doc/share/security/patches/SA-16:12/openssl-9.3-fix.patch

--- crypto/openssl/crypto/bn/bn_exp.c.orig
+++ crypto/openssl/crypto/bn/bn_exp.c
@@ -107,13 +107,13 @@
  * (eay@cryptsoft.com).  This product includes software written by Tim
  * Hudson (tjh@cryptsoft.com).
  *
- */
-
-#include "cryptlib.h"
-#include "constant_time_locl.h"
-#include "bn_lcl.h"
-
-/* maximum precomputation table size for *variable* sliding windows */
+ */
+
+#include "cryptlib.h"
+#include "constant_time_locl.h"
+#include "bn_lcl.h"
+
+/* maximum precomputation table size for *variable* sliding windows */
 #define TABLE_SIZE      32
 
 /* this one works - simple but works */
@@ -521,79 +521,79 @@
  * pattern as far as cache lines are concerned.  The following functions are
  * used to transfer a BIGNUM from/to that table.
  */
-
-static int MOD_EXP_CTIME_COPY_TO_PREBUF(BIGNUM *b, int top,
-                                        unsigned char *buf, int idx,
-                                        int window)
-{
-    int i, j;
-    int width = 1 << window;
-    BN_ULONG *table = (BN_ULONG *)buf;
-
-    if (bn_wexpand(b, top) == NULL)
-        return 0;
+
+static int MOD_EXP_CTIME_COPY_TO_PREBUF(BIGNUM *b, int top,
+                                        unsigned char *buf, int idx,
+                                        int window)
+{
+    int i, j;
+    int width = 1 << window;
+    BN_ULONG *table = (BN_ULONG *)buf;
+
+    if (bn_wexpand(b, top) == NULL)
+        return 0;
     while (b->top < top) {
-        b->d[b->top++] = 0;
-    }
-
-    for (i = 0, j = idx; i < top; i++, j += width) {
-        table[j] = b->d[i];
-    }
-
-    bn_correct_top(b);
+        b->d[b->top++] = 0;
+    }
+
+    for (i = 0, j = idx; i < top; i++, j += width) {
+        table[j] = b->d[i];
+    }
+
+    bn_correct_top(b);
     return 1;
 }
-
-static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top,
-                                          unsigned char *buf, int idx,
-                                          int window)
-{
-    int i, j;
-    int width = 1 << window;
-    volatile BN_ULONG *table = (volatile BN_ULONG *)buf;
-
-    if (bn_wexpand(b, top) == NULL)
-        return 0;
-
-    if (window <= 3) {
-        for (i = 0; i < top; i++, table += width) {
-            BN_ULONG acc = 0;
-
-            for (j = 0; j < width; j++) {
-                acc |= table[j] &
-                       ((BN_ULONG)0 - (constant_time_eq_int(j,idx)&1));
-            }
-
-            b->d[i] = acc;
-        }
-    } else {
-        int xstride = 1 << (window - 2);
-        BN_ULONG y0, y1, y2, y3;
-
-        i = idx >> (window - 2);        /* equivalent of idx / xstride */
-        idx &= xstride - 1;             /* equivalent of idx % xstride */
-
-        y0 = (BN_ULONG)0 - (constant_time_eq_int(i,0)&1);
-        y1 = (BN_ULONG)0 - (constant_time_eq_int(i,1)&1);
-        y2 = (BN_ULONG)0 - (constant_time_eq_int(i,2)&1);
-        y3 = (BN_ULONG)0 - (constant_time_eq_int(i,3)&1);
-
-        for (i = 0; i < top; i++, table += width) {
-            BN_ULONG acc = 0;
-
-            for (j = 0; j < xstride; j++) {
-                acc |= ( (table[j + 0 * xstride] & y0) |
-                         (table[j + 1 * xstride] & y1) |
-                         (table[j + 2 * xstride] & y2) |
-                         (table[j + 3 * xstride] & y3) )
-                       & ((BN_ULONG)0 - (constant_time_eq_int(j,idx)&1));
-            }
-
-            b->d[i] = acc;
-        }
-    }
-
-    b->top = top;
+
+static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top,
+                                          unsigned char *buf, int idx,
+                                          int window)
+{
+    int i, j;
+    int width = 1 << window;
+    volatile BN_ULONG *table = (volatile BN_ULONG *)buf;
+
+    if (bn_wexpand(b, top) == NULL)
+        return 0;
+
+    if (window <= 3) {
+        for (i = 0; i < top; i++, table += width) {
