

+#if defined(OPENSSL_INIT_DEBUG) || !defined(OPENSSL_SYS_UEFI)

filename = settings ? settings->filename : NULL;

appname = settings ? settings->appname : NULL;

flags = settings ? settings->flags : DEFAULT_CONF_MFLAGS;

+#endif

#ifdef OPENSSL_INIT_DEBUG

fprintf(stderr, "OPENSSL_INIT: openssl_config_int(%s, %s, %lu)\n",

diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index ba3a46d5b988..9f91a4a811e6 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt

@@ -1,4 +1,4 @@

# Licensed under the OpenSSL license (the "License"). You may not use

# this file except in compliance with the License. You can obtain a copy

@@ -232,7 +232,6 @@ BN_F_BN_RSHIFT:146:BN_rshift

BN_F_BN_SET_WORDS:144:bn_set_words

BN_F_BN_STACK_PUSH:148:BN_STACK_push

BN_F_BN_USUB:115:BN_usub

-BN_F_OSSL_BN_RSA_DO_UNBLIND:151:ossl_bn_rsa_do_unblind

BUF_F_BUF_MEM_GROW:100:BUF_MEM_grow

BUF_F_BUF_MEM_GROW_CLEAN:105:BUF_MEM_grow_clean

BUF_F_BUF_MEM_NEW:101:BUF_MEM_new

diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c
index 7e8de727f310..e1b4c589dbd3 100644
--- a/crypto/objects/obj_dat.c
+++ b/crypto/objects/obj_dat.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

@@ -428,6 +428,25 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)

first = 1;

bl = NULL;

+ /*

+ * RFC 2578 (STD 58) says this about OBJECT IDENTIFIERs:

+ *

+ * > 3.5. OBJECT IDENTIFIER values

+ * >

+ * > An OBJECT IDENTIFIER value is an ordered list of non-negative

+ * > numbers. For the SMIv2, each number in the list is referred to as a

+ * > sub-identifier, there are at most 128 sub-identifiers in a value,

+ * > and each sub-identifier has a maximum value of 2^32-1 (4294967295

+ * > decimal).

+ *

+ * So a legitimate OID according to this RFC is at most (32 * 128 / 7),

+ * i.e. 586 bytes long.

+ *

+ * Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5

+ */

+ if (len > 586)

+ goto err;

while (len > 0) {

l = 0;

use_bn = 0;

diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c
index 2e3ee4ab33dc..cf5a10ab435f 100644
--- a/crypto/rsa/rsa_ossl.c
+++ b/crypto/rsa/rsa_ossl.c

@@ -226,6 +226,7 @@ static int rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,

* will only read the modulus from BN_BLINDING. In both cases it's safe

* to access the blinding without a lock.

+ BN_set_flags(f, BN_FLG_CONSTTIME);

return BN_BLINDING_invert_ex(f, unblind, b, ctx);

}

@@ -412,6 +413,11 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,

goto err;

}

+ if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)

+ if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,

+ rsa->n, ctx))

+ goto err;

if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {

blinding = rsa_get_blinding(rsa, &local_blinding, ctx);

if (blinding == NULL) {

@@ -449,13 +455,6 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,

goto err;

}

BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);

- if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)

- if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,

- rsa->n, ctx)) {

- BN_free(d);

- goto err;

- }

if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,

rsa->_method_mod_n)) {

BN_free(d);

@@ -465,20 +464,11 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,

BN_free(d);

}

- if (blinding) {

- /*

- * ossl_bn_rsa_do_unblind() combines blinding inversion and

- * 0-padded BN BE serialization

- */

- j = ossl_bn_rsa_do_unblind(ret, blinding, unblind, rsa->n, ctx,

- buf, num);

- if (j == 0)

- goto err;

- } else {

- j = BN_bn2binpad(ret, buf, num);

- if (j < 0)

+ if (blinding)

+ if (!rsa_blinding_invert(blinding, ret, unblind, ctx))

goto err;

