Module Name: src Committed By: martin Date: Wed Apr 18 13:51:36 UTC 2018
Modified Files: src/crypto/external/bsd/openssl/dist/crypto/asn1 [netbsd-8]: asn1.h asn1_err.c tasn_dec.c src/crypto/external/bsd/openssl/dist/crypto/bn/asm [netbsd-8]: rsaz-avx2.pl x86_64-mont5.pl src/crypto/external/bsd/openssl/dist/crypto/rsa [netbsd-8]: rsa_gen.c src/crypto/external/bsd/openssl/dist/crypto/x509v3 [netbsd-8]: v3_addr.c src/crypto/external/bsd/openssl/dist/ssl [netbsd-8]: ssl.h src/crypto/external/bsd/openssl/lib/libcrypto/arch/x86_64 [netbsd-8]: rsaz-avx2.S x86_64-mont5.S Log Message: Apply upstream fixes for CVE-2017-3735, CVE-2017-3736, CVE-2017-3737, CVE-2017-3738, CVE-2018-0737, CVE-2018-0739. Regen. Requested by christos in ticket #774. To generate a diff of this commit: cvs rdiff -u -r1.2 -r1.2.6.1 \ src/crypto/external/bsd/openssl/dist/crypto/asn1/asn1.h cvs rdiff -u -r1.1.1.7 -r1.1.1.7.8.1 \ src/crypto/external/bsd/openssl/dist/crypto/asn1/asn1_err.c cvs rdiff -u -r1.6 -r1.6.6.1 \ src/crypto/external/bsd/openssl/dist/crypto/asn1/tasn_dec.c cvs rdiff -u -r1.1.1.1 -r1.1.1.1.8.1 \ src/crypto/external/bsd/openssl/dist/crypto/bn/asm/rsaz-avx2.pl cvs rdiff -u -r1.1.1.7 -r1.1.1.7.4.1 \ src/crypto/external/bsd/openssl/dist/crypto/bn/asm/x86_64-mont5.pl cvs rdiff -u -r1.1.1.6 -r1.1.1.6.4.1 \ src/crypto/external/bsd/openssl/dist/crypto/rsa/rsa_gen.c cvs rdiff -u -r1.5 -r1.5.6.1 \ src/crypto/external/bsd/openssl/dist/crypto/x509v3/v3_addr.c cvs rdiff -u -r1.16 -r1.16.6.1 src/crypto/external/bsd/openssl/dist/ssl/ssl.h cvs rdiff -u -r1.2 -r1.2.6.1 \ src/crypto/external/bsd/openssl/lib/libcrypto/arch/x86_64/rsaz-avx2.S cvs rdiff -u -r1.5 -r1.5.4.1 \ src/crypto/external/bsd/openssl/lib/libcrypto/arch/x86_64/x86_64-mont5.S Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/crypto/external/bsd/openssl/dist/crypto/asn1/asn1.h
diff -u src/crypto/external/bsd/openssl/dist/crypto/asn1/asn1.h:1.2 src/crypto/external/bsd/openssl/dist/crypto/asn1/asn1.h:1.2.6.1
--- src/crypto/external/bsd/openssl/dist/crypto/asn1/asn1.h:1.2 Fri Oct 14 16:23:18 2016
+++ src/crypto/external/bsd/openssl/dist/crypto/asn1/asn1.h Wed Apr 18 13:51:35 2018
@@ -1365,6 +1365,7 @@ void ERR_load_ASN1_strings(void);
 # define ASN1_R_MSTRING_NOT_UNIVERSAL 139
 # define ASN1_R_MSTRING_WRONG_TAG 140
 # define ASN1_R_NESTED_ASN1_STRING 197
+# define ASN1_R_NESTED_TOO_DEEP 219
 # define ASN1_R_NON_HEX_CHARACTERS 141
 # define ASN1_R_NOT_ASCII_FORMAT 190
 # define ASN1_R_NOT_ENOUGH_DATA 142
Index: src/crypto/external/bsd/openssl/dist/crypto/asn1/asn1_err.c
diff -u src/crypto/external/bsd/openssl/dist/crypto/asn1/asn1_err.c:1.1.1.7 src/crypto/external/bsd/openssl/dist/crypto/asn1/asn1_err.c:1.1.1.7.8.1
--- src/crypto/external/bsd/openssl/dist/crypto/asn1/asn1_err.c:1.1.1.7 Mon Mar 23 08:28:38 2015
+++ src/crypto/external/bsd/openssl/dist/crypto/asn1/asn1_err.c Wed Apr 18 13:51:35 2018
@@ -1,6 +1,6 @@
 /* crypto/asn1/asn1_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2014 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1999-2018 The OpenSSL Project. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -279,6 +279,7 @@ static ERR_STRING_DATA ASN1_str_reasons[ {ERR_REASON(ASN1_R_MSTRING_NOT_UNIVERSAL), "mstring not universal"}, {ERR_REASON(ASN1_R_MSTRING_WRONG_TAG), "mstring wrong tag"}, {ERR_REASON(ASN1_R_NESTED_ASN1_STRING), "nested asn1 string"}, + {ERR_REASON(ASN1_R_NESTED_TOO_DEEP), "nested too deep"}, {ERR_REASON(ASN1_R_NON_HEX_CHARACTERS), "non hex characters"}, {ERR_REASON(ASN1_R_NOT_ASCII_FORMAT), "not ascii format"}, {ERR_REASON(ASN1_R_NOT_ENOUGH_DATA), "not enough data"}, Index: src/crypto/external/bsd/openssl/dist/crypto/asn1/tasn_dec.c diff -u src/crypto/external/bsd/openssl/dist/crypto/asn1/tasn_dec.c:1.6 src/crypto/external/bsd/openssl/dist/crypto/asn1/tasn_dec.c:1.6.6.1 --- src/crypto/external/bsd/openssl/dist/crypto/asn1/tasn_dec.c:1.6 Fri Oct 14 16:23:18 2016 +++ src/crypto/external/bsd/openssl/dist/crypto/asn1/tasn_dec.c Wed Apr 18 13:51:35 2018 @@ -65,6 +65,14 @@ #include <openssl/buffer.h> #include <openssl/err.h> +/* + * Constructed types with a recursive definition (such as can be found in PKCS7) + * could eventually exceed the stack given malicious input with excessive + * recursion. Therefore we limit the stack depth. This is the maximum number of + * recursive invocations of asn1_item_embed_d2i(). + */ +#define ASN1_MAX_CONSTRUCTED_NEST 30 + static int asn1_check_eoc(const unsigned char **in, long len); static int asn1_find_end(const unsigned char **in, long len, char inf); @@ -81,11 +89,11 @@ static int asn1_check_tlen(long *olen, i static int asn1_template_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, const ASN1_TEMPLATE *tt, char opt, - ASN1_TLC *ctx); + ASN1_TLC *ctx, int depth); static int asn1_template_noexp_d2i(ASN1_VALUE **val, const unsigned char **in, long len, const ASN1_TEMPLATE *tt, char opt, - ASN1_TLC *ctx); + ASN1_TLC *ctx, int depth); static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, const unsigned char **in, long len, const ASN1_ITEM *it, 
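Review bot: The new comment above `ASN1_MAX_CONSTRUCTED_NEST` in the `@@ -65,6 +65,14 @@` hunk names `asn1_item_embed_d2i()`, but no function of that name appears in this patch; the depth argument is threaded through the static `asn1_item_ex_d2i()` introduced in the later hunks of this file. The last sentence should read `This is the maximum number of recursive invocations of asn1_item_ex_d2i().` so that a reader searching for the bounded function finds it. It would also help to state in the same comment that exceeding the limit fails the decode with `ASN1_R_NESTED_TOO_DEEP`.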
@@ -154,17 +162,16 @@ int ASN1_template_d2i(ASN1_VALUE **pval, { ASN1_TLC c; asn1_tlc_clear_nc(&c); - return asn1_template_ex_d2i(pval, in, len, tt, 0, &c); + return asn1_template_ex_d2i(pval, in, len, tt, 0, &c, 0); } /* * Decode an item, taking care of IMPLICIT tagging, if any. If 'opt' set and * tag mismatch return -1 to handle OPTIONAL */ - -int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, - const ASN1_ITEM *it, - int tag, int aclass, char opt, ASN1_TLC *ctx) +static int asn1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, + long len, const ASN1_ITEM *it, int tag, int aclass, + char opt, ASN1_TLC *ctx, int depth) { const ASN1_TEMPLATE *tt, *errtt = NULL; const ASN1_COMPAT_FUNCS *cf; @@ -189,6 +196,11 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, else asn1_cb = 0; + if (++depth > ASN1_MAX_CONSTRUCTED_NEST) { + ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_NESTED_TOO_DEEP); + goto err; + } + switch (it->itype) { case ASN1_ITYPE_PRIMITIVE: if (it->templates) { @@ -204,7 +216,7 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, goto err; } return asn1_template_ex_d2i(pval, in, len, - it->templates, opt, ctx); + it->templates, opt, ctx, depth); } return asn1_d2i_ex_primitive(pval, in, len, it, tag, aclass, opt, ctx); @@ -326,7 +338,7 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, /* * We mark field as OPTIONAL so its absence can be recognised. */ - ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, ctx); + ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, ctx, depth); /* If field not present, try the next one */ if (ret == -1) continue; @@ -444,7 +456,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, * attempt to read in field, allowing each to be OPTIONAL */ - ret = asn1_template_ex_d2i(pseqval, &p, len, seqtt, isopt, ctx); + ret = asn1_template_ex_d2i(pseqval, &p, len, seqtt, isopt, ctx, + depth); if (!ret) { errtt = seqtt; goto err; 
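Review bot: The nesting count is carried only along the internal template path; `ASN1_template_d2i()` here passes a literal `0`, and the public `ASN1_item_ex_d2i()` wrapper added in the `@@ -514,6 +527,13 @@` hunk does the same. Any decoder that re-enters through those public entry points (for instance an item-specific handler dispatched from `switch (it->itype)`, most of which lies outside these hunks) would start a fresh count, so the limit appears to bound each internal run rather than the whole parse. A comment on the wrapper would make that contract explicit, e.g. `/* Public entry point: nesting count starts at 0; internal recursion must call asn1_item_ex_d2i() so depth is carried. */`. The body of `asn1_item_ex_d2i()` starts and ends outside the hunks shown.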
@@ -514,6 +527,13 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, return 0; } +int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, + const ASN1_ITEM *it, + int tag, int aclass, char opt, ASN1_TLC *ctx) +{ + return asn1_item_ex_d2i(pval, in, len, it, tag, aclass, opt, ctx, 0); +} + /* * Templates are handled with two separate functions. One handles any * EXPLICIT tag and the other handles the rest. @@ -522,7 +542,7 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, static int asn1_template_ex_d2i(ASN1_VALUE **val, const unsigned char **in, long inlen, const ASN1_TEMPLATE *tt, char opt, - ASN1_TLC *ctx) + ASN1_TLC *ctx, int depth) { int flags, aclass; int ret; @@ -557,7 +577,7 @@ static int asn1_template_ex_d2i(ASN1_VAL return 0; } /* We've found the field so it can't be OPTIONAL now */ - ret = asn1_template_noexp_d2i(val, &p, len, tt, 0, ctx); + ret = asn1_template_noexp_d2i(val, &p, len, tt, 0, ctx, depth); if (!ret) { ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, ERR_R_NESTED_ASN1_ERROR); return 0; @@ -581,7 +601,7 @@ static int asn1_template_ex_d2i(ASN1_VAL } } } else - return asn1_template_noexp_d2i(val, in, inlen, tt, opt, ctx); + return asn1_template_noexp_d2i(val, in, inlen, tt, opt, ctx, depth); *in = p; return 1; @@ -594,7 +614,7 @@ static int asn1_template_ex_d2i(ASN1_VAL static int asn1_template_noexp_d2i(ASN1_VALUE **val, const unsigned char **in, long len, const ASN1_TEMPLATE *tt, char opt, - ASN1_TLC *ctx) + ASN1_TLC *ctx, int depth) { int flags, aclass; int ret; @@ -665,8 +685,8 @@ static int asn1_template_noexp_d2i(ASN1_ break; } skfield = NULL; - if (!ASN1_item_ex_d2i(&skfield, &p, len, - ASN1_ITEM_ptr(tt->item), -1, 0, 0, ctx)) { + if (!asn1_item_ex_d2i(&skfield, &p, len, ASN1_ITEM_ptr(tt->item), + -1, 0, 0, ctx, depth)) { ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR); goto err; 
@@ -683,9 +703,8 @@ static int asn1_template_noexp_d2i(ASN1_ } } else if (flags & ASN1_TFLG_IMPTAG) { /* IMPLICIT tagging */ - ret = ASN1_item_ex_d2i(val, &p, len, - ASN1_ITEM_ptr(tt->item), tt->tag, aclass, opt, - ctx); + ret = asn1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), tt->tag, + aclass, opt, ctx, depth); if (!ret) { ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR); goto err; @@ -693,8 +712,9 @@ static int asn1_template_noexp_d2i(ASN1_ return -1; } else { /* Nothing special */ - ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), - -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx); + ret = asn1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), + -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx, + depth); if (!ret) { ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR); goto err; Index: src/crypto/external/bsd/openssl/dist/crypto/bn/asm/rsaz-avx2.pl diff -u src/crypto/external/bsd/openssl/dist/crypto/bn/asm/rsaz-avx2.pl:1.1.1.1 src/crypto/external/bsd/openssl/dist/crypto/bn/asm/rsaz-avx2.pl:1.1.1.1.8.1 --- src/crypto/external/bsd/openssl/dist/crypto/bn/asm/rsaz-avx2.pl:1.1.1.1 Fri Oct 14 16:03:22 2016 +++ src/crypto/external/bsd/openssl/dist/crypto/bn/asm/rsaz-avx2.pl Wed Apr 18 13:51:35 2018 @@ -239,7 +239,7 @@ $code.=<<___; vmovdqu 32*8-128($ap), $ACC8 lea 192(%rsp), $tp0 # 64+128=192 - vpbroadcastq .Land_mask(%rip), $AND_MASK + vmovdqu .Land_mask(%rip), $AND_MASK jmp .LOOP_GRANDE_SQR_1024 .align 32 @@ -1070,10 +1070,10 @@ $code.=<<___; vpmuludq 32*6-128($np),$Yi,$TEMP1 vpaddq $TEMP1,$ACC6,$ACC6 vpmuludq 32*7-128($np),$Yi,$TEMP2 - vpblendd \$3, $ZERO, $ACC9, $ACC9 # correct $ACC3 + vpblendd \$3, $ZERO, $ACC9, $TEMP1 # correct $ACC3 vpaddq $TEMP2,$ACC7,$ACC7 vpmuludq 32*8-128($np),$Yi,$TEMP0 - vpaddq $ACC9, $ACC3, $ACC3 # correct $ACC3 + vpaddq $TEMP1, $ACC3, $ACC3 # correct $ACC3 vpaddq $TEMP0,$ACC8,$ACC8 mov %rbx, %rax 
@@ -1086,7 +1086,9 @@ $code.=<<___; vmovdqu -8+32*2-128($ap),$TEMP2 mov $r1, %rax + vpblendd \$0xfc, $ZERO, $ACC9, $ACC9 # correct $ACC3 imull $n0, %eax + vpaddq $ACC9,$ACC4,$ACC4 # correct $ACC3 and \$0x1fffffff, %eax imulq 16-128($ap),%rbx @@ -1322,15 +1324,12 @@ ___ # But as we underutilize resources, it's possible to correct in # each iteration with marginal performance loss. But then, as # we do it in each iteration, we can correct less digits, and -# avoid performance penalties completely. Also note that we -# correct only three digits out of four. This works because -# most significant digit is subjected to less additions. +# avoid performance penalties completely. $TEMP0 = $ACC9; $TEMP3 = $Bi; $TEMP4 = $Yi; $code.=<<___; - vpermq \$0, $AND_MASK, $AND_MASK vpaddq (%rsp), $TEMP1, $ACC0 vpsrlq \$29, $ACC0, $TEMP1 @@ -1763,7 +1762,7 @@ $code.=<<___; .align 64 .Land_mask: - .quad 0x1fffffff,0x1fffffff,0x1fffffff,-1 + .quad 0x1fffffff,0x1fffffff,0x1fffffff,0x1fffffff .Lscatter_permd: .long 0,2,4,6,7,7,7,7 .Lgather_permd: Index: src/crypto/external/bsd/openssl/dist/crypto/bn/asm/x86_64-mont5.pl diff -u src/crypto/external/bsd/openssl/dist/crypto/bn/asm/x86_64-mont5.pl:1.1.1.7 src/crypto/external/bsd/openssl/dist/crypto/bn/asm/x86_64-mont5.pl:1.1.1.7.4.1 --- src/crypto/external/bsd/openssl/dist/crypto/bn/asm/x86_64-mont5.pl:1.1.1.7 Fri Jan 27 22:55:23 2017 +++ src/crypto/external/bsd/openssl/dist/crypto/bn/asm/x86_64-mont5.pl Wed Apr 18 13:51:35 2018 
@@ -3090,11 +3090,19 @@ $code.=<<___; .align 32 .Lsqrx8x_break: - sub 16+8(%rsp),%r8 # consume last carry + xor $zero,$zero + sub 16+8(%rsp),%rbx # mov 16(%rsp),%cf + adcx $zero,%r8 mov 24+8(%rsp),$carry # initial $tptr, borrow $carry + adcx $zero,%r9 mov 0*8($aptr),%rdx # a[8], modulo-scheduled - xor %ebp,%ebp # xor $zero,$zero + adc \$0,%r10 mov %r8,0*8($tptr) + adc \$0,%r11 + adc \$0,%r12 + adc \$0,%r13 + adc \$0,%r14 + adc \$0,%r15 cmp $carry,$tptr # cf=0, of=0 je .Lsqrx8x_outer_loop Index: src/crypto/external/bsd/openssl/dist/crypto/rsa/rsa_gen.c diff -u src/crypto/external/bsd/openssl/dist/crypto/rsa/rsa_gen.c:1.1.1.6 src/crypto/external/bsd/openssl/dist/crypto/rsa/rsa_gen.c:1.1.1.6.4.1 --- src/crypto/external/bsd/openssl/dist/crypto/rsa/rsa_gen.c:1.1.1.6 Fri Jan 27 22:56:46 2017 +++ src/crypto/external/bsd/openssl/dist/crypto/rsa/rsa_gen.c Wed Apr 18 13:51:35 2018 @@ -146,6 +146,9 @@ static int rsa_builtin_keygen(RSA *rsa, goto err; /* generate p and q */ + BN_set_flags(rsa->p, BN_FLG_CONSTTIME); + BN_set_flags(rsa->q, BN_FLG_CONSTTIME); + BN_set_flags(r2, BN_FLG_CONSTTIME); for (;;) { if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb)) goto err; Index: src/crypto/external/bsd/openssl/dist/crypto/x509v3/v3_addr.c diff -u src/crypto/external/bsd/openssl/dist/crypto/x509v3/v3_addr.c:1.5 src/crypto/external/bsd/openssl/dist/crypto/x509v3/v3_addr.c:1.5.6.1 --- src/crypto/external/bsd/openssl/dist/crypto/x509v3/v3_addr.c:1.5 Fri Oct 14 16:23:21 2016 +++ src/crypto/external/bsd/openssl/dist/crypto/x509v3/v3_addr.c Wed Apr 18 13:51:35 2018 
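Review bot: The three `BN_set_flags(..., BN_FLG_CONSTTIME)` calls in the rsa_gen.c hunk are added under the existing `/* generate p and q */` comment without saying why, so nothing marks them as security-relevant for a later refactor. A why-comment such as `/* p, q and r2 hold secret values: force the constant-time BN code paths */` would do; how r2 is used lies outside this hunk, so the wording should be confirmed against the rest of `rsa_builtin_keygen()`. It is also worth checking that no other temporary later in the function receives a value derived from p or q without the flag, since only these three are flagged here.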
@@ -130,10 +130,12 @@ static int length_from_afi(const unsigne */ unsigned int v3_addr_get_afi(const IPAddressFamily *f) { - return ((f != NULL && - f->addressFamily != NULL && f->addressFamily->data != NULL) - ? ((f->addressFamily->data[0] << 8) | (f->addressFamily->data[1])) - : 0); + if (f == NULL + || f->addressFamily == NULL + || f->addressFamily->data == NULL + || f->addressFamily->length < 2) + return 0; + return (f->addressFamily->data[0] << 8) | f->addressFamily->data[1]; } /* Index: src/crypto/external/bsd/openssl/dist/ssl/ssl.h diff -u src/crypto/external/bsd/openssl/dist/ssl/ssl.h:1.16 src/crypto/external/bsd/openssl/dist/ssl/ssl.h:1.16.6.1 --- src/crypto/external/bsd/openssl/dist/ssl/ssl.h:1.16 Fri Oct 14 16:23:22 2016 +++ src/crypto/external/bsd/openssl/dist/ssl/ssl.h Wed Apr 18 13:51:36 2018 @@ -1727,7 +1727,7 @@ extern "C" { # define SSL_ST_BEFORE 0x4000 # define SSL_ST_OK 0x03 # define SSL_ST_RENEGOTIATE (0x04|SSL_ST_INIT) -# define SSL_ST_ERR 0x05 +# define SSL_ST_ERR (0x05|SSL_ST_INIT) # define SSL_CB_LOOP 0x01 # define SSL_CB_EXIT 0x02 Index: src/crypto/external/bsd/openssl/lib/libcrypto/arch/x86_64/rsaz-avx2.S diff -u src/crypto/external/bsd/openssl/lib/libcrypto/arch/x86_64/rsaz-avx2.S:1.2 src/crypto/external/bsd/openssl/lib/libcrypto/arch/x86_64/rsaz-avx2.S:1.2.6.1 --- src/crypto/external/bsd/openssl/lib/libcrypto/arch/x86_64/rsaz-avx2.S:1.2 Sun Jan 8 01:59:43 2017 +++ src/crypto/external/bsd/openssl/lib/libcrypto/arch/x86_64/rsaz-avx2.S Wed Apr 18 13:51:36 2018 @@ -67,7 +67,7 @@ rsaz_1024_sqr_avx2: vmovdqu 256-128(%rsi),%ymm8 leaq 192(%rsp),%rbx - vpbroadcastq .Land_mask(%rip),%ymm15 + vmovdqu .Land_mask(%rip),%ymm15 jmp .LOOP_GRANDE_SQR_1024 .align 32 
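Review bot: The new `f->addressFamily->length < 2` guard in `v3_addr_get_afi()` carries no comment tying it to the two indexed reads on the return line that it protects. A line such as `/* need both AFI octets; a shorter OCTET STRING would be read past its end */` above the `if` would keep the check from being dropped in a later cleanup. A short value now returns 0, the same as a NULL argument, so callers cannot distinguish malformed input from absent input; that may deserve a sentence in the function's header comment, which starts outside this hunk.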
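Review bot: `SSL_ST_ERR` changes its numeric value in a public header (ssl.h hunk), so the constant is compiled into every consumer; a program built against the old `0x05` and comparing a reported state with it would presumably stop matching once the library is patched. That is inherent to the fix, but on a release branch it seems worth stating that dependants need rebuilding; the callers are not visible here. The define would also benefit from a short comment giving the reason for the OR, e.g. `/* includes SSL_ST_INIT so the error state is still treated as mid-handshake */`, since the same form on `SSL_ST_RENEGOTIATE` just above is equally unexplained.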
@@ -800,10 +800,10 @@ rsaz_1024_mul_avx2: vpmuludq 192-128(%rcx),%ymm11,%ymm12 vpaddq %ymm12,%ymm6,%ymm6 vpmuludq 224-128(%rcx),%ymm11,%ymm13 - vpblendd $3,%ymm14,%ymm9,%ymm9 + vpblendd $3,%ymm14,%ymm9,%ymm12 vpaddq %ymm13,%ymm7,%ymm7 vpmuludq 256-128(%rcx),%ymm11,%ymm0 - vpaddq %ymm9,%ymm3,%ymm3 + vpaddq %ymm12,%ymm3,%ymm3 vpaddq %ymm0,%ymm8,%ymm8 movq %rbx,%rax @@ -816,7 +816,9 @@ rsaz_1024_mul_avx2: vmovdqu -8+64-128(%rsi),%ymm13 movq %r10,%rax + vpblendd $0xfc,%ymm14,%ymm9,%ymm9 imull %r8d,%eax + vpaddq %ymm9,%ymm4,%ymm4 andl $0x1fffffff,%eax imulq 16-128(%rsi),%rbx @@ -1045,7 +1047,6 @@ rsaz_1024_mul_avx2: decl %r14d jnz .Loop_mul_1024 - vpermq $0,%ymm15,%ymm15 vpaddq (%rsp),%ymm12,%ymm0 vpsrlq $29,%ymm0,%ymm12 @@ -1685,7 +1686,7 @@ rsaz_avx2_eligible: .align 64 .Land_mask: -.quad 0x1fffffff,0x1fffffff,0x1fffffff,-1 +.quad 0x1fffffff,0x1fffffff,0x1fffffff,0x1fffffff .Lscatter_permd: .long 0,2,4,6,7,7,7,7 .Lgather_permd: Index: src/crypto/external/bsd/openssl/lib/libcrypto/arch/x86_64/x86_64-mont5.S diff -u src/crypto/external/bsd/openssl/lib/libcrypto/arch/x86_64/x86_64-mont5.S:1.5 src/crypto/external/bsd/openssl/lib/libcrypto/arch/x86_64/x86_64-mont5.S:1.5.4.1 --- src/crypto/external/bsd/openssl/lib/libcrypto/arch/x86_64/x86_64-mont5.S:1.5 Fri Jan 27 23:00:46 2017 +++ src/crypto/external/bsd/openssl/lib/libcrypto/arch/x86_64/x86_64-mont5.S Wed Apr 18 13:51:36 2018 @@ -3076,11 +3076,19 @@ __bn_sqrx8x_internal: .align 32 .Lsqrx8x_break: - subq 16+8(%rsp),%r8 + xorq %rbp,%rbp + subq 16+8(%rsp),%rbx + adcxq %rbp,%r8 movq 24+8(%rsp),%rcx + adcxq %rbp,%r9 movq 0(%rsi),%rdx - xorl %ebp,%ebp + adcq $0,%r10 movq %r8,0(%rdi) + adcq $0,%r11 + adcq $0,%r12 + adcq $0,%r13 + adcq $0,%r14 + adcq $0,%r15 cmpq %rcx,%rdi je .Lsqrx8x_outer_loop