From f85b2a86a0f41019ca0fd34685f70630fe9e7d5c Mon Sep 17 00:00:00 2001 From: delphij Date: Thu, 10 Mar 2016 10:03:28 +0000 Subject: [PATCH] Fix multiple vulnerabilities of BIND. [SA-16:13] Fix a regression with OpenSSL patch. [SA-16:12] Approved by: so git-svn-id: svn://svn.freebsd.org/base/releng/9.3@296611 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f --- UPDATING | 7 + contrib/bind9/bin/named/control.c | 2 +- contrib/bind9/bin/named/controlconf.c | 4 +- contrib/bind9/bin/rndc/rndc.c | 8 +- contrib/bind9/lib/dns/resolver.c | 221 +++++++++++++------------- contrib/bind9/lib/isccc/cc.c | 14 +- crypto/openssl/crypto/bn/bn_exp.c | 200 +++++++++++------------ sys/conf/newvers.sh | 2 +- 8 files changed, 231 insertions(+), 227 deletions(-) diff --git a/UPDATING b/UPDATING index 3beaa3534..041ad0a12 100644 --- a/UPDATING +++ b/UPDATING @@ -11,6 +11,13 @@ handbook: Items affecting the ports and packages system can be found in /usr/ports/UPDATING. Please read that file before running portupgrade. +20160310 p38 FreeBSD-SA-16:13.bind + FreeBSD-SA-16:12.openssl [revised] + + Fix multiple vulnerabilities of BIND. [SA-16:13] + + Fix a regression with OpenSSL patch. [SA-16:12] + 20160303 p37 FreeBSD-SA-16:12.openssl Fix multiple vulnerabilities of OpenSSL. diff --git a/contrib/bind9/bin/named/control.c b/contrib/bind9/bin/named/control.c index 35312fee5..07a4ccdcb 100644 --- a/contrib/bind9/bin/named/control.c +++ b/contrib/bind9/bin/named/control.c @@ -69,7 +69,7 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) { #endif data = isccc_alist_lookup(message, "_data"); - if (data == NULL) { + if (!isccc_alist_alistp(data)) { /* * No data section. */ diff --git a/contrib/bind9/bin/named/controlconf.c b/contrib/bind9/bin/named/controlconf.c index 509a113b3..aa1a1d40f 100644 --- a/contrib/bind9/bin/named/controlconf.c +++ b/contrib/bind9/bin/named/controlconf.c 
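Review bot: The comment right below the new `if (!isccc_alist_alistp(data))` in ns_control_docommand still reads `No data section.`, but the branch is now also taken when `_data` is present and is simply not an alist, which is the case this patch exists to reject. Suggest `/* No data section, or a _data value that is not an alist. */` so a later reader does not narrow the test back to a NULL check. This relies on isccc_alist_alistp(NULL) being false, which every hunk in the series assumes; a half-sentence saying so in the same comment would make that dependency explicit. ns_control_docommand's body continues outside the hunk.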
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2008, 2011-2014 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2008, 2011-2014, 2016 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2001-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -396,7 +396,7 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) { * Limit exposure to replay attacks. */ _ctrl = isccc_alist_lookup(request, "_ctrl"); - if (_ctrl == NULL) { + if (!isccc_alist_alistp(_ctrl)) { log_invalid(&conn->ccmsg, ISC_R_FAILURE); goto cleanup_request; } diff --git a/contrib/bind9/bin/rndc/rndc.c b/contrib/bind9/bin/rndc/rndc.c index 33802db2a..4f044e80d 100644 --- a/contrib/bind9/bin/rndc/rndc.c +++ b/contrib/bind9/bin/rndc/rndc.c @@ -252,8 +252,8 @@ rndc_recvdone(isc_task_t *task, isc_event_t *event) { DO("parse message", isccc_cc_fromwire(&source, &response, &secret)); data = isccc_alist_lookup(response, "_data"); - if (data == NULL) - fatal("no data section in response"); + if (!isccc_alist_alistp(data)) + fatal("bad or missing data section in response"); result = isccc_cc_lookupstring(data, "err", &errormsg); if (result == ISC_R_SUCCESS) { failed = ISC_TRUE; @@ -316,8 +316,8 @@ rndc_recvnonce(isc_task_t *task, isc_event_t *event) { DO("parse message", isccc_cc_fromwire(&source, &response, &secret)); _ctrl = isccc_alist_lookup(response, "_ctrl"); - if (_ctrl == NULL) - fatal("_ctrl section missing"); + if (!isccc_alist_alistp(_ctrl)) + fatal("bad or missing ctrl section in response"); nonce = 0; if (isccc_cc_lookupuint32(_ctrl, "_nonce", &nonce) != ISC_R_SUCCESS) nonce = 0; diff --git a/contrib/bind9/lib/dns/resolver.c b/contrib/bind9/lib/dns/resolver.c index 1723d49da..75fabab5a 100644 --- a/contrib/bind9/lib/dns/resolver.c +++ b/contrib/bind9/lib/dns/resolver.c 
@@ -5385,14 +5385,11 @@ cname_target(dns_rdataset_t *rdataset, dns_name_t *tname) { } static inline isc_result_t -dname_target(fetchctx_t *fctx, dns_rdataset_t *rdataset, dns_name_t *qname, - dns_name_t *oname, dns_fixedname_t *fixeddname) +dname_target(dns_rdataset_t *rdataset, dns_name_t *qname, + unsigned int nlabels, dns_fixedname_t *fixeddname) { isc_result_t result; dns_rdata_t rdata = DNS_RDATA_INIT; - unsigned int nlabels; - int order; - dns_namereln_t namereln; dns_rdata_dname_t dname; dns_fixedname_t prefix; @@ -5407,21 +5404,6 @@ dname_target(fetchctx_t *fctx, dns_rdataset_t *rdataset, dns_name_t *qname, if (result != ISC_R_SUCCESS) return (result); - /* - * Get the prefix of qname. - */ - namereln = dns_name_fullcompare(qname, oname, &order, &nlabels); - if (namereln != dns_namereln_subdomain) { - char qbuf[DNS_NAME_FORMATSIZE]; - char obuf[DNS_NAME_FORMATSIZE]; - - dns_rdata_freestruct(&dname); - dns_name_format(qname, qbuf, sizeof(qbuf)); - dns_name_format(oname, obuf, sizeof(obuf)); - log_formerr(fctx, "unrelated DNAME in answer: " - "%s is not in %s", qbuf, obuf); - return (DNS_R_FORMERR); - } dns_fixedname_init(&prefix); dns_name_split(qname, nlabels, dns_fixedname_name(&prefix), NULL); dns_fixedname_init(fixeddname); @@ -6034,13 +6016,13 @@ static isc_result_t answer_response(fetchctx_t *fctx) { isc_result_t result; dns_message_t *message; - dns_name_t *name, *qname, tname, *ns_name; + dns_name_t *name, *dname = NULL, *qname, tname, *ns_name; dns_rdataset_t *rdataset, *ns_rdataset; isc_boolean_t done, external, chaining, aa, found, want_chaining; isc_boolean_t have_answer, found_cname, found_type, wanted_chaining; unsigned int aflag; dns_rdatatype_t type; - dns_fixedname_t dname, fqname; + dns_fixedname_t fdname, fqname; dns_view_t *view; FCTXTRACE("answer_response"); 
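Review bot: dname_target's new signature takes `nlabels` as a bare count with no statement of where it must come from, and the subdomain check that used to validate the owner name inside the function has been removed in the second hunk, so the function now trusts its caller to have established that `qname` is a proper subdomain of the DNAME owner and that `nlabels` is the label count produced by that comparison. Suggest a comment above the definition along the lines of `/* Requires: the caller has checked dns_name_fullcompare(qname, owner) == dns_namereln_subdomain and passes its nlabels; prefix is presumably qname with that many trailing labels removed. */`, hedged because dns_name_split's argument convention is not visible here. Since `fctx` was dropped, log_formerr is no longer reachable from this function, so any error path added later must report through the return code. dname_target's body continues outside the hunk.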
@@ -6068,10 +6050,15 @@ answer_response(fetchctx_t *fctx) { view = fctx->res->view; result = dns_message_firstname(message, DNS_SECTION_ANSWER); while (!done && result == ISC_R_SUCCESS) { + dns_namereln_t namereln; + int order; + unsigned int nlabels; + name = NULL; dns_message_currentname(message, DNS_SECTION_ANSWER, &name); external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain)); - if (dns_name_equal(name, qname)) { + namereln = dns_name_fullcompare(qname, name, &order, &nlabels); + if (namereln == dns_namereln_equal) { wanted_chaining = ISC_FALSE; for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL; @@ -6196,10 +6183,11 @@ answer_response(fetchctx_t *fctx) { */ INSIST(!external); if (aflag == - DNS_RDATASETATTR_ANSWER) + DNS_RDATASETATTR_ANSWER) { have_answer = ISC_TRUE; - name->attributes |= - DNS_NAMEATTR_ANSWER; + name->attributes |= + DNS_NAMEATTR_ANSWER; + } rdataset->attributes |= aflag; if (aa) rdataset->trust = @@ -6254,6 +6242,8 @@ answer_response(fetchctx_t *fctx) { if (wanted_chaining) chaining = ISC_TRUE; } else { + dns_rdataset_t *dnameset = NULL; + /* * Look for a DNAME (or its SIG). Anything else is * ignored. 
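Review bot: The three locals added at the top of the answer loop (`namereln`, `order`, `nlabels`) carry no hint that they describe `name` relative to the current `qname` and are consumed only by the DNAME handling further down, which is where the nlabels value feeds dname_target. Suggest `/* Relation of this owner name to qname; namereln/nlabels are consumed by the DNAME handling below. */` above the declarations. `order` is written by dns_name_fullcompare and never read in the new code; if the API tolerates a NULL order pointer it can go, otherwise a short `/* order is unused; required out-parameter */` saves the next reader a search. answer_response continues outside the hunk.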
@@ -6261,32 +6251,56 @@ answer_response(fetchctx_t *fctx) { wanted_chaining = ISC_FALSE; for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL; - rdataset = ISC_LIST_NEXT(rdataset, link)) { - isc_boolean_t found_dname = ISC_FALSE; - dns_name_t *dname_name; + rdataset = ISC_LIST_NEXT(rdataset, link)) + { + /* + * Only pass DNAME or RRSIG(DNAME). + */ + if (rdataset->type != dns_rdatatype_dname && + (rdataset->type != dns_rdatatype_rrsig || + rdataset->covers != dns_rdatatype_dname)) + continue; + + /* + * If we're not chaining, then the DNAME and + * its signature should not be external. + */ + if (!chaining && external) { + char qbuf[DNS_NAME_FORMATSIZE]; + char obuf[DNS_NAME_FORMATSIZE]; + + dns_name_format(name, qbuf, + sizeof(qbuf)); + dns_name_format(&fctx->domain, obuf, + sizeof(obuf)); + log_formerr(fctx, "external DNAME or " + "RRSIG covering DNAME " + "in answer: %s is " + "not in %s", qbuf, obuf); + return (DNS_R_FORMERR); + } + + if (namereln != dns_namereln_subdomain) { + char qbuf[DNS_NAME_FORMATSIZE]; + char obuf[DNS_NAME_FORMATSIZE]; + + dns_name_format(qname, qbuf, + sizeof(qbuf)); + dns_name_format(name, obuf, + sizeof(obuf)); + log_formerr(fctx, "unrelated DNAME " + "in answer: %s is " + "not in %s", qbuf, obuf); + return (DNS_R_FORMERR); + } - found = ISC_FALSE; aflag = 0; if (rdataset->type == dns_rdatatype_dname) { - /* - * We're looking for something else, - * but we found a DNAME. - * - * If we're not chaining, then the - * DNAME should not be external. - */ - if (!chaining && external) { - log_formerr(fctx, - "external DNAME"); - return (DNS_R_FORMERR); - } - found = ISC_TRUE; want_chaining = ISC_TRUE; POST(want_chaining); aflag = DNS_RDATASETATTR_ANSWER; - result = dname_target(fctx, rdataset, - qname, name, - &dname); + result = dname_target(rdataset, qname, + nlabels, &fdname); if (result == ISC_R_NOSPACE) { /* * We can't construct the 
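Review bot: The `namereln != dns_namereln_subdomain` rejection is placed after the `continue` that filters out everything but DNAME and RRSIG(DNAME), and that order is load-bearing: hoisting it above the loop would turn any unrelated owner name in the answer section into FORMERR even when no DNAME is present, which the pre-patch code did not do. A one-line comment such as `/* Deliberately after the type filter: only names that actually carry a DNAME (or its RRSIG) are held to the subdomain rule. */` would keep a future tidy-up from moving it. The same goes for the external check just above it, which now also covers the RRSIG rather than only the DNAME as before. answer_response continues outside the hunk.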
@@ -6298,90 +6312,73 @@ answer_response(fetchctx_t *fctx) { } else if (result != ISC_R_SUCCESS) return (result); else - found_dname = ISC_TRUE; + dnameset = rdataset; - dname_name = dns_fixedname_name(&dname); + dname = dns_fixedname_name(&fdname); if (!is_answertarget_allowed(view, - qname, - rdataset->type, - dname_name, - &fctx->domain)) { + qname, rdataset->type, + dname, &fctx->domain)) { return (DNS_R_SERVFAIL); } - } else if (rdataset->type == dns_rdatatype_rrsig - && rdataset->covers == - dns_rdatatype_dname) { + } else { /* * We've found a signature that * covers the DNAME. */ - found = ISC_TRUE; aflag = DNS_RDATASETATTR_ANSWERSIG; } - if (found) { + /* + * We've found an answer to our + * question. + */ + name->attributes |= DNS_NAMEATTR_CACHE; + rdataset->attributes |= DNS_RDATASETATTR_CACHE; + rdataset->trust = dns_trust_answer; + if (!chaining) { /* - * We've found an answer to our - * question. + * This data is "the" answer to + * our question only if we're + * not chaining. */ - name->attributes |= - DNS_NAMEATTR_CACHE; - rdataset->attributes |= - DNS_RDATASETATTR_CACHE; - rdataset->trust = dns_trust_answer; - if (!chaining) { - /* - * This data is "the" answer - * to our question only if - * we're not chaining. - */ - INSIST(!external); - if (aflag == - DNS_RDATASETATTR_ANSWER) - have_answer = ISC_TRUE; + INSIST(!external); + if (aflag == DNS_RDATASETATTR_ANSWER) { + have_answer = ISC_TRUE; name->attributes |= DNS_NAMEATTR_ANSWER; - rdataset->attributes |= aflag; - if (aa) - rdataset->trust = - dns_trust_authanswer; - } else if (external) { - rdataset->attributes |= - DNS_RDATASETATTR_EXTERNAL; - } - - /* - * DNAME chaining. - */ - if (found_dname) { - /* - * Copy the dname into the - * qname fixed name. - * - * Although we check for - * failure of the copy - * operation, in practice it - * should never fail since - * we already know that the - * result fits in a fixedname. 
- */ - dns_fixedname_init(&fqname); - result = dns_name_copy( - dns_fixedname_name(&dname), - dns_fixedname_name(&fqname), - NULL); - if (result != ISC_R_SUCCESS) - return (result); - wanted_chaining = ISC_TRUE; - name->attributes |= - DNS_NAMEATTR_CHAINING; - rdataset->attributes |= - DNS_RDATASETATTR_CHAINING; - qname = dns_fixedname_name( - &fqname); } + rdataset->attributes |= aflag; + if (aa) + rdataset->trust = + dns_trust_authanswer; + } else if (external) { + rdataset->attributes |= + DNS_RDATASETATTR_EXTERNAL; } } + + /* + * DNAME chaining. + */ + if (dnameset != NULL) { + /* + * Copy the dname into the qname fixed name. + * + * Although we check for failure of the copy + * operation, in practice it should never fail + * since we already know that the result fits + * in a fixedname. + */ + dns_fixedname_init(&fqname); + qname = dns_fixedname_name(&fqname); + result = dns_name_copy(dname, qname, NULL); + if (result != ISC_R_SUCCESS) + return (result); + wanted_chaining = ISC_TRUE; + name->attributes |= DNS_NAMEATTR_CHAINING; + dnameset->attributes |= + DNS_RDATASETATTR_CHAINING; + } if (wanted_chaining) chaining = ISC_TRUE; } diff --git a/contrib/bind9/lib/isccc/cc.c b/contrib/bind9/lib/isccc/cc.c index 69e7f7cee..ce05fdb2d 100644 --- a/contrib/bind9/lib/isccc/cc.c +++ b/contrib/bind9/lib/isccc/cc.c @@ -287,10 +287,10 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length, * Extract digest. */ _auth = isccc_alist_lookup(alist, "_auth"); - if (_auth == NULL) + if (!isccc_alist_alistp(_auth)) return (ISC_R_FAILURE); hmd5 = isccc_alist_lookup(_auth, "hmd5"); - if (hmd5 == NULL) + if (!isccc_sexpr_binaryp(hmd5)) return (ISC_R_FAILURE); /* * Compute digest. 
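Review bot: The chaining block guarded by `if (dnameset != NULL)` dereferences `dname`, which is a function-scope pointer that is not reset per owner name, so its correctness rests on `dnameset = rdataset;` always being followed by `dname = dns_fixedname_name(&fdname);` in the same iteration, which the hunk does but nothing states. Suggest `/* dnameset != NULL implies dname was set from fdname for this owner name above. */` at the top of that block, or resetting `dname = NULL` alongside `dnameset = NULL` at the start of the else branch so a stale value cannot be copied if the two assignments are ever separated. The enclosing function continues outside the hunk.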
@@ -545,7 +545,7 @@ isccc_cc_createack(isccc_sexpr_t *message, isc_boolean_t ok, REQUIRE(ackp != NULL && *ackp == NULL); _ctrl = isccc_alist_lookup(message, "_ctrl"); - if (_ctrl == NULL || + if (!isccc_alist_alistp(_ctrl) || isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS || isccc_cc_lookupuint32(_ctrl, "_tim", &t) != ISC_R_SUCCESS) return (ISC_R_FAILURE); @@ -590,7 +590,7 @@ isccc_cc_isack(isccc_sexpr_t *message) isccc_sexpr_t *_ctrl; _ctrl = isccc_alist_lookup(message, "_ctrl"); - if (_ctrl == NULL) + if (!isccc_alist_alistp(_ctrl)) return (ISC_FALSE); if (isccc_cc_lookupstring(_ctrl, "_ack", NULL) == ISC_R_SUCCESS) return (ISC_TRUE); @@ -603,7 +603,7 @@ isccc_cc_isreply(isccc_sexpr_t *message) isccc_sexpr_t *_ctrl; _ctrl = isccc_alist_lookup(message, "_ctrl"); - if (_ctrl == NULL) + if (!isccc_alist_alistp(_ctrl)) return (ISC_FALSE); if (isccc_cc_lookupstring(_ctrl, "_rpl", NULL) == ISC_R_SUCCESS) return (ISC_TRUE); @@ -623,7 +623,7 @@ isccc_cc_createresponse(isccc_sexpr_t *message, isccc_time_t now, _ctrl = isccc_alist_lookup(message, "_ctrl"); _data = isccc_alist_lookup(message, "_data"); - if (_ctrl == NULL || _data == NULL || + if (!isccc_alist_alistp(_ctrl) || !isccc_alist_alistp(_data) || isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS || isccc_cc_lookupstring(_data, "type", &type) != ISC_R_SUCCESS) return (ISC_R_FAILURE); @@ -812,7 +812,7 @@ isccc_cc_checkdup(isccc_symtab_t *symtab, isccc_sexpr_t *message, isccc_sexpr_t *_ctrl; _ctrl = isccc_alist_lookup(message, "_ctrl"); - if (_ctrl == NULL || + if (!isccc_alist_alistp(_ctrl) || isccc_cc_lookupstring(_ctrl, "_ser", &_ser) != ISC_R_SUCCESS || isccc_cc_lookupstring(_ctrl, "_tim", &_tim) != ISC_R_SUCCESS) return (ISC_R_FAILURE); diff --git a/crypto/openssl/crypto/bn/bn_exp.c b/crypto/openssl/crypto/bn/bn_exp.c index 797d19e91..2ce056d13 100644 --- a/crypto/openssl/crypto/bn/bn_exp.c +++ b/crypto/openssl/crypto/bn/bn_exp.c 
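Review bot: The pair `_ctrl = isccc_alist_lookup(message, "_ctrl"); if (!isccc_alist_alistp(_ctrl))` now appears in isccc_cc_createack, isccc_cc_isack, isccc_cc_isreply, isccc_cc_createresponse and isccc_cc_checkdup, and the same idiom is repeated in control.c, controlconf.c and rndc.c. A small file-local helper that returns the value only when it is an alist would make the type check impossible to omit at a future call site, and the callers would then test `if (_ctrl == NULL)` as they did before this patch. This assumes isccc_alist_alistp(NULL) is false, which the hunks themselves rely on.
```c
/* Return the value stored under key only when it is an alist; NULL otherwise. */
static isccc_sexpr_t *
lookup_alist(isccc_sexpr_t *alist, const char *key) {
	isccc_sexpr_t *value = isccc_alist_lookup(alist, key);
	return (isccc_alist_alistp(value) ? value : NULL);
}
/* … unchanged: callers replace the lookup/alistp pair with lookup_alist(message, "_ctrl") … */
```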
@@ -107,13 +107,13 @@ * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * - */ - -#include "cryptlib.h" -#include "constant_time_locl.h" -#include "bn_lcl.h" - -/* maximum precomputation table size for *variable* sliding windows */ + */ + +#include "cryptlib.h" +#include "constant_time_locl.h" +#include "bn_lcl.h" + +/* maximum precomputation table size for *variable* sliding windows */ #define TABLE_SIZE 32 /* this one works - simple but works */ 
@@ -521,79 +521,79 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, * pattern as far as cache lines are concerned. The following functions are * used to transfer a BIGNUM from/to that table. */ - -static int MOD_EXP_CTIME_COPY_TO_PREBUF(BIGNUM *b, int top, - unsigned char *buf, int idx, - int window) -{ - int i, j; - int width = 1 << window; - BN_ULONG *table = (BN_ULONG *)buf; - - if (bn_wexpand(b, top) == NULL) - return 0; + +static int MOD_EXP_CTIME_COPY_TO_PREBUF(BIGNUM *b, int top, + unsigned char *buf, int idx, + int window) +{ + int i, j; + int width = 1 << window; + BN_ULONG *table = (BN_ULONG *)buf; + + if (bn_wexpand(b, top) == NULL) + return 0; while (b->top < top) { - b->d[b->top++] = 0; - } - - for (i = 0, j = idx; i < top; i++, j += width) { - table[j] = b->d[i]; - } - - bn_correct_top(b); + b->d[b->top++] = 0; + } + + for (i = 0, j = idx; i < top; i++, j += width) { + table[j] = b->d[i]; + } + + bn_correct_top(b); return 1; } - -static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top, - unsigned char *buf, int idx, - int window) -{ - int i, j; - int width = 1 << window; - volatile BN_ULONG *table = (volatile BN_ULONG *)buf; - - if (bn_wexpand(b, top) == NULL) - return 0; - - if (window <= 3) { - for (i = 0; i < top; i++, table += width) { - BN_ULONG acc = 0; - - for (j = 0; j < width; j++) { - acc |= table[j] & - ((BN_ULONG)0 - (constant_time_eq_int(j,idx)&1)); - } - - b->d[i] = acc; - } - } else { - int xstride = 1 << (window - 2); - BN_ULONG y0, y1, y2, y3; - - i = idx >> (window - 2); /* equivalent of idx / xstride */ - idx &= xstride - 1; /* equivalent of idx % xstride */ - - y0 = (BN_ULONG)0 - (constant_time_eq_int(i,0)&1); - y1 = (BN_ULONG)0 - (constant_time_eq_int(i,1)&1); - y2 = (BN_ULONG)0 - (constant_time_eq_int(i,2)&1); - y3 = (BN_ULONG)0 - (constant_time_eq_int(i,3)&1); - - for (i = 0; i < top; i++, table += width) { - BN_ULONG acc = 0; - - for (j = 0; j < xstride; j++) { - acc |= ( (table[j + 0 * xstride] & y0) | 
- (table[j + 1 * xstride] & y1) | - (table[j + 2 * xstride] & y2) | - (table[j + 3 * xstride] & y3) ) - & ((BN_ULONG)0 - (constant_time_eq_int(j,idx)&1)); - } - - b->d[i] = acc; - } - } - - b->top = top; + +static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top, + unsigned char *buf, int idx, + int window) +{ + int i, j; + int width = 1 << window; + volatile BN_ULONG *table = (volatile BN_ULONG *)buf; + + if (bn_wexpand(b, top) == NULL) + return 0; + + if (window <= 3) { + for (i = 0; i < top; i++, table += width) { + BN_ULONG acc = 0; + + for (j = 0; j < width; j++) { + acc |= table[j] & + ((BN_ULONG)0 - (constant_time_eq_int(j,idx)&1)); + } + + b->d[i] = acc; + } + } else { + int xstride = 1 << (window - 2); + BN_ULONG y0, y1, y2, y3; + + i = idx >> (window - 2); /* equivalent of idx / xstride */ + idx &= xstride - 1; /* equivalent of idx % xstride */ + + y0 = (BN_ULONG)0 - (constant_time_eq_int(i,0)&1); + y1 = (BN_ULONG)0 - (constant_time_eq_int(i,1)&1); + y2 = (BN_ULONG)0 - (constant_time_eq_int(i,2)&1); + y3 = (BN_ULONG)0 - (constant_time_eq_int(i,3)&1); + + for (i = 0; i < top; i++, table += width) { + BN_ULONG acc = 0; + + for (j = 0; j < xstride; j++) { + acc |= ( (table[j + 0 * xstride] & y0) | + (table[j + 1 * xstride] & y1) | + (table[j + 2 * xstride] & y2) | + (table[j + 3 * xstride] & y3) ) + & ((BN_ULONG)0 - (constant_time_eq_int(j,idx)&1)); + } + + b->d[i] = acc; + } + } + + b->top = top; bn_correct_top(b); return 1; } 
@@ -684,13 +684,13 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, /* * Initialize the intermediate result. Do this early to save double * conversion, once each for a^0 and intermediate result. - */ - if (!BN_to_montgomery(r, BN_value_one(), mont, ctx)) - goto err; - if (!MOD_EXP_CTIME_COPY_TO_PREBUF(r, top, powerbuf, 0, window)) - goto err; - - /* Initialize computeTemp as a^1 with montgomery precalcs */ + */ + if (!BN_to_montgomery(r, BN_value_one(), mont, ctx)) + goto err; + if (!MOD_EXP_CTIME_COPY_TO_PREBUF(r, top, powerbuf, 0, window)) + goto err; + + /* Initialize computeTemp as a^1 with montgomery precalcs */ computeTemp = BN_CTX_get(ctx); am = BN_CTX_get(ctx); if (computeTemp == NULL || am == NULL) @@ -703,13 +703,13 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, } else aa = a; if (!BN_to_montgomery(am, aa, mont, ctx)) - goto err; - if (!BN_copy(computeTemp, am)) - goto err; - if (!MOD_EXP_CTIME_COPY_TO_PREBUF(am, top, powerbuf, 1, window)) - goto err; - - /* + goto err; + if (!BN_copy(computeTemp, am)) + goto err; + if (!MOD_EXP_CTIME_COPY_TO_PREBUF(am, top, powerbuf, 1, window)) + goto err; + + /* * If the window size is greater than 1, then calculate * val[i=2..2^winsize-1]. Powers are computed as a*a^(i-1) (even powers * could instead be computed as (a^(i/2))^2 to use the slight performance 
@@ -718,14 +718,14 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, if (window > 1) { for (i = 2; i < numPowers; i++) { /* Calculate a^i = a^(i-1) * a */ - if (!BN_mod_mul_montgomery - (computeTemp, am, computeTemp, mont, ctx)) - goto err; - if (!MOD_EXP_CTIME_COPY_TO_PREBUF(computeTemp, top, powerbuf, i, - window)) - goto err; - } - } + if (!BN_mod_mul_montgomery + (computeTemp, am, computeTemp, mont, ctx)) + goto err; + if (!MOD_EXP_CTIME_COPY_TO_PREBUF(computeTemp, top, powerbuf, i, + window)) + goto err; + } + } /* * Adjust the number of bits up to a multiple of the window size. If the @@ -758,7 +758,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, * Fetch the appropriate pre-computed value from the pre-buf */ if (!MOD_EXP_CTIME_COPY_FROM_PREBUF - (computeTemp, top, powerbuf, wvalue, numPowers)) + (computeTemp, top, powerbuf, wvalue, window)) goto err; /* Multiply the result into the intermediate result */ diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh index 16465be68..6780b8c1b 100644 --- a/sys/conf/newvers.sh +++ b/sys/conf/newvers.sh @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="9.3" -BRANCH="RELEASE-p37" +BRANCH="RELEASE-p38" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi -- 2.42.0
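Review bot: The corrected last argument in `MOD_EXP_CTIME_COPY_FROM_PREBUF(computeTemp, top, powerbuf, wvalue, window)` fixes a mistake that compiled silently because `window` and `numPowers` are both plain `int`, and the callee immediately computes `width = 1 << window`, so if `numPowers` is the table size as its name suggests the old call shifted by far more than intended and indexed the table past its end. Suggest a comment at the call site, `/* last argument is the window size, not the table size: the callee derives width = 1 << window */`, and a cheap guard at the top of MOD_EXP_CTIME_COPY_FROM_PREBUF that rejects a `window` large enough to make `1 << window` overflow `int`, so a recurrence fails the call instead of reading out of bounds. The remaining bn_exp.c hunks look like whitespace-only normalization and need no review. BN_mod_exp_mont_consttime continues outside the hunk.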