- }

+ j = BN_bn2binpad(ret, buf, num);

switch (padding) {

case RSA_PKCS1_PADDING:

diff --git a/crypto/ui/ui_lib.c b/crypto/ui/ui_lib.c
index 49cc45057c4c..335a3d3d2044 100644
--- a/crypto/ui/ui_lib.c
+++ b/crypto/ui/ui_lib.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

@@ -529,6 +529,10 @@ int UI_process(UI *ui)

ok = 0;

break;

}

+ } else {

+ ui->flags &= ~UI_FLAG_REDOABLE;

+ ok = -2;

+ goto err;

}

diff --git a/crypto/ui/ui_util.c b/crypto/ui/ui_util.c
index 32a3c4e38de2..754c75671faf 100644
--- a/crypto/ui/ui_util.c
+++ b/crypto/ui/ui_util.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

@@ -32,7 +32,7 @@ int UI_UTIL_read_pw_string(char *buf, int length, const char *prompt,

int UI_UTIL_read_pw(char *buf, char *buff, int size, const char *prompt,

int verify)

{

- int ok = 0;

+ int ok = -2;

UI *ui;

if (size < 1)

@@ -47,8 +47,6 @@ int UI_UTIL_read_pw(char *buf, char *buff, int size, const char *prompt,

ok = UI_process(ui);

UI_free(ui);

}

- if (ok > 0)

- ok = 0;

return ok;

}

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 925fbb541258..66b532a16571 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

@@ -1649,18 +1649,25 @@ static int check_policy(X509_STORE_CTX *ctx)

}

/* Invalid or inconsistent extensions */

if (ret == X509_PCY_TREE_INVALID) {

- int i;

+ int i, cbcalled = 0;

/* Locate certificates with bad extensions and notify callback. */

- for (i = 1; i < sk_X509_num(ctx->chain); i++) {

+ for (i = 0; i < sk_X509_num(ctx->chain); i++) {

X509 *x = sk_X509_value(ctx->chain, i);

if (!(x->ex_flags & EXFLAG_INVALID_POLICY))

continue;

+ cbcalled = 1;

if (!verify_cb_cert(ctx, x, i,

X509_V_ERR_INVALID_POLICY_EXTENSION))

return 0;

}

+ if (!cbcalled) {

+ /* Should not be able to get here */

+ X509err(X509_F_CHECK_POLICY, ERR_R_INTERNAL_ERROR);

+ return 0;

+ }

+ /* The callback ignored the error so we return success */

return 1;

}

if (ret == X509_PCY_TREE_FAILURE) {

diff --git a/crypto/x509v3/pcy_local.h b/crypto/x509v3/pcy_local.h
index 5daf78de4585..70d77bfb0b64 100644
--- a/crypto/x509v3/pcy_local.h
+++ b/crypto/x509v3/pcy_local.h

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

@@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st {

};

struct X509_POLICY_TREE_st {

+ /* The number of nodes in the tree */

+ size_t node_count;

+ /* The maximum number of nodes in the tree */

+ size_t node_maximum;

/* This is the tree 'level' data */

X509_POLICY_LEVEL *levels;

int nlevel;

@@ -159,7 +164,8 @@ X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk,

X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,

X509_POLICY_DATA *data,

X509_POLICY_NODE *parent,

- X509_POLICY_TREE *tree);

+ X509_POLICY_TREE *tree,

+ int extra_data);

void policy_node_free(X509_POLICY_NODE *node);

int policy_node_match(const X509_POLICY_LEVEL *lvl,

const X509_POLICY_NODE *node, const ASN1_OBJECT *oid);

diff --git a/crypto/x509v3/pcy_node.c b/crypto/x509v3/pcy_node.c
index e2d7b1532236..78bf8b62f8e4 100644
--- a/crypto/x509v3/pcy_node.c
+++ b/crypto/x509v3/pcy_node.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