+            BN_ULONG acc = 0;
+
+            for (j = 0; j < width; j++) {
+                acc |= table[j] &
+                       ((BN_ULONG)0 - (constant_time_eq_int(j,idx)&1));
+            }
+
+            b->d[i] = acc;
+        }
+    } else {
+        int xstride = 1 << (window - 2);
+        BN_ULONG y0, y1, y2, y3;
+
+        i = idx >> (window - 2);        /* equivalent of idx / xstride */
+        idx &= xstride - 1;             /* equivalent of idx % xstride */
+
+        y0 = (BN_ULONG)0 - (constant_time_eq_int(i,0)&1);
+        y1 = (BN_ULONG)0 - (constant_time_eq_int(i,1)&1);
+        y2 = (BN_ULONG)0 - (constant_time_eq_int(i,2)&1);
+        y3 = (BN_ULONG)0 - (constant_time_eq_int(i,3)&1);
+
+        for (i = 0; i < top; i++, table += width) {
+            BN_ULONG acc = 0;
+
+            for (j = 0; j < xstride; j++) {
+                acc |= ( (table[j + 0 * xstride] & y0) |
+                         (table[j + 1 * xstride] & y1) |
+                         (table[j + 2 * xstride] & y2) |
+                         (table[j + 3 * xstride] & y3) )
+                       & ((BN_ULONG)0 - (constant_time_eq_int(j,idx)&1));
+            }
+
+            b->d[i] = acc;
+        }
+    }
+
+    b->top = top;
     bn_correct_top(b);
     return 1;
 }
@@ -684,13 +684,13 @@
     /*
      * Initialize the intermediate result. Do this early to save double
      * conversion, once each for a^0 and intermediate result.
-     */
-    if (!BN_to_montgomery(r, BN_value_one(), mont, ctx))
-        goto err;
-    if (!MOD_EXP_CTIME_COPY_TO_PREBUF(r, top, powerbuf, 0, window))
-        goto err;
-
-    /* Initialize computeTemp as a^1 with montgomery precalcs */
+     */
+    if (!BN_to_montgomery(r, BN_value_one(), mont, ctx))
+        goto err;
+    if (!MOD_EXP_CTIME_COPY_TO_PREBUF(r, top, powerbuf, 0, window))
+        goto err;
+
+    /* Initialize computeTemp as a^1 with montgomery precalcs */
     computeTemp = BN_CTX_get(ctx);
     am = BN_CTX_get(ctx);
     if (computeTemp == NULL || am == NULL)
@@ -703,13 +703,13 @@
     } else
         aa = a;
     if (!BN_to_montgomery(am, aa, mont, ctx))
-        goto err;
-    if (!BN_copy(computeTemp, am))
-        goto err;
-    if (!MOD_EXP_CTIME_COPY_TO_PREBUF(am, top, powerbuf, 1, window))
-        goto err;
-
-    /*
+        goto err;
+    if (!BN_copy(computeTemp, am))
+        goto err;
+    if (!MOD_EXP_CTIME_COPY_TO_PREBUF(am, top, powerbuf, 1, window))
+        goto err;
+
+    /*
      * If the window size is greater than 1, then calculate
      * val[i=2..2^winsize-1]. Powers are computed as a*a^(i-1) (even powers
      * could instead be computed as (a^(i/2))^2 to use the slight performance
@@ -718,14 +718,14 @@
     if (window > 1) {
         for (i = 2; i < numPowers; i++) {
             /* Calculate a^i = a^(i-1) * a */
-            if (!BN_mod_mul_montgomery
-                (computeTemp, am, computeTemp, mont, ctx))
-                goto err;
-            if (!MOD_EXP_CTIME_COPY_TO_PREBUF(computeTemp, top, powerbuf, i,
-                                              window))
-                goto err;
-        }
-    }
+            if (!BN_mod_mul_montgomery
+                (computeTemp, am, computeTemp, mont, ctx))
+                goto err;
+            if (!MOD_EXP_CTIME_COPY_TO_PREBUF(computeTemp, top, powerbuf, i,
+                                              window))
+                goto err;
+        }
+    }
 
     /*
      * Adjust the number of bits up to a multiple of the window size. If the
@@ -758,7 +758,7 @@
          * Fetch the appropriate pre-computed value from the pre-buf
          */
         if (!MOD_EXP_CTIME_COPY_FROM_PREBUF
-            (computeTemp, top, powerbuf, wvalue, numPowers))
+            (computeTemp, top, powerbuf, wvalue, window))
             goto err;
 
         /* Multiply the result into the intermediate result */