@@ -59,10 +59,15 @@ X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level,

X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,

X509_POLICY_DATA *data,

X509_POLICY_NODE *parent,

- X509_POLICY_TREE *tree)

+ X509_POLICY_TREE *tree,

+ int extra_data)

{

X509_POLICY_NODE *node;

+ /* Verify that the tree isn't too large. This mitigates CVE-2023-0464 */

+ if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum)

+ return NULL;

node = OPENSSL_zalloc(sizeof(*node));

if (node == NULL) {

X509V3err(X509V3_F_LEVEL_ADD_NODE, ERR_R_MALLOC_FAILURE);

@@ -70,7 +75,7 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,

}

node->data = data;

node->parent = parent;

- if (level) {

+ if (level != NULL) {

if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {

if (level->anyPolicy)

goto node_error;

@@ -90,24 +95,33 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,

}

- if (tree) {

+ if (extra_data) {

if (tree->extra_data == NULL)

tree->extra_data = sk_X509_POLICY_DATA_new_null();

if (tree->extra_data == NULL){

X509V3err(X509V3_F_LEVEL_ADD_NODE, ERR_R_MALLOC_FAILURE);

- goto node_error;

+ goto extra_data_error;

}

if (!sk_X509_POLICY_DATA_push(tree->extra_data, data)) {

X509V3err(X509V3_F_LEVEL_ADD_NODE, ERR_R_MALLOC_FAILURE);

- goto node_error;

+ goto extra_data_error;

}

+ tree->node_count++;

if (parent)

parent->nchild++;

return node;

+ extra_data_error:

+ if (level != NULL) {

+ if (level->anyPolicy == node)

+ level->anyPolicy = NULL;

+ else

+ (void) sk_X509_POLICY_NODE_pop(level->nodes);

+ }

node_error:

policy_node_free(node);

return NULL;

diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c
index 6e8322cbc5e3..8f09c9d095d3 100644
--- a/crypto/x509v3/pcy_tree.c
+++ b/crypto/x509v3/pcy_tree.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

@@ -14,6 +14,20 @@

#include "pcy_local.h"

+ * If the maximum number of nodes in the policy tree isn't defined, set it to

+ * a generous default of 1000 nodes.

+ *

+ * Defining this to be zero means unlimited policy tree growth which opens the

+ * door on CVE-2023-0464.

+ */

+#ifndef OPENSSL_POLICY_TREE_NODES_MAX

+# define OPENSSL_POLICY_TREE_NODES_MAX 1000

+#endif

+static void exnode_free(X509_POLICY_NODE *node);

+/*

* Enable this to print out the complete policy tree at various point during

* evaluation.

@@ -168,6 +182,9 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,

return X509_PCY_TREE_INTERNAL;

}

+ /* Limit the growth of the tree to mitigate CVE-2023-0464 */

+ tree->node_maximum = OPENSSL_POLICY_TREE_NODES_MAX;

* http://tools.ietf.org/html/rfc5280#section-6.1.2, figure 3.

@@ -184,7 +201,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,

level = tree->levels;

if ((data = policy_data_new(NULL, OBJ_nid2obj(NID_any_policy), 0)) == NULL)

goto bad_tree;

- if (level_add_node(level, data, NULL, tree) == NULL) {

+ if (level_add_node(level, data, NULL, tree, 1) == NULL) {

policy_data_free(data);

goto bad_tree;

}

@@ -243,7 +260,8 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,

* Return value: 1 on success, 0 otherwise

static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,

- X509_POLICY_DATA *data)

+ X509_POLICY_DATA *data,

+ X509_POLICY_TREE *tree)

{

X509_POLICY_LEVEL *last = curr - 1;

int i, matched = 0;

@@ -253,13 +271,13 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,

X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(last->nodes, i);

if (policy_node_match(last, node, data->valid_policy)) {

- if (level_add_node(curr, data, node, NULL) == NULL)

+ if (level_add_node(curr, data, node, tree, 0) == NULL)

return 0;

matched = 1;

}

if (!matched && last->anyPolicy) {

- if (level_add_node(curr, data, last->anyPolicy, NULL) == NULL)

+ if (level_add_node(curr, data, last->anyPolicy, tree, 0) == NULL)

return 0;

}

return 1;

@@ -272,7 +290,8 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,

* Return value: 1 on success, 0 otherwise.

static int tree_link_nodes(X509_POLICY_LEVEL *curr,

- const X509_POLICY_CACHE *cache)

+ const X509_POLICY_CACHE *cache,

+ X509_POLICY_TREE *tree)

{

int i;

@@ -280,7 +299,7 @@ static int tree_link_nodes(X509_POLICY_LEVEL *curr,

X509_POLICY_DATA *data = sk_X509_POLICY_DATA_value(cache->data, i);

/* Look for matching nodes in previous level */

- if (!tree_link_matching_nodes(curr, data))

+ if (!tree_link_matching_nodes(curr, data, tree))

return 0;

}

return 1;

@@ -311,7 +330,7 @@ static int tree_add_unmatched(X509_POLICY_LEVEL *curr,

/* Curr may not have anyPolicy */

data->qualifier_set = cache->anyPolicy->qualifier_set;

data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;

- if (level_add_node(curr, data, node, tree) == NULL) {

+ if (level_add_node(curr, data, node, tree, 1) == NULL) {

policy_data_free(data);

return 0;

}

@@ -373,7 +392,7 @@ static int tree_link_any(X509_POLICY_LEVEL *curr,

}

/* Finally add link to anyPolicy */

if (last->anyPolicy &&

- level_add_node(curr, cache->anyPolicy, last->anyPolicy, NULL) == NULL)

+ level_add_node(curr, cache->anyPolicy, last->anyPolicy, tree, 0) == NULL)

return 0;

return 1;

}

@@ -555,15 +574,24 @@ static int tree_calculate_user_set(X509_POLICY_TREE *tree,

extra->qualifier_set = anyPolicy->data->qualifier_set;

extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS

| POLICY_DATA_FLAG_EXTRA_NODE;

- node = level_add_node(NULL, extra, anyPolicy->parent, tree);

+ node = level_add_node(NULL, extra, anyPolicy->parent,

+ tree, 1);

+ if (node == NULL) {

+ policy_data_free(extra);

+ return 0;

+ }

}

if (!tree->user_policies) {

tree->user_policies = sk_X509_POLICY_NODE_new_null();

- if (!tree->user_policies)

- return 1;

+ if (!tree->user_policies) {

+ exnode_free(node);

+ return 0;

+ }

}

- if (!sk_X509_POLICY_NODE_push(tree->user_policies, node))

+ if (!sk_X509_POLICY_NODE_push(tree->user_policies, node)) {

+ exnode_free(node);

return 0;

+ }

}

return 1;

}

@@ -582,7 +610,7 @@ static int tree_evaluate(X509_POLICY_TREE *tree)

for (i = 1; i < tree->nlevel; i++, curr++) {

cache = policy_cache_set(curr->cert);

- if (!tree_link_nodes(curr, cache))

+ if (!tree_link_nodes(curr, cache, tree))

return X509_PCY_TREE_INTERNAL;

if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY)

diff --git a/doc/fingerprints.txt b/doc/fingerprints.txt
index 3604fbdc658c..0655df2fd76a 100644
--- a/doc/fingerprints.txt
+++ b/doc/fingerprints.txt

@@ -12,6 +12,11 @@ in the file named openssl-1.0.1h.tar.gz.asc.

The following is the list of fingerprints for the keys that are

currently in use to sign OpenSSL distributions:

+pub rsa4096 2014-10-04

+ Key fingerprint = EFC0 A467 D613 CB83 C7ED 6D30 D894 E2CE 8B3D 79F5

+uid OpenSSL OMC <openssl-omc@openssl.org>

+uid OpenSSL Security <openssl-security@openssl.org>

pub 4096R/7DF9EE8C 2014-10-04

Key fingerprint = 7953 AC1F BC3D C8B3 B292 393E D5E9 E43F 7DF9 EE8C

uid Richard Levitte <richard@opensslfoundation.com>

diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
index f6f304bf7bd0..6c79b4296823 100644
--- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod
+++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod

@@ -92,8 +92,9 @@ B<trust>.

X509_VERIFY_PARAM_set_time() sets the verification time in B<param> to

B<t>. Normally the current time is used.

-X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled

-by default) and adds B<policy> to the acceptable policy set.

+X509_VERIFY_PARAM_add0_policy() adds B<policy> to the acceptable policy set.

+Contrary to preexisting documentation of this function it does not enable

+policy checking.

X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled

by default) and sets the acceptable policy set to B<policies>. Any existing

@@ -377,9 +378,13 @@ and has no effect.

The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i.

+The function X509_VERIFY_PARAM_add0_policy() was historically documented as

+enabling policy checking however the implementation has never done this.

+The documentation was changed to align with the implementation.

=head1 COPYRIGHT

Licensed under the OpenSSL license (the "License"). You may not use

this file except in compliance with the License. You can obtain a copy

diff --git a/engines/e_padlock.c b/engines/e_padlock.c
index a82c07e81373..80756e82be82 100644
--- a/engines/e_padlock.c
+++ b/engines/e_padlock.c

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

@@ -144,6 +144,19 @@ static int padlock_init(ENGINE *e)

return (padlock_use_rng || padlock_use_ace);

}

+# ifndef AES_ASM

+static int padlock_aes_set_encrypt_key(const unsigned char *userKey,

+ const int bits,

+ AES_KEY *key);

+static int padlock_aes_set_decrypt_key(const unsigned char *userKey,

+ const int bits,

+ AES_KEY *key);

+# define AES_ASM

+# define AES_set_encrypt_key padlock_aes_set_encrypt_key

+# define AES_set_decrypt_key padlock_aes_set_decrypt_key

+# include "../crypto/aes/aes_core.c"

+# endif

* This stuff is needed if this ENGINE is being compiled into a

* self-contained shared-library.

@@ -639,12 +652,10 @@ padlock_aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,

AES_set_decrypt_key(key, key_len, &cdata->ks);

else

AES_set_encrypt_key(key, key_len, &cdata->ks);

-# ifndef AES_ASM

* OpenSSL C functions use byte-swapped extended key.

padlock_key_bswap(&cdata->ks);

-# endif

cdata->cword.b.keygen = 1;

break;

diff --git a/include/crypto/bn.h b/include/crypto/bn.h
index 9f866ed71abf..250914c46a28 100644
--- a/include/crypto/bn.h
+++ b/include/crypto/bn.h

@@ -86,10 +86,5 @@ int bn_lshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n);

int bn_rshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n);

int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m,

const BIGNUM *d, BN_CTX *ctx);

-int ossl_bn_rsa_do_unblind(const BIGNUM *intermediate,

- const BN_BLINDING *blinding,

- const BIGNUM *possible_arg2,

- const BIGNUM *to_mod, BN_CTX *ctx,

- unsigned char *buf, int num);

#endif

diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h
index 7b6c212fa097..5ed047d11bbc 100644
--- a/include/openssl/opensslv.h
+++ b/include/openssl/opensslv.h

@@ -1,5 +1,5 @@

* Licensed under the OpenSSL license (the "License"). You may not use

* this file except in compliance with the License. You can obtain a copy

@@ -39,8 +39,8 @@ extern "C" {

* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for

* major minor fix final patch/beta)

-# define OPENSSL_VERSION_NUMBER 0x1010114fL

-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1t 7 Feb 2023"

+# define OPENSSL_VERSION_NUMBER 0x1010115fL

+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1u 30 May 2023"

/*-

* The macros below are to be used for shared library (.so, .dll, ...)