Merge OpenSSL 1.1.1b.
commit
6935a639f0
@ -7,6 +7,44 @@
|
||||
https://github.com/openssl/openssl/commits/ and pick the appropriate
|
||||
release branch.
|
||||
|
||||
Changes between 1.1.1a and 1.1.1b [26 Feb 2019]
|
||||
|
||||
*) Added SCA hardening for modular field inversion in EC_GROUP through
|
||||
a new dedicated field_inv() pointer in EC_METHOD.
|
||||
This also addresses a leakage affecting conversions from projective
|
||||
to affine coordinates.
|
||||
[Billy Bob Brumley, Nicola Tuveri]
|
||||
|
||||
*) Change the info callback signals for the start and end of a post-handshake
|
||||
message exchange in TLSv1.3. In 1.1.1/1.1.1a we used SSL_CB_HANDSHAKE_START
|
||||
and SSL_CB_HANDSHAKE_DONE. Experience has shown that many applications get
|
||||
confused by this and assume that a TLSv1.2 renegotiation has started. This
|
||||
can break KeyUpdate handling. Instead we no longer signal the start and end
|
||||
of a post handshake message exchange (although the messages themselves are
|
||||
still signalled). This could break some applications that were expecting
|
||||
the old signals. However without this KeyUpdate is not usable for many
|
||||
applications.
|
||||
[Matt Caswell]
|
||||
|
||||
*) Fix a bug in the computation of the endpoint-pair shared secret used
|
||||
by DTLS over SCTP. This breaks interoperability with older versions
|
||||
of OpenSSL like OpenSSL 1.1.0 and OpenSSL 1.0.2. There is a runtime
|
||||
switch SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG (off by default) enabling
|
||||
interoperability with such broken implementations. However, enabling
|
||||
this switch breaks interoperability with correct implementations.
|
||||
|
||||
*) Fix a use after free bug in d2i_X509_PUBKEY when overwriting a
|
||||
re-used X509_PUBKEY object if the second PUBKEY is malformed.
|
||||
[Bernd Edlinger]
|
||||
|
||||
*) Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0().
|
||||
[Richard Levitte]
|
||||
|
||||
*) Remove the 'dist' target and add a tarball building script. The
|
||||
'dist' target has fallen out of use, and it shouldn't be
|
||||
necessary to configure just to create a source distribution.
|
||||
[Richard Levitte]
|
||||
|
||||
Changes between 1.1.1 and 1.1.1a [20 Nov 2018]
|
||||
|
||||
*) Timing vulnerability in DSA signature generation
|
||||
|
@ -57,7 +57,7 @@ guidelines:
|
||||
7. For user visible changes (API changes, behaviour changes, ...),
|
||||
consider adding a note in CHANGES. This could be a summarising
|
||||
description of the change, and could explain the grander details.
|
||||
Have a look through existing entries for inspiration.
|
||||
Have a look through existing entries for inspiration.
|
||||
Please note that this is NOT simply a copy of git-log oneliners.
|
||||
Also note that security fixes get an entry in CHANGES.
|
||||
This file helps users get more in depth information of what comes
|
||||
|
@ -1,6 +1,6 @@
|
||||
#! /usr/bin/env perl
|
||||
# -*- mode: perl; -*-
|
||||
# Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
# Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
#
|
||||
# Licensed under the OpenSSL license (the "License"). You may not use
|
||||
# this file except in compliance with the License. You can obtain a copy
|
||||
@ -144,6 +144,8 @@ my $gcc_devteam_warn = "-DDEBUG_UNUSED"
|
||||
# -Wlanguage-extension-token -- no, we use asm()
|
||||
# -Wunused-macros -- no, too tricky for BN and _XOPEN_SOURCE etc
|
||||
# -Wextended-offsetof -- no, needed in CMS ASN1 code
|
||||
# -Wunused-function -- no, it forces header use of safestack et al
|
||||
# DEFINE macros
|
||||
my $clang_devteam_warn = ""
|
||||
. " -Wswitch-default"
|
||||
. " -Wno-parentheses-equality"
|
||||
@ -153,6 +155,7 @@ my $clang_devteam_warn = ""
|
||||
. " -Wincompatible-pointer-types-discards-qualifiers"
|
||||
. " -Wmissing-variable-declarations"
|
||||
. " -Wno-unknown-warning-option"
|
||||
. " -Wno-unused-function"
|
||||
;
|
||||
|
||||
# This adds backtrace information to the memory leak info. Is only used
|
||||
@ -374,6 +377,7 @@ my @disablables = (
|
||||
"msan",
|
||||
"multiblock",
|
||||
"nextprotoneg",
|
||||
"pinshared",
|
||||
"ocb",
|
||||
"ocsp",
|
||||
"pic",
|
||||
@ -1110,13 +1114,13 @@ foreach my $feature (@{$target{disable}}) {
|
||||
$disabled{$feature} = 'config';
|
||||
}
|
||||
foreach my $feature (@{$target{enable}}) {
|
||||
if ("default" eq ($disabled{$_} // "")) {
|
||||
if ("default" eq ($disabled{$feature} // "")) {
|
||||
if (exists $deprecated_disablables{$feature}) {
|
||||
warn "***** config $target enables deprecated feature $feature\n";
|
||||
} elsif (!grep { $feature eq $_ } @disablables) {
|
||||
die "***** config $target enables unknown feature $feature\n";
|
||||
}
|
||||
delete $disabled{$_};
|
||||
delete $disabled{$feature};
|
||||
}
|
||||
}
|
||||
|
||||
@ -1370,6 +1374,7 @@ unless ($disabled{asm}) {
|
||||
push @{$config{lib_defines}}, "OPENSSL_BN_ASM_MONT" if ($target{bn_asm_src} =~ /-mont/);
|
||||
push @{$config{lib_defines}}, "OPENSSL_BN_ASM_MONT5" if ($target{bn_asm_src} =~ /-mont5/);
|
||||
push @{$config{lib_defines}}, "OPENSSL_BN_ASM_GF2m" if ($target{bn_asm_src} =~ /-gf2m/);
|
||||
push @{$config{lib_defines}}, "BN_DIV3W" if ($target{bn_asm_src} =~ /-div3w/);
|
||||
|
||||
if ($target{sha1_asm_src}) {
|
||||
push @{$config{lib_defines}}, "SHA1_ASM" if ($target{sha1_asm_src} =~ /sx86/ || $target{sha1_asm_src} =~ /sha1/);
|
||||
|
@ -326,6 +326,11 @@
|
||||
Don't build support for datagram based BIOs. Selecting this
|
||||
option will also force the disabling of DTLS.
|
||||
|
||||
enable-devcryptoeng
|
||||
Build the /dev/crypto engine. It is automatically selected
|
||||
on BSD implementations, in which case it can be disabled with
|
||||
no-devcryptoeng.
|
||||
|
||||
no-dso
|
||||
Don't build support for loading Dynamic Shared Objects.
|
||||
|
||||
@ -402,6 +407,24 @@
|
||||
no-pic
|
||||
Don't build with support for Position Independent Code.
|
||||
|
||||
no-pinshared By default OpenSSL will attempt to stay in memory until the
|
||||
process exits. This is so that libcrypto and libssl can be
|
||||
properly cleaned up automatically via an "atexit()" handler.
|
||||
The handler is registered by libcrypto and cleans up both
|
||||
libraries. On some platforms the atexit() handler will run on
|
||||
unload of libcrypto (if it has been dynamically loaded)
|
||||
rather than at process exit. This option can be used to stop
|
||||
OpenSSL from attempting to stay in memory until the process
|
||||
exits. This could lead to crashes if either libcrypto or
|
||||
libssl have already been unloaded at the point
|
||||
that the atexit handler is invoked, e.g. on a platform which
|
||||
calls atexit() on unload of the library, and libssl is
|
||||
unloaded before libcrypto then a crash is likely to happen.
|
||||
Applications can suppress running of the atexit() handler at
|
||||
run time by using the OPENSSL_INIT_NO_ATEXIT option to
|
||||
OPENSSL_init_crypto(). See the man page for it for further
|
||||
details.
|
||||
|
||||
no-posix-io
|
||||
Don't use POSIX IO capabilities.
|
||||
|
||||
@ -941,10 +964,10 @@
|
||||
|
||||
* COMPILING existing applications
|
||||
|
||||
OpenSSL 1.1.0 hides a number of structures that were previously
|
||||
open. This includes all internal libssl structures and a number
|
||||
of EVP types. Accessor functions have been added to allow
|
||||
controlled access to the structures' data.
|
||||
Starting with version 1.1.0, OpenSSL hides a number of structures
|
||||
that were previously open. This includes all internal libssl
|
||||
structures and a number of EVP types. Accessor functions have
|
||||
been added to allow controlled access to the structures' data.
|
||||
|
||||
This means that some software needs to be rewritten to adapt to
|
||||
the new ways of doing things. This often amounts to allocating
|
||||
@ -1047,7 +1070,7 @@
|
||||
|
||||
depend
|
||||
Rebuild the dependencies in the Makefiles. This is a legacy
|
||||
option that no longer needs to be used in OpenSSL 1.1.0.
|
||||
option that no longer needs to be used since OpenSSL 1.1.0.
|
||||
|
||||
install
|
||||
Install all OpenSSL components.
|
||||
|
@ -10,14 +10,14 @@
|
||||
---------------
|
||||
|
||||
/* ====================================================================
|
||||
* Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
*
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
*
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in
|
||||
@ -72,21 +72,21 @@
|
||||
* This package is an SSL implementation written
|
||||
* by Eric Young (eay@cryptsoft.com).
|
||||
* The implementation was written so as to conform with Netscapes SSL.
|
||||
*
|
||||
*
|
||||
* This library is free for commercial and non-commercial use as long as
|
||||
* the following conditions are aheared to. The following conditions
|
||||
* apply to all code found in this distribution, be it the RC4, RSA,
|
||||
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
|
||||
* included with this distribution is covered by the same copyright terms
|
||||
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
|
||||
*
|
||||
*
|
||||
* Copyright remains Eric Young's, and as such any Copyright notices in
|
||||
* the code are not to be removed.
|
||||
* If this package is used in a product, Eric Young should be given attribution
|
||||
* as the author of the parts of the library used.
|
||||
* This can be in the form of a textual message at program startup or
|
||||
* in documentation (online or textual) provided with the package.
|
||||
*
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
@ -101,10 +101,10 @@
|
||||
* Eric Young (eay@cryptsoft.com)"
|
||||
* The word 'cryptographic' can be left out if the rouines from the library
|
||||
* being used are not cryptographic related :-).
|
||||
* 4. If you include any Windows specific code (or a derivative thereof) from
|
||||
* 4. If you include any Windows specific code (or a derivative thereof) from
|
||||
* the apps directory (application code) you must include an acknowledgement:
|
||||
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
|
||||
*
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
@ -116,7 +116,7 @@
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
*
|
||||
* The licence and distribution terms for any publically available version or
|
||||
* derivative of this code cannot be changed. i.e. this code cannot simply be
|
||||
* copied and put under another distribution licence
|
||||
|
@ -5,6 +5,13 @@
|
||||
This file gives a brief overview of the major changes between each OpenSSL
|
||||
release. For more details please read the CHANGES file.
|
||||
|
||||
Major changes between OpenSSL 1.1.1a and OpenSSL 1.1.1b [26 Feb 2019]
|
||||
|
||||
o Change the info callback signals for the start and end of a post-handshake
|
||||
message exchange in TLSv1.3.
|
||||
o Fix a bug in DTLS over SCTP. This breaks interoperability with older versions
|
||||
of OpenSSL like OpenSSL 1.1.0 and OpenSSL 1.0.2.
|
||||
|
||||
Major changes between OpenSSL 1.1.1 and OpenSSL 1.1.1a [20 Nov 2018]
|
||||
|
||||
o Timing vulnerability in DSA signature generation (CVE-2018-0734)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
OpenSSL 1.1.1a 20 Nov 2018
|
||||
OpenSSL 1.1.1b 26 Feb 2019
|
||||
|
||||
Copyright (c) 1998-2018 The OpenSSL Project
|
||||
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -1561,7 +1561,7 @@ CA_DB *load_index(const char *dbfile, DB_ATTR *db_attr)
|
||||
#else
|
||||
BIO_snprintf(buf, sizeof(buf), "%s-attr", dbfile);
|
||||
#endif
|
||||
dbattr_conf = app_load_config(buf);
|
||||
dbattr_conf = app_load_config_quiet(buf);
|
||||
|
||||
retdb = app_malloc(sizeof(*retdb), "new DB");
|
||||
retdb->db = tmpdb;
|
||||
@ -2196,7 +2196,7 @@ double app_tminterval(int stop, int usertime)
|
||||
|
||||
return ret;
|
||||
}
|
||||
#elif defined(OPENSSL_SYSTEM_VXWORKS)
|
||||
#elif defined(OPENSSL_SYS_VXWORKS)
|
||||
# include <time.h>
|
||||
|
||||
double app_tminterval(int stop, int usertime)
|
||||
|
@ -2,8 +2,8 @@
|
||||
# that are to be trusted.
|
||||
|
||||
# Google's list of logs can be found here:
|
||||
# www.certificate-transparency.org/known-logs
|
||||
# www.certificate-transparency.org/known-logs
|
||||
# A Python program to convert the log list to OpenSSL's format can be
|
||||
# found here:
|
||||
# https://github.com/google/certificate-transparency/blob/master/python/utilities/log_list/print_log_list.py
|
||||
# https://github.com/google/certificate-transparency/blob/master/python/utilities/log_list/print_log_list.py
|
||||
# Use the "--openssl_output" flag.
|
||||
|
@ -4,7 +4,7 @@ Sgh5jjQE3e+VGbPNOkMbMCsKbfJfFDdP4TVtbVHCReSFtXZiXn7G9ExC6aY37WsL
|
||||
/1y29Aa37e44a/taiZ+lrp8kEXxLH+ZJKGZR7OZTgf//////////AgEC
|
||||
-----END DH PARAMETERS-----
|
||||
|
||||
These are the 1024-bit DH parameters from "Internet Key Exchange
|
||||
These are the 1024-bit DH parameters from "Internet Key Exchange
|
||||
Protocol Version 2 (IKEv2)": https://tools.ietf.org/html/rfc5996
|
||||
|
||||
See https://tools.ietf.org/html/rfc2412 for how they were generated.
|
||||
|
@ -7,8 +7,8 @@ fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq
|
||||
5RXSJhiY+gUQFXKOWoqsqmj//////////wIBAg==
|
||||
-----END DH PARAMETERS-----
|
||||
|
||||
These are the 2048-bit DH parameters from "More Modular Exponential
|
||||
(MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)":
|
||||
These are the 2048-bit DH parameters from "More Modular Exponential
|
||||
(MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)":
|
||||
https://tools.ietf.org/html/rfc3526
|
||||
|
||||
See https://tools.ietf.org/html/rfc2412 for how they were generated.
|
||||
|
@ -12,8 +12,8 @@ ARpyPBKnh+bXiHGaEL26WyaZwycYavTiPBqUaDS2FQvaJYPpyirUTOjbu8LbBN6O
|
||||
HNAGkSfVsFqpk7TqmI2P3cGG/7fckKbAj030Nck0BjGZ//////////8CAQI=
|
||||
-----END DH PARAMETERS-----
|
||||
|
||||
These are the 4096-bit DH parameters from "More Modular Exponential
|
||||
(MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)":
|
||||
These are the 4096-bit DH parameters from "More Modular Exponential
|
||||
(MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)":
|
||||
https://tools.ietf.org/html/rfc3526
|
||||
|
||||
See https://tools.ietf.org/html/rfc2412 for how they were generated.
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -36,7 +36,21 @@ NON_EMPTY_TRANSLATION_UNIT
|
||||
# include <openssl/x509v3.h>
|
||||
# include <openssl/rand.h>
|
||||
|
||||
# if defined(OPENSSL_SYS_UNIX) && !defined(OPENSSL_NO_SOCK) \
|
||||
#ifndef HAVE_FORK
|
||||
# if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS)
|
||||
# define HAVE_FORK 0
|
||||
# else
|
||||
# define HAVE_FORK 1
|
||||
# endif
|
||||
#endif
|
||||
|
||||
#if HAVE_FORK
|
||||
# undef NO_FORK
|
||||
#else
|
||||
# define NO_FORK
|
||||
#endif
|
||||
|
||||
# if !defined(NO_FORK) && !defined(OPENSSL_NO_SOCK) \
|
||||
&& !defined(OPENSSL_NO_POSIX_IO)
|
||||
# define OCSP_DAEMON
|
||||
# include <sys/types.h>
|
||||
@ -53,6 +67,20 @@ NON_EMPTY_TRANSLATION_UNIT
|
||||
# define LOG_ERR 2
|
||||
# endif
|
||||
|
||||
# if defined(OPENSSL_SYS_VXWORKS)
|
||||
/* not supported */
|
||||
int setpgid(pid_t pid, pid_t pgid)
|
||||
{
|
||||
errno = ENOSYS;
|
||||
return 0;
|
||||
}
|
||||
/* not supported */
|
||||
pid_t fork(void)
|
||||
{
|
||||
errno = ENOSYS;
|
||||
return (pid_t) -1;
|
||||
}
|
||||
# endif
|
||||
/* Maximum leeway in validity period: default 5 minutes */
|
||||
# define MAX_VALIDITY_PERIOD (5 * 60)
|
||||
|
||||
@ -863,6 +891,7 @@ static void killall(int ret, pid_t *kidpids)
|
||||
for (i = 0; i < multi; ++i)
|
||||
if (kidpids[i] != 0)
|
||||
(void)kill(kidpids[i], SIGTERM);
|
||||
OPENSSL_free(kidpids);
|
||||
sleep(1);
|
||||
exit(ret);
|
||||
}
|
||||
@ -977,7 +1006,6 @@ static void spawn_loop(void)
|
||||
}
|
||||
|
||||
/* The loop above can only break on termsig */
|
||||
OPENSSL_free(kidpids);
|
||||
syslog(LOG_INFO, "terminating on signal: %d", termsig);
|
||||
killall(0, kidpids);
|
||||
}
|
||||
|
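Review bot: The VxWorks `setpgid` stub sets `errno = ENOSYS` but returns 0, so a caller that tests the return value sees success while errno reports an unsupported call; the `fork` stub beside it returns `(pid_t) -1`. If reporting success is deliberate so that daemon setup can carry on, the `/* not supported */` comment should say so and the errno assignment should go; otherwise the stub should end with `return -1;`. The HAVE_FORK block added earlier in this file also leaves VxWorks at `HAVE_FORK 1` and depends on these stubs, whereas the HAVE_FORK block in the source defining `speed_main` (same commit) adds `OPENSSL_SYS_VXWORKS` to the `HAVE_FORK 0` list. Using one approach in both places would be easier to follow.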
@ -19,7 +19,7 @@ oid_section = new_oids
|
||||
# To use this configuration file with the "-extfile" option of the
|
||||
# "openssl x509" utility, name here the section containing the
|
||||
# X.509v3 extensions to use:
|
||||
# extensions =
|
||||
# extensions =
|
||||
# (Alternatively, use a configuration file that has only
|
||||
# X.509v3 extensions in its main [= default] section.)
|
||||
|
||||
@ -116,7 +116,7 @@ x509_extensions = v3_ca # The extensions to add to the self signed cert
|
||||
# input_password = secret
|
||||
# output_password = secret
|
||||
|
||||
# This sets a mask for permitted string types. There are several options.
|
||||
# This sets a mask for permitted string types. There are several options.
|
||||
# default: PrintableString, T61String, BMPString.
|
||||
# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
|
||||
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1999-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -311,6 +311,13 @@ int pkcs12_main(int argc, char **argv)
|
||||
if (cpass != NULL) {
|
||||
mpass = cpass;
|
||||
noprompt = 1;
|
||||
if (twopass) {
|
||||
if (export_cert)
|
||||
BIO_printf(bio_err, "Option -twopass cannot be used with -passout or -password\n");
|
||||
else
|
||||
BIO_printf(bio_err, "Option -twopass cannot be used with -passin or -password\n");
|
||||
goto end;
|
||||
}
|
||||
} else {
|
||||
cpass = pass;
|
||||
mpass = macpass;
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2015-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright (c) 2013-2014 Timo Teräs <timo.teras@gmail.com>
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
@ -51,6 +51,26 @@
|
||||
# endif
|
||||
# define MAX_COLLISIONS 256
|
||||
|
||||
# if defined(OPENSSL_SYS_VXWORKS)
|
||||
/*
|
||||
* VxWorks has no symbolic links
|
||||
*/
|
||||
|
||||
# define lstat(path, buf) stat(path, buf)
|
||||
|
||||
int symlink(const char *target, const char *linkpath)
|
||||
{
|
||||
errno = ENOSYS;
|
||||
return -1;
|
||||
}
|
||||
|
||||
ssize_t readlink(const char *pathname, char *buf, size_t bufsiz)
|
||||
{
|
||||
errno = ENOSYS;
|
||||
return -1;
|
||||
}
|
||||
# endif
|
||||
|
||||
typedef struct hentry_st {
|
||||
struct hentry_st *next;
|
||||
char *filename;
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -24,7 +24,7 @@
|
||||
|
||||
#define COOKIE_SECRET_LENGTH 16
|
||||
|
||||
VERIFY_CB_ARGS verify_args = { 0, 0, X509_V_OK, 0 };
|
||||
VERIFY_CB_ARGS verify_args = { -1, 0, X509_V_OK, 0 };
|
||||
|
||||
#ifndef OPENSSL_NO_SOCK
|
||||
static unsigned char cookie_secret[COOKIE_SECRET_LENGTH];
|
||||
@ -63,7 +63,7 @@ int verify_callback(int ok, X509_STORE_CTX *ctx)
|
||||
if (!ok) {
|
||||
BIO_printf(bio_err, "verify error:num=%d:%s\n", err,
|
||||
X509_verify_cert_error_string(err));
|
||||
if (verify_args.depth >= depth) {
|
||||
if (verify_args.depth < 0 || verify_args.depth >= depth) {
|
||||
if (!verify_args.return_error)
|
||||
ok = 1;
|
||||
verify_args.error = err;
|
||||
|
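Review bot: The `-1` now used as the first initializer of `verify_args` is an undocumented sentinel, and together with the new `verify_args.depth < 0 ||` test in `verify_callback` it widens what the callback forgives. With no depth configured, a failure at any chain depth now reaches `if (!verify_args.return_error) ok = 1;`, where previously only failures at or below the configured depth did. I would add a comment at the initializer such as `/* depth < 0: no limit requested; verification errors at every depth are tolerated unless return_error is set */`. That makes it clear to anyone reusing this callback that it reports errors but does not enforce them by default. The body of `verify_callback` continues outside the hunk.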
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2005 Nokia. All rights reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
@ -74,6 +74,7 @@ static void print_stuff(BIO *berr, SSL *con, int full);
|
||||
static int ocsp_resp_cb(SSL *s, void *arg);
|
||||
#endif
|
||||
static int ldap_ExtendedResponse_parse(const char *buf, long rem);
|
||||
static int is_dNS_name(const char *host);
|
||||
|
||||
static int saved_errno;
|
||||
|
||||
@ -596,6 +597,7 @@ typedef enum OPTION_choice {
|
||||
#endif
|
||||
OPT_DANE_TLSA_RRDATA, OPT_DANE_EE_NO_NAME,
|
||||
OPT_ENABLE_PHA,
|
||||
OPT_SCTP_LABEL_BUG,
|
||||
OPT_R_ENUM
|
||||
} OPTION_CHOICE;
|
||||
|
||||
@ -750,6 +752,7 @@ const OPTIONS s_client_options[] = {
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_SCTP
|
||||
{"sctp", OPT_SCTP, '-', "Use SCTP"},
|
||||
{"sctp_label_bug", OPT_SCTP_LABEL_BUG, '-', "Enable SCTP label length bug"},
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_SSL_TRACE
|
||||
{"trace", OPT_TRACE, '-', "Show trace output of protocol messages"},
|
||||
@ -976,6 +979,9 @@ int s_client_main(int argc, char **argv)
|
||||
#endif
|
||||
char *psksessf = NULL;
|
||||
int enable_pha = 0;
|
||||
#ifndef OPENSSL_NO_SCTP
|
||||
int sctp_label_bug = 0;
|
||||
#endif
|
||||
|
||||
FD_ZERO(&readfds);
|
||||
FD_ZERO(&writefds);
|
||||
@ -1121,6 +1127,7 @@ int s_client_main(int argc, char **argv)
|
||||
goto opthelp;
|
||||
break;
|
||||
case OPT_VERIFY_RET_ERROR:
|
||||
verify = SSL_VERIFY_PEER;
|
||||
verify_args.return_error = 1;
|
||||
break;
|
||||
case OPT_VERIFY_QUIET:
|
||||
@ -1321,6 +1328,11 @@ int s_client_main(int argc, char **argv)
|
||||
case OPT_SCTP:
|
||||
#ifndef OPENSSL_NO_SCTP
|
||||
protocol = IPPROTO_SCTP;
|
||||
#endif
|
||||
break;
|
||||
case OPT_SCTP_LABEL_BUG:
|
||||
#ifndef OPENSSL_NO_SCTP
|
||||
sctp_label_bug = 1;
|
||||
#endif
|
||||
break;
|
||||
case OPT_TIMEOUT:
|
||||
@ -1707,6 +1719,11 @@ int s_client_main(int argc, char **argv)
|
||||
}
|
||||
}
|
||||
|
||||
#ifndef OPENSSL_NO_SCTP
|
||||
if (protocol == IPPROTO_SCTP && sctp_label_bug == 1)
|
||||
SSL_CTX_set_mode(ctx, SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG);
|
||||
#endif
|
||||
|
||||
if (min_version != 0
|
||||
&& SSL_CTX_set_min_proto_version(ctx, min_version) == 0)
|
||||
goto end;
|
||||
@ -1975,9 +1992,11 @@ int s_client_main(int argc, char **argv)
|
||||
SSL_set_mode(con, SSL_MODE_SEND_FALLBACK_SCSV);
|
||||
|
||||
if (!noservername && (servername != NULL || dane_tlsa_domain == NULL)) {
|
||||
if (servername == NULL)
|
||||
servername = (host == NULL) ? "localhost" : host;
|
||||
if (!SSL_set_tlsext_host_name(con, servername)) {
|
||||
if (servername == NULL) {
|
||||
if(host == NULL || is_dNS_name(host))
|
||||
servername = (host == NULL) ? "localhost" : host;
|
||||
}
|
||||
if (servername != NULL && !SSL_set_tlsext_host_name(con, servername)) {
|
||||
BIO_printf(bio_err, "Unable to set TLS servername extension.\n");
|
||||
ERR_print_errors(bio_err);
|
||||
goto end;
|
||||
@ -3031,9 +3050,7 @@ int s_client_main(int argc, char **argv)
|
||||
BIO_printf(bio_err, "RENEGOTIATING\n");
|
||||
SSL_renegotiate(con);
|
||||
cbuf_len = 0;
|
||||
}
|
||||
|
||||
if (!c_ign_eof && (cbuf[0] == 'K' || cbuf[0] == 'k' )
|
||||
} else if (!c_ign_eof && (cbuf[0] == 'K' || cbuf[0] == 'k' )
|
||||
&& cmdletters) {
|
||||
BIO_printf(bio_err, "KEYUPDATE\n");
|
||||
SSL_key_update(con,
|
||||
@ -3459,4 +3476,69 @@ static int ldap_ExtendedResponse_parse(const char *buf, long rem)
|
||||
return ret;
|
||||
}
|
||||
|
||||
/*
|
||||
* Host dNS Name verifier: used for checking that the hostname is in dNS format
|
||||
* before setting it as SNI
|
||||
*/
|
||||
static int is_dNS_name(const char *host)
|
||||
{
|
||||
const size_t MAX_LABEL_LENGTH = 63;
|
||||
size_t i;
|
||||
int isdnsname = 0;
|
||||
size_t length = strlen(host);
|
||||
size_t label_length = 0;
|
||||
int all_numeric = 1;
|
||||
|
||||
/*
|
||||
* Deviation from strict DNS name syntax, also check names with '_'
|
||||
* Check DNS name syntax, any '-' or '.' must be internal,
|
||||
* and on either side of each '.' we can't have a '-' or '.'.
|
||||
*
|
||||
* If the name has just one label, we don't consider it a DNS name.
|
||||
*/
|
||||
for (i = 0; i < length && label_length < MAX_LABEL_LENGTH; ++i) {
|
||||
char c = host[i];
|
||||
|
||||
if ((c >= 'a' && c <= 'z')
|
||||
|| (c >= 'A' && c <= 'Z')
|
||||
|| c == '_') {
|
||||
label_length += 1;
|
||||
all_numeric = 0;
|
||||
continue;
|
||||
}
|
||||
|
||||
if (c >= '0' && c <= '9') {
|
||||
label_length += 1;
|
||||
continue;
|
||||
}
|
||||
|
||||
/* Dot and hyphen cannot be first or last. */
|
||||
if (i > 0 && i < length - 1) {
|
||||
if (c == '-') {
|
||||
label_length += 1;
|
||||
continue;
|
||||
}
|
||||
/*
|
||||
* Next to a dot the preceding and following characters must not be
|
||||
* another dot or a hyphen. Otherwise, record that the name is
|
||||
* plausible, since it has two or more labels.
|
||||
*/
|
||||
if (c == '.'
|
||||
&& host[i + 1] != '.'
|
||||
&& host[i - 1] != '-'
|
||||
&& host[i + 1] != '-') {
|
||||
label_length = 0;
|
||||
isdnsname = 1;
|
||||
continue;
|
||||
}
|
||||
}
|
||||
isdnsname = 0;
|
||||
break;
|
||||
}
|
||||
|
||||
/* dNS name must not be all numeric and labels must be shorter than 64 characters. */
|
||||
isdnsname &= !all_numeric && !(label_length == MAX_LABEL_LENGTH);
|
||||
|
||||
return isdnsname;
|
||||
}
|
||||
#endif /* OPENSSL_NO_SOCK */
|
||||
|
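Review bot: `is_dNS_name` rejects a label of exactly 63 characters, although its own comment says labels only need to be shorter than 64. The loop condition `label_length < MAX_LABEL_LENGTH` stops scanning as soon as a label reaches 63, before the following '.' can reset the counter, and the final test `!(label_length == MAX_LABEL_LENGTH)` then clears the result. In the SNI hunk above, `servername` then stays NULL and no server name extension is sent for such a host. Letting the loop run with `label_length <= MAX_LABEL_LENGTH` and ending with `isdnsname &= !all_numeric && !(label_length > MAX_LABEL_LENGTH);` accepts 63 and still rejects 64.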
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
|
||||
* Copyright 2005 Nokia. All rights reserved.
|
||||
*
|
||||
@ -751,7 +751,7 @@ typedef enum OPTION_choice {
|
||||
OPT_CERT2, OPT_KEY2, OPT_NEXTPROTONEG, OPT_ALPN,
|
||||
OPT_SRTP_PROFILES, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN,
|
||||
OPT_KEYLOG_FILE, OPT_MAX_EARLY, OPT_RECV_MAX_EARLY, OPT_EARLY_DATA,
|
||||
OPT_S_NUM_TICKETS, OPT_ANTI_REPLAY, OPT_NO_ANTI_REPLAY,
|
||||
OPT_S_NUM_TICKETS, OPT_ANTI_REPLAY, OPT_NO_ANTI_REPLAY, OPT_SCTP_LABEL_BUG,
|
||||
OPT_R_ENUM,
|
||||
OPT_S_ENUM,
|
||||
OPT_V_ENUM,
|
||||
@ -938,6 +938,7 @@ const OPTIONS s_server_options[] = {
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_SCTP
|
||||
{"sctp", OPT_SCTP, '-', "Use SCTP"},
|
||||
{"sctp_label_bug", OPT_SCTP_LABEL_BUG, '-', "Enable SCTP label length bug"},
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_DH
|
||||
{"no_dhe", OPT_NO_DHE, '-', "Disable ephemeral DH"},
|
||||
@ -1047,6 +1048,9 @@ int s_server_main(int argc, char *argv[])
|
||||
const char *keylog_file = NULL;
|
||||
int max_early_data = -1, recv_max_early_data = -1;
|
||||
char *psksessf = NULL;
|
||||
#ifndef OPENSSL_NO_SCTP
|
||||
int sctp_label_bug = 0;
|
||||
#endif
|
||||
|
||||
/* Init of few remaining global variables */
|
||||
local_argc = argc;
|
||||
@ -1407,7 +1411,7 @@ int s_server_main(int argc, char *argv[])
|
||||
for (p = psk_key = opt_arg(); *p; p++) {
|
||||
if (isxdigit(_UC(*p)))
|
||||
continue;
|
||||
BIO_printf(bio_err, "Not a hex number '%s'\n", *argv);
|
||||
BIO_printf(bio_err, "Not a hex number '%s'\n", psk_key);
|
||||
goto end;
|
||||
}
|
||||
break;
|
||||
@ -1488,6 +1492,11 @@ int s_server_main(int argc, char *argv[])
|
||||
case OPT_SCTP:
|
||||
#ifndef OPENSSL_NO_SCTP
|
||||
protocol = IPPROTO_SCTP;
|
||||
#endif
|
||||
break;
|
||||
case OPT_SCTP_LABEL_BUG:
|
||||
#ifndef OPENSSL_NO_SCTP
|
||||
sctp_label_bug = 1;
|
||||
#endif
|
||||
break;
|
||||
case OPT_TIMEOUT:
|
||||
@ -1792,6 +1801,12 @@ int s_server_main(int argc, char *argv[])
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
|
||||
#ifndef OPENSSL_NO_SCTP
|
||||
if (protocol == IPPROTO_SCTP && sctp_label_bug == 1)
|
||||
SSL_CTX_set_mode(ctx, SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG);
|
||||
#endif
|
||||
|
||||
if (min_version != 0
|
||||
&& SSL_CTX_set_min_proto_version(ctx, min_version) == 0)
|
||||
goto end;
|
||||
@ -2754,6 +2769,8 @@ static int init_ssl_connection(SSL *con)
|
||||
BIO_ADDR_free(client);
|
||||
return 0;
|
||||
}
|
||||
|
||||
(void)BIO_ctrl_set_connected(wbio, client);
|
||||
BIO_ADDR_free(client);
|
||||
dtlslisten = 0;
|
||||
} else {
|
||||
|
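Review bot: The corrected message in the PSK hex check, `BIO_printf(bio_err, "Not a hex number '%s'\n", psk_key);`, prints the whole option argument, which is the pre-shared key itself. A single mistyped digit therefore writes the rest of the secret to bio_err and to whatever captures stderr. Reporting the position is enough to find the typo, for example `BIO_printf(bio_err, "Not a hex number at offset %d of the PSK\n", (int)(p - psk_key));`. The enclosing `s_server_main` starts and ends outside this hunk, so I cannot tell whether other diagnostics echo the key as well.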
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
@ -100,7 +100,7 @@
|
||||
#include <openssl/modes.h>
|
||||
|
||||
#ifndef HAVE_FORK
|
||||
# if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS)
|
||||
# if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_VXWORKS)
|
||||
# define HAVE_FORK 0
|
||||
# else
|
||||
# define HAVE_FORK 1
|
||||
@ -1499,11 +1499,11 @@ int speed_main(int argc, char **argv)
|
||||
{"nistp192", NID_X9_62_prime192v1, 192},
|
||||
{"nistp224", NID_secp224r1, 224},
|
||||
{"nistp256", NID_X9_62_prime256v1, 256},
|
||||
{"nistp384", NID_secp384r1, 384},
|
||||
{"nistp384", NID_secp384r1, 384},
|
||||
{"nistp521", NID_secp521r1, 521},
|
||||
/* Binary Curves */
|
||||
{"nistk163", NID_sect163k1, 163},
|
||||
{"nistk233", NID_sect233k1, 233},
|
||||
{"nistk233", NID_sect233k1, 233},
|
||||
{"nistk283", NID_sect283k1, 283},
|
||||
{"nistk409", NID_sect409k1, 409},
|
||||
{"nistk571", NID_sect571k1, 571},
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -286,16 +286,19 @@ static int cb(int ok, X509_STORE_CTX *ctx)
|
||||
cert_error,
|
||||
X509_STORE_CTX_get_error_depth(ctx),
|
||||
X509_verify_cert_error_string(cert_error));
|
||||
|
||||
/*
|
||||
* Pretend that some errors are ok, so they don't stop further
|
||||
* processing of the certificate chain. Setting ok = 1 does this.
|
||||
* After X509_verify_cert() is done, we verify that there were
|
||||
* no actual errors, even if the returned value was positive.
|
||||
*/
|
||||
switch (cert_error) {
|
||||
case X509_V_ERR_NO_EXPLICIT_POLICY:
|
||||
policies_print(ctx);
|
||||
/* fall thru */
|
||||
case X509_V_ERR_CERT_HAS_EXPIRED:
|
||||
|
||||
/*
|
||||
* since we are just checking the certificates, it is ok if they
|
||||
* are self signed. But we should still warn the user.
|
||||
*/
|
||||
/* Continue even if the leaf is a self signed cert */
|
||||
case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
|
||||
/* Continue after extension errors too */
|
||||
case X509_V_ERR_INVALID_CA:
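Review bot: The rewritten block comment says the real result is checked after X509_verify_cert() returns, but it does not say where, and that check is not part of this hunk. Meanwhile the case list below it lets expired, self-signed-leaf and invalid-CA errors continue. Naming the follow-up check would stop the callback from being read as a complete verification policy, for example by adding ` * The caller must still test X509_STORE_CTX_get_error() == X509_V_OK.` to the comment. The body of cb() continues outside the hunk, so the place where ok is actually set is not visible here.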
|
||||
|
@ -1,5 +1,5 @@
|
||||
#!/bin/sh
|
||||
# Copyright 1998-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
# Copyright 1998-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
#
|
||||
# Licensed under the OpenSSL license (the "License"). You may not use
|
||||
# this file except in compliance with the License. You can obtain a copy
|
||||
@ -19,7 +19,7 @@ THERE=`dirname $0`
|
||||
# pick up any command line args to config
|
||||
for i
|
||||
do
|
||||
case "$i" in
|
||||
case "$i" in
|
||||
-d*) options=$options" --debug";;
|
||||
-t*) DRYRUN="true" VERBOSE="true";;
|
||||
-v*) VERBOSE="true";;
|
||||
@ -59,7 +59,7 @@ __CNF_LDLIBS=
|
||||
|
||||
# Now test for ISC and SCO, since it is has a braindamaged uname.
|
||||
#
|
||||
# We need to work around FreeBSD 1.1.5.1
|
||||
# We need to work around FreeBSD 1.1.5.1
|
||||
(
|
||||
XREL=`uname -X 2>/dev/null | grep "^Release" | awk '{print $3}'`
|
||||
if [ "x$XREL" != "x" ]; then
|
||||
@ -363,7 +363,7 @@ esac
|
||||
# At this point we gone through all the one's
|
||||
# we know of: Punt
|
||||
|
||||
echo "${MACHINE}-whatever-${SYSTEM}"
|
||||
echo "${MACHINE}-whatever-${SYSTEM}"
|
||||
exit 0
|
||||
) 2>/dev/null | (
|
||||
|
||||
@ -433,7 +433,7 @@ fi
|
||||
|
||||
CCVER=${CCVER:-0}
|
||||
|
||||
# read the output of the embedded GuessOS
|
||||
# read the output of the embedded GuessOS
|
||||
read GUESSOS
|
||||
|
||||
echo Operating system: $GUESSOS
|
||||
@ -732,7 +732,7 @@ case "$GUESSOS" in
|
||||
*-*-[Uu]nix[Ww]are7)
|
||||
if [ "$CC" = "gcc" ]; then
|
||||
OUT="unixware-7-gcc" ; options="$options no-sse2"
|
||||
else
|
||||
else
|
||||
OUT="unixware-7" ; options="$options no-sse2"
|
||||
__CNF_CPPFLAGS="$__CNF_CPPFLAGS -D__i386__"
|
||||
fi
|
||||
@ -793,7 +793,7 @@ case "$GUESSOS" in
|
||||
OUT="aix64-gcc"
|
||||
fi
|
||||
elif [ $OBJECT_MODE -eq 64 ]; then
|
||||
echo 'Your $OBJECT_MODE was found to be set to 64'
|
||||
echo 'Your $OBJECT_MODE was found to be set to 64'
|
||||
OUT="aix64-cc"
|
||||
else
|
||||
OUT="aix-cc"
|
||||
@ -897,7 +897,7 @@ if [ ".$PERL" = . ] ; then
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# run Configure to check to see if we need to specify the
|
||||
# run Configure to check to see if we need to specify the
|
||||
# compiler for the platform ... in which case we add it on
|
||||
# the end ... otherwise we leave it off
|
||||
|
||||
@ -920,7 +920,7 @@ if [ $? = "0" ]; then
|
||||
__CNF_LDFLAGS="'$__CNF_LDFLAGS'" \
|
||||
__CNF_LDLIBS="'$__CNF_LDLIBS'" \
|
||||
$PERL $THERE/Configure $OUT $options
|
||||
fi
|
||||
fi
|
||||
if [ "$DRYRUN" = "false" ]; then
|
||||
# eval to make sure quoted options, possibly with spaces inside,
|
||||
# are treated right
|
||||
|
@ -1,5 +1,5 @@
|
||||
#! /usr/bin/env perl
|
||||
# Copyright 2005-2016 The OpenSSL Project Authors. All Rights Reserved.
|
||||
# Copyright 2005-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
#
|
||||
# Licensed under the OpenSSL license (the "License"). You may not use
|
||||
# this file except in compliance with the License. You can obtain a copy
|
||||
@ -554,6 +554,7 @@ $code.=<<___;
|
||||
.type _x86_64_AES_encrypt_compact,\@abi-omnipotent
|
||||
.align 16
|
||||
_x86_64_AES_encrypt_compact:
|
||||
.cfi_startproc
|
||||
lea 128($sbox),$inp # size optimization
|
||||
mov 0-128($inp),$acc1 # prefetch Te4
|
||||
mov 32-128($inp),$acc2
|
||||
@ -587,6 +588,7 @@ $code.=<<___;
|
||||
xor 8($key),$s2
|
||||
xor 12($key),$s3
|
||||
.byte 0xf3,0xc3 # rep ret
|
||||
.cfi_endproc
|
||||
.size _x86_64_AES_encrypt_compact,.-_x86_64_AES_encrypt_compact
|
||||
___
|
||||
|
||||
@ -1161,6 +1163,7 @@ $code.=<<___;
|
||||
.type _x86_64_AES_decrypt_compact,\@abi-omnipotent
|
||||
.align 16
|
||||
_x86_64_AES_decrypt_compact:
|
||||
.cfi_startproc
|
||||
lea 128($sbox),$inp # size optimization
|
||||
mov 0-128($inp),$acc1 # prefetch Td4
|
||||
mov 32-128($inp),$acc2
|
||||
@ -1203,6 +1206,7 @@ $code.=<<___;
|
||||
xor 8($key),$s2
|
||||
xor 12($key),$s3
|
||||
.byte 0xf3,0xc3 # rep ret
|
||||
.cfi_endproc
|
||||
.size _x86_64_AES_decrypt_compact,.-_x86_64_AES_decrypt_compact
|
||||
___
|
||||
|
||||
@ -1365,6 +1369,7 @@ AES_set_encrypt_key:
|
||||
.type _x86_64_AES_set_encrypt_key,\@abi-omnipotent
|
||||
.align 16
|
||||
_x86_64_AES_set_encrypt_key:
|
||||
.cfi_startproc
|
||||
mov %esi,%ecx # %ecx=bits
|
||||
mov %rdi,%rsi # %rsi=userKey
|
||||
mov %rdx,%rdi # %rdi=key
|
||||
@ -1546,6 +1551,7 @@ $code.=<<___;
|
||||
mov \$-1,%rax
|
||||
.Lexit:
|
||||
.byte 0xf3,0xc3 # rep ret
|
||||
.cfi_endproc
|
||||
.size _x86_64_AES_set_encrypt_key,.-_x86_64_AES_set_encrypt_key
|
||||
___
|
||||
|
||||
@ -1728,7 +1734,9 @@ AES_cbc_encrypt:
|
||||
cmp \$0,%rdx # check length
|
||||
je .Lcbc_epilogue
|
||||
pushfq
|
||||
.cfi_push 49 # %rflags
|
||||
# This could be .cfi_push 49, but libunwind fails on registers it does not
|
||||
# recognize. See https://bugzilla.redhat.com/show_bug.cgi?id=217087.
|
||||
.cfi_adjust_cfa_offset 8
|
||||
push %rbx
|
||||
.cfi_push %rbx
|
||||
push %rbp
|
||||
@ -1751,6 +1759,7 @@ AES_cbc_encrypt:
|
||||
cmp \$0,%r9
|
||||
cmoveq %r10,$sbox
|
||||
|
||||
.cfi_remember_state
|
||||
mov OPENSSL_ia32cap_P(%rip),%r10d
|
||||
cmp \$$speed_limit,%rdx
|
||||
jb .Lcbc_slow_prologue
|
||||
@ -1986,6 +1995,7 @@ AES_cbc_encrypt:
|
||||
#--------------------------- SLOW ROUTINE ---------------------------#
|
||||
.align 16
|
||||
.Lcbc_slow_prologue:
|
||||
.cfi_restore_state
|
||||
# allocate aligned stack frame...
|
||||
lea -88(%rsp),%rbp
|
||||
and \$-64,%rbp
|
||||
@ -1997,8 +2007,10 @@ AES_cbc_encrypt:
|
||||
sub %r10,%rbp
|
||||
|
||||
xchg %rsp,%rbp
|
||||
.cfi_def_cfa_register %rbp
|
||||
#add \$8,%rsp # reserve for return address!
|
||||
mov %rbp,$_rsp # save %rsp
|
||||
.cfi_cfa_expression $_rsp,deref,+64
|
||||
.Lcbc_slow_body:
|
||||
#mov %rdi,$_inp # save copy of inp
|
||||
#mov %rsi,$_out # save copy of out
|
||||
@ -2187,7 +2199,9 @@ AES_cbc_encrypt:
|
||||
.cfi_def_cfa %rsp,16
|
||||
.Lcbc_popfq:
|
||||
popfq
|
||||
.cfi_pop 49 # %rflags
|
||||
# This could be .cfi_pop 49, but libunwind fails on registers it does not
|
||||
# recognize. See https://bugzilla.redhat.com/show_bug.cgi?id=217087.
|
||||
.cfi_adjust_cfa_offset -8
|
||||
.Lcbc_epilogue:
|
||||
ret
|
||||
.cfi_endproc
|
||||
|
@ -1,5 +1,5 @@
|
||||
#! /usr/bin/env perl
|
||||
# Copyright 2009-2016 The OpenSSL Project Authors. All Rights Reserved.
|
||||
# Copyright 2009-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
#
|
||||
# Licensed under the OpenSSL license (the "License"). You may not use
|
||||
# this file except in compliance with the License. You can obtain a copy
|
||||
@ -274,6 +274,7 @@ $code.=<<___;
|
||||
.type ${PREFIX}_encrypt,\@abi-omnipotent
|
||||
.align 16
|
||||
${PREFIX}_encrypt:
|
||||
.cfi_startproc
|
||||
movups ($inp),$inout0 # load input
|
||||
mov 240($key),$rounds # key->rounds
|
||||
___
|
||||
@ -284,12 +285,14 @@ $code.=<<___;
|
||||
movups $inout0,($out) # output
|
||||
pxor $inout0,$inout0
|
||||
ret
|
||||
.cfi_endproc
|
||||
.size ${PREFIX}_encrypt,.-${PREFIX}_encrypt
|
||||
|
||||
.globl ${PREFIX}_decrypt
|
||||
.type ${PREFIX}_decrypt,\@abi-omnipotent
|
||||
.align 16
|
||||
${PREFIX}_decrypt:
|
||||
.cfi_startproc
|
||||
movups ($inp),$inout0 # load input
|
||||
mov 240($key),$rounds # key->rounds
|
||||
___
|
||||
@ -300,6 +303,7 @@ $code.=<<___;
|
||||
movups $inout0,($out) # output
|
||||
pxor $inout0,$inout0
|
||||
ret
|
||||
.cfi_endproc
|
||||
.size ${PREFIX}_decrypt, .-${PREFIX}_decrypt
|
||||
___
|
||||
}
|
||||
@ -325,6 +329,7 @@ $code.=<<___;
|
||||
.type _aesni_${dir}rypt2,\@abi-omnipotent
|
||||
.align 16
|
||||
_aesni_${dir}rypt2:
|
||||
.cfi_startproc
|
||||
$movkey ($key),$rndkey0
|
||||
shl \$4,$rounds
|
||||
$movkey 16($key),$rndkey1
|
||||
@ -350,6 +355,7 @@ _aesni_${dir}rypt2:
|
||||
aes${dir}last $rndkey0,$inout0
|
||||
aes${dir}last $rndkey0,$inout1
|
||||
ret
|
||||
.cfi_endproc
|
||||
.size _aesni_${dir}rypt2,.-_aesni_${dir}rypt2
|
||||
___
|
||||
}
|
||||
@ -361,6 +367,7 @@ $code.=<<___;
|
||||
.type _aesni_${dir}rypt3,\@abi-omnipotent
|
||||
.align 16
|
||||
_aesni_${dir}rypt3:
|
||||
.cfi_startproc
|
||||
$movkey ($key),$rndkey0
|
||||
shl \$4,$rounds
|
||||
$movkey 16($key),$rndkey1
|
||||
@ -391,6 +398,7 @@ _aesni_${dir}rypt3:
|
||||
aes${dir}last $rndkey0,$inout1
|
||||
aes${dir}last $rndkey0,$inout2
|
||||
ret
|
||||
.cfi_endproc
|
||||
.size _aesni_${dir}rypt3,.-_aesni_${dir}rypt3
|
||||
___
|
||||
}
|
||||
@ -406,6 +414,7 @@ $code.=<<___;
|
||||
.type _aesni_${dir}rypt4,\@abi-omnipotent
|
||||
.align 16
|
||||
_aesni_${dir}rypt4:
|
||||
.cfi_startproc
|
||||
$movkey ($key),$rndkey0
|
||||
shl \$4,$rounds
|
||||
$movkey 16($key),$rndkey1
|
||||
@ -442,6 +451,7 @@ _aesni_${dir}rypt4:
|
||||
aes${dir}last $rndkey0,$inout2
|
||||
aes${dir}last $rndkey0,$inout3
|
||||
ret
|
||||
.cfi_endproc
|
||||
.size _aesni_${dir}rypt4,.-_aesni_${dir}rypt4
|
||||
___
|
||||
}
|
||||
@ -453,6 +463,7 @@ $code.=<<___;
|
||||
.type _aesni_${dir}rypt6,\@abi-omnipotent
|
||||
.align 16
|
||||
_aesni_${dir}rypt6:
|
||||
.cfi_startproc
|
||||
$movkey ($key),$rndkey0
|
||||
shl \$4,$rounds
|
||||
$movkey 16($key),$rndkey1
|
||||
@ -503,6 +514,7 @@ _aesni_${dir}rypt6:
|
||||
aes${dir}last $rndkey0,$inout4
|
||||
aes${dir}last $rndkey0,$inout5
|
||||
ret
|
||||
.cfi_endproc
|
||||
.size _aesni_${dir}rypt6,.-_aesni_${dir}rypt6
|
||||
___
|
||||
}
|
||||
@ -514,6 +526,7 @@ $code.=<<___;
|
||||
.type _aesni_${dir}rypt8,\@abi-omnipotent
|
||||
.align 16
|
||||
_aesni_${dir}rypt8:
|
||||
.cfi_startproc
|
||||
$movkey ($key),$rndkey0
|
||||
shl \$4,$rounds
|
||||
$movkey 16($key),$rndkey1
|
||||
@ -574,6 +587,7 @@ _aesni_${dir}rypt8:
|
||||
aes${dir}last $rndkey0,$inout6
|
||||
aes${dir}last $rndkey0,$inout7
|
||||
ret
|
||||
.cfi_endproc
|
||||
.size _aesni_${dir}rypt8,.-_aesni_${dir}rypt8
|
||||
___
|
||||
}
|
||||
@ -598,6 +612,7 @@ $code.=<<___;
|
||||
.type aesni_ecb_encrypt,\@function,5
|
||||
.align 16
|
||||
aesni_ecb_encrypt:
|
||||
.cfi_startproc
|
||||
___
|
||||
$code.=<<___ if ($win64);
|
||||
lea -0x58(%rsp),%rsp
|
||||
@ -943,6 +958,7 @@ $code.=<<___ if ($win64);
|
||||
___
|
||||
$code.=<<___;
|
||||
ret
|
||||
.cfi_endproc
|
||||
.size aesni_ecb_encrypt,.-aesni_ecb_encrypt
|
||||
___
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
#! /usr/bin/env perl
|
||||
# Copyright 2014-2016 The OpenSSL Project Authors. All Rights Reserved.
|
||||
# Copyright 2014-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
#
|
||||
# Licensed under the OpenSSL license (the "License"). You may not use
|
||||
# this file except in compliance with the License. You can obtain a copy
|
||||
@ -262,6 +262,7 @@ $code.=<<___;
|
||||
${prefix}_set_decrypt_key:
|
||||
___
|
||||
$code.=<<___ if ($flavour =~ /64/);
|
||||
.inst 0xd503233f // paciasp
|
||||
stp x29,x30,[sp,#-16]!
|
||||
add x29,sp,#0
|
||||
___
|
||||
@ -305,6 +306,7 @@ $code.=<<___ if ($flavour !~ /64/);
|
||||
___
|
||||
$code.=<<___ if ($flavour =~ /64/);
|
||||
ldp x29,x30,[sp],#16
|
||||
.inst 0xd50323bf // autiasp
|
||||
ret
|
||||
___
|
||||
$code.=<<___;
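Review bot: The two added `.inst` words carry only the mnemonic as a comment, so nothing records why they are emitted as raw encodings or what happens on cores without pointer authentication. Both instructions are in the HINT space and execute as NOPs where the feature is absent; the raw `.inst` form presumably keeps older assemblers working. A one-line comment at the first use would capture that, e.g. `// paciasp/autiasp are HINT-space: NOP on cores without pointer authentication`. The same pair is added around the vpaes_* functions in a later section of this commit.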
|
||||
|
@ -1,5 +1,5 @@
|
||||
#! /usr/bin/env perl
|
||||
# Copyright 2011-2016 The OpenSSL Project Authors. All Rights Reserved.
|
||||
# Copyright 2011-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
#
|
||||
# Licensed under the OpenSSL license (the "License"). You may not use
|
||||
# this file except in compliance with the License. You can obtain a copy
|
||||
@ -816,6 +816,7 @@ $code.=<<___;
|
||||
.type _bsaes_encrypt8,\@abi-omnipotent
|
||||
.align 64
|
||||
_bsaes_encrypt8:
|
||||
.cfi_startproc
|
||||
lea .LBS0(%rip), $const # constants table
|
||||
|
||||
movdqa ($key), @XMM[9] # round 0 key
|
||||
@ -875,11 +876,13 @@ $code.=<<___;
|
||||
pxor @XMM[8], @XMM[0]
|
||||
pxor @XMM[8], @XMM[1]
|
||||
ret
|
||||
.cfi_endproc
|
||||
.size _bsaes_encrypt8,.-_bsaes_encrypt8
|
||||
|
||||
.type _bsaes_decrypt8,\@abi-omnipotent
|
||||
.align 64
|
||||
_bsaes_decrypt8:
|
||||
.cfi_startproc
|
||||
lea .LBS0(%rip), $const # constants table
|
||||
|
||||
movdqa ($key), @XMM[9] # round 0 key
|
||||
@ -937,6 +940,7 @@ $code.=<<___;
|
||||
pxor @XMM[8], @XMM[0]
|
||||
pxor @XMM[8], @XMM[1]
|
||||
ret
|
||||
.cfi_endproc
|
||||
.size _bsaes_decrypt8,.-_bsaes_decrypt8
|
||||
___
|
||||
}
|
||||
@ -971,6 +975,7 @@ $code.=<<___;
|
||||
.type _bsaes_key_convert,\@abi-omnipotent
|
||||
.align 16
|
||||
_bsaes_key_convert:
|
||||
.cfi_startproc
|
||||
lea .Lmasks(%rip), $const
|
||||
movdqu ($inp), %xmm7 # load round 0 key
|
||||
lea 0x10($inp), $inp
|
||||
@ -1049,6 +1054,7 @@ _bsaes_key_convert:
|
||||
movdqa 0x50($const), %xmm7 # .L63
|
||||
#movdqa %xmm6, ($out) # don't save last round key
|
||||
ret
|
||||
.cfi_endproc
|
||||
.size _bsaes_key_convert,.-_bsaes_key_convert
|
||||
___
|
||||
}
|
||||
|
@ -1,5 +1,5 @@
|
||||
#! /usr/bin/env perl
|
||||
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
|
||||
# Copyright 2015-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
#
|
||||
# Licensed under the OpenSSL license (the "License"). You may not use
|
||||
# this file except in compliance with the License. You can obtain a copy
|
||||
@ -255,6 +255,7 @@ _vpaes_encrypt_core:
|
||||
.type vpaes_encrypt,%function
|
||||
.align 4
|
||||
vpaes_encrypt:
|
||||
.inst 0xd503233f // paciasp
|
||||
stp x29,x30,[sp,#-16]!
|
||||
add x29,sp,#0
|
||||
|
||||
@ -264,6 +265,7 @@ vpaes_encrypt:
|
||||
st1 {v0.16b}, [$out]
|
||||
|
||||
ldp x29,x30,[sp],#16
|
||||
.inst 0xd50323bf // autiasp
|
||||
ret
|
||||
.size vpaes_encrypt,.-vpaes_encrypt
|
||||
|
||||
@ -486,6 +488,7 @@ _vpaes_decrypt_core:
|
||||
.type vpaes_decrypt,%function
|
||||
.align 4
|
||||
vpaes_decrypt:
|
||||
.inst 0xd503233f // paciasp
|
||||
stp x29,x30,[sp,#-16]!
|
||||
add x29,sp,#0
|
||||
|
||||
@ -495,6 +498,7 @@ vpaes_decrypt:
|
||||
st1 {v0.16b}, [$out]
|
||||
|
||||
ldp x29,x30,[sp],#16
|
||||
.inst 0xd50323bf // autiasp
|
||||
ret
|
||||
.size vpaes_decrypt,.-vpaes_decrypt
|
||||
|
||||
@ -665,6 +669,7 @@ _vpaes_key_preheat:
|
||||
.type _vpaes_schedule_core,%function
|
||||
.align 4
|
||||
_vpaes_schedule_core:
|
||||
.inst 0xd503233f // paciasp
|
||||
stp x29, x30, [sp,#-16]!
|
||||
add x29,sp,#0
|
||||
|
||||
@ -829,6 +834,7 @@ _vpaes_schedule_core:
|
||||
eor v6.16b, v6.16b, v6.16b // vpxor %xmm6, %xmm6, %xmm6
|
||||
eor v7.16b, v7.16b, v7.16b // vpxor %xmm7, %xmm7, %xmm7
|
||||
ldp x29, x30, [sp],#16
|
||||
.inst 0xd50323bf // autiasp
|
||||
ret
|
||||
.size _vpaes_schedule_core,.-_vpaes_schedule_core
|
||||
|
||||
@ -1041,6 +1047,7 @@ _vpaes_schedule_mangle:
|
||||
.type vpaes_set_encrypt_key,%function
|
||||
.align 4
|
||||
vpaes_set_encrypt_key:
|
||||
.inst 0xd503233f // paciasp
|
||||
stp x29,x30,[sp,#-16]!
|
||||
add x29,sp,#0
|
||||
stp d8,d9,[sp,#-16]! // ABI spec says so
|
||||
@ -1056,6 +1063,7 @@ vpaes_set_encrypt_key:
|
||||
|
||||
ldp d8,d9,[sp],#16
|
||||
ldp x29,x30,[sp],#16
|
||||
.inst 0xd50323bf // autiasp
|
||||
ret
|
||||
.size vpaes_set_encrypt_key,.-vpaes_set_encrypt_key
|
||||
|
||||
@ -1063,6 +1071,7 @@ vpaes_set_encrypt_key:
|
||||
.type vpaes_set_decrypt_key,%function
|
||||
.align 4
|
||||
vpaes_set_decrypt_key:
|
||||
.inst 0xd503233f // paciasp
|
||||
stp x29,x30,[sp,#-16]!
|
||||
add x29,sp,#0
|
||||
stp d8,d9,[sp,#-16]! // ABI spec says so
|
||||
@ -1082,6 +1091,7 @@ vpaes_set_decrypt_key:
|
||||
|
||||
ldp d8,d9,[sp],#16
|
||||
ldp x29,x30,[sp],#16
|
||||
.inst 0xd50323bf // autiasp
|
||||
ret
|
||||
.size vpaes_set_decrypt_key,.-vpaes_set_decrypt_key
|
||||
___
|
||||
@ -1098,6 +1108,7 @@ vpaes_cbc_encrypt:
|
||||
cmp w5, #0 // check direction
|
||||
b.eq vpaes_cbc_decrypt
|
||||
|
||||
.inst 0xd503233f // paciasp
|
||||
stp x29,x30,[sp,#-16]!
|
||||
add x29,sp,#0
|
||||
|
||||
@ -1120,6 +1131,7 @@ vpaes_cbc_encrypt:
|
||||
st1 {v0.16b}, [$ivec] // write ivec
|
||||
|
||||
ldp x29,x30,[sp],#16
|
||||
.inst 0xd50323bf // autiasp
|
||||
.Lcbc_abort:
|
||||
ret
|
||||
.size vpaes_cbc_encrypt,.-vpaes_cbc_encrypt
|
||||
@ -1127,6 +1139,7 @@ vpaes_cbc_encrypt:
|
||||
.type vpaes_cbc_decrypt,%function
|
||||
.align 4
|
||||
vpaes_cbc_decrypt:
|
||||
.inst 0xd503233f // paciasp
|
||||
stp x29,x30,[sp,#-16]!
|
||||
add x29,sp,#0
|
||||
stp d8,d9,[sp,#-16]! // ABI spec says so
|
||||
@ -1168,6 +1181,7 @@ vpaes_cbc_decrypt:
|
||||
ldp d10,d11,[sp],#16
|
||||
ldp d8,d9,[sp],#16
|
||||
ldp x29,x30,[sp],#16
|
||||
.inst 0xd50323bf // autiasp
|
||||
ret
|
||||
.size vpaes_cbc_decrypt,.-vpaes_cbc_decrypt
|
||||
___
|
||||
@ -1177,6 +1191,7 @@ $code.=<<___;
|
||||
.type vpaes_ecb_encrypt,%function
|
||||
.align 4
|
||||
vpaes_ecb_encrypt:
|
||||
.inst 0xd503233f // paciasp
|
||||
stp x29,x30,[sp,#-16]!
|
||||
add x29,sp,#0
|
||||
stp d8,d9,[sp,#-16]! // ABI spec says so
|
||||
@ -1210,6 +1225,7 @@ vpaes_ecb_encrypt:
|
||||
ldp d10,d11,[sp],#16
|
||||
ldp d8,d9,[sp],#16
|
||||
ldp x29,x30,[sp],#16
|
||||
.inst 0xd50323bf // autiasp
|
||||
ret
|
||||
.size vpaes_ecb_encrypt,.-vpaes_ecb_encrypt
|
||||
|
||||
@ -1217,6 +1233,7 @@ vpaes_ecb_encrypt:
|
||||
.type vpaes_ecb_decrypt,%function
|
||||
.align 4
|
||||
vpaes_ecb_decrypt:
|
||||
.inst 0xd503233f // paciasp
|
||||
stp x29,x30,[sp,#-16]!
|
||||
add x29,sp,#0
|
||||
stp d8,d9,[sp,#-16]! // ABI spec says so
|
||||
@ -1250,6 +1267,7 @@ vpaes_ecb_decrypt:
|
||||
ldp d10,d11,[sp],#16
|
||||
ldp d8,d9,[sp],#16
|
||||
ldp x29,x30,[sp],#16
|
||||
.inst 0xd50323bf // autiasp
|
||||
ret
|
||||
.size vpaes_ecb_decrypt,.-vpaes_ecb_decrypt
|
||||
___
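Review bot: In vpaes_cbc_encrypt the new autiasp sits directly above the `.Lcbc_abort:` label, so any path that jumps to the label returns without authenticating x30. That is only correct if every branch to .Lcbc_abort is taken before the paciasp added further up, and the branch itself is not visible in these hunks. A comment at the label would pin the invariant, e.g. `// .Lcbc_abort is reached only before paciasp; LR is unsigned here`.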
|
||||
|
@ -1,5 +1,5 @@
|
||||
#! /usr/bin/env perl
|
||||
# Copyright 2011-2016 The OpenSSL Project Authors. All Rights Reserved.
|
||||
# Copyright 2011-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
#
|
||||
# Licensed under the OpenSSL license (the "License"). You may not use
|
||||
# this file except in compliance with the License. You can obtain a copy
|
||||
@ -91,6 +91,7 @@ $code.=<<___;
|
||||
.type _vpaes_encrypt_core,\@abi-omnipotent
|
||||
.align 16
|
||||
_vpaes_encrypt_core:
|
||||
.cfi_startproc
|
||||
mov %rdx, %r9
|
||||
mov \$16, %r11
|
||||
mov 240(%rdx),%eax
|
||||
@ -171,6 +172,7 @@ _vpaes_encrypt_core:
|
||||
pxor %xmm4, %xmm0 # 0 = A
|
||||
pshufb %xmm1, %xmm0
|
||||
ret
|
||||
.cfi_endproc
|
||||
.size _vpaes_encrypt_core,.-_vpaes_encrypt_core
|
||||
|
||||
##
|
||||
@ -181,6 +183,7 @@ _vpaes_encrypt_core:
|
||||
.type _vpaes_decrypt_core,\@abi-omnipotent
|
||||
.align 16
|
||||
_vpaes_decrypt_core:
|
||||
.cfi_startproc
|
||||
mov %rdx, %r9 # load key
|
||||
mov 240(%rdx),%eax
|
||||
movdqa %xmm9, %xmm1
|
||||
@ -277,6 +280,7 @@ _vpaes_decrypt_core:
|
||||
pxor %xmm4, %xmm0 # 0 = A
|
||||
pshufb %xmm2, %xmm0
|
||||
ret
|
||||
.cfi_endproc
|
||||
.size _vpaes_decrypt_core,.-_vpaes_decrypt_core
|
||||
|
||||
########################################################
|
||||
@ -287,6 +291,7 @@ _vpaes_decrypt_core:
|
||||
.type _vpaes_schedule_core,\@abi-omnipotent
|
||||
.align 16
|
||||
_vpaes_schedule_core:
|
||||
.cfi_startproc
|
||||
# rdi = key
|
||||
# rsi = size in bits
|
||||
# rdx = buffer
|
||||
@ -453,6 +458,7 @@ _vpaes_schedule_core:
|
||||
pxor %xmm6, %xmm6
|
||||
pxor %xmm7, %xmm7
|
||||
ret
|
||||
.cfi_endproc
|
||||
.size _vpaes_schedule_core,.-_vpaes_schedule_core
|
||||
|
||||
##
|
||||
@ -472,6 +478,7 @@ _vpaes_schedule_core:
|
||||
.type _vpaes_schedule_192_smear,\@abi-omnipotent
|
||||
.align 16
|
||||
_vpaes_schedule_192_smear:
|
||||
.cfi_startproc
|
||||
pshufd \$0x80, %xmm6, %xmm1 # d c 0 0 -> c 0 0 0
|
||||
pshufd \$0xFE, %xmm7, %xmm0 # b a _ _ -> b b b a
|
||||
pxor %xmm1, %xmm6 # -> c+d c 0 0
|
||||
@ -480,6 +487,7 @@ _vpaes_schedule_192_smear:
|
||||
movdqa %xmm6, %xmm0
|
||||
movhlps %xmm1, %xmm6 # clobber low side with zeros
|
||||
ret
|
||||
.cfi_endproc
|
||||
.size _vpaes_schedule_192_smear,.-_vpaes_schedule_192_smear
|
||||
|
||||
##
|
||||
@ -503,6 +511,7 @@ _vpaes_schedule_192_smear:
|
||||
.type _vpaes_schedule_round,\@abi-omnipotent
|
||||
.align 16
|
||||
_vpaes_schedule_round:
|
||||
.cfi_startproc
|
||||
# extract rcon from xmm8
|
||||
pxor %xmm1, %xmm1
|
||||
palignr \$15, %xmm8, %xmm1
|
||||
@ -556,6 +565,7 @@ _vpaes_schedule_low_round:
|
||||
pxor %xmm7, %xmm0
|
||||
movdqa %xmm0, %xmm7
|
||||
ret
|
||||
.cfi_endproc
|
||||
.size _vpaes_schedule_round,.-_vpaes_schedule_round
|
||||
|
||||
##
|
||||
@ -570,6 +580,7 @@ _vpaes_schedule_low_round:
|
||||
.type _vpaes_schedule_transform,\@abi-omnipotent
|
||||
.align 16
|
||||
_vpaes_schedule_transform:
|
||||
.cfi_startproc
|
||||
movdqa %xmm9, %xmm1
|
||||
pandn %xmm0, %xmm1
|
||||
psrld \$4, %xmm1
|
||||
@ -580,6 +591,7 @@ _vpaes_schedule_transform:
|
||||
pshufb %xmm1, %xmm0
|
||||
pxor %xmm2, %xmm0
|
||||
ret
|
||||
.cfi_endproc
|
||||
.size _vpaes_schedule_transform,.-_vpaes_schedule_transform
|
||||
|
||||
##
|
||||
@ -608,6 +620,7 @@ _vpaes_schedule_transform:
|
||||
.type _vpaes_schedule_mangle,\@abi-omnipotent
|
||||
.align 16
|
||||
_vpaes_schedule_mangle:
|
||||
.cfi_startproc
|
||||
movdqa %xmm0, %xmm4 # save xmm0 for later
|
||||
movdqa .Lk_mc_forward(%rip),%xmm5
|
||||
test %rcx, %rcx
|
||||
@ -672,6 +685,7 @@ _vpaes_schedule_mangle:
|
||||
and \$0x30, %r8
|
||||
movdqu %xmm3, (%rdx)
|
||||
ret
|
||||
.cfi_endproc
|
||||
.size _vpaes_schedule_mangle,.-_vpaes_schedule_mangle
|
||||
|
||||
#
|
||||
@ -681,6 +695,7 @@ _vpaes_schedule_mangle:
|
||||
.type ${PREFIX}_set_encrypt_key,\@function,3
|
||||
.align 16
|
||||
${PREFIX}_set_encrypt_key:
|
||||
.cfi_startproc
|
||||
___
|
||||
$code.=<<___ if ($win64);
|
||||
lea -0xb8(%rsp),%rsp
|
||||
@ -723,12 +738,14 @@ ___
|
||||
$code.=<<___;
|
||||
xor %eax,%eax
|
||||
ret
|
||||
.cfi_endproc
|
||||
.size ${PREFIX}_set_encrypt_key,.-${PREFIX}_set_encrypt_key
|
||||
|
||||
.globl ${PREFIX}_set_decrypt_key
|
||||
.type ${PREFIX}_set_decrypt_key,\@function,3
|
||||
.align 16
|
||||
${PREFIX}_set_decrypt_key:
|
||||
.cfi_startproc
|
||||
___
|
||||
$code.=<<___ if ($win64);
|
||||
lea -0xb8(%rsp),%rsp
|
||||
@ -776,12 +793,14 @@ ___
|
||||
$code.=<<___;
|
||||
xor %eax,%eax
|
||||
ret
|
||||
.cfi_endproc
|
||||
.size ${PREFIX}_set_decrypt_key,.-${PREFIX}_set_decrypt_key
|
||||
|
||||
.globl ${PREFIX}_encrypt
|
||||
.type ${PREFIX}_encrypt,\@function,3
|
||||
.align 16
|
||||
${PREFIX}_encrypt:
|
||||
.cfi_startproc
|
||||
___
|
||||
$code.=<<___ if ($win64);
|
||||
lea -0xb8(%rsp),%rsp
|
||||
@ -819,12 +838,14 @@ $code.=<<___ if ($win64);
|
||||
___
|
||||
$code.=<<___;
|
||||
ret
|
||||
.cfi_endproc
|
||||
.size ${PREFIX}_encrypt,.-${PREFIX}_encrypt
|
||||
|
||||
.globl ${PREFIX}_decrypt
|
||||
.type ${PREFIX}_decrypt,\@function,3
|
||||
.align 16
|
||||
${PREFIX}_decrypt:
|
||||
.cfi_startproc
|
||||
___
|
||||
$code.=<<___ if ($win64);
|
||||
lea -0xb8(%rsp),%rsp
|
||||
@ -862,6 +883,7 @@ $code.=<<___ if ($win64);
|
||||
___
|
||||
$code.=<<___;
|
||||
ret
|
||||
.cfi_endproc
|
||||
.size ${PREFIX}_decrypt,.-${PREFIX}_decrypt
|
||||
___
|
||||
{
|
||||
@ -874,6 +896,7 @@ $code.=<<___;
|
||||
.type ${PREFIX}_cbc_encrypt,\@function,6
|
||||
.align 16
|
||||
${PREFIX}_cbc_encrypt:
|
||||
.cfi_startproc
|
||||
xchg $key,$len
|
||||
___
|
||||
($len,$key)=($key,$len);
|
||||
@ -944,6 +967,7 @@ ___
|
||||
$code.=<<___;
|
||||
.Lcbc_abort:
|
||||
ret
|
||||
.cfi_endproc
|
||||
.size ${PREFIX}_cbc_encrypt,.-${PREFIX}_cbc_encrypt
|
||||
___
|
||||
}
|
||||
@ -957,6 +981,7 @@ $code.=<<___;
|
||||
.type _vpaes_preheat,\@abi-omnipotent
|
||||
.align 16
|
||||
_vpaes_preheat:
|
||||
.cfi_startproc
|
||||
lea .Lk_s0F(%rip), %r10
|
||||
movdqa -0x20(%r10), %xmm10 # .Lk_inv
|
||||
movdqa -0x10(%r10), %xmm11 # .Lk_inv+16
|
||||
@ -966,6 +991,7 @@ _vpaes_preheat:
|
||||
movdqa 0x50(%r10), %xmm15 # .Lk_sb2
|
||||
movdqa 0x60(%r10), %xmm14 # .Lk_sb2+16
|
||||
ret
|
||||
.cfi_endproc
|
||||
.size _vpaes_preheat,.-_vpaes_preheat
|
||||
########################################################
|
||||
## ##
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2011-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -63,14 +63,12 @@ uint32_t OPENSSL_rdtsc(void)
|
||||
# if defined(__GNUC__) && __GNUC__>=2
|
||||
void OPENSSL_cpuid_setup(void) __attribute__ ((constructor));
|
||||
# endif
|
||||
/*
|
||||
* Use a weak reference to getauxval() so we can use it if it is available but
|
||||
* don't break the build if it is not.
|
||||
*/
|
||||
# if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__)
|
||||
extern unsigned long getauxval(unsigned long type) __attribute__ ((weak));
|
||||
# else
|
||||
static unsigned long (*getauxval) (unsigned long) = NULL;
|
||||
|
||||
# if defined(__GLIBC__) && defined(__GLIBC_PREREQ)
|
||||
# if __GLIBC_PREREQ(2, 16)
|
||||
# include <sys/auxv.h>
|
||||
# define OSSL_IMPLEMENT_GETAUXVAL
|
||||
# endif
|
||||
# endif
|
||||
|
||||
/*
|
||||
@ -135,6 +133,33 @@ void OPENSSL_cpuid_setup(void)
|
||||
*/
|
||||
# endif
|
||||
|
||||
OPENSSL_armcap_P = 0;
|
||||
|
||||
# ifdef OSSL_IMPLEMENT_GETAUXVAL
|
||||
if (getauxval(HWCAP) & HWCAP_NEON) {
|
||||
unsigned long hwcap = getauxval(HWCAP_CE);
|
||||
|
||||
OPENSSL_armcap_P |= ARMV7_NEON;
|
||||
|
||||
if (hwcap & HWCAP_CE_AES)
|
||||
OPENSSL_armcap_P |= ARMV8_AES;
|
||||
|
||||
if (hwcap & HWCAP_CE_PMULL)
|
||||
OPENSSL_armcap_P |= ARMV8_PMULL;
|
||||
|
||||
if (hwcap & HWCAP_CE_SHA1)
|
||||
OPENSSL_armcap_P |= ARMV8_SHA1;
|
||||
|
||||
if (hwcap & HWCAP_CE_SHA256)
|
||||
OPENSSL_armcap_P |= ARMV8_SHA256;
|
||||
|
||||
# ifdef __aarch64__
|
||||
if (hwcap & HWCAP_CE_SHA512)
|
||||
OPENSSL_armcap_P |= ARMV8_SHA512;
|
||||
# endif
|
||||
}
|
||||
# endif
|
||||
|
||||
sigfillset(&all_masked);
|
||||
sigdelset(&all_masked, SIGILL);
|
||||
sigdelset(&all_masked, SIGTRAP);
|
||||
@ -142,8 +167,6 @@ void OPENSSL_cpuid_setup(void)
|
||||
sigdelset(&all_masked, SIGBUS);
|
||||
sigdelset(&all_masked, SIGSEGV);
|
||||
|
||||
OPENSSL_armcap_P = 0;
|
||||
|
||||
memset(&ill_act, 0, sizeof(ill_act));
|
||||
ill_act.sa_handler = ill_handler;
|
||||
ill_act.sa_mask = all_masked;
|
||||
@ -151,30 +174,9 @@ void OPENSSL_cpuid_setup(void)
|
||||
sigprocmask(SIG_SETMASK, &ill_act.sa_mask, &oset);
|
||||
sigaction(SIGILL, &ill_act, &ill_oact);
|
||||
|
||||
if (getauxval != NULL) {
|
||||
if (getauxval(HWCAP) & HWCAP_NEON) {
|
||||
unsigned long hwcap = getauxval(HWCAP_CE);
|
||||
|
||||
OPENSSL_armcap_P |= ARMV7_NEON;
|
||||
|
||||
if (hwcap & HWCAP_CE_AES)
|
||||
OPENSSL_armcap_P |= ARMV8_AES;
|
||||
|
||||
if (hwcap & HWCAP_CE_PMULL)
|
||||
OPENSSL_armcap_P |= ARMV8_PMULL;
|
||||
|
||||
if (hwcap & HWCAP_CE_SHA1)
|
||||
OPENSSL_armcap_P |= ARMV8_SHA1;
|
||||
|
||||
if (hwcap & HWCAP_CE_SHA256)
|
||||
OPENSSL_armcap_P |= ARMV8_SHA256;
|
||||
|
||||
# ifdef __aarch64__
|
||||
if (hwcap & HWCAP_CE_SHA512)
|
||||
OPENSSL_armcap_P |= ARMV8_SHA512;
|
||||
# endif
|
||||
}
|
||||
} else if (sigsetjmp(ill_jmp, 1) == 0) {
|
||||
/* If we used getauxval, we already have all the values */
|
||||
# ifndef OSSL_IMPLEMENT_GETAUXVAL
|
||||
if (sigsetjmp(ill_jmp, 1) == 0) {
|
||||
_armv7_neon_probe();
|
||||
OPENSSL_armcap_P |= ARMV7_NEON;
|
||||
if (sigsetjmp(ill_jmp, 1) == 0) {
|
||||
@ -192,13 +194,16 @@ void OPENSSL_cpuid_setup(void)
|
||||
_armv8_sha256_probe();
|
||||
OPENSSL_armcap_P |= ARMV8_SHA256;
|
||||
}
|
||||
# if defined(__aarch64__) && !defined(__APPLE__)
|
||||
# if defined(__aarch64__) && !defined(__APPLE__)
|
||||
if (sigsetjmp(ill_jmp, 1) == 0) {
|
||||
_armv8_sha512_probe();
|
||||
OPENSSL_armcap_P |= ARMV8_SHA512;
|
||||
}
|
||||
# endif
|
||||
# endif
|
||||
}
|
||||
# endif
|
||||
|
||||
/* Things that getauxval didn't tell us */
|
||||
if (sigsetjmp(ill_jmp, 1) == 0) {
|
||||
_armv7_tick();
|
||||
OPENSSL_armcap_P |= ARMV7_TICK;
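Review bot: With OSSL_IMPLEMENT_GETAUXVAL defined, the SIGILL probes for NEON and the crypto extensions are compiled out by `# ifndef OSSL_IMPLEMENT_GETAUXVAL`, so nothing re-checks a getauxval(HWCAP) result that lacks HWCAP_NEON. getauxval() returns 0 both when no bits are set and when the entry is not found, so the two cases cannot be told apart here. This fails toward the portable code paths, which is the safe direction, but it deserves a comment next to the getauxval block, e.g. `/* A 0 from getauxval() means no extensions are used; there is no probe fallback in this build. */`. The body of OPENSSL_cpuid_setup continues outside the hunk.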
|
||||
|
@ -23,18 +23,22 @@
|
||||
int ASN1_digest(i2d_of_void *i2d, const EVP_MD *type, char *data,
|
||||
unsigned char *md, unsigned int *len)
|
||||
{
|
||||
int i;
|
||||
int inl;
|
||||
unsigned char *str, *p;
|
||||
|
||||
i = i2d(data, NULL);
|
||||
if ((str = OPENSSL_malloc(i)) == NULL) {
|
||||
inl = i2d(data, NULL);
|
||||
if (inl <= 0) {
|
||||
ASN1err(ASN1_F_ASN1_DIGEST, ERR_R_INTERNAL_ERROR);
|
||||
return 0;
|
||||
}
|
||||
if ((str = OPENSSL_malloc(inl)) == NULL) {
|
||||
ASN1err(ASN1_F_ASN1_DIGEST, ERR_R_MALLOC_FAILURE);
|
||||
return 0;
|
||||
}
|
||||
p = str;
|
||||
i2d(data, &p);
|
||||
|
||||
if (!EVP_Digest(str, i, md, len, type, NULL)) {
|
||||
if (!EVP_Digest(str, inl, md, len, type, NULL)) {
|
||||
OPENSSL_free(str);
|
||||
return 0;
|
||||
}
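Review bot: The second `i2d(data, &p)` call, which actually fills the buffer, is still unchecked, so the new `inl <= 0` test guards only the length query. Should that call fail or write fewer than inl bytes, EVP_Digest would hash whatever OPENSSL_malloc returned for the remainder. Comparing the result closes the gap: `if (i2d(data, &p) != inl) { OPENSSL_free(str); return 0; }`. The rest of ASN1_digest lies outside the hunk.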
|
||||
|
@ -29,7 +29,8 @@ int ASN1_sign(i2d_of_void *i2d, X509_ALGOR *algor1, X509_ALGOR *algor2,
|
||||
{
|
||||
EVP_MD_CTX *ctx = EVP_MD_CTX_new();
|
||||
unsigned char *p, *buf_in = NULL, *buf_out = NULL;
|
||||
int i, inl = 0, outl = 0, outll = 0;
|
||||
int i, inl = 0, outl = 0;
|
||||
size_t inll = 0, outll = 0;
|
||||
X509_ALGOR *a;
|
||||
|
||||
if (ctx == NULL) {
|
||||
@ -70,10 +71,15 @@ int ASN1_sign(i2d_of_void *i2d, X509_ALGOR *algor1, X509_ALGOR *algor2,
|
||||
}
|
||||
}
|
||||
inl = i2d(data, NULL);
|
||||
buf_in = OPENSSL_malloc((unsigned int)inl);
|
||||
if (inl <= 0) {
|
||||
ASN1err(ASN1_F_ASN1_SIGN, ERR_R_INTERNAL_ERROR);
|
||||
goto err;
|
||||
}
|
||||
inll = (size_t)inl;
|
||||
buf_in = OPENSSL_malloc(inll);
|
||||
outll = outl = EVP_PKEY_size(pkey);
|
||||
buf_out = OPENSSL_malloc((unsigned int)outl);
|
||||
if ((buf_in == NULL) || (buf_out == NULL)) {
|
||||
buf_out = OPENSSL_malloc(outll);
|
||||
if (buf_in == NULL || buf_out == NULL) {
|
||||
outl = 0;
|
||||
ASN1err(ASN1_F_ASN1_SIGN, ERR_R_MALLOC_FAILURE);
|
||||
goto err;
|
||||
@ -101,7 +107,7 @@ int ASN1_sign(i2d_of_void *i2d, X509_ALGOR *algor1, X509_ALGOR *algor2,
|
||||
signature->flags |= ASN1_STRING_FLAG_BITS_LEFT;
|
||||
err:
|
||||
EVP_MD_CTX_free(ctx);
|
||||
OPENSSL_clear_free((char *)buf_in, (unsigned int)inl);
|
||||
OPENSSL_clear_free((char *)buf_in, inll);
|
||||
OPENSSL_clear_free((char *)buf_out, outll);
|
||||
return outl;
|
||||
}
|
||||
@ -138,7 +144,7 @@ int ASN1_item_sign_ctx(const ASN1_ITEM *it,
|
||||
EVP_PKEY *pkey;
|
||||
unsigned char *buf_in = NULL, *buf_out = NULL;
|
||||
size_t inl = 0, outl = 0, outll = 0;
|
||||
int signid, paramtype;
|
||||
int signid, paramtype, buf_len = 0;
|
||||
int rv;
|
||||
|
||||
type = EVP_MD_CTX_md(ctx);
|
||||
@ -198,10 +204,16 @@ int ASN1_item_sign_ctx(const ASN1_ITEM *it,
|
||||
|
||||
}
|
||||
|
||||
inl = ASN1_item_i2d(asn, &buf_in, it);
|
||||
buf_len = ASN1_item_i2d(asn, &buf_in, it);
|
||||
if (buf_len <= 0) {
|
||||
outl = 0;
|
||||
ASN1err(ASN1_F_ASN1_ITEM_SIGN_CTX, ERR_R_INTERNAL_ERROR);
|
||||
goto err;
|
||||
}
|
||||
inl = buf_len;
|
||||
outll = outl = EVP_PKEY_size(pkey);
|
||||
buf_out = OPENSSL_malloc((unsigned int)outl);
|
||||
if ((buf_in == NULL) || (buf_out == NULL)) {
|
||||
buf_out = OPENSSL_malloc(outll);
|
||||
if (buf_in == NULL || buf_out == NULL) {
|
||||
outl = 0;
|
||||
ASN1err(ASN1_F_ASN1_ITEM_SIGN_CTX, ERR_R_MALLOC_FAILURE);
|
||||
goto err;
|
||||
@ -223,7 +235,7 @@ int ASN1_item_sign_ctx(const ASN1_ITEM *it,
|
||||
signature->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07);
|
||||
signature->flags |= ASN1_STRING_FLAG_BITS_LEFT;
|
||||
err:
|
||||
OPENSSL_clear_free((char *)buf_in, (unsigned int)inl);
|
||||
OPENSSL_clear_free((char *)buf_in, inl);
|
||||
OPENSSL_clear_free((char *)buf_out, outll);
|
||||
return outl;
|
||||
}
|
||||
|
@ -48,6 +48,10 @@ int ASN1_verify(i2d_of_void *i2d, X509_ALGOR *a, ASN1_BIT_STRING *signature,
|
||||
}
|
||||
|
||||
inl = i2d(data, NULL);
|
||||
if (inl <= 0) {
|
||||
ASN1err(ASN1_F_ASN1_VERIFY, ERR_R_INTERNAL_ERROR);
|
||||
goto err;
|
||||
}
|
||||
buf_in = OPENSSL_malloc((unsigned int)inl);
|
||||
if (buf_in == NULL) {
|
||||
ASN1err(ASN1_F_ASN1_VERIFY, ERR_R_MALLOC_FAILURE);
|
||||
@ -87,8 +91,8 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a,
|
||||
EVP_MD_CTX *ctx = NULL;
|
||||
unsigned char *buf_in = NULL;
|
||||
int ret = -1, inl = 0;
|
||||
|
||||
int mdnid, pknid;
|
||||
size_t inll = 0;
|
||||
|
||||
if (!pkey) {
|
||||
ASN1err(ASN1_F_ASN1_ITEM_VERIFY, ERR_R_PASSED_NULL_PARAMETER);
|
||||
@ -127,8 +131,8 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a,
|
||||
goto err;
|
||||
ret = -1;
|
||||
} else {
|
||||
const EVP_MD *type;
|
||||
type = EVP_get_digestbynid(mdnid);
|
||||
const EVP_MD *type = EVP_get_digestbynid(mdnid);
|
||||
|
||||
if (type == NULL) {
|
||||
ASN1err(ASN1_F_ASN1_ITEM_VERIFY,
|
||||
ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
|
||||
@ -150,11 +154,15 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a,
|
||||
}
|
||||
|
||||
inl = ASN1_item_i2d(asn, &buf_in, it);
|
||||
|
||||
if (inl <= 0) {
|
||||
ASN1err(ASN1_F_ASN1_ITEM_VERIFY, ERR_R_INTERNAL_ERROR);
|
||||
goto err;
|
||||
}
|
||||
if (buf_in == NULL) {
|
||||
ASN1err(ASN1_F_ASN1_ITEM_VERIFY, ERR_R_MALLOC_FAILURE);
|
||||
goto err;
|
||||
}
|
||||
inll = inl;
|
||||
|
||||
ret = EVP_DigestVerify(ctx, signature->data, (size_t)signature->length,
|
||||
buf_in, inl);
|
||||
@ -164,7 +172,7 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a,
|
||||
}
|
||||
ret = 1;
|
||||
err:
|
||||
OPENSSL_clear_free(buf_in, (unsigned int)inl);
|
||||
OPENSSL_clear_free(buf_in, inll);
|
||||
EVP_MD_CTX_free(ctx);
|
||||
return ret;
|
||||
}
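Review bot: ASN1_item_verify() now keeps the encoded length in two variables, and the one that was validated and widened (`inll`) is used only by `OPENSSL_clear_free()` at `err:`, while `EVP_DigestVerify()` is still given the `int inl`. Passing the same value to both, `buf_in, inll);`, would leave a single length that is checked once and then used for hashing and wiping. A short comment at `inll = inl;` such as `/* inl > 0 here, safe to widen */` would record why the conversion is safe. ASN1_verify() in the first hunk keeps the `(unsigned int)inl` cast on its allocation; its cleanup path is outside the hunk, so it is worth checking that it was not left on the old pattern.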
|
||||
|
@ -140,6 +140,22 @@ int EVP_PKEY_asn1_add0(const EVP_PKEY_ASN1_METHOD *ameth)
|
||||
{
|
||||
EVP_PKEY_ASN1_METHOD tmp = { 0, };
|
||||
|
||||
/*
|
||||
* One of the following must be true:
|
||||
*
|
||||
* pem_str == NULL AND ASN1_PKEY_ALIAS is set
|
||||
* pem_str != NULL AND ASN1_PKEY_ALIAS is clear
|
||||
*
|
||||
* Anything else is an error and may lead to a corrupt ASN1 method table
|
||||
*/
|
||||
if (!((ameth->pem_str == NULL
|
||||
&& (ameth->pkey_flags & ASN1_PKEY_ALIAS) != 0)
|
||||
|| (ameth->pem_str != NULL
|
||||
&& (ameth->pkey_flags & ASN1_PKEY_ALIAS) == 0))) {
|
||||
EVPerr(EVP_F_EVP_PKEY_ASN1_ADD0, ERR_R_PASSED_INVALID_ARGUMENT);
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (app_methods == NULL) {
|
||||
app_methods = sk_EVP_PKEY_ASN1_METHOD_new(ameth_cmp);
|
||||
if (app_methods == NULL)
|
||||
@ -216,18 +232,6 @@ EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_new(int id, int flags,
|
||||
goto err;
|
||||
}
|
||||
|
||||
/*
|
||||
* One of the following must be true:
|
||||
*
|
||||
* pem_str == NULL AND ASN1_PKEY_ALIAS is set
|
||||
* pem_str != NULL AND ASN1_PKEY_ALIAS is clear
|
||||
*
|
||||
* Anything else is an error and may lead to a corrupt ASN1 method table
|
||||
*/
|
||||
if (!((pem_str == NULL && (flags & ASN1_PKEY_ALIAS) != 0)
|
||||
|| (pem_str != NULL && (flags & ASN1_PKEY_ALIAS) == 0)))
|
||||
goto err;
|
||||
|
||||
if (pem_str) {
|
||||
ameth->pem_str = OPENSSL_strdup(pem_str);
|
||||
if (!ameth->pem_str)
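Review bot: With the consistency check moved out of EVP_PKEY_asn1_new(), a method whose `pem_str` and `ASN1_PKEY_ALIAS` flag disagree is now created successfully and is rejected only when it reaches EVP_PKEY_asn1_add0(), but the comment above the new check does not say what the caller is left holding on that failure. Adding a line such as `* On failure nothing is registered and the caller keeps ownership of |ameth|` would match the early `return 0` (the rest of add0 is outside the hunk, so confirm nothing is pushed before it). The new check also dereferences `ameth` before any NULL test visible here, so the comment should state that a non-NULL method is required. As far as the hunk shows, the validation covers only methods registered through add0.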
|
||||
|
@ -2,7 +2,7 @@
|
||||
* WARNING: do not edit!
|
||||
* Generated by crypto/asn1/charmap.pl
|
||||
*
|
||||
* Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -1,5 +1,5 @@
|
||||
#! /usr/bin/env perl
|
||||
# Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
# Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
#
|
||||
# Licensed under the OpenSSL license (the "License"). You may not use
|
||||
# this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -32,7 +32,7 @@ EVP_PKEY *d2i_PublicKey(int type, EVP_PKEY **a, const unsigned char **pp,
|
||||
} else
|
||||
ret = *a;
|
||||
|
||||
if (!EVP_PKEY_set_type(ret, type)) {
|
||||
if (type != EVP_PKEY_id(ret) && !EVP_PKEY_set_type(ret, type)) {
|
||||
ASN1err(ASN1_F_D2I_PUBLICKEY, ERR_R_EVP_LIB);
|
||||
goto err;
|
||||
}
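Review bot: The new `type != EVP_PKEY_id(ret)` short-circuit in d2i_PublicKey() carries no comment explaining why EVP_PKEY_set_type() is skipped when the caller-supplied `*a` already has the requested type. The consequence is that the key data already held by `*a` is still in `ret` when decoding starts. A comment such as `/* same type: keep the existing key object, the decoder below reuses it */` would record the intent; the decoding code is outside the hunk, so that reading should be confirmed against it. It may also be worth documenting for callers that a failed decode into a reused EVP_PKEY can leave the earlier key state in place rather than a freshly reset object.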
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -782,7 +782,12 @@ int BIO_lookup_ex(const char *host, const char *service, int lookup_type,
|
||||
* anyway [above getaddrinfo/gai_strerror is]. We just let
|
||||
* system administrator figure this out...
|
||||
*/
|
||||
# if defined(OPENSSL_SYS_VXWORKS)
|
||||
/* h_errno doesn't exist on VxWorks */
|
||||
SYSerr(SYS_F_GETHOSTBYNAME, 1000 );
|
||||
# else
|
||||
SYSerr(SYS_F_GETHOSTBYNAME, 1000 + h_errno);
|
||||
# endif
|
||||
#else
|
||||
SYSerr(SYS_F_GETHOSTBYNAME, WSAGetLastError());
|
||||
#endif
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -253,9 +253,7 @@ static long file_ctrl(BIO *b, int cmd, long num, void *ptr)
|
||||
}
|
||||
# elif defined(OPENSSL_SYS_WIN32_CYGWIN)
|
||||
int fd = fileno((FILE *)ptr);
|
||||
if (num & BIO_FP_TEXT)
|
||||
setmode(fd, O_TEXT);
|
||||
else
|
||||
if (!(num & BIO_FP_TEXT))
|
||||
setmode(fd, O_BINARY);
|
||||
# endif
|
||||
}
|
||||
@ -279,11 +277,14 @@ static long file_ctrl(BIO *b, int cmd, long num, void *ptr)
|
||||
ret = 0;
|
||||
break;
|
||||
}
|
||||
# if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32_CYGWIN)
|
||||
# if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS)
|
||||
if (!(num & BIO_FP_TEXT))
|
||||
OPENSSL_strlcat(p, "b", sizeof(p));
|
||||
else
|
||||
OPENSSL_strlcat(p, "t", sizeof(p));
|
||||
# elif defined(OPENSSL_SYS_WIN32_CYGWIN)
|
||||
if (!(num & BIO_FP_TEXT))
|
||||
OPENSSL_strlcat(p, "b", sizeof(p));
|
||||
# endif
|
||||
fp = openssl_fopen(ptr, p);
|
||||
if (fp == NULL) {
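Review bot: On Cygwin a BIO_FP_TEXT request is now silently ignored in both hunks of file_ctrl() (no `setmode(fd, O_TEXT)` and no `"t"` appended to the fopen mode), and nothing in the code says this is deliberate. A one-line comment in each `OPENSSL_SYS_WIN32_CYGWIN` branch, for example `/* Cygwin: only force binary mode; text mode is left to the platform default */`, would stop a later reader from restoring the missing else branch, assuming that is the intent. Both hunks start and end inside file_ctrl().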
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -20,7 +20,7 @@ static long mem_ctrl(BIO *h, int cmd, long arg1, void *arg2);
|
||||
static int mem_new(BIO *h);
|
||||
static int secmem_new(BIO *h);
|
||||
static int mem_free(BIO *data);
|
||||
static int mem_buf_free(BIO *data, int free_all);
|
||||
static int mem_buf_free(BIO *data);
|
||||
static int mem_buf_sync(BIO *h);
|
||||
|
||||
static const BIO_METHOD mem_method = {
|
||||
@ -140,10 +140,20 @@ static int secmem_new(BIO *bi)
|
||||
|
||||
static int mem_free(BIO *a)
|
||||
{
|
||||
return mem_buf_free(a, 1);
|
||||
BIO_BUF_MEM *bb;
|
||||
|
||||
if (a == NULL)
|
||||
return 0;
|
||||
|
||||
bb = (BIO_BUF_MEM *)a->ptr;
|
||||
if (!mem_buf_free(a))
|
||||
return 0;
|
||||
OPENSSL_free(bb->readp);
|
||||
OPENSSL_free(bb);
|
||||
return 1;
|
||||
}
|
||||
|
||||
static int mem_buf_free(BIO *a, int free_all)
|
||||
static int mem_buf_free(BIO *a)
|
||||
{
|
||||
if (a == NULL)
|
||||
return 0;
|
||||
@ -155,11 +165,6 @@ static int mem_buf_free(BIO *a, int free_all)
|
||||
if (a->flags & BIO_FLAGS_MEM_RDONLY)
|
||||
b->data = NULL;
|
||||
BUF_MEM_free(b);
|
||||
if (free_all) {
|
||||
OPENSSL_free(bb->readp);
|
||||
OPENSSL_free(bb);
|
||||
}
|
||||
a->ptr = NULL;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
@ -266,11 +271,10 @@ static long mem_ctrl(BIO *b, int cmd, long num, void *ptr)
|
||||
}
|
||||
break;
|
||||
case BIO_C_SET_BUF_MEM:
|
||||
mem_buf_free(b, 0);
|
||||
mem_buf_free(b);
|
||||
b->shutdown = (int)num;
|
||||
bbm->buf = ptr;
|
||||
*bbm->readp = *bbm->buf;
|
||||
b->ptr = bbm;
|
||||
break;
|
||||
case BIO_C_GET_BUF_MEM_PTR:
|
||||
if (ptr != NULL) {
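Review bot: mem_buf_free() no longer resets `a->ptr`, and the BUF_MEM it passes to `BUF_MEM_free(b)` is presumably still referenced from the BIO_BUF_MEM afterwards, so every caller has to overwrite or free that state straight away. Both visible callers do: mem_free() frees `bb`, and BIO_C_SET_BUF_MEM assigns `bbm->buf = ptr`. The contract is not written down, though, and a comment above the function such as `/* Frees only the underlying BUF_MEM; the caller must replace or free the BIO_BUF_MEM */` would protect against a later caller touching the stale pointer. mem_free() also reads `bb->readp` without checking that `a->ptr` was non-NULL, which should be confirmed against how the BIO is set up. Part of mem_buf_free() lies between the hunks.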
|
||||
|
@ -1,5 +1,5 @@
|
||||
#! /usr/bin/env perl
|
||||
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
|
||||
# Copyright 2015-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
#
|
||||
# Licensed under the OpenSSL license (the "License"). You may not use
|
||||
# this file except in compliance with the License. You can obtain a copy
|
||||
@ -287,6 +287,7 @@ __bn_sqr8x_mont:
|
||||
cmp $ap,$bp
|
||||
b.ne __bn_mul4x_mont
|
||||
.Lsqr8x_mont:
|
||||
.inst 0xd503233f // paciasp
|
||||
stp x29,x30,[sp,#-128]!
|
||||
add x29,sp,#0
|
||||
stp x19,x20,[sp,#16]
|
||||
@ -1040,6 +1041,7 @@ $code.=<<___;
|
||||
ldp x25,x26,[x29,#64]
|
||||
ldp x27,x28,[x29,#80]
|
||||
ldr x29,[sp],#128
|
||||
.inst 0xd50323bf // autiasp
|
||||
ret
|
||||
.size __bn_sqr8x_mont,.-__bn_sqr8x_mont
|
||||
___
|
||||
@ -1063,6 +1065,7 @@ $code.=<<___;
|
||||
.type __bn_mul4x_mont,%function
|
||||
.align 5
|
||||
__bn_mul4x_mont:
|
||||
.inst 0xd503233f // paciasp
|
||||
stp x29,x30,[sp,#-128]!
|
||||
add x29,sp,#0
|
||||
stp x19,x20,[sp,#16]
|
||||
@ -1496,6 +1499,7 @@ __bn_mul4x_mont:
|
||||
ldp x25,x26,[x29,#64]
|
||||
ldp x27,x28,[x29,#80]
|
||||
ldr x29,[sp],#128
|
||||
.inst 0xd50323bf // autiasp
|
||||
ret
|
||||
.size __bn_mul4x_mont,.-__bn_mul4x_mont
|
||||
___
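Review bot: The `.inst 0xd503233f` / `.inst 0xd50323bf` pairs cover only the prologue and epilogue lines shown, and the hunks do not show whether every `ret` in `__bn_sqr8x_mont` and `__bn_mul4x_mont` is preceded by the authenticate instruction. They also do not show whether other routines in this file that spill x30 to the stack are covered. Both should be checked against the full file, because a mismatched pair either faults on return or leaves that frame's return address unprotected. The trailing comments could also say why raw encodings are used, e.g. `// paciasp (hint space: executes as NOP on cores without pointer authentication)`.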
|
||||
|
@ -3,7 +3,7 @@
|
||||
.ident "ia64.S, Version 2.1"
|
||||
.ident "IA-64 ISA artwork by Andy Polyakov <appro@openssl.org>"
|
||||
|
||||
// Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
// Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
//
|
||||
// Licensed under the OpenSSL license (the "License"). You may not use
|
||||
// this file except in compliance with the License. You can obtain a copy
|
||||
@ -48,7 +48,7 @@
|
||||
// on Itanium2! What to do? Reschedule loops for Itanium2? But then
|
||||
// Itanium would exhibit anti-scalability. So I've chosen to reschedule
|
||||
// for worst latency for every instruction aiming for best *all-round*
|
||||
// performance.
|
||||
// performance.
|
||||
|
||||
// Q. How much faster does it get?
|
||||
// A. Here is the output from 'openssl speed rsa dsa' for vanilla
|
||||
@ -472,7 +472,7 @@ bn_mul_add_words:
|
||||
.global bn_sqr_words#
|
||||
.proc bn_sqr_words#
|
||||
.align 64
|
||||
.skip 32 // makes the loop body aligned at 64-byte boundary
|
||||
.skip 32 // makes the loop body aligned at 64-byte boundary
|
||||
bn_sqr_words:
|
||||
.prologue
|
||||
.save ar.pfs,r2
|
||||
|
@ -798,6 +798,11 @@ $code.=<<___;
|
||||
move $a0,$v0
|
||||
.end bn_sub_words_internal
|
||||
|
||||
#if 0
|
||||
/*
|
||||
* The bn_div_3_words entry point is re-used for constant-time interface.
|
||||
* Implementation is retained as hystorical reference.
|
||||
*/
|
||||
.align 5
|
||||
.globl bn_div_3_words
|
||||
.ent bn_div_3_words
|
||||
@ -877,6 +882,7 @@ $code.=<<___;
|
||||
jr $ra
|
||||
move $a0,$v0
|
||||
.end bn_div_3_words_internal
|
||||
#endif
|
||||
|
||||
.align 5
|
||||
.globl bn_div_words
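Review bot: The comment introducing the new `#if 0` block misspells "historical" as `hystorical`; the line should read `* Implementation is retained as historical reference.`. Since the disabled code is not constant-time by the comment's own account, it would help to name where the constant-time `bn_div_3_words` now lives, so that nobody re-enables this copy by flipping the `#if`.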
|
||||
|
@ -1,5 +1,5 @@
|
||||
#! /usr/bin/env perl
|
||||
# Copyright 2013-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
# Copyright 2013-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
# Copyright (c) 2012, Intel Corporation. All Rights Reserved.
|
||||
#
|
||||
# Licensed under the OpenSSL license (the "License"). You may not use
|
||||
@ -1492,6 +1492,7 @@ $code.=<<___;
|
||||
.type rsaz_1024_red2norm_avx2,\@abi-omnipotent
|
||||
.align 32
|
||||
rsaz_1024_red2norm_avx2:
|
||||
.cfi_startproc
|
||||
sub \$-128,$inp # size optimization
|
||||
xor %rax,%rax
|
||||
___
|
||||
@ -1525,12 +1526,14 @@ ___
|
||||
}
|
||||
$code.=<<___;
|
||||
ret
|
||||
.cfi_endproc
|
||||
.size rsaz_1024_red2norm_avx2,.-rsaz_1024_red2norm_avx2
|
||||
|
||||
.globl rsaz_1024_norm2red_avx2
|
||||
.type rsaz_1024_norm2red_avx2,\@abi-omnipotent
|
||||
.align 32
|
||||
rsaz_1024_norm2red_avx2:
|
||||
.cfi_startproc
|
||||
sub \$-128,$out # size optimization
|
||||
mov ($inp),@T[0]
|
||||
mov \$0x1fffffff,%eax
|
||||
@ -1562,6 +1565,7 @@ $code.=<<___;
|
||||
mov @T[0],`8*($j+2)-128`($out)
|
||||
mov @T[0],`8*($j+3)-128`($out)
|
||||
ret
|
||||
.cfi_endproc
|
||||
.size rsaz_1024_norm2red_avx2,.-rsaz_1024_norm2red_avx2
|
||||
___
|
||||
}
|
||||
@ -1573,6 +1577,7 @@ $code.=<<___;
|
||||
.type rsaz_1024_scatter5_avx2,\@abi-omnipotent
|
||||
.align 32
|
||||
rsaz_1024_scatter5_avx2:
|
||||
.cfi_startproc
|
||||
vzeroupper
|
||||
vmovdqu .Lscatter_permd(%rip),%ymm5
|
||||
shl \$4,$power
|
||||
@ -1592,6 +1597,7 @@ rsaz_1024_scatter5_avx2:
|
||||
|
||||
vzeroupper
|
||||
ret
|
||||
.cfi_endproc
|
||||
.size rsaz_1024_scatter5_avx2,.-rsaz_1024_scatter5_avx2
|
||||
|
||||
.globl rsaz_1024_gather5_avx2
|
||||
|
@ -3,7 +3,7 @@
|
||||
|
||||
/*
|
||||
* ====================================================================
|
||||
* Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1999-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -154,9 +154,9 @@
|
||||
.register %g2,#scratch
|
||||
.register %g3,#scratch
|
||||
# define FRAME_SIZE -192
|
||||
#else
|
||||
#else
|
||||
# define FRAME_SIZE -96
|
||||
#endif
|
||||
#endif
|
||||
/*
|
||||
* GNU assembler can't stand stuw:-(
|
||||
*/
|
||||
|
@ -1,5 +1,5 @@
|
||||
#! /usr/bin/env perl
|
||||
# Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
# Copyright 2011-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
#
|
||||
# Licensed under the OpenSSL license (the "License"). You may not use
|
||||
# this file except in compliance with the License. You can obtain a copy
|
||||
@ -2910,6 +2910,7 @@ bn_powerx5:
|
||||
.align 32
|
||||
bn_sqrx8x_internal:
|
||||
__bn_sqrx8x_internal:
|
||||
.cfi_startproc
|
||||
##################################################################
|
||||
# Squaring part:
|
||||
#
|
||||
@ -3542,6 +3543,7 @@ __bn_sqrx8x_reduction:
|
||||
cmp 8+8(%rsp),%r8 # end of t[]?
|
||||
jb .Lsqrx8x_reduction_loop
|
||||
ret
|
||||
.cfi_endproc
|
||||
.size bn_sqrx8x_internal,.-bn_sqrx8x_internal
|
||||
___
|
||||
}
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -227,6 +227,8 @@ BIGNUM *BN_CTX_get(BN_CTX *ctx)
|
||||
}
|
||||
/* OK, make sure the returned bignum is "zero" */
|
||||
BN_zero(ret);
|
||||
/* clear BN_FLG_CONSTTIME if leaked from previous frames */
|
||||
ret->flags &= (~BN_FLG_CONSTTIME);
|
||||
ctx->used++;
|
||||
CTXDBG_RET(ctx, ret);
|
||||
return ret;
|
||||
@ -256,7 +258,7 @@ static int BN_STACK_push(BN_STACK *st, unsigned int idx)
|
||||
unsigned int newsize =
|
||||
st->size ? (st->size * 3 / 2) : BN_CTX_START_FRAMES;
|
||||
unsigned int *newitems;
|
||||
|
||||
|
||||
if ((newitems = OPENSSL_malloc(sizeof(*newitems) * newsize)) == NULL) {
|
||||
BNerr(BN_F_BN_STACK_PUSH, ERR_R_MALLOC_FAILURE);
|
||||
return 0;
|
||||
@ -310,7 +312,7 @@ static BIGNUM *BN_POOL_get(BN_POOL *p, int flag)
|
||||
/* Full; allocate a new pool item and link it in. */
|
||||
if (p->used == p->size) {
|
||||
BN_POOL_ITEM *item;
|
||||
|
||||
|
||||
if ((item = OPENSSL_malloc(sizeof(*item))) == NULL) {
|
||||
BNerr(BN_F_BN_POOL_GET, ERR_R_MALLOC_FAILURE);
|
||||
return NULL;
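Review bot: In BN_CTX_get() the new comment says why BN_FLG_CONSTTIME is cleared but not what that means for callers. A pooled BIGNUM never carries the flag over, so code that depends on the constant-time paths must set it again after each BN_CTX_get(). Extending the comment, e.g. `/* clear BN_FLG_CONSTTIME if leaked from previous frames; callers must re-set it when needed */`, makes that explicit. Only this one flag is masked here; whether BN_zero() resets other per-use flags is not visible in the hunk and is worth confirming. The remaining hunks in this file are whitespace only.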
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2002-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -40,7 +40,7 @@ BIGNUM *BN_generate_prime(BIGNUM *ret, int bits, int safe,
|
||||
goto err;
|
||||
|
||||
/* we have a prime :-) */
|
||||
return ret;
|
||||
return rnd;
|
||||
err:
|
||||
BN_free(rnd);
|
||||
return NULL;
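Review bot: The `err:` path in BN_generate_prime() calls `BN_free(rnd)` unconditionally. Now that the success path returns `rnd`, it looks as though `rnd` can be the caller's own `ret`; the assignment is outside the hunk, so this needs confirming. If it can, a failure frees a BIGNUM the caller still holds and may use or free again. Guarding the call, `if (rnd != ret) BN_free(rnd);`, would leave ownership with the caller on failure.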
|
||||
|
@ -7,6 +7,7 @@
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#include <assert.h>
|
||||
#include <openssl/bn.h>
|
||||
#include "internal/cryptlib.h"
|
||||
#include "bn_lcl.h"
|
||||
@ -86,6 +87,77 @@ int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
|
||||
|
||||
#else
|
||||
|
||||
# if defined(BN_DIV3W)
|
||||
BN_ULONG bn_div_3_words(const BN_ULONG *m, BN_ULONG d1, BN_ULONG d0);
|
||||
# elif 0
|
||||
/*
|
||||
* This is #if-ed away, because it's a reference for assembly implementations,
|
||||
* where it can and should be made constant-time. But if you want to test it,
|
||||
* just replace 0 with 1.
|
||||
*/
|
||||
# if BN_BITS2 == 64 && defined(__SIZEOF_INT128__) && __SIZEOF_INT128__==16
|
||||
# undef BN_ULLONG
|
||||
# define BN_ULLONG __uint128_t
|
||||
# define BN_LLONG
|
||||
# endif
|
||||
|
||||
# ifdef BN_LLONG
|
||||
# define BN_DIV3W
|
||||
/*
|
||||
* Interface is somewhat quirky, |m| is pointer to most significant limb,
|
||||
* and less significant limb is referred at |m[-1]|. This means that caller
|
||||
* is responsible for ensuring that |m[-1]| is valid. Second condition that
|
||||
* has to be met is that |d0|'s most significant bit has to be set. Or in
|
||||
* other words divisor has to be "bit-aligned to the left." bn_div_fixed_top
|
||||
* does all this. The subroutine considers four limbs, two of which are
|
||||
* "overlapping," hence the name...
|
||||
*/
|
||||
static BN_ULONG bn_div_3_words(const BN_ULONG *m, BN_ULONG d1, BN_ULONG d0)
|
||||
{
|
||||
BN_ULLONG R = ((BN_ULLONG)m[0] << BN_BITS2) | m[-1];
|
||||
BN_ULLONG D = ((BN_ULLONG)d0 << BN_BITS2) | d1;
|
||||
BN_ULONG Q = 0, mask;
|
||||
int i;
|
||||
|
||||
for (i = 0; i < BN_BITS2; i++) {
|
||||
Q <<= 1;
|
||||
if (R >= D) {
|
||||
Q |= 1;
|
||||
R -= D;
|
||||
}
|
||||
D >>= 1;
|
||||
}
|
||||
|
||||
mask = 0 - (Q >> (BN_BITS2 - 1)); /* does it overflow? */
|
||||
|
||||
Q <<= 1;
|
||||
Q |= (R >= D);
|
||||
|
||||
return (Q | mask) & BN_MASK2;
|
||||
}
|
||||
# endif
|
||||
# endif
|
||||
|
||||
static int bn_left_align(BIGNUM *num)
|
||||
{
|
||||
BN_ULONG *d = num->d, n, m, rmask;
|
||||
int top = num->top;
|
||||
int rshift = BN_num_bits_word(d[top - 1]), lshift, i;
|
||||
|
||||
lshift = BN_BITS2 - rshift;
|
||||
rshift %= BN_BITS2; /* say no to undefined behaviour */
|
||||
rmask = (BN_ULONG)0 - rshift; /* rmask = 0 - (rshift != 0) */
|
||||
rmask |= rmask >> 8;
|
||||
|
||||
for (i = 0, m = 0; i < top; i++) {
|
||||
n = d[i];
|
||||
d[i] = ((n << lshift) | m) & BN_MASK2;
|
||||
m = (n >> rshift) & rmask;
|
||||
}
|
||||
|
||||
return lshift;
|
||||
}
|
||||
|
||||
# if !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM) \
|
||||
&& !defined(PEDANTIC) && !defined(BN_DIV3W)
|
||||
# if defined(__GNUC__) && __GNUC__>=2
|
||||
@ -137,56 +209,74 @@ int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
|
||||
int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
|
||||
BN_CTX *ctx)
|
||||
{
|
||||
int norm_shift, i, loop;
|
||||
BIGNUM *tmp, wnum, *snum, *sdiv, *res;
|
||||
BN_ULONG *resp, *wnump;
|
||||
BN_ULONG d0, d1;
|
||||
int num_n, div_n;
|
||||
int no_branch = 0;
|
||||
|
||||
/*
|
||||
* Invalid zero-padding would have particularly bad consequences so don't
|
||||
* just rely on bn_check_top() here (bn_check_top() works only for
|
||||
* BN_DEBUG builds)
|
||||
*/
|
||||
if ((num->top > 0 && num->d[num->top - 1] == 0) ||
|
||||
(divisor->top > 0 && divisor->d[divisor->top - 1] == 0)) {
|
||||
BNerr(BN_F_BN_DIV, BN_R_NOT_INITIALIZED);
|
||||
return 0;
|
||||
}
|
||||
|
||||
bn_check_top(num);
|
||||
bn_check_top(divisor);
|
||||
|
||||
if ((BN_get_flags(num, BN_FLG_CONSTTIME) != 0)
|
||||
|| (BN_get_flags(divisor, BN_FLG_CONSTTIME) != 0)) {
|
||||
no_branch = 1;
|
||||
}
|
||||
|
||||
bn_check_top(dv);
|
||||
bn_check_top(rm);
|
||||
/*- bn_check_top(num); *//*
|
||||
* 'num' has been checked already
|
||||
*/
|
||||
/*- bn_check_top(divisor); *//*
|
||||
* 'divisor' has been checked already
|
||||
*/
|
||||
int ret;
|
||||
|
||||
if (BN_is_zero(divisor)) {
|
||||
BNerr(BN_F_BN_DIV, BN_R_DIV_BY_ZERO);
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (!no_branch && BN_ucmp(num, divisor) < 0) {
|
||||
if (rm != NULL) {
|
||||
if (BN_copy(rm, num) == NULL)
|
||||
return 0;
|
||||
}
|
||||
if (dv != NULL)
|
||||
BN_zero(dv);
|
||||
return 1;
|
||||
/*
|
||||
* Invalid zero-padding would have particularly bad consequences so don't
|
||||
* just rely on bn_check_top() here (bn_check_top() works only for
|
||||
* BN_DEBUG builds)
|
||||
*/
|
||||
if (divisor->d[divisor->top - 1] == 0) {
|
||||
BNerr(BN_F_BN_DIV, BN_R_NOT_INITIALIZED);
|
||||
return 0;
|
||||
}
|
||||
|
||||
ret = bn_div_fixed_top(dv, rm, num, divisor, ctx);
|
||||
|
||||
if (ret) {
|
||||
if (dv != NULL)
|
||||
bn_correct_top(dv);
|
||||
if (rm != NULL)
|
||||
bn_correct_top(rm);
|
||||
}
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
/*
|
||||
* It's argued that *length* of *significant* part of divisor is public.
|
||||
* Even if it's private modulus that is. Again, *length* is assumed
|
||||
* public, but not *value*. Former is likely to be pre-defined by
|
||||
* algorithm with bit granularity, though below subroutine is invariant
|
||||
* of limb length. Thanks to this assumption we can require that |divisor|
|
||||
* may not be zero-padded, yet claim this subroutine "constant-time"(*).
|
||||
* This is because zero-padded dividend, |num|, is tolerated, so that
|
||||
* caller can pass dividend of public length(*), but with smaller amount
|
||||
* of significant limbs. This naturally means that quotient, |dv|, would
|
||||
* contain correspongly less significant limbs as well, and will be zero-
|
||||
* padded accordingly. Returned remainder, |rm|, will have same bit length
|
||||
* as divisor, also zero-padded if needed. These actually leave sign bits
|
||||
* in ambiguous state. In sense that we try to avoid negative zeros, while
|
||||
* zero-padded zeros would retain sign.
|
||||
*
|
||||
* (*) "Constant-time-ness" has two pre-conditions:
|
||||
*
|
||||
* - availability of constant-time bn_div_3_words;
|
||||
* - dividend is at least as "wide" as divisor, limb-wise, zero-padded
|
||||
* if so requied, which shouldn't be a privacy problem, because
|
||||
* divisor's length is considered public;
|
||||
*/
|
||||
int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num,
|
||||
const BIGNUM *divisor, BN_CTX *ctx)
|
||||
{
|
||||
int norm_shift, i, j, loop;
|
||||
BIGNUM *tmp, *snum, *sdiv, *res;
|
||||
BN_ULONG *resp, *wnum, *wnumtop;
|
||||
BN_ULONG d0, d1;
|
||||
int num_n, div_n;
|
||||
|
||||
assert(divisor->top > 0 && divisor->d[divisor->top - 1] != 0);
|
||||
|
||||
bn_check_top(num);
|
||||
bn_check_top(divisor);
|
||||
bn_check_top(dv);
|
||||
bn_check_top(rm);
|
||||
|
||||
BN_CTX_start(ctx);
|
||||
res = (dv == NULL) ? BN_CTX_get(ctx) : dv;
|
||||
tmp = BN_CTX_get(ctx);
|
||||
@ -196,113 +286,72 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
|
||||
goto err;
|
||||
|
||||
/* First we normalise the numbers */
|
||||
norm_shift = BN_BITS2 - ((BN_num_bits(divisor)) % BN_BITS2);
|
||||
if (!(BN_lshift(sdiv, divisor, norm_shift)))
|
||||
if (!BN_copy(sdiv, divisor))
|
||||
goto err;
|
||||
norm_shift = bn_left_align(sdiv);
|
||||
sdiv->neg = 0;
|
||||
norm_shift += BN_BITS2;
|
||||
if (!(BN_lshift(snum, num, norm_shift)))
|
||||
/*
|
||||
* Note that bn_lshift_fixed_top's output is always one limb longer
|
||||
* than input, even when norm_shift is zero. This means that amount of
|
||||
* inner loop iterations is invariant of dividend value, and that one
|
||||
* doesn't need to compare dividend and divisor if they were originally
|
||||
* of the same bit length.
|
||||
*/
|
||||
if (!(bn_lshift_fixed_top(snum, num, norm_shift)))
|
||||
goto err;
|
||||
snum->neg = 0;
|
||||
|
||||
if (no_branch) {
|
||||
/*
|
||||
* Since we don't know whether snum is larger than sdiv, we pad snum
|
||||
* with enough zeroes without changing its value.
|
||||
*/
|
||||
if (snum->top <= sdiv->top + 1) {
|
||||
if (bn_wexpand(snum, sdiv->top + 2) == NULL)
|
||||
goto err;
|
||||
for (i = snum->top; i < sdiv->top + 2; i++)
|
||||
snum->d[i] = 0;
|
||||
snum->top = sdiv->top + 2;
|
||||
} else {
|
||||
if (bn_wexpand(snum, snum->top + 1) == NULL)
|
||||
goto err;
|
||||
snum->d[snum->top] = 0;
|
||||
snum->top++;
|
||||
}
|
||||
}
|
||||
|
||||
div_n = sdiv->top;
|
||||
num_n = snum->top;
|
||||
|
||||
if (num_n <= div_n) {
|
||||
/* caller didn't pad dividend -> no constant-time guarantee... */
|
||||
if (bn_wexpand(snum, div_n + 1) == NULL)
|
||||
goto err;
|
||||
memset(&(snum->d[num_n]), 0, (div_n - num_n + 1) * sizeof(BN_ULONG));
|
||||
snum->top = num_n = div_n + 1;
|
||||
}
|
||||
|
||||
loop = num_n - div_n;
|
||||
/*
|
||||
* Lets setup a 'window' into snum This is the part that corresponds to
|
||||
* the current 'area' being divided
|
||||
*/
|
||||
wnum.neg = 0;
|
||||
wnum.d = &(snum->d[loop]);
|
||||
wnum.top = div_n;
|
||||
wnum.flags = BN_FLG_STATIC_DATA;
|
||||
/*
|
||||
* only needed when BN_ucmp messes up the values between top and max
|
||||
*/
|
||||
wnum.dmax = snum->dmax - loop; /* so we don't step out of bounds */
|
||||
wnum = &(snum->d[loop]);
|
||||
wnumtop = &(snum->d[num_n - 1]);
|
||||
|
||||
/* Get the top 2 words of sdiv */
|
||||
/* div_n=sdiv->top; */
|
||||
d0 = sdiv->d[div_n - 1];
|
||||
d1 = (div_n == 1) ? 0 : sdiv->d[div_n - 2];
|
||||
|
||||
/* pointer to the 'top' of snum */
|
||||
wnump = &(snum->d[num_n - 1]);
|
||||
|
||||
/* Setup to 'res' */
|
||||
if (!bn_wexpand(res, (loop + 1)))
|
||||
/* Setup quotient */
|
||||
if (!bn_wexpand(res, loop))
|
||||
goto err;
|
||||
res->neg = (num->neg ^ divisor->neg);
|
||||
res->top = loop - no_branch;
|
||||
resp = &(res->d[loop - 1]);
|
||||
res->top = loop;
|
||||
res->flags |= BN_FLG_FIXED_TOP;
|
||||
resp = &(res->d[loop]);
|
||||
|
||||
/* space for temp */
|
||||
if (!bn_wexpand(tmp, (div_n + 1)))
|
||||
goto err;
|
||||
|
||||
if (!no_branch) {
|
||||
if (BN_ucmp(&wnum, sdiv) >= 0) {
|
||||
/*
|
||||
* If BN_DEBUG_RAND is defined BN_ucmp changes (via bn_pollute)
|
||||
* the const bignum arguments => clean the values between top and
|
||||
* max again
|
||||
*/
|
||||
bn_clear_top2max(&wnum);
|
||||
bn_sub_words(wnum.d, wnum.d, sdiv->d, div_n);
|
||||
*resp = 1;
|
||||
} else
|
||||
res->top--;
|
||||
}
|
||||
|
||||
/* Increase the resp pointer so that we never create an invalid pointer. */
|
||||
resp++;
|
||||
|
||||
/*
|
||||
* if res->top == 0 then clear the neg value otherwise decrease the resp
|
||||
* pointer
|
||||
*/
|
||||
if (res->top == 0)
|
||||
res->neg = 0;
|
||||
else
|
||||
resp--;
|
||||
|
||||
for (i = 0; i < loop - 1; i++, wnump--) {
|
||||
for (i = 0; i < loop; i++, wnumtop--) {
|
||||
BN_ULONG q, l0;
|
||||
/*
|
||||
* the first part of the loop uses the top two words of snum and sdiv
|
||||
* to calculate a BN_ULONG q such that | wnum - sdiv * q | < sdiv
|
||||
*/
|
||||
# if defined(BN_DIV3W) && !defined(OPENSSL_NO_ASM)
|
||||
BN_ULONG bn_div_3_words(BN_ULONG *, BN_ULONG, BN_ULONG);
|
||||
q = bn_div_3_words(wnump, d1, d0);
|
||||
# if defined(BN_DIV3W)
|
||||
q = bn_div_3_words(wnumtop, d1, d0);
|
||||
# else
|
||||
BN_ULONG n0, n1, rem = 0;
|
||||
|
||||
n0 = wnump[0];
|
||||
n1 = wnump[-1];
|
||||
n0 = wnumtop[0];
|
||||
n1 = wnumtop[-1];
|
||||
if (n0 == d0)
|
||||
q = BN_MASK2;
|
||||
else { /* n0 < d0 */
|
||||
|
||||
BN_ULONG n2 = (wnumtop == wnum) ? 0 : wnumtop[-2];
|
||||
# ifdef BN_LLONG
|
||||
BN_ULLONG t2;
|
||||
|
||||
@ -322,7 +371,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
|
||||
t2 = (BN_ULLONG) d1 *q;
|
||||
|
||||
for (;;) {
|
||||
if (t2 <= ((((BN_ULLONG) rem) << BN_BITS2) | wnump[-2]))
|
||||
if (t2 <= ((((BN_ULLONG) rem) << BN_BITS2) | n2))
|
||||
break;
|
||||
q--;
|
||||
rem += d0;
|
||||
@ -355,7 +404,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
|
||||
# endif
|
||||
|
||||
for (;;) {
|
||||
if ((t2h < rem) || ((t2h == rem) && (t2l <= wnump[-2])))
|
||||
if ((t2h < rem) || ((t2h == rem) && (t2l <= n2)))
|
||||
break;
|
||||
q--;
|
||||
rem += d0;
|
||||
@ -371,43 +420,33 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
|
||||
|
||||
l0 = bn_mul_words(tmp->d, sdiv->d, div_n, q);
|
||||
tmp->d[div_n] = l0;
|
||||
wnum.d--;
|
||||
wnum--;
|
||||
/*
|
||||
* ingore top values of the bignums just sub the two BN_ULONG arrays
|
||||
* ignore top values of the bignums just sub the two BN_ULONG arrays
|
||||
* with bn_sub_words
|
||||
*/
|
||||
if (bn_sub_words(wnum.d, wnum.d, tmp->d, div_n + 1)) {
|
||||
/*
|
||||
* Note: As we have considered only the leading two BN_ULONGs in
|
||||
* the calculation of q, sdiv * q might be greater than wnum (but
|
||||
* then (q-1) * sdiv is less or equal than wnum)
|
||||
*/
|
||||
q--;
|
||||
if (bn_add_words(wnum.d, wnum.d, sdiv->d, div_n))
|
||||
/*
|
||||
* we can't have an overflow here (assuming that q != 0, but
|
||||
* if q == 0 then tmp is zero anyway)
|
||||
*/
|
||||
(*wnump)++;
|
||||
}
|
||||
/* store part of the result */
|
||||
resp--;
|
||||
*resp = q;
|
||||
}
|
||||
bn_correct_top(snum);
|
||||
if (rm != NULL) {
|
||||
l0 = bn_sub_words(wnum, wnum, tmp->d, div_n + 1);
|
||||
q -= l0;
|
||||
/*
|
||||
* Keep a copy of the neg flag in num because if rm==num BN_rshift()
|
||||
* will overwrite it.
|
||||
* Note: As we have considered only the leading two BN_ULONGs in
|
||||
* the calculation of q, sdiv * q might be greater than wnum (but
|
||||
* then (q-1) * sdiv is less or equal than wnum)
|
||||
*/
|
||||
int neg = num->neg;
|
||||
BN_rshift(rm, snum, norm_shift);
|
||||
if (!BN_is_zero(rm))
|
||||
rm->neg = neg;
|
||||
bn_check_top(rm);
|
||||
for (l0 = 0 - l0, j = 0; j < div_n; j++)
|
||||
tmp->d[j] = sdiv->d[j] & l0;
|
||||
l0 = bn_add_words(wnum, wnum, tmp->d, div_n);
|
||||
(*wnumtop) += l0;
|
||||
assert((*wnumtop) == 0);
|
||||
|
||||
/* store part of the result */
|
||||
*--resp = q;
|
||||
}
|
||||
if (no_branch)
|
||||
bn_correct_top(res);
|
||||
/* snum holds remainder, it's as wide as divisor */
|
||||
snum->neg = num->neg;
|
||||
snum->top = div_n;
|
||||
snum->flags |= BN_FLG_FIXED_TOP;
|
||||
if (rm != NULL)
|
||||
bn_rshift_fixed_top(rm, snum, norm_shift);
|
||||
BN_CTX_end(ctx);
|
||||
return 1;
|
||||
err:
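Review bot: bn_div_fixed_top() ignores the result of `bn_rshift_fixed_top(rm, snum, norm_shift)` near the end of the last hunk, although the matching `bn_lshift_fixed_top()` call earlier is checked. If the shift can fail (for instance on allocation, which is not visible here), the function still returns 1 with `rm` not holding the remainder. Checking it, `if (rm != NULL && !bn_rshift_fixed_top(rm, snum, norm_shift)) goto err;`, closes that gap. Separately, the precondition on `divisor` is enforced only by `assert(...)`, which is compiled out under NDEBUG, while `d0 = sdiv->d[div_n - 1]` and bn_left_align()'s `d[top - 1]` both index from the top limb. A comment stating that callers other than BN_div() must guarantee a non-zero top limb would make the contract explicit. The `err:` tail of the function is outside the hunk.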
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -648,34 +648,41 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
|
||||
goto err;
|
||||
}
|
||||
|
||||
#ifdef RSAZ_ENABLED
|
||||
if (!a->neg) {
|
||||
/*
|
||||
* If the size of the operands allow it, perform the optimized
|
||||
* RSAZ exponentiation. For further information see
|
||||
* crypto/bn/rsaz_exp.c and accompanying assembly modules.
|
||||
*/
|
||||
if ((16 == a->top) && (16 == p->top) && (BN_num_bits(m) == 1024)
|
||||
&& rsaz_avx2_eligible()) {
|
||||
if (NULL == bn_wexpand(rr, 16))
|
||||
goto err;
|
||||
RSAZ_1024_mod_exp_avx2(rr->d, a->d, p->d, m->d, mont->RR.d,
|
||||
mont->n0[0]);
|
||||
rr->top = 16;
|
||||
rr->neg = 0;
|
||||
bn_correct_top(rr);
|
||||
ret = 1;
|
||||
goto err;
|
||||
} else if ((8 == a->top) && (8 == p->top) && (BN_num_bits(m) == 512)) {
|
||||
if (NULL == bn_wexpand(rr, 8))
|
||||
goto err;
|
||||
RSAZ_512_mod_exp(rr->d, a->d, p->d, m->d, mont->n0[0], mont->RR.d);
|
||||
rr->top = 8;
|
||||
rr->neg = 0;
|
||||
bn_correct_top(rr);
|
||||
ret = 1;
|
||||
if (a->neg || BN_ucmp(a, m) >= 0) {
|
||||
BIGNUM *reduced = BN_CTX_get(ctx);
|
||||
if (reduced == NULL
|
||||
|| !BN_nnmod(reduced, a, m, ctx)) {
|
||||
goto err;
|
||||
}
|
||||
a = reduced;
|
||||
}
|
||||
|
||||
#ifdef RSAZ_ENABLED
|
||||
/*
|
||||
* If the size of the operands allow it, perform the optimized
|
||||
* RSAZ exponentiation. For further information see
|
||||
* crypto/bn/rsaz_exp.c and accompanying assembly modules.
|
||||
*/
|
||||
if ((16 == a->top) && (16 == p->top) && (BN_num_bits(m) == 1024)
|
||||
&& rsaz_avx2_eligible()) {
|
||||
if (NULL == bn_wexpand(rr, 16))
|
||||
goto err;
|
||||
RSAZ_1024_mod_exp_avx2(rr->d, a->d, p->d, m->d, mont->RR.d,
|
||||
mont->n0[0]);
|
||||
rr->top = 16;
|
||||
rr->neg = 0;
|
||||
bn_correct_top(rr);
|
||||
ret = 1;
|
||||
goto err;
|
||||
} else if ((8 == a->top) && (8 == p->top) && (BN_num_bits(m) == 512)) {
|
||||
if (NULL == bn_wexpand(rr, 8))
|
||||
goto err;
|
||||
RSAZ_512_mod_exp(rr->d, a->d, p->d, m->d, mont->n0[0], mont->RR.d);
|
||||
rr->top = 8;
|
||||
rr->neg = 0;
|
||||
bn_correct_top(rr);
|
||||
ret = 1;
|
||||
goto err;
|
||||
}
|
||||
#endif
|
||||
|
||||
@ -747,12 +754,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
|
||||
goto err;
|
||||
|
||||
/* prepare a^1 in Montgomery domain */
|
||||
if (a->neg || BN_ucmp(a, m) >= 0) {
|
||||
if (!BN_nnmod(&am, a, m, ctx))
|
||||
goto err;
|
||||
if (!bn_to_mont_fixed_top(&am, &am, mont, ctx))
|
||||
goto err;
|
||||
} else if (!bn_to_mont_fixed_top(&am, a, mont, ctx))
|
||||
if (!bn_to_mont_fixed_top(&am, a, mont, ctx))
|
||||
goto err;
|
||||
|
||||
#if defined(SPARC_T4_MONT)
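Review bot: The reduction block that now sits ahead of `#ifdef RSAZ_ENABLED` (`if (a->neg || BN_ucmp(a, m) >= 0)` with `BN_nnmod(reduced, a, m, ctx)`) has no comment saying why it must run before the RSAZ fast paths, so a later cleanup could move it back next to the Montgomery conversion. Presumably the RSAZ routines expect a non-negative base already reduced below `m`, which the former `!a->neg` guard covered only in part. A line such as `/* reduce a into [0, m) once, so the RSAZ paths and the generic path all see a canonical base */` above the block would record that. `reduced` comes from `BN_CTX_get(ctx)` and so relies on a `BN_CTX_start()` earlier in BN_mod_exp_mont_consttime, which is outside these hunks.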
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -695,6 +695,9 @@ int bn_cmp_words(const BN_ULONG *a, const BN_ULONG *b, int n)
|
||||
int i;
|
||||
BN_ULONG aa, bb;
|
||||
|
||||
if (n == 0)
|
||||
return 0;
|
||||
|
||||
aa = a[n - 1];
|
||||
bb = b[n - 1];
|
||||
if (aa != bb)
|
||||
@ -737,26 +740,25 @@ int bn_cmp_part_words(const BN_ULONG *a, const BN_ULONG *b, int cl, int dl)
|
||||
return bn_cmp_words(a, b, cl);
|
||||
}
|
||||
|
||||
/*
|
||||
/*-
|
||||
* Constant-time conditional swap of a and b.
|
||||
* a and b are swapped if condition is not 0. The code assumes that at most one bit of condition is set.
|
||||
* nwords is the number of words to swap. The code assumes that at least nwords are allocated in both a and b,
|
||||
* and that no more than nwords are used by either a or b.
|
||||
* a and b cannot be the same number
|
||||
* a and b are swapped if condition is not 0.
|
||||
* nwords is the number of words to swap.
|
||||
* Assumes that at least nwords are allocated in both a and b.
|
||||
* Assumes that no more than nwords are used by either a or b.
|
||||
*/
|
||||
void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords)
|
||||
{
|
||||
BN_ULONG t;
|
||||
int i;
|
||||
|
||||
if (a == b)
|
||||
return;
|
||||
|
||||
bn_wcheck_size(a, nwords);
|
||||
bn_wcheck_size(b, nwords);
|
||||
|
||||
assert(a != b);
|
||||
assert((condition & (condition - 1)) == 0);
|
||||
assert(sizeof(BN_ULONG) >= sizeof(int));
|
||||
|
||||
condition = ((condition - 1) >> (BN_BITS2 - 1)) - 1;
|
||||
condition = ((~condition & ((condition - 1))) >> (BN_BITS2 - 1)) - 1;
|
||||
|
||||
t = (a->top ^ b->top) & condition;
|
||||
a->top ^= t;
|
||||
@ -794,42 +796,16 @@ void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords)
|
||||
a->flags ^= t;
|
||||
b->flags ^= t;
|
||||
|
||||
#define BN_CONSTTIME_SWAP(ind) \
|
||||
do { \
|
||||
t = (a->d[ind] ^ b->d[ind]) & condition; \
|
||||
a->d[ind] ^= t; \
|
||||
b->d[ind] ^= t; \
|
||||
} while (0)
|
||||
|
||||
switch (nwords) {
|
||||
default:
|
||||
for (i = 10; i < nwords; i++)
|
||||
BN_CONSTTIME_SWAP(i);
|
||||
/* Fallthrough */
|
||||
case 10:
|
||||
BN_CONSTTIME_SWAP(9); /* Fallthrough */
|
||||
case 9:
|
||||
BN_CONSTTIME_SWAP(8); /* Fallthrough */
|
||||
case 8:
|
||||
BN_CONSTTIME_SWAP(7); /* Fallthrough */
|
||||
case 7:
|
||||
BN_CONSTTIME_SWAP(6); /* Fallthrough */
|
||||
case 6:
|
||||
BN_CONSTTIME_SWAP(5); /* Fallthrough */
|
||||
case 5:
|
||||
BN_CONSTTIME_SWAP(4); /* Fallthrough */
|
||||
case 4:
|
||||
BN_CONSTTIME_SWAP(3); /* Fallthrough */
|
||||
case 3:
|
||||
BN_CONSTTIME_SWAP(2); /* Fallthrough */
|
||||
case 2:
|
||||
BN_CONSTTIME_SWAP(1); /* Fallthrough */
|
||||
case 1:
|
||||
BN_CONSTTIME_SWAP(0);
|
||||
/* conditionally swap the data */
|
||||
for (i = 0; i < nwords; i++) {
|
||||
t = (a->d[i] ^ b->d[i]) & condition;
|
||||
a->d[i] ^= t;
|
||||
b->d[i] ^= t;
|
||||
}
|
||||
#undef BN_CONSTTIME_SWAP
|
||||
}
|
||||
|
||||
#undef BN_CONSTTIME_SWAP_FLAGS
|
||||
|
||||
/* Bits of security, see SP800-57 */
|
||||
|
||||
int BN_security_bits(int L, int N)
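Review bot: The new mask line in BN_consttime_swap(), `condition = ((~condition & ((condition - 1))) >> (BN_BITS2 - 1)) - 1;`, carries the constant-time guarantee and has no comment. It maps 0 to 0 and any non-zero value to all-ones without a branch, which is what lets the header comment drop the "at most one bit set" restriction. I would add `/* 0 -> 0, non-zero -> all ones, branch-free */` above it. The "at least nwords are allocated" assumption is still backed only by `bn_wcheck_size()`, which looks like a debug-time check, so the loop `for (i = 0; i < nwords; i++)` trusts the caller for bounds, and the header comment should say so. Part of the function body lies between the two hunks shown.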
|
||||
|
@ -2,7 +2,7 @@
|
||||
* WARNING: do not edit!
|
||||
* Generated by crypto/bn/bn_prime.pl
|
||||
*
|
||||
* Copyright 1998-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1998-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -1,5 +1,5 @@
|
||||
#! /usr/bin/env perl
|
||||
# Copyright 1998-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
# Copyright 1998-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
#
|
||||
# Licensed under the OpenSSL license (the "License"). You may not use
|
||||
# this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -7,6 +7,7 @@
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#include <assert.h>
|
||||
#include "internal/cryptlib.h"
|
||||
#include "bn_lcl.h"
|
||||
|
||||
@ -82,40 +83,70 @@ int BN_rshift1(BIGNUM *r, const BIGNUM *a)
|
||||
|
||||
int BN_lshift(BIGNUM *r, const BIGNUM *a, int n)
|
||||
{
|
||||
int i, nw, lb, rb;
|
||||
BN_ULONG *t, *f;
|
||||
BN_ULONG l;
|
||||
|
||||
bn_check_top(r);
|
||||
bn_check_top(a);
|
||||
int ret;
|
||||
|
||||
if (n < 0) {
|
||||
BNerr(BN_F_BN_LSHIFT, BN_R_INVALID_SHIFT);
|
||||
return 0;
|
||||
}
|
||||
|
||||
ret = bn_lshift_fixed_top(r, a, n);
|
||||
|
||||
bn_correct_top(r);
|
||||
bn_check_top(r);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
/*
|
||||
* In respect to shift factor the execution time is invariant of
|
||||
* |n % BN_BITS2|, but not |n / BN_BITS2|. Or in other words pre-condition
|
||||
* for constant-time-ness is |n < BN_BITS2| or |n / BN_BITS2| being
|
||||
* non-secret.
|
||||
*/
|
||||
int bn_lshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n)
|
||||
{
|
||||
int i, nw;
|
||||
unsigned int lb, rb;
|
||||
BN_ULONG *t, *f;
|
||||
BN_ULONG l, m, rmask = 0;
|
||||
|
||||
assert(n >= 0);
|
||||
|
||||
bn_check_top(r);
|
||||
bn_check_top(a);
|
||||
|
||||
nw = n / BN_BITS2;
|
||||
if (bn_wexpand(r, a->top + nw + 1) == NULL)
|
||||
return 0;
|
||||
r->neg = a->neg;
|
||||
lb = n % BN_BITS2;
|
||||
rb = BN_BITS2 - lb;
|
||||
f = a->d;
|
||||
t = r->d;
|
||||
t[a->top + nw] = 0;
|
||||
if (lb == 0)
|
||||
for (i = a->top - 1; i >= 0; i--)
|
||||
t[nw + i] = f[i];
|
||||
else
|
||||
for (i = a->top - 1; i >= 0; i--) {
|
||||
l = f[i];
|
||||
t[nw + i + 1] |= (l >> rb) & BN_MASK2;
|
||||
t[nw + i] = (l << lb) & BN_MASK2;
|
||||
|
||||
if (a->top != 0) {
|
||||
lb = (unsigned int)n % BN_BITS2;
|
||||
rb = BN_BITS2 - lb;
|
||||
rb %= BN_BITS2; /* say no to undefined behaviour */
|
||||
rmask = (BN_ULONG)0 - rb; /* rmask = 0 - (rb != 0) */
|
||||
rmask |= rmask >> 8;
|
||||
f = &(a->d[0]);
|
||||
t = &(r->d[nw]);
|
||||
l = f[a->top - 1];
|
||||
t[a->top] = (l >> rb) & rmask;
|
||||
for (i = a->top - 1; i > 0; i--) {
|
||||
m = l << lb;
|
||||
l = f[i - 1];
|
||||
t[i] = (m | ((l >> rb) & rmask)) & BN_MASK2;
|
||||
}
|
||||
memset(t, 0, sizeof(*t) * nw);
|
||||
t[0] = (l << lb) & BN_MASK2;
|
||||
} else {
|
||||
/* shouldn't happen, but formally required */
|
||||
r->d[nw] = 0;
|
||||
}
|
||||
if (nw != 0)
|
||||
memset(r->d, 0, sizeof(*t) * nw);
|
||||
|
||||
r->neg = a->neg;
|
||||
r->top = a->top + nw + 1;
|
||||
bn_correct_top(r);
|
||||
bn_check_top(r);
|
||||
r->flags |= BN_FLG_FIXED_TOP;
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
@ -173,3 +204,54 @@ int BN_rshift(BIGNUM *r, const BIGNUM *a, int n)
|
||||
bn_check_top(r);
|
||||
return 1;
|
||||
}
|
||||
|
||||
/*
|
||||
* In respect to shift factor the execution time is invariant of
|
||||
* |n % BN_BITS2|, but not |n / BN_BITS2|. Or in other words pre-condition
|
||||
* for constant-time-ness for sufficiently[!] zero-padded inputs is
|
||||
* |n < BN_BITS2| or |n / BN_BITS2| being non-secret.
|
||||
*/
|
||||
int bn_rshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n)
|
||||
{
|
||||
int i, top, nw;
|
||||
unsigned int lb, rb;
|
||||
BN_ULONG *t, *f;
|
||||
BN_ULONG l, m, mask;
|
||||
|
||||
bn_check_top(r);
|
||||
bn_check_top(a);
|
||||
|
||||
assert(n >= 0);
|
||||
|
||||
nw = n / BN_BITS2;
|
||||
if (nw >= a->top) {
|
||||
/* shouldn't happen, but formally required */
|
||||
BN_zero(r);
|
||||
return 1;
|
||||
}
|
||||
|
||||
rb = (unsigned int)n % BN_BITS2;
|
||||
lb = BN_BITS2 - rb;
|
||||
lb %= BN_BITS2; /* say no to undefined behaviour */
|
||||
mask = (BN_ULONG)0 - lb; /* mask = 0 - (lb != 0) */
|
||||
mask |= mask >> 8;
|
||||
top = a->top - nw;
|
||||
if (r != a && bn_wexpand(r, top) == NULL)
|
||||
return 0;
|
||||
|
||||
t = &(r->d[0]);
|
||||
f = &(a->d[nw]);
|
||||
l = f[0];
|
||||
for (i = 0; i < top - 1; i++) {
|
||||
m = f[i + 1];
|
||||
t[i] = (l >> rb) | ((m << lb) & mask);
|
||||
l = m;
|
||||
}
|
||||
t[i] = l >> rb;
|
||||
|
||||
r->neg = a->neg;
|
||||
r->top = top;
|
||||
r->flags |= BN_FLG_FIXED_TOP;
|
||||
|
||||
return 1;
|
||||
}
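Review bot: bn_lshift_fixed_top() and bn_rshift_fixed_top() guard the shift count only with `assert(n >= 0);`, which disappears in NDEBUG builds. BN_lshift() rejects a negative `n` with BN_R_INVALID_SHIFT before delegating, but any other internal caller gets no such check. A sufficiently negative `n` makes `nw = n / BN_BITS2` negative, and `nw` is then used in `&(r->d[nw])` and `&(a->d[nw])`. Either state the precondition in both header comments (`n must be non-negative; callers validate it`) or fail early with `if (n < 0) return 0;`. The header comments currently describe timing behaviour only.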
|
||||
|
@ -1,5 +1,5 @@
|
||||
#! /usr/bin/env perl
|
||||
# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
|
||||
# Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
#
|
||||
# Licensed under the OpenSSL license (the "License"). You may not use
|
||||
# this file except in compliance with the License. You can obtain a copy
|
||||
@ -157,6 +157,7 @@ ChaCha20_ctr32:
|
||||
b.ne ChaCha20_neon
|
||||
|
||||
.Lshort:
|
||||
.inst 0xd503233f // paciasp
|
||||
stp x29,x30,[sp,#-96]!
|
||||
add x29,sp,#0
|
||||
|
||||
@ -276,6 +277,7 @@ $code.=<<___;
|
||||
ldp x25,x26,[x29,#64]
|
||||
ldp x27,x28,[x29,#80]
|
||||
ldp x29,x30,[sp],#96
|
||||
.inst 0xd50323bf // autiasp
|
||||
.Labort:
|
||||
ret
|
||||
|
||||
@ -332,6 +334,7 @@ $code.=<<___;
|
||||
ldp x25,x26,[x29,#64]
|
||||
ldp x27,x28,[x29,#80]
|
||||
ldp x29,x30,[sp],#96
|
||||
.inst 0xd50323bf // autiasp
|
||||
ret
|
||||
.size ChaCha20_ctr32,.-ChaCha20_ctr32
|
||||
___
|
||||
@ -377,6 +380,7 @@ $code.=<<___;
|
||||
.type ChaCha20_neon,%function
|
||||
.align 5
|
||||
ChaCha20_neon:
|
||||
.inst 0xd503233f // paciasp
|
||||
stp x29,x30,[sp,#-96]!
|
||||
add x29,sp,#0
|
||||
|
||||
@ -575,6 +579,7 @@ $code.=<<___;
|
||||
ldp x25,x26,[x29,#64]
|
||||
ldp x27,x28,[x29,#80]
|
||||
ldp x29,x30,[sp],#96
|
||||
.inst 0xd50323bf // autiasp
|
||||
ret
|
||||
|
||||
.Ltail_neon:
|
||||
@ -684,6 +689,7 @@ $code.=<<___;
|
||||
ldp x25,x26,[x29,#64]
|
||||
ldp x27,x28,[x29,#80]
|
||||
ldp x29,x30,[sp],#96
|
||||
.inst 0xd50323bf // autiasp
|
||||
ret
|
||||
.size ChaCha20_neon,.-ChaCha20_neon
|
||||
___
|
||||
@ -696,6 +702,7 @@ $code.=<<___;
|
||||
.type ChaCha20_512_neon,%function
|
||||
.align 5
|
||||
ChaCha20_512_neon:
|
||||
.inst 0xd503233f // paciasp
|
||||
stp x29,x30,[sp,#-96]!
|
||||
add x29,sp,#0
|
||||
|
||||
@ -1114,6 +1121,7 @@ $code.=<<___;
|
||||
ldp x25,x26,[x29,#64]
|
||||
ldp x27,x28,[x29,#80]
|
||||
ldp x29,x30,[sp],#96
|
||||
.inst 0xd50323bf // autiasp
|
||||
ret
|
||||
.size ChaCha20_512_neon,.-ChaCha20_512_neon
|
||||
___
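Review bot: The pointer-authentication instructions are emitted as raw words (`.inst 0xd503233f // paciasp`, `.inst 0xd50323bf // autiasp`) with nothing in the file explaining the choice. Both encodings are in the hint space, so they execute as NOPs on cores without pointer authentication and assemble with toolchains that do not know the mnemonics. A one-line comment at the first use in ChaCha20_ctr32 saying so would stop a later edit from replacing them with mnemonics. Every `paciasp` must be matched by an `autiasp` on each path that reaches `ret`; `.Labort` sits after the `autiasp`, presumably because that path is entered before the prologue, but most of each function body is outside the hunks, so the pairing should be checked against the full file. The same comment applies to the ecp_nistz256_* ARMv8 hunks further down this page.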
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2013-2016 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2013-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -282,7 +282,7 @@ static int cms_kari_create_ephemeral_key(CMS_KeyAgreeRecipientInfo *kari,
|
||||
return rv;
|
||||
}
|
||||
|
||||
/* Initialise a ktri based on passed certificate and key */
|
||||
/* Initialise a kari based on passed certificate and key */
|
||||
|
||||
int cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip,
|
||||
EVP_PKEY *pk, unsigned int flags)
|
||||
@ -299,6 +299,9 @@ int cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip,
|
||||
kari->version = 3;
|
||||
|
||||
rek = M_ASN1_new_of(CMS_RecipientEncryptedKey);
|
||||
if (rek == NULL)
|
||||
return 0;
|
||||
|
||||
if (!sk_CMS_RecipientEncryptedKey_push(kari->recipientEncryptedKeys, rek)) {
|
||||
M_ASN1_free_of(rek, CMS_RecipientEncryptedKey);
|
||||
return 0;
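Review bot: The added `if (rek == NULL) return 0;` in cms_RecipientInfo_kari_init() returns without queuing an error, so a caller may see a failure with nothing on the error stack to explain it. Whether neighbouring failure paths queue one is not visible in the hunk, but a malloc failure is normally reported, e.g. `CMSerr(<function code for this routine>, ERR_R_MALLOC_FAILURE);` before the return. The `kari` structure set up earlier in the function is left for the caller to release on this path, which deserves a short comment if it is relied on. The function body starts and ends outside the hunk.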
|
||||
|
@ -373,6 +373,7 @@ int cms_RecipientInfo_pwri_crypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri,
|
||||
goto err;
|
||||
}
|
||||
|
||||
OPENSSL_clear_free(ec->key, ec->keylen);
|
||||
ec->key = key;
|
||||
ec->keylen = keylen;
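Review bot: The new `OPENSSL_clear_free(ec->key, ec->keylen);` must run before `ec->keylen = keylen;`, because it needs the old length to wipe the old buffer, and nothing in the code says so. A comment such as `/* wipe the previous key while ec->keylen still describes it */` would keep a later reordering from clearing the wrong number of bytes. The call also assumes `ec->key` is either NULL or a heap buffer owned by `ec` at this point, which is established outside the hunk.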
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -348,10 +348,15 @@ static int def_load_bio(CONF *conf, BIO *in, long *line)
|
||||
psection = section;
|
||||
}
|
||||
p = eat_ws(conf, end);
|
||||
if (strncmp(pname, ".include", 8) == 0 && p != pname + 8) {
|
||||
if (strncmp(pname, ".include", 8) == 0
|
||||
&& (p != pname + 8 || *p == '=')) {
|
||||
char *include = NULL;
|
||||
BIO *next;
|
||||
|
||||
if (*p == '=') {
|
||||
p++;
|
||||
p = eat_ws(conf, p);
|
||||
}
|
||||
trim_ws(conf, p);
|
||||
if (!str_copy(conf, psection, &include, p))
|
||||
goto err;
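Review bot: The widened test `strncmp(pname, ".include", 8) == 0 && (p != pname + 8 || *p == '=')` still compares only the first eight bytes of the name, so it does not by itself require the name to be exactly `.include`. If `end` marks the end of the name token (it is assigned outside the hunk), a key such as `.includes = x` would satisfy `p != pname + 8` and be handled as an include directive, with its value passed on as the include target. Anchoring on the token length, e.g. `end == pname + 8 && (p != end || *p == '=')`, would close that. If the lax match is intentional, a comment should say so. def_load_bio continues on both sides of the hunk.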
|
||||
|
@ -2,7 +2,7 @@
|
||||
* WARNING: do not edit!
|
||||
* Generated by crypto/conf/keysets.pl
|
||||
*
|
||||
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -358,11 +358,36 @@ OPENSSL_INIT_SETTINGS *OPENSSL_INIT_new(void)
|
||||
|
||||
if (ret != NULL)
|
||||
memset(ret, 0, sizeof(*ret));
|
||||
ret->flags = DEFAULT_CONF_MFLAGS;
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
|
||||
#ifndef OPENSSL_NO_STDIO
|
||||
int OPENSSL_INIT_set_config_filename(OPENSSL_INIT_SETTINGS *settings,
|
||||
const char *filename)
|
||||
{
|
||||
char *newfilename = NULL;
|
||||
|
||||
if (filename != NULL) {
|
||||
newfilename = strdup(filename);
|
||||
if (newfilename == NULL)
|
||||
return 0;
|
||||
}
|
||||
|
||||
free(settings->filename);
|
||||
settings->filename = newfilename;
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
void OPENSSL_INIT_set_config_file_flags(OPENSSL_INIT_SETTINGS *settings,
|
||||
unsigned long flags)
|
||||
{
|
||||
settings->flags = flags;
|
||||
}
|
||||
|
||||
int OPENSSL_INIT_set_config_appname(OPENSSL_INIT_SETTINGS *settings,
|
||||
const char *appname)
|
||||
{
|
||||
@ -383,6 +408,7 @@ int OPENSSL_INIT_set_config_appname(OPENSSL_INIT_SETTINGS *settings,
|
||||
|
||||
void OPENSSL_INIT_free(OPENSSL_INIT_SETTINGS *settings)
|
||||
{
|
||||
free(settings->filename);
|
||||
free(settings->appname);
|
||||
free(settings);
|
||||
}
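Review bot: In OPENSSL_INIT_new() the added `ret->flags = DEFAULT_CONF_MFLAGS;` is not covered by the `if (ret != NULL)` above it, which has no braces and so guards only the `memset`; when the allocation fails, the new line dereferences NULL. Return early instead with `if (ret == NULL) return NULL;`, followed by the `memset` and the flags assignment. Separately, OPENSSL_INIT_set_config_filename() and OPENSSL_INIT_set_config_file_flags() dereference `settings` without a NULL check. If a non-NULL `settings` is the contract, a comment on each should state it.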
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2002-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -142,6 +142,9 @@ int CONF_modules_load_file(const char *filename, const char *appname,
|
||||
OPENSSL_free(file);
|
||||
NCONF_free(conf);
|
||||
|
||||
if (flags & CONF_MFLAGS_IGNORE_RETURN_CODES)
|
||||
return 1;
|
||||
|
||||
return ret;
|
||||
}
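Review bot: The new `if (flags & CONF_MFLAGS_IGNORE_RETURN_CODES) return 1;` at the end of CONF_modules_load_file() overrides whatever `ret` holds, so with that flag a configuration file that fails to load or parse reports success just like a clean load. An application that relies on the configuration to apply security-relevant settings then cannot tell a broken file from a good one. A comment above the check should state that this is deliberate and that callers needing strict behaviour must not pass the flag. How `ret` is computed is outside the hunk.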
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2002-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -39,10 +39,24 @@ void OPENSSL_config(const char *appname)
|
||||
}
|
||||
#endif
|
||||
|
||||
void openssl_config_int(const char *appname)
|
||||
int openssl_config_int(const OPENSSL_INIT_SETTINGS *settings)
|
||||
{
|
||||
int ret;
|
||||
const char *filename;
|
||||
const char *appname;
|
||||
unsigned long flags;
|
||||
|
||||
if (openssl_configured)
|
||||
return;
|
||||
return 1;
|
||||
|
||||
filename = settings ? settings->filename : NULL;
|
||||
appname = settings ? settings->appname : NULL;
|
||||
flags = settings ? settings->flags : DEFAULT_CONF_MFLAGS;
|
||||
|
||||
#ifdef OPENSSL_INIT_DEBUG
|
||||
fprintf(stderr, "OPENSSL_INIT: openssl_config_int(%s, %s, %lu)\n",
|
||||
filename, appname, flags);
|
||||
#endif
|
||||
|
||||
OPENSSL_load_builtin_modules();
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
@ -51,11 +65,10 @@ void openssl_config_int(const char *appname)
|
||||
#endif
|
||||
ERR_clear_error();
|
||||
#ifndef OPENSSL_SYS_UEFI
|
||||
CONF_modules_load_file(NULL, appname,
|
||||
CONF_MFLAGS_DEFAULT_SECTION |
|
||||
CONF_MFLAGS_IGNORE_MISSING_FILE);
|
||||
ret = CONF_modules_load_file(filename, appname, flags);
|
||||
#endif
|
||||
openssl_configured = 1;
|
||||
return ret;
|
||||
}
|
||||
|
||||
void openssl_no_config_int(void)
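Review bot: `ret` in openssl_config_int() is declared without an initialiser and assigned only inside `#ifndef OPENSSL_SYS_UEFI`, so a UEFI build reaches `return ret;` with an indeterminate value. Initialise it at the declaration, e.g. `int ret = 0;`, choosing whichever result a build without config-file loading should report. The OPENSSL_INIT_DEBUG `fprintf` also passes `filename` and `appname` to `%s` although both are NULL when `settings` is NULL, which is undefined behaviour for printf. Guard them with something like `filename ? filename : "(null)"`. Part of the function lies between the two hunks.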
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2015-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -78,6 +78,8 @@ static int ssl_module_init(CONF_IMODULE *md, const CONF *cnf)
|
||||
cnt = sk_CONF_VALUE_num(cmd_lists);
|
||||
ssl_module_free(md);
|
||||
ssl_names = OPENSSL_zalloc(sizeof(*ssl_names) * cnt);
|
||||
if (ssl_names == NULL)
|
||||
goto err;
|
||||
ssl_names_count = cnt;
|
||||
for (i = 0; i < ssl_names_count; i++) {
|
||||
struct ssl_conf_name_st *ssl_name = ssl_names + i;
|
||||
|
@ -1,5 +1,5 @@
|
||||
#! /usr/bin/env perl
|
||||
# Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
# Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
#
|
||||
# Licensed under the OpenSSL license (the "License"). You may not use
|
||||
# this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 1998-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1998-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
@ -352,9 +352,9 @@ void OPENSSL_showfatal(const char *fmta, ...)
|
||||
|
||||
/*
|
||||
* TODO: (For non GUI and no std error cases)
|
||||
* Add event logging feature here.
|
||||
* Add event logging feature here.
|
||||
*/
|
||||
|
||||
|
||||
# if !defined(NDEBUG)
|
||||
/*
|
||||
* We are in a situation where we tried to report a critical
|
||||
@ -393,7 +393,7 @@ void OPENSSL_showfatal(const char *fmta, ...)
|
||||
# endif
|
||||
# else
|
||||
MessageBox(NULL, buf, _T("OpenSSL: FATAL"), MB_OK | MB_ICONERROR);
|
||||
# endif
|
||||
# endif
|
||||
}
|
||||
#else
|
||||
void OPENSSL_showfatal(const char *fmta, ...)
|
||||
@ -460,4 +460,14 @@ uint32_t OPENSSL_rdtsc(void)
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
|
||||
size_t OPENSSL_instrument_bus(unsigned int *out, size_t cnt)
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
|
||||
size_t OPENSSL_instrument_bus2(unsigned int *out, size_t cnt, size_t max)
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
#endif
|
||||
|
@ -1,4 +1,4 @@
|
||||
! Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
! Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
!
|
||||
! Licensed under the OpenSSL license (the "License"). You may not use
|
||||
! this file except in compliance with the License. You can obtain a copy
|
||||
@ -313,7 +313,7 @@ $4:
|
||||
sll out1, 28, out1 ! rotate
|
||||
xor $1, local1, $1 ! 1 finished, local1 now sbox 7
|
||||
|
||||
ld [global2+local2], local2 ! 2
|
||||
ld [global2+local2], local2 ! 2
|
||||
srl out0, 24, local1 ! 7
|
||||
or out1, local0, out1 ! rotate
|
||||
|
||||
@ -1392,7 +1392,7 @@ DES_ncbc_encrypt:
|
||||
add %o7,global1,global1
|
||||
sub global1,.PIC.DES_SPtrans-.des_and,out2
|
||||
|
||||
cmp in5, 0 ! enc
|
||||
cmp in5, 0 ! enc
|
||||
|
||||
be .ncbc.dec
|
||||
STPTR in4, IVEC
|
||||
|
@ -17,6 +17,7 @@
|
||||
#endif
|
||||
|
||||
#include "dso_locl.h"
|
||||
#include "e_os.h"
|
||||
|
||||
#ifdef DSO_DLFCN
|
||||
|
||||
@ -99,6 +100,7 @@ static int dlfcn_load(DSO *dso)
|
||||
/* See applicable comments in dso_dl.c */
|
||||
char *filename = DSO_convert_filename(dso, NULL);
|
||||
int flags = DLOPEN_FLAG;
|
||||
int saveerrno = get_last_sys_error();
|
||||
|
||||
if (filename == NULL) {
|
||||
DSOerr(DSO_F_DLFCN_LOAD, DSO_R_NO_FILENAME);
|
||||
@ -118,6 +120,11 @@ static int dlfcn_load(DSO *dso)
|
||||
ERR_add_error_data(4, "filename(", filename, "): ", dlerror());
|
||||
goto err;
|
||||
}
|
||||
/*
|
||||
* Some dlopen() implementations (e.g. solaris) do no preserve errno, even
|
||||
* on a successful call.
|
||||
*/
|
||||
set_sys_error(saveerrno);
|
||||
if (!sk_void_push(dso->meth_data, (char *)ptr)) {
|
||||
DSOerr(DSO_F_DLFCN_LOAD, DSO_R_STACK_ERROR);
|
||||
goto err;
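Review bot: The comment added in dlfcn_load() has a typo, `do no preserve errno`, which should read `do not preserve errno`. `saveerrno` is captured at the declaration and restored only after the `ptr == NULL` check has passed, so on the failure path errno stays as dlopen() left it. That looks intended, but the comment could say it, e.g. `restore errno only on success; on failure the loader error is reported through dlerror()`. The body of dlfcn_load extends beyond both hunks.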
|
||||
|
@ -1,5 +1,5 @@
|
||||
#! /usr/bin/env perl
|
||||
# Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
# Copyright 2015-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
#
|
||||
# Licensed under the OpenSSL license (the "License"). You may not use
|
||||
# this file except in compliance with the License. You can obtain a copy
|
||||
@ -119,6 +119,7 @@ $code.=<<___;
|
||||
.type ecp_nistz256_to_mont,%function
|
||||
.align 6
|
||||
ecp_nistz256_to_mont:
|
||||
.inst 0xd503233f // paciasp
|
||||
stp x29,x30,[sp,#-32]!
|
||||
add x29,sp,#0
|
||||
stp x19,x20,[sp,#16]
|
||||
@ -134,6 +135,7 @@ ecp_nistz256_to_mont:
|
||||
|
||||
ldp x19,x20,[sp,#16]
|
||||
ldp x29,x30,[sp],#32
|
||||
.inst 0xd50323bf // autiasp
|
||||
ret
|
||||
.size ecp_nistz256_to_mont,.-ecp_nistz256_to_mont
|
||||
|
||||
@ -142,6 +144,7 @@ ecp_nistz256_to_mont:
|
||||
.type ecp_nistz256_from_mont,%function
|
||||
.align 4
|
||||
ecp_nistz256_from_mont:
|
||||
.inst 0xd503233f // paciasp
|
||||
stp x29,x30,[sp,#-32]!
|
||||
add x29,sp,#0
|
||||
stp x19,x20,[sp,#16]
|
||||
@ -157,6 +160,7 @@ ecp_nistz256_from_mont:
|
||||
|
||||
ldp x19,x20,[sp,#16]
|
||||
ldp x29,x30,[sp],#32
|
||||
.inst 0xd50323bf // autiasp
|
||||
ret
|
||||
.size ecp_nistz256_from_mont,.-ecp_nistz256_from_mont
|
||||
|
||||
@ -166,6 +170,7 @@ ecp_nistz256_from_mont:
|
||||
.type ecp_nistz256_mul_mont,%function
|
||||
.align 4
|
||||
ecp_nistz256_mul_mont:
|
||||
.inst 0xd503233f // paciasp
|
||||
stp x29,x30,[sp,#-32]!
|
||||
add x29,sp,#0
|
||||
stp x19,x20,[sp,#16]
|
||||
@ -180,6 +185,7 @@ ecp_nistz256_mul_mont:
|
||||
|
||||
ldp x19,x20,[sp,#16]
|
||||
ldp x29,x30,[sp],#32
|
||||
.inst 0xd50323bf // autiasp
|
||||
ret
|
||||
.size ecp_nistz256_mul_mont,.-ecp_nistz256_mul_mont
|
||||
|
||||
@ -188,6 +194,7 @@ ecp_nistz256_mul_mont:
|
||||
.type ecp_nistz256_sqr_mont,%function
|
||||
.align 4
|
||||
ecp_nistz256_sqr_mont:
|
||||
.inst 0xd503233f // paciasp
|
||||
stp x29,x30,[sp,#-32]!
|
||||
add x29,sp,#0
|
||||
stp x19,x20,[sp,#16]
|
||||
@ -201,6 +208,7 @@ ecp_nistz256_sqr_mont:
|
||||
|
||||
ldp x19,x20,[sp,#16]
|
||||
ldp x29,x30,[sp],#32
|
||||
.inst 0xd50323bf // autiasp
|
||||
ret
|
||||
.size ecp_nistz256_sqr_mont,.-ecp_nistz256_sqr_mont
|
||||
|
||||
@ -210,6 +218,7 @@ ecp_nistz256_sqr_mont:
|
||||
.type ecp_nistz256_add,%function
|
||||
.align 4
|
||||
ecp_nistz256_add:
|
||||
.inst 0xd503233f // paciasp
|
||||
stp x29,x30,[sp,#-16]!
|
||||
add x29,sp,#0
|
||||
|
||||
@ -223,6 +232,7 @@ ecp_nistz256_add:
|
||||
bl __ecp_nistz256_add
|
||||
|
||||
ldp x29,x30,[sp],#16
|
||||
.inst 0xd50323bf // autiasp
|
||||
ret
|
||||
.size ecp_nistz256_add,.-ecp_nistz256_add
|
||||
|
||||
@ -231,6 +241,7 @@ ecp_nistz256_add:
|
||||
.type ecp_nistz256_div_by_2,%function
|
||||
.align 4
|
||||
ecp_nistz256_div_by_2:
|
||||
.inst 0xd503233f // paciasp
|
||||
stp x29,x30,[sp,#-16]!
|
||||
add x29,sp,#0
|
||||
|
||||
@ -242,6 +253,7 @@ ecp_nistz256_div_by_2:
|
||||
bl __ecp_nistz256_div_by_2
|
||||
|
||||
ldp x29,x30,[sp],#16
|
||||
.inst 0xd50323bf // autiasp
|
||||
ret
|
||||
.size ecp_nistz256_div_by_2,.-ecp_nistz256_div_by_2
|
||||
|
||||
@ -250,6 +262,7 @@ ecp_nistz256_div_by_2:
|
||||
.type ecp_nistz256_mul_by_2,%function
|
||||
.align 4
|
||||
ecp_nistz256_mul_by_2:
|
||||
.inst 0xd503233f // paciasp
|
||||
stp x29,x30,[sp,#-16]!
|
||||
add x29,sp,#0
|
||||
|
||||
@ -265,6 +278,7 @@ ecp_nistz256_mul_by_2:
|
||||
bl __ecp_nistz256_add // ret = a+a // 2*a
|
||||
|
||||
ldp x29,x30,[sp],#16
|
||||
.inst 0xd50323bf // autiasp
|
||||
ret
|
||||
.size ecp_nistz256_mul_by_2,.-ecp_nistz256_mul_by_2
|
||||
|
||||
@ -273,6 +287,7 @@ ecp_nistz256_mul_by_2:
|
||||
.type ecp_nistz256_mul_by_3,%function
|
||||
.align 4
|
||||
ecp_nistz256_mul_by_3:
|
||||
.inst 0xd503233f // paciasp
|
||||
stp x29,x30,[sp,#-16]!
|
||||
add x29,sp,#0
|
||||
|
||||
@ -299,6 +314,7 @@ ecp_nistz256_mul_by_3:
|
||||
bl __ecp_nistz256_add // ret += a // 2*a+a=3*a
|
||||
|
||||
ldp x29,x30,[sp],#16
|
||||
.inst 0xd50323bf // autiasp
|
||||
ret
|
||||
.size ecp_nistz256_mul_by_3,.-ecp_nistz256_mul_by_3
|
||||
|
||||
@ -308,6 +324,7 @@ ecp_nistz256_mul_by_3:
|
||||
.type ecp_nistz256_sub,%function
|
||||
.align 4
|
||||
ecp_nistz256_sub:
|
||||
.inst 0xd503233f // paciasp
|
||||
stp x29,x30,[sp,#-16]!
|
||||
add x29,sp,#0
|
||||
|
||||
@ -319,6 +336,7 @@ ecp_nistz256_sub:
|
||||
bl __ecp_nistz256_sub_from
|
||||
|
||||
ldp x29,x30,[sp],#16
|
||||
.inst 0xd50323bf // autiasp
|
||||
ret
|
||||
.size ecp_nistz256_sub,.-ecp_nistz256_sub
|
||||
|
||||
@ -327,6 +345,7 @@ ecp_nistz256_sub:
|
||||
.type ecp_nistz256_neg,%function
|
||||
.align 4
|
||||
ecp_nistz256_neg:
|
||||
.inst 0xd503233f // paciasp
|
||||
stp x29,x30,[sp,#-16]!
|
||||
add x29,sp,#0
|
||||
|
||||
@ -341,6 +360,7 @@ ecp_nistz256_neg:
|
||||
bl __ecp_nistz256_sub_from
|
||||
|
||||
ldp x29,x30,[sp],#16
|
||||
.inst 0xd50323bf // autiasp
|
||||
ret
|
||||
.size ecp_nistz256_neg,.-ecp_nistz256_neg
|
||||
|
||||
@ -701,6 +721,7 @@ $code.=<<___;
|
||||
.type ecp_nistz256_point_double,%function
|
||||
.align 5
|
||||
ecp_nistz256_point_double:
|
||||
.inst 0xd503233f // paciasp
|
||||
stp x29,x30,[sp,#-80]!
|
||||
add x29,sp,#0
|
||||
stp x19,x20,[sp,#16]
|
||||
@ -835,6 +856,7 @@ ecp_nistz256_point_double:
|
||||
ldp x19,x20,[x29,#16]
|
||||
ldp x21,x22,[x29,#32]
|
||||
ldp x29,x30,[sp],#80
|
||||
.inst 0xd50323bf // autiasp
|
||||
ret
|
||||
.size ecp_nistz256_point_double,.-ecp_nistz256_point_double
|
||||
___
|
||||
@ -857,6 +879,7 @@ $code.=<<___;
|
||||
.type ecp_nistz256_point_add,%function
|
||||
.align 5
|
||||
ecp_nistz256_point_add:
|
||||
.inst 0xd503233f // paciasp
|
||||
stp x29,x30,[sp,#-80]!
|
||||
add x29,sp,#0
|
||||
stp x19,x20,[sp,#16]
|
||||
@ -1094,12 +1117,13 @@ $code.=<<___;
|
||||
stp $acc2,$acc3,[$rp_real,#$i+16]
|
||||
|
||||
.Ladd_done:
|
||||
add sp,x29,#0 // destroy frame
|
||||
add sp,x29,#0 // destroy frame
|
||||
ldp x19,x20,[x29,#16]
|
||||
ldp x21,x22,[x29,#32]
|
||||
ldp x23,x24,[x29,#48]
|
||||
ldp x25,x26,[x29,#64]
|
||||
ldp x29,x30,[sp],#80
|
||||
.inst 0xd50323bf // autiasp
|
||||
ret
|
||||
.size ecp_nistz256_point_add,.-ecp_nistz256_point_add
|
||||
___
|
||||
@ -1121,6 +1145,7 @@ $code.=<<___;
|
||||
.type ecp_nistz256_point_add_affine,%function
|
||||
.align 5
|
||||
ecp_nistz256_point_add_affine:
|
||||
.inst 0xd503233f // paciasp
|
||||
stp x29,x30,[sp,#-80]!
|
||||
add x29,sp,#0
|
||||
stp x19,x20,[sp,#16]
|
||||
@ -1309,6 +1334,7 @@ $code.=<<___;
|
||||
ldp x23,x24,[x29,#48]
|
||||
ldp x25,x26,[x29,#64]
|
||||
ldp x29,x30,[sp],#80
|
||||
.inst 0xd50323bf // autiasp
|
||||
ret
|
||||
.size ecp_nistz256_point_add_affine,.-ecp_nistz256_point_add_affine
|
||||
___
|
||||
|
@ -1,5 +1,5 @@
|
||||
#! /usr/bin/env perl
|
||||
# Copyright 2014-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
# Copyright 2014-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
# Copyright (c) 2014, Intel Corporation. All Rights Reserved.
|
||||
# Copyright (c) 2015 CloudFlare, Inc.
|
||||
#
|
||||
@ -1674,6 +1674,7 @@ $code.=<<___;
|
||||
.type __ecp_nistz256_mul_montq,\@abi-omnipotent
|
||||
.align 32
|
||||
__ecp_nistz256_mul_montq:
|
||||
.cfi_startproc
|
||||
########################################################################
|
||||
# Multiply a by b[0]
|
||||
mov %rax, $t1
|
||||
@ -1885,6 +1886,7 @@ __ecp_nistz256_mul_montq:
|
||||
mov $acc1, 8*3($r_ptr)
|
||||
|
||||
ret
|
||||
.cfi_endproc
|
||||
.size __ecp_nistz256_mul_montq,.-__ecp_nistz256_mul_montq
|
||||
|
||||
################################################################################
|
||||
@ -1968,6 +1970,7 @@ $code.=<<___;
|
||||
.type __ecp_nistz256_sqr_montq,\@abi-omnipotent
|
||||
.align 32
|
||||
__ecp_nistz256_sqr_montq:
|
||||
.cfi_startproc
|
||||
mov %rax, $acc5
|
||||
mulq $acc6 # a[1]*a[0]
|
||||
mov %rax, $acc1
|
||||
@ -2125,6 +2128,7 @@ __ecp_nistz256_sqr_montq:
|
||||
mov $acc7, 8*3($r_ptr)
|
||||
|
||||
ret
|
||||
.cfi_endproc
|
||||
.size __ecp_nistz256_sqr_montq,.-__ecp_nistz256_sqr_montq
|
||||
___
|
||||
|
||||
@ -2133,6 +2137,7 @@ $code.=<<___;
|
||||
.type __ecp_nistz256_mul_montx,\@abi-omnipotent
|
||||
.align 32
|
||||
__ecp_nistz256_mul_montx:
|
||||
.cfi_startproc
|
||||
########################################################################
|
||||
# Multiply by b[0]
|
||||
mulx $acc1, $acc0, $acc1
|
||||
@ -2295,11 +2300,13 @@ __ecp_nistz256_mul_montx:
|
||||
mov $acc1, 8*3($r_ptr)
|
||||
|
||||
ret
|
||||
.cfi_endproc
|
||||
.size __ecp_nistz256_mul_montx,.-__ecp_nistz256_mul_montx
|
||||
|
||||
.type __ecp_nistz256_sqr_montx,\@abi-omnipotent
|
||||
.align 32
|
||||
__ecp_nistz256_sqr_montx:
|
||||
.cfi_startproc
|
||||
mulx $acc6, $acc1, $acc2 # a[0]*a[1]
|
||||
mulx $acc7, $t0, $acc3 # a[0]*a[2]
|
||||
xor %eax, %eax
|
||||
@ -2423,6 +2430,7 @@ __ecp_nistz256_sqr_montx:
|
||||
mov $acc7, 8*3($r_ptr)
|
||||
|
||||
ret
|
||||
.cfi_endproc
|
||||
.size __ecp_nistz256_sqr_montx,.-__ecp_nistz256_sqr_montx
|
||||
___
|
||||
}
|
||||
@ -2578,6 +2586,7 @@ ecp_nistz256_scatter_w5:
|
||||
.type ecp_nistz256_gather_w5,\@abi-omnipotent
|
||||
.align 32
|
||||
ecp_nistz256_gather_w5:
|
||||
.cfi_startproc
|
||||
___
|
||||
$code.=<<___ if ($avx>1);
|
||||
mov OPENSSL_ia32cap_P+8(%rip), %eax
|
||||
@ -2666,6 +2675,7 @@ $code.=<<___ if ($win64);
|
||||
___
|
||||
$code.=<<___;
|
||||
ret
|
||||
.cfi_endproc
|
||||
.LSEH_end_ecp_nistz256_gather_w5:
|
||||
.size ecp_nistz256_gather_w5,.-ecp_nistz256_gather_w5
|
||||
|
||||
@ -2694,6 +2704,7 @@ ecp_nistz256_scatter_w7:
|
||||
.type ecp_nistz256_gather_w7,\@abi-omnipotent
|
||||
.align 32
|
||||
ecp_nistz256_gather_w7:
|
||||
.cfi_startproc
|
||||
___
|
||||
$code.=<<___ if ($avx>1);
|
||||
mov OPENSSL_ia32cap_P+8(%rip), %eax
|
||||
@ -2771,6 +2782,7 @@ $code.=<<___ if ($win64);
|
||||
___
|
||||
$code.=<<___;
|
||||
ret
|
||||
.cfi_endproc
|
||||
.LSEH_end_ecp_nistz256_gather_w7:
|
||||
.size ecp_nistz256_gather_w7,.-ecp_nistz256_gather_w7
|
||||
___
|
||||
@ -2787,6 +2799,7 @@ $code.=<<___;
|
||||
.type ecp_nistz256_avx2_gather_w5,\@abi-omnipotent
|
||||
.align 32
|
||||
ecp_nistz256_avx2_gather_w5:
|
||||
.cfi_startproc
|
||||
.Lavx2_gather_w5:
|
||||
vzeroupper
|
||||
___
|
||||
@ -2874,6 +2887,7 @@ $code.=<<___ if ($win64);
|
||||
___
|
||||
$code.=<<___;
|
||||
ret
|
||||
.cfi_endproc
|
||||
.LSEH_end_ecp_nistz256_avx2_gather_w5:
|
||||
.size ecp_nistz256_avx2_gather_w5,.-ecp_nistz256_avx2_gather_w5
|
||||
___
|
||||
@ -2893,6 +2907,7 @@ $code.=<<___;
|
||||
.type ecp_nistz256_avx2_gather_w7,\@abi-omnipotent
|
||||
.align 32
|
||||
ecp_nistz256_avx2_gather_w7:
|
||||
.cfi_startproc
|
||||
.Lavx2_gather_w7:
|
||||
vzeroupper
|
||||
___
|
||||
@ -2995,6 +3010,7 @@ $code.=<<___ if ($win64);
|
||||
___
|
||||
$code.=<<___;
|
||||
ret
|
||||
.cfi_endproc
|
||||
.LSEH_end_ecp_nistz256_avx2_gather_w7:
|
||||
.size ecp_nistz256_avx2_gather_w7,.-ecp_nistz256_avx2_gather_w7
|
||||
___
|
||||
@ -3064,6 +3080,7 @@ $code.=<<___;
|
||||
.type __ecp_nistz256_add_toq,\@abi-omnipotent
|
||||
.align 32
|
||||
__ecp_nistz256_add_toq:
|
||||
.cfi_startproc
|
||||
xor $t4,$t4
|
||||
add 8*0($b_ptr), $a0
|
||||
adc 8*1($b_ptr), $a1
|
||||
@ -3091,11 +3108,13 @@ __ecp_nistz256_add_toq:
|
||||
mov $a3, 8*3($r_ptr)
|
||||
|
||||
ret
|
||||
.cfi_endproc
|
||||
.size __ecp_nistz256_add_toq,.-__ecp_nistz256_add_toq
|
||||
|
||||
.type __ecp_nistz256_sub_fromq,\@abi-omnipotent
|
||||
.align 32
|
||||
__ecp_nistz256_sub_fromq:
|
||||
.cfi_startproc
|
||||
sub 8*0($b_ptr), $a0
|
||||
sbb 8*1($b_ptr), $a1
|
||||
mov $a0, $t0
|
||||
@ -3122,11 +3141,13 @@ __ecp_nistz256_sub_fromq:
|
||||
mov $a3, 8*3($r_ptr)
|
||||
|
||||
ret
|
||||
.cfi_endproc
|
||||
.size __ecp_nistz256_sub_fromq,.-__ecp_nistz256_sub_fromq
|
||||
|
||||
.type __ecp_nistz256_subq,\@abi-omnipotent
|
||||
.align 32
|
||||
__ecp_nistz256_subq:
|
||||
.cfi_startproc
|
||||
sub $a0, $t0
|
||||
sbb $a1, $t1
|
||||
mov $t0, $a0
|
||||
@ -3149,11 +3170,13 @@ __ecp_nistz256_subq:
|
||||
cmovnz $t3, $a3
|
||||
|
||||
ret
|
||||
.cfi_endproc
|
||||
.size __ecp_nistz256_subq,.-__ecp_nistz256_subq
|
||||
|
||||
.type __ecp_nistz256_mul_by_2q,\@abi-omnipotent
|
||||
.align 32
|
||||
__ecp_nistz256_mul_by_2q:
|
||||
.cfi_startproc
|
||||
xor $t4, $t4
|
||||
add $a0, $a0 # a0:a3+a0:a3
|
||||
adc $a1, $a1
|
||||
@ -3181,6 +3204,7 @@ __ecp_nistz256_mul_by_2q:
|
||||
mov $a3, 8*3($r_ptr)
|
||||
|
||||
ret
|
||||
.cfi_endproc
|
||||
.size __ecp_nistz256_mul_by_2q,.-__ecp_nistz256_mul_by_2q
|
||||
___
|
||||
}
|
||||
@ -3620,7 +3644,9 @@ $code.=<<___;
|
||||
movq %xmm1, $a_ptr # restore $a_ptr
|
||||
movq %xmm0, $r_ptr # restore $r_ptr
|
||||
add \$`32*(18-5)`, %rsp # difference in frame sizes
|
||||
.cfi_adjust_cfa_offset `-32*(18-5)`
|
||||
jmp .Lpoint_double_shortcut$x
|
||||
.cfi_adjust_cfa_offset `32*(18-5)`
|
||||
|
||||
.align 32
|
||||
.Ladd_proceed$x:
|
||||
@ -4156,6 +4182,7 @@ $code.=<<___;
|
||||
.type __ecp_nistz256_add_tox,\@abi-omnipotent
|
||||
.align 32
|
||||
__ecp_nistz256_add_tox:
|
||||
.cfi_startproc
|
||||
xor $t4, $t4
|
||||
adc 8*0($b_ptr), $a0
|
||||
adc 8*1($b_ptr), $a1
|
||||
@ -4184,11 +4211,13 @@ __ecp_nistz256_add_tox:
|
||||
mov $a3, 8*3($r_ptr)
|
||||
|
||||
ret
|
||||
.cfi_endproc
|
||||
.size __ecp_nistz256_add_tox,.-__ecp_nistz256_add_tox
|
||||
|
||||
.type __ecp_nistz256_sub_fromx,\@abi-omnipotent
|
||||
.align 32
|
||||
__ecp_nistz256_sub_fromx:
|
||||
.cfi_startproc
|
||||
xor $t4, $t4
|
||||
sbb 8*0($b_ptr), $a0
|
||||
sbb 8*1($b_ptr), $a1
|
||||
@ -4217,11 +4246,13 @@ __ecp_nistz256_sub_fromx:
|
||||
mov $a3, 8*3($r_ptr)
|
||||
|
||||
ret
|
||||
.cfi_endproc
|
||||
.size __ecp_nistz256_sub_fromx,.-__ecp_nistz256_sub_fromx
|
||||
|
||||
.type __ecp_nistz256_subx,\@abi-omnipotent
|
||||
.align 32
|
||||
__ecp_nistz256_subx:
|
||||
.cfi_startproc
|
||||
xor $t4, $t4
|
||||
sbb $a0, $t0
|
||||
sbb $a1, $t1
|
||||
@ -4246,11 +4277,13 @@ __ecp_nistz256_subx:
|
||||
cmovc $t3, $a3
|
||||
|
||||
ret
|
||||
.cfi_endproc
|
||||
.size __ecp_nistz256_subx,.-__ecp_nistz256_subx
|
||||
|
||||
.type __ecp_nistz256_mul_by_2x,\@abi-omnipotent
|
||||
.align 32
|
||||
__ecp_nistz256_mul_by_2x:
|
||||
.cfi_startproc
|
||||
xor $t4, $t4
|
||||
adc $a0, $a0 # a0:a3+a0:a3
|
||||
adc $a1, $a1
|
||||
@ -4279,6 +4312,7 @@ __ecp_nistz256_mul_by_2x:
|
||||
mov $a3, 8*3($r_ptr)
|
||||
|
||||
ret
|
||||
.cfi_endproc
|
||||
.size __ecp_nistz256_mul_by_2x,.-__ecp_nistz256_mul_by_2x
|
||||
___
|
||||
}
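Review bot: The pair of `.cfi_adjust_cfa_offset` directives added around `jmp .Lpoint_double_shortcut$x` is easy to misread as a mistake, because the second one has the opposite sign and follows an unconditional jump. A short comment on the second directive would help, for example `# code below still runs on the larger frame, so restore the CFA offset`. This reading is inferred from the `add ... %rsp # difference in frame sizes` line just above. The surrounding function body is outside the hunk, so confirm it before settling the wording.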
|
||||
|
File diff suppressed because it is too large
@ -246,10 +246,36 @@ c448_error_t c448_ed448_verify(
|
||||
uint8_t context_len)
|
||||
{
|
||||
curve448_point_t pk_point, r_point;
|
||||
c448_error_t error =
|
||||
curve448_point_decode_like_eddsa_and_mul_by_ratio(pk_point, pubkey);
|
||||
c448_error_t error;
|
||||
curve448_scalar_t challenge_scalar;
|
||||
curve448_scalar_t response_scalar;
|
||||
/* Order in little endian format */
|
||||
static const uint8_t order[] = {
|
||||
0xF3, 0x44, 0x58, 0xAB, 0x92, 0xC2, 0x78, 0x23, 0x55, 0x8F, 0xC5, 0x8D,
|
||||
0x72, 0xC2, 0x6C, 0x21, 0x90, 0x36, 0xD6, 0xAE, 0x49, 0xDB, 0x4E, 0xC4,
|
||||
0xE9, 0x23, 0xCA, 0x7C, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x3F, 0x00
|
||||
};
|
||||
int i;
|
||||
|
||||
/*
|
||||
* Check that s (second 57 bytes of the sig) is less than the order. Both
|
||||
* s and the order are in little-endian format. This can be done in
|
||||
* variable time, since if this is not the case the signature if publicly
|
||||
* invalid.
|
||||
*/
|
||||
for (i = EDDSA_448_PUBLIC_BYTES - 1; i >= 0; i--) {
|
||||
if (signature[i + EDDSA_448_PUBLIC_BYTES] > order[i])
|
||||
return C448_FAILURE;
|
||||
if (signature[i + EDDSA_448_PUBLIC_BYTES] < order[i])
|
||||
break;
|
||||
}
|
||||
if (i < 0)
|
||||
return C448_FAILURE;
|
||||
|
||||
error =
|
||||
curve448_point_decode_like_eddsa_and_mul_by_ratio(pk_point, pubkey);
|
||||
|
||||
if (C448_SUCCESS != error)
|
||||
return error;
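Review bot: The new range check in c448_ed448_verify indexes `order[i]` with `EDDSA_448_PUBLIC_BYTES` as the bound, but nothing ties that constant to the length of the `order` initializer, so a later edit to either could read past the array or skip bytes. Declaring the array as `static const uint8_t order[EDDSA_448_PUBLIC_BYTES]`, or adding a compile-time size check, would make the dependency explicit. The comment above the loop has a typo: `the signature if publicly invalid` should read `the signature is publicly invalid`. It would also help to state there that rejecting s >= order is what stops a second encoding of the same signature from being accepted. The function body continues outside the hunk.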
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2015-2016 Cryptography Research, Inc.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
@ -116,7 +116,7 @@ void curve448_scalar_encode(unsigned char ser[C448_SCALAR_BYTES],
|
||||
|
||||
/*
|
||||
* Add two scalars. |a|, |b| and |out| may alias each other.
|
||||
*
|
||||
*
|
||||
* a (in): One scalar.
|
||||
* b (in): Another scalar.
|
||||
* out (out): a+b.
|
||||
@ -135,7 +135,7 @@ void curve448_scalar_sub(curve448_scalar_t out,
|
||||
|
||||
/*
|
||||
* Multiply two scalars. |a|, |b| and |out| may alias each other.
|
||||
*
|
||||
*
|
||||
* a (in): One scalar.
|
||||
* b (in): Another scalar.
|
||||
* out (out): a*b.
|
||||
@ -145,7 +145,7 @@ void curve448_scalar_mul(curve448_scalar_t out,
|
||||
|
||||
/*
|
||||
* Halve a scalar. |a| and |out| may alias each other.
|
||||
*
|
||||
*
|
||||
* a (in): A scalar.
|
||||
* out (out): a/2.
|
||||
*/
|
||||
@ -154,7 +154,7 @@ void curve448_scalar_halve(curve448_scalar_t out, const curve448_scalar_t a);
|
||||
/*
|
||||
* Copy a scalar. The scalars may alias each other, in which case this
|
||||
* function does nothing.
|
||||
*
|
||||
*
|
||||
* a (in): A scalar.
|
||||
* out (out): Will become a copy of a.
|
||||
*/
|
||||
@ -183,7 +183,7 @@ static ossl_inline void curve448_point_copy(curve448_point_t a,
|
||||
*
|
||||
* a (in): A point.
|
||||
* b (in): Another point.
|
||||
*
|
||||
*
|
||||
* Returns:
|
||||
* C448_TRUE: The points are equal.
|
||||
* C448_FALSE: The points are not equal.
|
||||
@ -243,7 +243,7 @@ void curve448_point_mul_by_ratio_and_encode_like_x448(
|
||||
/*
|
||||
* RFC 7748 Diffie-Hellman base point scalarmul. This function uses a different
|
||||
* (non-Decaf) encoding.
|
||||
*
|
||||
*
|
||||
* out (out): The scaled point base*scalar
|
||||
* scalar (in): The scalar to multiply by.
|
||||
*/
|
||||
@ -273,7 +273,7 @@ void curve448_precomputed_scalarmul(curve448_point_t scaled,
|
||||
* base2 (in): A second point to be scaled.
|
||||
* scalar2 (in) A second scalar to multiply by.
|
||||
*
|
||||
* Warning: This function takes variable time, and may leak the scalars used.
|
||||
* Warning: This function takes variable time, and may leak the scalars used.
|
||||
* It is designed for signature verification.
|
||||
*/
|
||||
void curve448_base_double_scalarmul_non_secret(curve448_point_t combo,
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2002-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
@ -810,7 +810,7 @@ int ec_GF2m_simple_ladder_post(const EC_GROUP *group,
|
||||
|| !group->meth->field_mul(group, t2, t2, t0, ctx)
|
||||
|| !BN_GF2m_add(t1, t2, t1)
|
||||
|| !group->meth->field_mul(group, t2, p->X, t0, ctx)
|
||||
|| !BN_GF2m_mod_inv(t2, t2, group->field, ctx)
|
||||
|| !group->meth->field_inv(group, t2, t2, ctx)
|
||||
|| !group->meth->field_mul(group, t1, t1, t2, ctx)
|
||||
|| !group->meth->field_mul(group, r->X, r->Z, t2, ctx)
|
||||
|| !BN_GF2m_add(t2, p->X, r->X)
|
||||
@ -889,6 +889,21 @@ int ec_GF2m_simple_points_mul(const EC_GROUP *group, EC_POINT *r,
|
||||
return ret;
|
||||
}
|
||||
|
||||
/*-
|
||||
* Computes the multiplicative inverse of a in GF(2^m), storing the result in r.
|
||||
* If a is zero (or equivalent), you'll get a EC_R_CANNOT_INVERT error.
|
||||
* SCA hardening is with blinding: BN_GF2m_mod_inv does that.
|
||||
*/
|
||||
static int ec_GF2m_simple_field_inv(const EC_GROUP *group, BIGNUM *r,
|
||||
const BIGNUM *a, BN_CTX *ctx)
|
||||
{
|
||||
int ret;
|
||||
|
||||
if (!(ret = BN_GF2m_mod_inv(r, a, group->field, ctx)))
|
||||
ECerr(EC_F_EC_GF2M_SIMPLE_FIELD_INV, EC_R_CANNOT_INVERT);
|
||||
return ret;
|
||||
}
|
||||
|
||||
const EC_METHOD *EC_GF2m_simple_method(void)
|
||||
{
|
||||
static const EC_METHOD ret = {
|
||||
@ -929,6 +944,7 @@ const EC_METHOD *EC_GF2m_simple_method(void)
|
||||
ec_GF2m_simple_field_mul,
|
||||
ec_GF2m_simple_field_sqr,
|
||||
ec_GF2m_simple_field_div,
|
||||
ec_GF2m_simple_field_inv,
|
||||
0, /* field_encode */
|
||||
0, /* field_decode */
|
||||
0, /* field_set_to_one */
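Review bot: In ec_GF2m_simple_field_inv every zero return from `BN_GF2m_mod_inv` is recorded as `EC_R_CANNOT_INVERT`, so an allocation or RNG failure inside that call would presumably be reported as a non-invertible input. The header comment should say so, for example by adding ` * Any failure of BN_GF2m_mod_inv is reported as EC_R_CANNOT_INVERT, not only a zero input.`; ec_GFp_simple_field_inv in ecp_smpl.c treats `BN_mod_inverse` the same way. Separately, the changed call in ec_GF2m_simple_ladder_post now goes through `group->meth->field_inv` with no NULL check, which is safe only while every EC_METHOD table fills that slot. That function starts and ends outside the hunk.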
|
||||
|
@ -505,7 +505,7 @@ static int ec_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
|
||||
|
||||
case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
|
||||
*(int *)arg2 = NID_sha256;
|
||||
return 2;
|
||||
return 1;
|
||||
|
||||
case ASN1_PKEY_CTRL_SET1_TLS_ENCPT:
|
||||
return EC_KEY_oct2key(EVP_PKEY_get0_EC_KEY(pkey), arg2, arg1, NULL);
|
||||
|
@ -1,6 +1,6 @@
|
||||
/*
|
||||
* Generated by util/mkerr.pl DO NOT EDIT
|
||||
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -66,6 +66,8 @@ static const ERR_STRING_DATA EC_str_functs[] = {
|
||||
"ec_asn1_group2fieldid"},
|
||||
{ERR_PACK(ERR_LIB_EC, EC_F_EC_GF2M_MONTGOMERY_POINT_MULTIPLY, 0),
|
||||
"ec_GF2m_montgomery_point_multiply"},
|
||||
{ERR_PACK(ERR_LIB_EC, EC_F_EC_GF2M_SIMPLE_FIELD_INV, 0),
|
||||
"ec_GF2m_simple_field_inv"},
|
||||
{ERR_PACK(ERR_LIB_EC, EC_F_EC_GF2M_SIMPLE_GROUP_CHECK_DISCRIMINANT, 0),
|
||||
"ec_GF2m_simple_group_check_discriminant"},
|
||||
{ERR_PACK(ERR_LIB_EC, EC_F_EC_GF2M_SIMPLE_GROUP_SET_CURVE, 0),
|
||||
@ -90,6 +92,8 @@ static const ERR_STRING_DATA EC_str_functs[] = {
|
||||
"ec_GFp_mont_field_decode"},
|
||||
{ERR_PACK(ERR_LIB_EC, EC_F_EC_GFP_MONT_FIELD_ENCODE, 0),
|
||||
"ec_GFp_mont_field_encode"},
|
||||
{ERR_PACK(ERR_LIB_EC, EC_F_EC_GFP_MONT_FIELD_INV, 0),
|
||||
"ec_GFp_mont_field_inv"},
|
||||
{ERR_PACK(ERR_LIB_EC, EC_F_EC_GFP_MONT_FIELD_MUL, 0),
|
||||
"ec_GFp_mont_field_mul"},
|
||||
{ERR_PACK(ERR_LIB_EC, EC_F_EC_GFP_MONT_FIELD_SET_TO_ONE, 0),
|
||||
@ -124,6 +128,8 @@ static const ERR_STRING_DATA EC_str_functs[] = {
|
||||
"ec_GFp_nist_group_set_curve"},
|
||||
{ERR_PACK(ERR_LIB_EC, EC_F_EC_GFP_SIMPLE_BLIND_COORDINATES, 0),
|
||||
"ec_GFp_simple_blind_coordinates"},
|
||||
{ERR_PACK(ERR_LIB_EC, EC_F_EC_GFP_SIMPLE_FIELD_INV, 0),
|
||||
"ec_GFp_simple_field_inv"},
|
||||
{ERR_PACK(ERR_LIB_EC, EC_F_EC_GFP_SIMPLE_GROUP_CHECK_DISCRIMINANT, 0),
|
||||
"ec_GFp_simple_group_check_discriminant"},
|
||||
{ERR_PACK(ERR_LIB_EC, EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE, 0),
|
||||
@ -287,6 +293,7 @@ static const ERR_STRING_DATA EC_str_reasons[] = {
|
||||
{ERR_PACK(ERR_LIB_EC, 0, EC_R_BAD_SIGNATURE), "bad signature"},
|
||||
{ERR_PACK(ERR_LIB_EC, 0, EC_R_BIGNUM_OUT_OF_RANGE), "bignum out of range"},
|
||||
{ERR_PACK(ERR_LIB_EC, 0, EC_R_BUFFER_TOO_SMALL), "buffer too small"},
|
||||
{ERR_PACK(ERR_LIB_EC, 0, EC_R_CANNOT_INVERT), "cannot invert"},
|
||||
{ERR_PACK(ERR_LIB_EC, 0, EC_R_COORDINATES_OUT_OF_RANGE),
|
||||
"coordinates out of range"},
|
||||
{ERR_PACK(ERR_LIB_EC, 0, EC_R_CURVE_DOES_NOT_SUPPORT_ECDH),
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
@ -15,7 +15,6 @@
|
||||
#include <openssl/bn.h>
|
||||
#include "internal/refcount.h"
|
||||
#include "internal/ec_int.h"
|
||||
#include "curve448/curve448_lcl.h"
|
||||
|
||||
#if defined(__SUNPRO_C)
|
||||
# if __SUNPRO_C >= 0x520
|
||||
@ -154,6 +153,13 @@ struct ec_method_st {
|
||||
int (*field_sqr) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *);
|
||||
int (*field_div) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
|
||||
const BIGNUM *b, BN_CTX *);
|
||||
/*-
|
||||
* 'field_inv' computes the multipicative inverse of a in the field,
|
||||
* storing the result in r.
|
||||
*
|
||||
* If 'a' is zero (or equivalent), you'll get an EC_R_CANNOT_INVERT error.
|
||||
*/
|
||||
int (*field_inv) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *);
|
||||
/* e.g. to Montgomery */
|
||||
int (*field_encode) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
|
||||
BN_CTX *);
|
||||
@ -390,6 +396,8 @@ int ec_GFp_simple_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
|
||||
const BIGNUM *b, BN_CTX *);
|
||||
int ec_GFp_simple_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
|
||||
BN_CTX *);
|
||||
int ec_GFp_simple_field_inv(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
|
||||
BN_CTX *);
|
||||
int ec_GFp_simple_blind_coordinates(const EC_GROUP *group, EC_POINT *p,
|
||||
BN_CTX *ctx);
|
||||
int ec_GFp_simple_ladder_pre(const EC_GROUP *group,
|
||||
@ -413,6 +421,8 @@ int ec_GFp_mont_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
|
||||
const BIGNUM *b, BN_CTX *);
|
||||
int ec_GFp_mont_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
|
||||
BN_CTX *);
|
||||
int ec_GFp_mont_field_inv(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
|
||||
BN_CTX *);
|
||||
int ec_GFp_mont_field_encode(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
|
||||
BN_CTX *);
|
||||
int ec_GFp_mont_field_decode(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
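Review bot: The comment added above the new `field_inv` member of struct ec_method_st misspells its key term: `multipicative` should be `multiplicative`. The comment also omits the return convention; a line such as ` * Returns 1 on success and 0 on failure.` would match how the implementations added in this commit behave. It is also worth stating that every method table must set this pointer, because the call sites changed in this commit invoke it without a NULL check.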
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
@ -50,6 +50,7 @@ const EC_METHOD *EC_GFp_mont_method(void)
|
||||
ec_GFp_mont_field_mul,
|
||||
ec_GFp_mont_field_sqr,
|
||||
0 /* field_div */ ,
|
||||
ec_GFp_mont_field_inv,
|
||||
ec_GFp_mont_field_encode,
|
||||
ec_GFp_mont_field_decode,
|
||||
ec_GFp_mont_field_set_to_one,
|
||||
@ -206,6 +207,54 @@ int ec_GFp_mont_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
|
||||
return BN_mod_mul_montgomery(r, a, a, group->field_data1, ctx);
|
||||
}
|
||||
|
||||
/*-
|
||||
* Computes the multiplicative inverse of a in GF(p), storing the result in r.
|
||||
* If a is zero (or equivalent), you'll get a EC_R_CANNOT_INVERT error.
|
||||
* We have a Mont structure, so SCA hardening is FLT inversion.
|
||||
*/
|
||||
int ec_GFp_mont_field_inv(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
|
||||
BN_CTX *ctx)
|
||||
{
|
||||
BIGNUM *e = NULL;
|
||||
BN_CTX *new_ctx = NULL;
|
||||
int ret = 0;
|
||||
|
||||
if (group->field_data1 == NULL)
|
||||
return 0;
|
||||
|
||||
if (ctx == NULL && (ctx = new_ctx = BN_CTX_secure_new()) == NULL)
|
||||
return 0;
|
||||
|
||||
BN_CTX_start(ctx);
|
||||
if ((e = BN_CTX_get(ctx)) == NULL)
|
||||
goto err;
|
||||
|
||||
/* Inverse in constant time with Fermats Little Theorem */
|
||||
if (!BN_set_word(e, 2))
|
||||
goto err;
|
||||
if (!BN_sub(e, group->field, e))
|
||||
goto err;
|
||||
/*-
|
||||
* Exponent e is public.
|
||||
* No need for scatter-gather or BN_FLG_CONSTTIME.
|
||||
*/
|
||||
if (!BN_mod_exp_mont(r, a, e, group->field, ctx, group->field_data1))
|
||||
goto err;
|
||||
|
||||
/* throw an error on zero */
|
||||
if (BN_is_zero(r)) {
|
||||
ECerr(EC_F_EC_GFP_MONT_FIELD_INV, EC_R_CANNOT_INVERT);
|
||||
goto err;
|
||||
}
|
||||
|
||||
ret = 1;
|
||||
|
||||
err:
|
||||
BN_CTX_end(ctx);
|
||||
BN_CTX_free(new_ctx);
|
||||
return ret;
|
||||
}
|
||||
|
||||
int ec_GFp_mont_field_encode(const EC_GROUP *group, BIGNUM *r,
|
||||
const BIGNUM *a, BN_CTX *ctx)
|
||||
{
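Review bot: ec_GFp_mont_field_inv returns 0 at `if (group->field_data1 == NULL)` without queuing an error, so a group whose Montgomery data was never set fails with nothing on the error stack from this function. Raising one before the return, for example `ECerr(EC_F_EC_GFP_MONT_FIELD_INV, EC_R_NOT_INITIALIZED);`, would make that case diagnosable. Check which reason code the sibling field_mul and field_sqr use, since their guards are outside the hunk. The `BN_CTX_secure_new()` failure path is silent in the same way. Minor: `Fermats Little Theorem` in the inline comment should be `Fermat's Little Theorem`.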
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
@ -52,6 +52,7 @@ const EC_METHOD *EC_GFp_nist_method(void)
|
||||
ec_GFp_nist_field_mul,
|
||||
ec_GFp_nist_field_sqr,
|
||||
0 /* field_div */ ,
|
||||
ec_GFp_simple_field_inv,
|
||||
0 /* field_encode */ ,
|
||||
0 /* field_decode */ ,
|
||||
0, /* field_set_to_one */
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2010-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2010-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -279,6 +279,7 @@ const EC_METHOD *EC_GFp_nistp224_method(void)
|
||||
ec_GFp_nist_field_mul,
|
||||
ec_GFp_nist_field_sqr,
|
||||
0 /* field_div */ ,
|
||||
ec_GFp_simple_field_inv,
|
||||
0 /* field_encode */ ,
|
||||
0 /* field_decode */ ,
|
||||
0, /* field_set_to_one */
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2011-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -1810,6 +1810,7 @@ const EC_METHOD *EC_GFp_nistp256_method(void)
|
||||
ec_GFp_nist_field_mul,
|
||||
ec_GFp_nist_field_sqr,
|
||||
0 /* field_div */ ,
|
||||
ec_GFp_simple_field_inv,
|
||||
0 /* field_encode */ ,
|
||||
0 /* field_decode */ ,
|
||||
0, /* field_set_to_one */
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2011-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -1647,6 +1647,7 @@ const EC_METHOD *EC_GFp_nistp521_method(void)
|
||||
ec_GFp_nist_field_mul,
|
||||
ec_GFp_nist_field_sqr,
|
||||
0 /* field_div */ ,
|
||||
ec_GFp_simple_field_inv,
|
||||
0 /* field_encode */ ,
|
||||
0 /* field_decode */ ,
|
||||
0, /* field_set_to_one */
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2014-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2014-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright (c) 2014, Intel Corporation. All Rights Reserved.
|
||||
* Copyright (c) 2015, CloudFlare, Inc.
|
||||
*
|
||||
@ -1677,6 +1677,7 @@ const EC_METHOD *EC_GFp_nistz256_method(void)
|
||||
ec_GFp_mont_field_mul,
|
||||
ec_GFp_mont_field_sqr,
|
||||
0, /* field_div */
|
||||
ec_GFp_mont_field_inv,
|
||||
ec_GFp_mont_field_encode,
|
||||
ec_GFp_mont_field_decode,
|
||||
ec_GFp_mont_field_set_to_one,
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
@ -51,6 +51,7 @@ const EC_METHOD *EC_GFp_simple_method(void)
|
||||
ec_GFp_simple_field_mul,
|
||||
ec_GFp_simple_field_sqr,
|
||||
0 /* field_div */ ,
|
||||
ec_GFp_simple_field_inv,
|
||||
0 /* field_encode */ ,
|
||||
0 /* field_decode */ ,
|
||||
0, /* field_set_to_one */
|
||||
@ -553,7 +554,7 @@ int ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP *group,
|
||||
}
|
||||
}
|
||||
} else {
|
||||
if (!BN_mod_inverse(Z_1, Z_, group->field, ctx)) {
|
||||
if (!group->meth->field_inv(group, Z_1, Z_, ctx)) {
|
||||
ECerr(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES,
|
||||
ERR_R_BN_LIB);
|
||||
goto err;
|
||||
@ -1266,7 +1267,7 @@ int ec_GFp_simple_points_make_affine(const EC_GROUP *group, size_t num,
|
||||
* points[i]->Z by its inverse.
|
||||
*/
|
||||
|
||||
if (!BN_mod_inverse(tmp, prod_Z[num - 1], group->field, ctx)) {
|
||||
if (!group->meth->field_inv(group, tmp, prod_Z[num - 1], ctx)) {
|
||||
ECerr(EC_F_EC_GFP_SIMPLE_POINTS_MAKE_AFFINE, ERR_R_BN_LIB);
|
||||
goto err;
|
||||
}
|
||||
@ -1369,6 +1370,50 @@ int ec_GFp_simple_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
|
||||
return BN_mod_sqr(r, a, group->field, ctx);
|
||||
}
|
||||
|
||||
/*-
|
||||
* Computes the multiplicative inverse of a in GF(p), storing the result in r.
|
||||
* If a is zero (or equivalent), you'll get a EC_R_CANNOT_INVERT error.
|
||||
* Since we don't have a Mont structure here, SCA hardening is with blinding.
|
||||
*/
|
||||
int ec_GFp_simple_field_inv(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
|
||||
BN_CTX *ctx)
|
||||
{
|
||||
BIGNUM *e = NULL;
|
||||
BN_CTX *new_ctx = NULL;
|
||||
int ret = 0;
|
||||
|
||||
if (ctx == NULL && (ctx = new_ctx = BN_CTX_secure_new()) == NULL)
|
||||
return 0;
|
||||
|
||||
BN_CTX_start(ctx);
|
||||
if ((e = BN_CTX_get(ctx)) == NULL)
|
||||
goto err;
|
||||
|
||||
do {
|
||||
if (!BN_priv_rand_range(e, group->field))
|
||||
goto err;
|
||||
} while (BN_is_zero(e));
|
||||
|
||||
/* r := a * e */
|
||||
if (!group->meth->field_mul(group, r, a, e, ctx))
|
||||
goto err;
|
||||
/* r := 1/(a * e) */
|
||||
if (!BN_mod_inverse(r, r, group->field, ctx)) {
|
||||
ECerr(EC_F_EC_GFP_SIMPLE_FIELD_INV, EC_R_CANNOT_INVERT);
|
||||
goto err;
|
||||
}
|
||||
/* r := e/(a * e) = 1/a */
|
||||
if (!group->meth->field_mul(group, r, r, e, ctx))
|
||||
goto err;
|
||||
|
||||
ret = 1;
|
||||
|
||||
err:
|
||||
BN_CTX_end(ctx);
|
||||
BN_CTX_free(new_ctx);
|
||||
return ret;
|
||||
}
|
||||
|
||||
/*-
|
||||
* Apply randomization of EC point projective coordinates:
|
||||
*
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -15,6 +15,7 @@
|
||||
#include "internal/asn1_int.h"
|
||||
#include "internal/evp_int.h"
|
||||
#include "ec_lcl.h"
|
||||
#include "curve448/curve448_lcl.h"
|
||||
|
||||
#define X25519_BITS 253
|
||||
#define X25519_SECURITY_BITS 128
|
||||
|
@ -26,7 +26,7 @@ algorithm/mode pair are;
|
||||
EVP_EncryptInit(&ctx, cipher, key, iv);
|
||||
[ ... use EVP_EncryptUpdate() and EVP_EncryptFinal() ...]
|
||||
|
||||
(ii) indirectly;
|
||||
(ii) indirectly;
|
||||
OpenSSL_add_all_ciphers();
|
||||
cipher = EVP_get_cipherbyname("des_cbc");
|
||||
EVP_EncryptInit(&ctx, cipher, key, iv);
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -37,6 +37,15 @@
|
||||
*/
|
||||
static int cfd;
|
||||
|
||||
static int clean_devcrypto_session(struct session_op *sess) {
|
||||
if (ioctl(cfd, CIOCFSESSION, &sess->ses) < 0) {
|
||||
SYSerr(SYS_F_IOCTL, errno);
|
||||
return 0;
|
||||
}
|
||||
memset(sess, 0, sizeof(struct session_op));
|
||||
return 1;
|
||||
}
|
||||
|
||||
/******************************************************************************
|
||||
*
|
||||
* Ciphers
|
||||
@ -49,10 +58,12 @@ static int cfd;
|
||||
|
||||
struct cipher_ctx {
|
||||
struct session_op sess;
|
||||
|
||||
/* to pass from init to do_cipher */
|
||||
const unsigned char *iv;
|
||||
int op; /* COP_ENCRYPT or COP_DECRYPT */
|
||||
unsigned long mode; /* EVP_CIPH_*_MODE */
|
||||
|
||||
/* to handle ctr mode being a stream cipher */
|
||||
unsigned char partial[EVP_MAX_BLOCK_LENGTH];
|
||||
unsigned int blocksize, num;
|
||||
};
|
||||
|
||||
static const struct cipher_data_st {
|
||||
@ -89,9 +100,9 @@ static const struct cipher_data_st {
|
||||
{ NID_aes_256_xts, 16, 256 / 8 * 2, 16, EVP_CIPH_XTS_MODE, CRYPTO_AES_XTS },
|
||||
#endif
|
||||
#if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_AES_ECB)
|
||||
{ NID_aes_128_ecb, 16, 128 / 8, 16, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB },
|
||||
{ NID_aes_192_ecb, 16, 192 / 8, 16, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB },
|
||||
{ NID_aes_256_ecb, 16, 256 / 8, 16, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB },
|
||||
{ NID_aes_128_ecb, 16, 128 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB },
|
||||
{ NID_aes_192_ecb, 16, 192 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB },
|
||||
{ NID_aes_256_ecb, 16, 256 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB },
|
||||
#endif
|
||||
#if 0 /* Not yet supported */
|
||||
{ NID_aes_128_gcm, 16, 128 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM },
|
||||
@ -143,11 +154,17 @@ static int cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
|
||||
const struct cipher_data_st *cipher_d =
|
||||
get_cipher_data(EVP_CIPHER_CTX_nid(ctx));
|
||||
|
||||
memset(&cipher_ctx->sess, 0, sizeof(cipher_ctx->sess));
|
||||
/* cleanup a previous session */
|
||||
if (cipher_ctx->sess.ses != 0 &&
|
||||
clean_devcrypto_session(&cipher_ctx->sess) == 0)
|
||||
return 0;
|
||||
|
||||
cipher_ctx->sess.cipher = cipher_d->devcryptoid;
|
||||
cipher_ctx->sess.keylen = cipher_d->keylen;
|
||||
cipher_ctx->sess.key = (void *)key;
|
||||
cipher_ctx->op = enc ? COP_ENCRYPT : COP_DECRYPT;
|
||||
cipher_ctx->mode = cipher_d->flags & EVP_CIPH_MODE;
|
||||
cipher_ctx->blocksize = cipher_d->blocksize;
|
||||
if (ioctl(cfd, CIOCGSESSION, &cipher_ctx->sess) < 0) {
|
||||
SYSerr(SYS_F_IOCTL, errno);
|
||||
return 0;
|
||||
@ -162,8 +179,11 @@ static int cipher_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
|
||||
struct cipher_ctx *cipher_ctx =
|
||||
(struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx);
|
||||
struct crypt_op cryp;
|
||||
unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);
|
||||
#if !defined(COP_FLAG_WRITE_IV)
|
||||
unsigned char saved_iv[EVP_MAX_IV_LENGTH];
|
||||
const unsigned char *ivptr;
|
||||
size_t nblocks, ivlen;
|
||||
#endif
|
||||
|
||||
memset(&cryp, 0, sizeof(cryp));
|
||||
@ -171,19 +191,28 @@ static int cipher_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
|
||||
cryp.len = inl;
|
||||
cryp.src = (void *)in;
|
||||
cryp.dst = (void *)out;
|
||||
cryp.iv = (void *)EVP_CIPHER_CTX_iv_noconst(ctx);
|
||||
cryp.iv = (void *)iv;
|
||||
cryp.op = cipher_ctx->op;
|
||||
#if !defined(COP_FLAG_WRITE_IV)
|
||||
cryp.flags = 0;
|
||||
|
||||
if (EVP_CIPHER_CTX_iv_length(ctx) > 0) {
|
||||
assert(inl >= EVP_CIPHER_CTX_iv_length(ctx));
|
||||
if (!EVP_CIPHER_CTX_encrypting(ctx)) {
|
||||
unsigned char *ivptr = in + inl - EVP_CIPHER_CTX_iv_length(ctx);
|
||||
ivlen = EVP_CIPHER_CTX_iv_length(ctx);
|
||||
if (ivlen > 0)
|
||||
switch (cipher_ctx->mode) {
|
||||
case EVP_CIPH_CBC_MODE:
|
||||
assert(inl >= ivlen);
|
||||
if (!EVP_CIPHER_CTX_encrypting(ctx)) {
|
||||
ivptr = in + inl - ivlen;
|
||||
memcpy(saved_iv, ivptr, ivlen);
|
||||
}
|
||||
break;
|
||||
|
||||
memcpy(saved_iv, ivptr, EVP_CIPHER_CTX_iv_length(ctx));
|
||||
case EVP_CIPH_CTR_MODE:
|
||||
break;
|
||||
|
||||
default: /* should not happen */
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
#else
|
||||
cryp.flags = COP_FLAG_WRITE_IV;
|
||||
#endif
|
||||
@ -194,32 +223,113 @@ static int cipher_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
|
||||
}
|
||||
|
||||
#if !defined(COP_FLAG_WRITE_IV)
|
||||
if (EVP_CIPHER_CTX_iv_length(ctx) > 0) {
|
||||
unsigned char *ivptr = saved_iv;
|
||||
if (ivlen > 0)
|
||||
switch (cipher_ctx->mode) {
|
||||
case EVP_CIPH_CBC_MODE:
|
||||
assert(inl >= ivlen);
|
||||
if (EVP_CIPHER_CTX_encrypting(ctx))
|
||||
ivptr = out + inl - ivlen;
|
||||
else
|
||||
ivptr = saved_iv;
|
||||
|
||||
assert(inl >= EVP_CIPHER_CTX_iv_length(ctx));
|
||||
if (!EVP_CIPHER_CTX_encrypting(ctx))
|
||||
ivptr = out + inl - EVP_CIPHER_CTX_iv_length(ctx);
|
||||
memcpy(iv, ivptr, ivlen);
|
||||
break;
|
||||
|
||||
memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), ivptr,
|
||||
EVP_CIPHER_CTX_iv_length(ctx));
|
||||
}
|
||||
case EVP_CIPH_CTR_MODE:
|
||||
nblocks = (inl + cipher_ctx->blocksize - 1)
|
||||
/ cipher_ctx->blocksize;
|
||||
do {
|
||||
ivlen--;
|
||||
nblocks += iv[ivlen];
|
||||
iv[ivlen] = (uint8_t) nblocks;
|
||||
nblocks >>= 8;
|
||||
} while (ivlen);
|
||||
break;
|
||||
|
||||
default: /* should not happen */
|
||||
return 0;
|
||||
}
|
||||
#endif
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
static int ctr_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
|
||||
const unsigned char *in, size_t inl)
|
||||
{
|
||||
struct cipher_ctx *cipher_ctx =
|
||||
(struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx);
|
||||
size_t nblocks, len;
|
||||
|
||||
/* initial partial block */
|
||||
while (cipher_ctx->num && inl) {
|
||||
(*out++) = *(in++) ^ cipher_ctx->partial[cipher_ctx->num];
|
||||
--inl;
|
||||
cipher_ctx->num = (cipher_ctx->num + 1) % cipher_ctx->blocksize;
|
||||
}
|
||||
|
||||
/* full blocks */
|
||||
if (inl > (unsigned int) cipher_ctx->blocksize) {
|
||||
nblocks = inl/cipher_ctx->blocksize;
|
||||
len = nblocks * cipher_ctx->blocksize;
|
||||
if (cipher_do_cipher(ctx, out, in, len) < 1)
|
||||
return 0;
|
||||
inl -= len;
|
||||
out += len;
|
||||
in += len;
|
||||
}
|
||||
|
||||
/* final partial block */
|
||||
if (inl) {
|
||||
memset(cipher_ctx->partial, 0, cipher_ctx->blocksize);
|
||||
if (cipher_do_cipher(ctx, cipher_ctx->partial, cipher_ctx->partial,
|
||||
cipher_ctx->blocksize) < 1)
|
||||
return 0;
|
||||
while (inl--) {
|
||||
out[cipher_ctx->num] = in[cipher_ctx->num]
|
||||
^ cipher_ctx->partial[cipher_ctx->num];
|
||||
cipher_ctx->num++;
|
||||
}
|
||||
}
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
static int cipher_ctrl(EVP_CIPHER_CTX *ctx, int type, int p1, void* p2)
|
||||
{
|
||||
struct cipher_ctx *cipher_ctx =
|
||||
(struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx);
|
||||
EVP_CIPHER_CTX *to_ctx = (EVP_CIPHER_CTX *)p2;
|
||||
struct cipher_ctx *to_cipher_ctx;
|
||||
|
||||
switch (type) {
|
||||
case EVP_CTRL_COPY:
|
||||
if (cipher_ctx == NULL)
|
||||
return 1;
|
||||
/* when copying the context, a new session needs to be initialized */
|
||||
to_cipher_ctx =
|
||||
(struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(to_ctx);
|
||||
memset(&to_cipher_ctx->sess, 0, sizeof(to_cipher_ctx->sess));
|
||||
return cipher_init(to_ctx, cipher_ctx->sess.key, EVP_CIPHER_CTX_iv(ctx),
|
||||
(cipher_ctx->op == COP_ENCRYPT));
|
||||
|
||||
case EVP_CTRL_INIT:
|
||||
memset(&cipher_ctx->sess, 0, sizeof(cipher_ctx->sess));
|
||||
return 1;
|
||||
|
||||
default:
|
||||
break;
|
||||
}
|
||||
|
||||
return -1;
|
||||
}
|
||||
|
||||
static int cipher_cleanup(EVP_CIPHER_CTX *ctx)
|
||||
{
|
||||
struct cipher_ctx *cipher_ctx =
|
||||
(struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx);
|
||||
|
||||
if (ioctl(cfd, CIOCFSESSION, &cipher_ctx->sess.ses) < 0) {
|
||||
SYSerr(SYS_F_IOCTL, errno);
|
||||
return 0;
|
||||
}
|
||||
|
||||
return 1;
|
||||
return clean_devcrypto_session(&cipher_ctx->sess);
|
||||
}
|
||||
|
||||
/*
|
||||
@ -235,6 +345,7 @@ static void prepare_cipher_methods(void)
|
||||
{
|
||||
size_t i;
|
||||
struct session_op sess;
|
||||
unsigned long cipher_mode;
|
||||
|
||||
memset(&sess, 0, sizeof(sess));
|
||||
sess.key = (void *)"01234567890123456789012345678901234567890123456789";
|
||||
@ -252,18 +363,26 @@ static void prepare_cipher_methods(void)
|
||||
|| ioctl(cfd, CIOCFSESSION, &sess.ses) < 0)
|
||||
continue;
|
||||
|
||||
cipher_mode = cipher_data[i].flags & EVP_CIPH_MODE;
|
||||
|
||||
if ((known_cipher_methods[i] =
|
||||
EVP_CIPHER_meth_new(cipher_data[i].nid,
|
||||
cipher_data[i].blocksize,
|
||||
cipher_mode == EVP_CIPH_CTR_MODE ? 1 :
|
||||
cipher_data[i].blocksize,
|
||||
cipher_data[i].keylen)) == NULL
|
||||
|| !EVP_CIPHER_meth_set_iv_length(known_cipher_methods[i],
|
||||
cipher_data[i].ivlen)
|
||||
|| !EVP_CIPHER_meth_set_flags(known_cipher_methods[i],
|
||||
cipher_data[i].flags
|
||||
| EVP_CIPH_CUSTOM_COPY
|
||||
| EVP_CIPH_CTRL_INIT
|
||||
| EVP_CIPH_FLAG_DEFAULT_ASN1)
|
||||
|| !EVP_CIPHER_meth_set_init(known_cipher_methods[i], cipher_init)
|
||||
|| !EVP_CIPHER_meth_set_do_cipher(known_cipher_methods[i],
|
||||
cipher_mode == EVP_CIPH_CTR_MODE ?
|
||||
ctr_do_cipher :
|
||||
cipher_do_cipher)
|
||||
|| !EVP_CIPHER_meth_set_ctrl(known_cipher_methods[i], cipher_ctrl)
|
||||
|| !EVP_CIPHER_meth_set_cleanup(known_cipher_methods[i],
|
||||
cipher_cleanup)
|
||||
|| !EVP_CIPHER_meth_set_impl_ctx_size(known_cipher_methods[i],
|
||||
@ -340,34 +459,36 @@ static int devcrypto_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
|
||||
|
||||
struct digest_ctx {
|
||||
struct session_op sess;
|
||||
int init;
|
||||
/* This signals that the init function was called, not that it succeeded. */
|
||||
int init_called;
|
||||
};
|
||||
|
||||
static const struct digest_data_st {
|
||||
int nid;
|
||||
int blocksize;
|
||||
int digestlen;
|
||||
int devcryptoid;
|
||||
} digest_data[] = {
|
||||
#ifndef OPENSSL_NO_MD5
|
||||
{ NID_md5, 16, CRYPTO_MD5 },
|
||||
{ NID_md5, /* MD5_CBLOCK */ 64, 16, CRYPTO_MD5 },
|
||||
#endif
|
||||
{ NID_sha1, 20, CRYPTO_SHA1 },
|
||||
{ NID_sha1, SHA_CBLOCK, 20, CRYPTO_SHA1 },
|
||||
#ifndef OPENSSL_NO_RMD160
|
||||
# if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_RIPEMD160)
|
||||
{ NID_ripemd160, 20, CRYPTO_RIPEMD160 },
|
||||
{ NID_ripemd160, /* RIPEMD160_CBLOCK */ 64, 20, CRYPTO_RIPEMD160 },
|
||||
# endif
|
||||
#endif
|
||||
#if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_SHA2_224)
|
||||
{ NID_sha224, 224 / 8, CRYPTO_SHA2_224 },
|
||||
{ NID_sha224, SHA256_CBLOCK, 224 / 8, CRYPTO_SHA2_224 },
|
||||
#endif
|
||||
#if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_SHA2_256)
|
||||
{ NID_sha256, 256 / 8, CRYPTO_SHA2_256 },
|
||||
{ NID_sha256, SHA256_CBLOCK, 256 / 8, CRYPTO_SHA2_256 },
|
||||
#endif
|
||||
#if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_SHA2_384)
|
||||
{ NID_sha384, 384 / 8, CRYPTO_SHA2_384 },
|
||||
{ NID_sha384, SHA512_CBLOCK, 384 / 8, CRYPTO_SHA2_384 },
|
||||
#endif
|
||||
#if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_SHA2_512)
|
||||
{ NID_sha512, 512 / 8, CRYPTO_SHA2_512 },
|
||||
{ NID_sha512, SHA512_CBLOCK, 512 / 8, CRYPTO_SHA2_512 },
|
||||
#endif
|
||||
};
|
||||
|
||||
@ -405,7 +526,7 @@ static int digest_init(EVP_MD_CTX *ctx)
|
||||
const struct digest_data_st *digest_d =
|
||||
get_digest_data(EVP_MD_CTX_type(ctx));
|
||||
|
||||
digest_ctx->init = 1;
|
||||
digest_ctx->init_called = 1;
|
||||
|
||||
memset(&digest_ctx->sess, 0, sizeof(digest_ctx->sess));
|
||||
digest_ctx->sess.mac = digest_d->devcryptoid;
|
||||
@ -440,6 +561,9 @@ static int digest_update(EVP_MD_CTX *ctx, const void *data, size_t count)
|
||||
if (count == 0)
|
||||
return 1;
|
||||
|
||||
if (digest_ctx == NULL)
|
||||
return 0;
|
||||
|
||||
if (digest_op(digest_ctx, data, count, NULL, COP_FLAG_UPDATE) < 0) {
|
||||
SYSerr(SYS_F_IOCTL, errno);
|
||||
return 0;
|
||||
@ -453,11 +577,9 @@ static int digest_final(EVP_MD_CTX *ctx, unsigned char *md)
|
||||
struct digest_ctx *digest_ctx =
|
||||
(struct digest_ctx *)EVP_MD_CTX_md_data(ctx);
|
||||
|
||||
if (digest_op(digest_ctx, NULL, 0, md, COP_FLAG_FINAL) < 0) {
|
||||
SYSerr(SYS_F_IOCTL, errno);
|
||||
if (md == NULL || digest_ctx == NULL)
|
||||
return 0;
|
||||
}
|
||||
if (ioctl(cfd, CIOCFSESSION, &digest_ctx->sess.ses) < 0) {
|
||||
if (digest_op(digest_ctx, NULL, 0, md, COP_FLAG_FINAL) < 0) {
|
||||
SYSerr(SYS_F_IOCTL, errno);
|
||||
return 0;
|
||||
}
|
||||
@ -473,14 +595,9 @@ static int digest_copy(EVP_MD_CTX *to, const EVP_MD_CTX *from)
|
||||
(struct digest_ctx *)EVP_MD_CTX_md_data(to);
|
||||
struct cphash_op cphash;
|
||||
|
||||
if (digest_from == NULL)
|
||||
if (digest_from == NULL || digest_from->init_called != 1)
|
||||
return 1;
|
||||
|
||||
if (digest_from->init != 1) {
|
||||
SYSerr(SYS_F_IOCTL, EINVAL);
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (!digest_init(to)) {
|
||||
SYSerr(SYS_F_IOCTL, errno);
|
||||
return 0;
|
||||
@ -497,7 +614,37 @@ static int digest_copy(EVP_MD_CTX *to, const EVP_MD_CTX *from)
|
||||
|
||||
static int digest_cleanup(EVP_MD_CTX *ctx)
|
||||
{
|
||||
return 1;
|
||||
struct digest_ctx *digest_ctx =
|
||||
(struct digest_ctx *)EVP_MD_CTX_md_data(ctx);
|
||||
|
||||
if (digest_ctx == NULL)
|
||||
return 1;
|
||||
|
||||
return clean_devcrypto_session(&digest_ctx->sess);
|
||||
}
|
||||
|
||||
static int devcrypto_test_digest(size_t digest_data_index)
|
||||
{
|
||||
struct session_op sess1, sess2;
|
||||
struct cphash_op cphash;
|
||||
int ret=0;
|
||||
|
||||
memset(&sess1, 0, sizeof(sess1));
|
||||
memset(&sess2, 0, sizeof(sess2));
|
||||
sess1.mac = digest_data[digest_data_index].devcryptoid;
|
||||
if (ioctl(cfd, CIOCGSESSION, &sess1) < 0)
|
||||
return 0;
|
||||
/* Make sure the driver is capable of hash state copy */
|
||||
sess2.mac = sess1.mac;
|
||||
if (ioctl(cfd, CIOCGSESSION, &sess2) >= 0) {
|
||||
cphash.src_ses = sess1.ses;
|
||||
cphash.dst_ses = sess2.ses;
|
||||
if (ioctl(cfd, CIOCCPHASH, &cphash) >= 0)
|
||||
ret = 1;
|
||||
ioctl(cfd, CIOCFSESSION, &sess2.ses);
|
||||
}
|
||||
ioctl(cfd, CIOCFSESSION, &sess1.ses);
|
||||
return ret;
|
||||
}
|
||||
|
||||
/*
|
||||
@ -512,24 +659,20 @@ static EVP_MD *known_digest_methods[OSSL_NELEM(digest_data)] = { NULL, };
|
||||
static void prepare_digest_methods(void)
|
||||
{
|
||||
size_t i;
|
||||
struct session_op sess;
|
||||
|
||||
memset(&sess, 0, sizeof(sess));
|
||||
|
||||
for (i = 0, known_digest_nids_amount = 0; i < OSSL_NELEM(digest_data);
|
||||
i++) {
|
||||
|
||||
/*
|
||||
* Check that the algo is really availably by trying to open and close
|
||||
* a session.
|
||||
* Check that the algo is usable
|
||||
*/
|
||||
sess.mac = digest_data[i].devcryptoid;
|
||||
if (ioctl(cfd, CIOCGSESSION, &sess) < 0
|
||||
|| ioctl(cfd, CIOCFSESSION, &sess.ses) < 0)
|
||||
if (!devcrypto_test_digest(i))
|
||||
continue;
|
||||
|
||||
if ((known_digest_methods[i] = EVP_MD_meth_new(digest_data[i].nid,
|
||||
NID_undef)) == NULL
|
||||
|| !EVP_MD_meth_set_input_blocksize(known_digest_methods[i],
|
||||
digest_data[i].blocksize)
|
||||
|| !EVP_MD_meth_set_result_size(known_digest_methods[i],
|
||||
digest_data[i].digestlen)
|
||||
|| !EVP_MD_meth_set_init(known_digest_methods[i], digest_init)
|
||||
@ -620,15 +763,10 @@ void engine_load_devcrypto_int()
|
||||
#ifndef ENGINE_DEVCRYPTO_DEBUG
|
||||
if (errno != ENOENT)
|
||||
#endif
|
||||
fprintf(stderr, "Could not open /dev/crypto: %s\n", strerror(errno));
|
||||
fprintf(stderr, "Could not open /dev/crypto: %s\n", strerror(errno));
|
||||
return;
|
||||
}
|
||||
|
||||
prepare_cipher_methods();
|
||||
#ifdef IMPLEMENT_DIGEST
|
||||
prepare_digest_methods();
|
||||
#endif
|
||||
|
||||
if ((e = ENGINE_new()) == NULL
|
||||
|| !ENGINE_set_destroy_function(e, devcrypto_unload)) {
|
||||
ENGINE_free(e);
|
||||
@ -641,6 +779,11 @@ void engine_load_devcrypto_int()
|
||||
return;
|
||||
}
|
||||
|
||||
prepare_cipher_methods();
|
||||
#ifdef IMPLEMENT_DIGEST
|
||||
prepare_digest_methods();
|
||||
#endif
|
||||
|
||||
if (!ENGINE_set_id(e, "devcrypto")
|
||||
|| !ENGINE_set_name(e, "/dev/crypto engine")
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -124,7 +124,7 @@ static int int_cleanup_check(int create)
|
||||
static ENGINE_CLEANUP_ITEM *int_cleanup_item(ENGINE_CLEANUP_CB *cb)
|
||||
{
|
||||
ENGINE_CLEANUP_ITEM *item;
|
||||
|
||||
|
||||
if ((item = OPENSSL_malloc(sizeof(*item))) == NULL) {
|
||||
ENGINEerr(ENGINE_F_INT_CLEANUP_ITEM, ERR_R_MALLOC_FAILURE);
|
||||
return NULL;
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -19,6 +19,9 @@
|
||||
#include <openssl/bio.h>
|
||||
#include <openssl/opensslconf.h>
|
||||
#include "internal/thread_once.h"
|
||||
#include "internal/ctype.h"
|
||||
#include "internal/constant_time_locl.h"
|
||||
#include "e_os.h"
|
||||
|
||||
static int err_load_strings(const ERR_STRING_DATA *str);
|
||||
|
||||
@ -181,8 +184,9 @@ static ERR_STRING_DATA *int_err_get_item(const ERR_STRING_DATA *d)
|
||||
}
|
||||
|
||||
#ifndef OPENSSL_NO_ERR
|
||||
/* A measurement on Linux 2018-11-21 showed about 3.5kib */
|
||||
# define SPACE_SYS_STR_REASONS 4 * 1024
|
||||
# define NUM_SYS_STR_REASONS 127
|
||||
# define LEN_SYS_STR_REASON 32
|
||||
|
||||
static ERR_STRING_DATA SYS_str_reasons[NUM_SYS_STR_REASONS + 1];
|
||||
/*
|
||||
@ -198,9 +202,12 @@ static ERR_STRING_DATA SYS_str_reasons[NUM_SYS_STR_REASONS + 1];
|
||||
static void build_SYS_str_reasons(void)
|
||||
{
|
||||
/* OPENSSL_malloc cannot be used here, use static storage instead */
|
||||
static char strerror_tab[NUM_SYS_STR_REASONS][LEN_SYS_STR_REASON];
|
||||
static char strerror_pool[SPACE_SYS_STR_REASONS];
|
||||
char *cur = strerror_pool;
|
||||
size_t cnt = 0;
|
||||
static int init = 1;
|
||||
int i;
|
||||
int saveerrno = get_last_sys_error();
|
||||
|
||||
CRYPTO_THREAD_write_lock(err_string_lock);
|
||||
if (!init) {
|
||||
@ -213,9 +220,26 @@ static void build_SYS_str_reasons(void)
|
||||
|
||||
str->error = ERR_PACK(ERR_LIB_SYS, 0, i);
|
||||
if (str->string == NULL) {
|
||||
char (*dest)[LEN_SYS_STR_REASON] = &(strerror_tab[i - 1]);
|
||||
if (openssl_strerror_r(i, *dest, sizeof(*dest)))
|
||||
str->string = *dest;
|
||||
if (openssl_strerror_r(i, cur, sizeof(strerror_pool) - cnt)) {
|
||||
size_t l = strlen(cur);
|
||||
|
||||
str->string = cur;
|
||||
cnt += l;
|
||||
if (cnt > sizeof(strerror_pool))
|
||||
cnt = sizeof(strerror_pool);
|
||||
cur += l;
|
||||
|
||||
/*
|
||||
* VMS has an unusual quirk of adding spaces at the end of
|
||||
* some (most? all?) messages. Lets trim them off.
|
||||
*/
|
||||
while (ossl_isspace(cur[-1])) {
|
||||
cur--;
|
||||
cnt--;
|
||||
}
|
||||
*cur++ = '\0';
|
||||
cnt++;
|
||||
}
|
||||
}
|
||||
if (str->string == NULL)
|
||||
str->string = "unknown";
|
||||
@ -229,6 +253,8 @@ static void build_SYS_str_reasons(void)
|
||||
init = 0;
|
||||
|
||||
CRYPTO_THREAD_unlock(err_string_lock);
|
||||
/* openssl_strerror_r could change errno, but we want to preserve it */
|
||||
set_sys_error(saveerrno);
|
||||
err_load_strings(SYS_str_reasons);
|
||||
}
|
||||
#endif
|
||||
@ -671,6 +697,7 @@ DEFINE_RUN_ONCE_STATIC(err_do_init)
|
||||
ERR_STATE *ERR_get_state(void)
|
||||
{
|
||||
ERR_STATE *state;
|
||||
int saveerrno = get_last_sys_error();
|
||||
|
||||
if (!OPENSSL_init_crypto(OPENSSL_INIT_BASE_ONLY, NULL))
|
||||
return NULL;
|
||||
@ -702,6 +729,7 @@ ERR_STATE *ERR_get_state(void)
|
||||
OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
|
||||
}
|
||||
|
||||
set_sys_error(saveerrno);
|
||||
return state;
|
||||
}
|
||||
|
||||
@ -711,6 +739,20 @@ ERR_STATE *ERR_get_state(void)
|
||||
*/
|
||||
int err_shelve_state(void **state)
|
||||
{
|
||||
int saveerrno = get_last_sys_error();
|
||||
|
||||
/*
|
||||
* Note, at present our only caller is OPENSSL_init_crypto(), indirectly
|
||||
* via ossl_init_load_crypto_nodelete(), by which point the requested
|
||||
* "base" initialization has already been performed, so the below call is a
|
||||
* NOOP, that re-enters OPENSSL_init_crypto() only to quickly return.
|
||||
*
|
||||
* If are no other valid callers of this function, the call below can be
|
||||
* removed, avoiding the re-entry into OPENSSL_init_crypto(). If there are
|
||||
* potential uses that are not from inside OPENSSL_init_crypto(), then this
|
||||
* call is needed, but some care is required to make sure that the re-entry
|
||||
* remains a NOOP.
|
||||
*/
|
||||
if (!OPENSSL_init_crypto(OPENSSL_INIT_BASE_ONLY, NULL))
|
||||
return 0;
|
||||
|
||||
@ -721,6 +763,7 @@ int err_shelve_state(void **state)
|
||||
if (!CRYPTO_THREAD_set_local(&err_thread_local, (ERR_STATE*)-1))
|
||||
return 0;
|
||||
|
||||
set_sys_error(saveerrno);
|
||||
return 1;
|
||||
}
|
||||
|
||||
@ -747,20 +790,31 @@ int ERR_get_next_error_library(void)
|
||||
return ret;
|
||||
}
|
||||
|
||||
void ERR_set_error_data(char *data, int flags)
|
||||
static int err_set_error_data_int(char *data, int flags)
|
||||
{
|
||||
ERR_STATE *es;
|
||||
int i;
|
||||
|
||||
es = ERR_get_state();
|
||||
if (es == NULL)
|
||||
return;
|
||||
return 0;
|
||||
|
||||
i = es->top;
|
||||
|
||||
err_clear_data(es, i);
|
||||
es->err_data[i] = data;
|
||||
es->err_data_flags[i] = flags;
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
void ERR_set_error_data(char *data, int flags)
|
||||
{
|
||||
/*
|
||||
* This function is void so we cannot propagate the error return. Since it
|
||||
* is also in the public API we can't change the return type.
|
||||
*/
|
||||
err_set_error_data_int(data, flags);
|
||||
}
|
||||
|
||||
void ERR_add_error_data(int num, ...)
|
||||
@ -800,7 +854,8 @@ void ERR_add_error_vdata(int num, va_list args)
|
||||
}
|
||||
OPENSSL_strlcat(str, a, (size_t)s + 1);
|
||||
}
|
||||
ERR_set_error_data(str, ERR_TXT_MALLOCED | ERR_TXT_STRING);
|
||||
if (!err_set_error_data_int(str, ERR_TXT_MALLOCED | ERR_TXT_STRING))
|
||||
OPENSSL_free(str);
|
||||
}
|
||||
|
||||
int ERR_set_mark(void)
|
||||
@ -857,3 +912,42 @@ int ERR_clear_last_mark(void)
|
||||
es->err_flags[top] &= ~ERR_FLAG_MARK;
|
||||
return 1;
|
||||
}
|
||||
|
||||
#ifdef UINTPTR_T
|
||||
# undef UINTPTR_T
|
||||
#endif
|
||||
/*
|
||||
* uintptr_t is the answer, but unfortunately C89, current "least common
|
||||
* denominator" doesn't define it. Most legacy platforms typedef it anyway,
|
||||
* so that attempt to fill the gaps means that one would have to identify
|
||||
* that track these gaps, which would be undesirable. Macro it is...
|
||||
*/
|
||||
#if defined(__VMS) && __INITIAL_POINTER_SIZE==64
|
||||
/*
|
||||
* But we can't use size_t on VMS, because it adheres to sizeof(size_t)==4
|
||||
* even in 64-bit builds, which means that it won't work as mask.
|
||||
*/
|
||||
# define UINTPTR_T unsigned long long
|
||||
#else
|
||||
# define UINTPTR_T size_t
|
||||
#endif
|
||||
|
||||
void err_clear_last_constant_time(int clear)
|
||||
{
|
||||
ERR_STATE *es;
|
||||
int top;
|
||||
|
||||
es = ERR_get_state();
|
||||
if (es == NULL)
|
||||
return;
|
||||
|
||||
top = es->top;
|
||||
|
||||
es->err_flags[top] &= ~(0 - clear);
|
||||
es->err_buffer[top] &= ~(0UL - clear);
|
||||
es->err_file[top] = (const char *)((UINTPTR_T)es->err_file[top] &
|
||||
~((UINTPTR_T)0 - clear));
|
||||
es->err_line[top] |= 0 - clear;
|
||||
|
||||
es->top = (top + ERR_NUM_ERRORS - clear) % ERR_NUM_ERRORS;
|
||||
}
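Review bot: The trailing-whitespace trim added to build_SYS_str_reasons, `while (ossl_isspace(cur[-1]))`, has no lower bound. If the message returned for the first errno were empty or all whitespace, it would read one byte before `strerror_pool` and could move `cur` and `cnt` below the start of the pool; `while (cur > strerror_pool && ossl_isspace(cur[-1]))` keeps it inside the buffer. The same hunk also keeps calling `openssl_strerror_r(i, cur, sizeof(strerror_pool) - cnt)` once the pool is full, i.e. with a length of 0, and that helper's behaviour for a zero-length buffer is not visible here. Tightening the outer test to `if (cnt < sizeof(strerror_pool) && str->string == NULL)` would let exhausted entries fall through to the existing "unknown" fallback. The function begins and ends outside this hunk, so the loop bounds on `i` are assumed from the surrounding hunks.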
|
||||
|
@ -1,4 +1,4 @@
|
||||
# Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
# Copyright 1999-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
#
|
||||
# Licensed under the OpenSSL license (the "License"). You may not use
|
||||
# this file except in compliance with the License. You can obtain a copy
|
||||
@ -519,6 +519,7 @@ EC_F_ECX_PUB_ENCODE:268:ecx_pub_encode
|
||||
EC_F_EC_ASN1_GROUP2CURVE:153:ec_asn1_group2curve
|
||||
EC_F_EC_ASN1_GROUP2FIELDID:154:ec_asn1_group2fieldid
|
||||
EC_F_EC_GF2M_MONTGOMERY_POINT_MULTIPLY:208:ec_GF2m_montgomery_point_multiply
|
||||
EC_F_EC_GF2M_SIMPLE_FIELD_INV:296:ec_GF2m_simple_field_inv
|
||||
EC_F_EC_GF2M_SIMPLE_GROUP_CHECK_DISCRIMINANT:159:\
|
||||
ec_GF2m_simple_group_check_discriminant
|
||||
EC_F_EC_GF2M_SIMPLE_GROUP_SET_CURVE:195:ec_GF2m_simple_group_set_curve
|
||||
@ -535,6 +536,7 @@ EC_F_EC_GF2M_SIMPLE_SET_COMPRESSED_COORDINATES:164:\
|
||||
ec_GF2m_simple_set_compressed_coordinates
|
||||
EC_F_EC_GFP_MONT_FIELD_DECODE:133:ec_GFp_mont_field_decode
|
||||
EC_F_EC_GFP_MONT_FIELD_ENCODE:134:ec_GFp_mont_field_encode
|
||||
EC_F_EC_GFP_MONT_FIELD_INV:297:ec_GFp_mont_field_inv
|
||||
EC_F_EC_GFP_MONT_FIELD_MUL:131:ec_GFp_mont_field_mul
|
||||
EC_F_EC_GFP_MONT_FIELD_SET_TO_ONE:209:ec_GFp_mont_field_set_to_one
|
||||
EC_F_EC_GFP_MONT_FIELD_SQR:132:ec_GFp_mont_field_sqr
|
||||
@ -555,6 +557,7 @@ EC_F_EC_GFP_NIST_FIELD_MUL:200:ec_GFp_nist_field_mul
|
||||
EC_F_EC_GFP_NIST_FIELD_SQR:201:ec_GFp_nist_field_sqr
|
||||
EC_F_EC_GFP_NIST_GROUP_SET_CURVE:202:ec_GFp_nist_group_set_curve
|
||||
EC_F_EC_GFP_SIMPLE_BLIND_COORDINATES:287:ec_GFp_simple_blind_coordinates
|
||||
EC_F_EC_GFP_SIMPLE_FIELD_INV:298:ec_GFp_simple_field_inv
|
||||
EC_F_EC_GFP_SIMPLE_GROUP_CHECK_DISCRIMINANT:165:\
|
||||
ec_GFp_simple_group_check_discriminant
|
||||
EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE:166:ec_GFp_simple_group_set_curve
|
||||
@ -737,6 +740,7 @@ EVP_F_EVP_DECRYPTFINAL_EX:101:EVP_DecryptFinal_ex
|
||||
EVP_F_EVP_DECRYPTUPDATE:166:EVP_DecryptUpdate
|
||||
EVP_F_EVP_DIGESTFINALXOF:174:EVP_DigestFinalXOF
|
||||
EVP_F_EVP_DIGESTINIT_EX:128:EVP_DigestInit_ex
|
||||
EVP_F_EVP_ENCRYPTDECRYPTUPDATE:219:evp_EncryptDecryptUpdate
|
||||
EVP_F_EVP_ENCRYPTFINAL_EX:127:EVP_EncryptFinal_ex
|
||||
EVP_F_EVP_ENCRYPTUPDATE:167:EVP_EncryptUpdate
|
||||
EVP_F_EVP_MD_CTX_COPY_EX:110:EVP_MD_CTX_copy_ex
|
||||
@ -2115,6 +2119,7 @@ EC_R_ASN1_ERROR:115:asn1 error
|
||||
EC_R_BAD_SIGNATURE:156:bad signature
|
||||
EC_R_BIGNUM_OUT_OF_RANGE:144:bignum out of range
|
||||
EC_R_BUFFER_TOO_SMALL:100:buffer too small
|
||||
EC_R_CANNOT_INVERT:165:cannot invert
|
||||
EC_R_COORDINATES_OUT_OF_RANGE:146:coordinates out of range
|
||||
EC_R_CURVE_DOES_NOT_SUPPORT_ECDH:160:curve does not support ecdh
|
||||
EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING:159:curve does not support signing
|
||||
@ -2722,6 +2727,8 @@ SSL_R_MISSING_SRP_PARAM:358:can't find SRP server param
|
||||
SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION:209:missing supported groups extension
|
||||
SSL_R_MISSING_TMP_DH_KEY:171:missing tmp dh key
|
||||
SSL_R_MISSING_TMP_ECDH_KEY:311:missing tmp ecdh key
|
||||
SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA:293:\
|
||||
mixed handshake and non handshake data
|
||||
SSL_R_NOT_ON_RECORD_BOUNDARY:182:not on record boundary
|
||||
SSL_R_NOT_REPLACING_CERTIFICATE:289:not replacing certificate
|
||||
SSL_R_NOT_SERVER:284:not server
|
||||
|
@ -294,8 +294,9 @@ int is_partially_overlapping(const void *ptr1, const void *ptr2, int len)
|
||||
return overlapped;
|
||||
}
|
||||
|
||||
int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
|
||||
const unsigned char *in, int inl)
|
||||
static int evp_EncryptDecryptUpdate(EVP_CIPHER_CTX *ctx,
|
||||
unsigned char *out, int *outl,
|
||||
const unsigned char *in, int inl)
|
||||
{
|
||||
int i, j, bl, cmpl = inl;
|
||||
|
||||
@ -307,7 +308,7 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
|
||||
if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
|
||||
/* If block size > 1 then the cipher will have to do this check */
|
||||
if (bl == 1 && is_partially_overlapping(out, in, cmpl)) {
|
||||
EVPerr(EVP_F_EVP_ENCRYPTUPDATE, EVP_R_PARTIALLY_OVERLAPPING);
|
||||
EVPerr(EVP_F_EVP_ENCRYPTDECRYPTUPDATE, EVP_R_PARTIALLY_OVERLAPPING);
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -324,7 +325,7 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
|
||||
return inl == 0;
|
||||
}
|
||||
if (is_partially_overlapping(out + ctx->buf_len, in, cmpl)) {
|
||||
EVPerr(EVP_F_EVP_ENCRYPTUPDATE, EVP_R_PARTIALLY_OVERLAPPING);
|
||||
EVPerr(EVP_F_EVP_ENCRYPTDECRYPTUPDATE, EVP_R_PARTIALLY_OVERLAPPING);
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -371,6 +372,19 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
||||
int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
|
||||
const unsigned char *in, int inl)
|
||||
{
|
||||
/* Prevent accidental use of decryption context when encrypting */
|
||||
if (!ctx->encrypt) {
|
||||
EVPerr(EVP_F_EVP_ENCRYPTUPDATE, EVP_R_INVALID_OPERATION);
|
||||
return 0;
|
||||
}
|
||||
|
||||
return evp_EncryptDecryptUpdate(ctx, out, outl, in, inl);
|
||||
}
|
||||
|
||||
int EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
|
||||
{
|
||||
int ret;
|
||||
@ -383,6 +397,12 @@ int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
|
||||
int n, ret;
|
||||
unsigned int i, b, bl;
|
||||
|
||||
/* Prevent accidental use of decryption context when encrypting */
|
||||
if (!ctx->encrypt) {
|
||||
EVPerr(EVP_F_EVP_ENCRYPTFINAL_EX, EVP_R_INVALID_OPERATION);
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
|
||||
ret = ctx->cipher->do_cipher(ctx, out, NULL, 0);
|
||||
if (ret < 0)
|
||||
@ -426,6 +446,12 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
|
||||
int fix_len, cmpl = inl;
|
||||
unsigned int b;
|
||||
|
||||
/* Prevent accidental use of encryption context when decrypting */
|
||||
if (ctx->encrypt) {
|
||||
EVPerr(EVP_F_EVP_DECRYPTUPDATE, EVP_R_INVALID_OPERATION);
|
||||
return 0;
|
||||
}
|
||||
|
||||
b = ctx->cipher->block_size;
|
||||
|
||||
if (EVP_CIPHER_CTX_test_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS))
|
||||
@ -452,7 +478,7 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
|
||||
}
|
||||
|
||||
if (ctx->flags & EVP_CIPH_NO_PADDING)
|
||||
return EVP_EncryptUpdate(ctx, out, outl, in, inl);
|
||||
return evp_EncryptDecryptUpdate(ctx, out, outl, in, inl);
|
||||
|
||||
OPENSSL_assert(b <= sizeof(ctx->final));
|
||||
|
||||
@ -469,7 +495,7 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
|
||||
} else
|
||||
fix_len = 0;
|
||||
|
||||
if (!EVP_EncryptUpdate(ctx, out, outl, in, inl))
|
||||
if (!evp_EncryptDecryptUpdate(ctx, out, outl, in, inl))
|
||||
return 0;
|
||||
|
||||
/*
|
||||
@ -500,6 +526,13 @@ int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
|
||||
{
|
||||
int i, n;
|
||||
unsigned int b;
|
||||
|
||||
/* Prevent accidental use of encryption context when decrypting */
|
||||
if (ctx->encrypt) {
|
||||
EVPerr(EVP_F_EVP_DECRYPTFINAL_EX, EVP_R_INVALID_OPERATION);
|
||||
return 0;
|
||||
}
|
||||
|
||||
*outl = 0;
|
||||
|
||||
if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
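Review bot: In EVP_DecryptFinal_ex the new direction check returns 0 before `*outl = 0;` has run, so on this failure path the caller's output length is left unwritten. A caller that ignores the return value and adds `*outl` to a buffer offset would then use an indeterminate length; moving `*outl = 0;` above `if (ctx->encrypt) {` keeps the length defined on every early return. The shared helper evp_EncryptDecryptUpdate now deliberately skips the direction check, which is worth stating at its definition, e.g. `/* No ctx->encrypt check here: shared by EVP_EncryptUpdate and EVP_DecryptUpdate, which validate direction themselves */`. The body of EVP_DecryptFinal_ex continues past the end of this hunk.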
|
||||
|
@ -50,6 +50,8 @@ static const ERR_STRING_DATA EVP_str_functs[] = {
|
||||
{ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_DECRYPTUPDATE, 0), "EVP_DecryptUpdate"},
|
||||
{ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_DIGESTFINALXOF, 0), "EVP_DigestFinalXOF"},
|
||||
{ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_DIGESTINIT_EX, 0), "EVP_DigestInit_ex"},
|
||||
{ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_ENCRYPTDECRYPTUPDATE, 0),
|
||||
"evp_EncryptDecryptUpdate"},
|
||||
{ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_ENCRYPTFINAL_EX, 0),
|
||||
"EVP_EncryptFinal_ex"},
|
||||
{ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_ENCRYPTUPDATE, 0), "EVP_EncryptUpdate"},
|
||||
|
@ -42,7 +42,7 @@ int EVP_PKEY_security_bits(const EVP_PKEY *pkey)
|
||||
return pkey->ameth->pkey_security_bits(pkey);
|
||||
}
|
||||
|
||||
int EVP_PKEY_size(EVP_PKEY *pkey)
|
||||
int EVP_PKEY_size(const EVP_PKEY *pkey)
|
||||
{
|
||||
if (pkey && pkey->ameth && pkey->ameth->pkey_size)
|
||||
return pkey->ameth->pkey_size(pkey);
|
||||
|
@ -65,7 +65,10 @@ int bn_set_words(BIGNUM *a, const BN_ULONG *words, int num_words);
|
||||
* is customarily arranged by bn_correct_top. Output from below functions
|
||||
* is not processed with bn_correct_top, and for this reason it may not be
|
||||
* returned out of public API. It may only be passed internally into other
|
||||
* functions known to support non-minimal or zero-padded BIGNUMs.
|
||||
* functions known to support non-minimal or zero-padded BIGNUMs. Even
|
||||
* though the goal is to facilitate constant-time-ness, not each subroutine
|
||||
* is constant-time by itself. They all have pre-conditions, consult source
|
||||
* code...
|
||||
*/
|
||||
int bn_mul_mont_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
|
||||
BN_MONT_CTX *mont, BN_CTX *ctx);
|
||||
@ -79,5 +82,9 @@ int bn_mod_sub_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
|
||||
const BIGNUM *m);
|
||||
int bn_mul_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
|
||||
int bn_sqr_fixed_top(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx);
|
||||
int bn_lshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n);
|
||||
int bn_rshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n);
|
||||
int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m,
|
||||
const BIGNUM *d, BN_CTX *ctx);
|
||||
|
||||
#endif
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -100,10 +100,6 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_base)
|
||||
return 0;
|
||||
if ((init_lock = CRYPTO_THREAD_lock_new()) == NULL)
|
||||
goto err;
|
||||
#ifndef OPENSSL_SYS_UEFI
|
||||
if (atexit(OPENSSL_cleanup) != 0)
|
||||
goto err;
|
||||
#endif
|
||||
OPENSSL_cpuid_setup();
|
||||
|
||||
destructor_key.value = key;
|
||||
@ -121,13 +117,53 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_base)
|
||||
return 0;
|
||||
}
|
||||
|
||||
static CRYPTO_ONCE register_atexit = CRYPTO_ONCE_STATIC_INIT;
|
||||
#if !defined(OPENSSL_SYS_UEFI) && defined(_WIN32)
|
||||
static int win32atexit(void)
|
||||
{
|
||||
OPENSSL_cleanup();
|
||||
return 0;
|
||||
}
|
||||
#endif
|
||||
|
||||
DEFINE_RUN_ONCE_STATIC(ossl_init_register_atexit)
|
||||
{
|
||||
#ifdef OPENSSL_INIT_DEBUG
|
||||
fprintf(stderr, "OPENSSL_INIT: ossl_init_register_atexit()\n");
|
||||
#endif
|
||||
#ifndef OPENSSL_SYS_UEFI
|
||||
# ifdef _WIN32
|
||||
/* We use _onexit() in preference because it gets called on DLL unload */
|
||||
if (_onexit(win32atexit) == NULL)
|
||||
return 0;
|
||||
# else
|
||||
if (atexit(OPENSSL_cleanup) != 0)
|
||||
return 0;
|
||||
# endif
|
||||
#endif
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
DEFINE_RUN_ONCE_STATIC_ALT(ossl_init_no_register_atexit,
|
||||
ossl_init_register_atexit)
|
||||
{
|
||||
#ifdef OPENSSL_INIT_DEBUG
|
||||
fprintf(stderr, "OPENSSL_INIT: ossl_init_no_register_atexit ok!\n");
|
||||
#endif
|
||||
/* Do nothing in this case */
|
||||
return 1;
|
||||
}
|
||||
|
||||
static CRYPTO_ONCE load_crypto_nodelete = CRYPTO_ONCE_STATIC_INIT;
|
||||
DEFINE_RUN_ONCE_STATIC(ossl_init_load_crypto_nodelete)
|
||||
{
|
||||
#ifdef OPENSSL_INIT_DEBUG
|
||||
fprintf(stderr, "OPENSSL_INIT: ossl_init_load_crypto_nodelete()\n");
|
||||
#endif
|
||||
#if !defined(OPENSSL_NO_DSO) && !defined(OPENSSL_USE_NODELETE)
|
||||
#if !defined(OPENSSL_NO_DSO) \
|
||||
&& !defined(OPENSSL_USE_NODELETE) \
|
||||
&& !defined(OPENSSL_NO_PINSHARED)
|
||||
# ifdef DSO_WIN32
|
||||
{
|
||||
HMODULE handle = NULL;
|
||||
@ -177,12 +213,6 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_load_crypto_nodelete)
|
||||
|
||||
static CRYPTO_ONCE load_crypto_strings = CRYPTO_ONCE_STATIC_INIT;
|
||||
static int load_crypto_strings_inited = 0;
|
||||
DEFINE_RUN_ONCE_STATIC(ossl_init_no_load_crypto_strings)
|
||||
{
|
||||
/* Do nothing in this case */
|
||||
return 1;
|
||||
}
|
||||
|
||||
DEFINE_RUN_ONCE_STATIC(ossl_init_load_crypto_strings)
|
||||
{
|
||||
int ret = 1;
|
||||
@ -201,6 +231,13 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_load_crypto_strings)
|
||||
return ret;
|
||||
}
|
||||
|
||||
DEFINE_RUN_ONCE_STATIC_ALT(ossl_init_no_load_crypto_strings,
|
||||
ossl_init_load_crypto_strings)
|
||||
{
|
||||
/* Do nothing in this case */
|
||||
return 1;
|
||||
}
|
||||
|
||||
static CRYPTO_ONCE add_all_ciphers = CRYPTO_ONCE_STATIC_INIT;
|
||||
DEFINE_RUN_ONCE_STATIC(ossl_init_add_all_ciphers)
|
||||
{
|
||||
@ -218,6 +255,13 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_add_all_ciphers)
|
||||
return 1;
|
||||
}
|
||||
|
||||
DEFINE_RUN_ONCE_STATIC_ALT(ossl_init_no_add_all_ciphers,
|
||||
ossl_init_add_all_ciphers)
|
||||
{
|
||||
/* Do nothing */
|
||||
return 1;
|
||||
}
|
||||
|
||||
static CRYPTO_ONCE add_all_digests = CRYPTO_ONCE_STATIC_INIT;
|
||||
DEFINE_RUN_ONCE_STATIC(ossl_init_add_all_digests)
|
||||
{
|
||||
@ -235,7 +279,8 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_add_all_digests)
|
||||
return 1;
|
||||
}
|
||||
|
||||
DEFINE_RUN_ONCE_STATIC(ossl_init_no_add_algs)
|
||||
DEFINE_RUN_ONCE_STATIC_ALT(ossl_init_no_add_all_digests,
|
||||
ossl_init_add_all_digests)
|
||||
{
|
||||
/* Do nothing */
|
||||
return 1;
|
||||
@ -243,19 +288,14 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_no_add_algs)
|
||||
|
||||
static CRYPTO_ONCE config = CRYPTO_ONCE_STATIC_INIT;
|
||||
static int config_inited = 0;
|
||||
static const char *appname;
|
||||
static const OPENSSL_INIT_SETTINGS *conf_settings = NULL;
|
||||
DEFINE_RUN_ONCE_STATIC(ossl_init_config)
|
||||
{
|
||||
#ifdef OPENSSL_INIT_DEBUG
|
||||
fprintf(stderr,
|
||||
"OPENSSL_INIT: ossl_init_config: openssl_config(%s)\n",
|
||||
appname == NULL ? "NULL" : appname);
|
||||
#endif
|
||||
openssl_config_int(appname);
|
||||
int ret = openssl_config_int(conf_settings);
|
||||
config_inited = 1;
|
||||
return 1;
|
||||
return ret;
|
||||
}
|
||||
DEFINE_RUN_ONCE_STATIC(ossl_init_no_config)
|
||||
DEFINE_RUN_ONCE_STATIC_ALT(ossl_init_no_config, ossl_init_config)
|
||||
{
|
||||
#ifdef OPENSSL_INIT_DEBUG
|
||||
fprintf(stderr,
|
||||
@ -586,17 +626,43 @@ int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings)
|
||||
return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
* When the caller specifies OPENSSL_INIT_BASE_ONLY, that should be the
|
||||
* *only* option specified. With that option we return immediately after
|
||||
* doing the requested limited initialization. Note that
|
||||
* err_shelve_state() called by us via ossl_init_load_crypto_nodelete()
|
||||
* re-enters OPENSSL_init_crypto() with OPENSSL_INIT_BASE_ONLY, but with
|
||||
* base already initialized this is a harmless NOOP.
|
||||
*
|
||||
* If we remain the only caller of err_shelve_state() the recursion should
|
||||
* perhaps be removed, but if in doubt, it can be left in place.
|
||||
*/
|
||||
if (!RUN_ONCE(&base, ossl_init_base))
|
||||
return 0;
|
||||
if (opts & OPENSSL_INIT_BASE_ONLY)
|
||||
return 1;
|
||||
|
||||
if (!(opts & OPENSSL_INIT_BASE_ONLY)
|
||||
&& !RUN_ONCE(&load_crypto_nodelete,
|
||||
ossl_init_load_crypto_nodelete))
|
||||
/*
|
||||
* Now we don't always set up exit handlers, the INIT_BASE_ONLY calls
|
||||
* should not have the side-effect of setting up exit handlers, and
|
||||
* therefore, this code block is below the INIT_BASE_ONLY-conditioned early
|
||||
* return above.
|
||||
*/
|
||||
if ((opts & OPENSSL_INIT_NO_ATEXIT) != 0) {
|
||||
if (!RUN_ONCE_ALT(®ister_atexit, ossl_init_no_register_atexit,
|
||||
ossl_init_register_atexit))
|
||||
return 0;
|
||||
} else if (!RUN_ONCE(®ister_atexit, ossl_init_register_atexit)) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (!RUN_ONCE(&load_crypto_nodelete, ossl_init_load_crypto_nodelete))
|
||||
return 0;
|
||||
|
||||
if ((opts & OPENSSL_INIT_NO_LOAD_CRYPTO_STRINGS)
|
||||
&& !RUN_ONCE(&load_crypto_strings,
|
||||
ossl_init_no_load_crypto_strings))
|
||||
&& !RUN_ONCE_ALT(&load_crypto_strings,
|
||||
ossl_init_no_load_crypto_strings,
|
||||
ossl_init_load_crypto_strings))
|
||||
return 0;
|
||||
|
||||
if ((opts & OPENSSL_INIT_LOAD_CRYPTO_STRINGS)
|
||||
@ -604,7 +670,8 @@ int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings)
|
||||
return 0;
|
||||
|
||||
if ((opts & OPENSSL_INIT_NO_ADD_ALL_CIPHERS)
|
||||
&& !RUN_ONCE(&add_all_ciphers, ossl_init_no_add_algs))
|
||||
&& !RUN_ONCE_ALT(&add_all_ciphers, ossl_init_no_add_all_ciphers,
|
||||
ossl_init_add_all_ciphers))
|
||||
return 0;
|
||||
|
||||
if ((opts & OPENSSL_INIT_ADD_ALL_CIPHERS)
|
||||
@ -612,7 +679,8 @@ int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings)
|
||||
return 0;
|
||||
|
||||
if ((opts & OPENSSL_INIT_NO_ADD_ALL_DIGESTS)
|
||||
&& !RUN_ONCE(&add_all_digests, ossl_init_no_add_algs))
|
||||
&& !RUN_ONCE_ALT(&add_all_digests, ossl_init_no_add_all_digests,
|
||||
ossl_init_add_all_digests))
|
||||
return 0;
|
||||
|
||||
if ((opts & OPENSSL_INIT_ADD_ALL_DIGESTS)
|
||||
@ -624,14 +692,15 @@ int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings)
|
||||
return 0;
|
||||
|
||||
if ((opts & OPENSSL_INIT_NO_LOAD_CONFIG)
|
||||
&& !RUN_ONCE(&config, ossl_init_no_config))
|
||||
&& !RUN_ONCE_ALT(&config, ossl_init_no_config, ossl_init_config))
|
||||
return 0;
|
||||
|
||||
if (opts & OPENSSL_INIT_LOAD_CONFIG) {
|
||||
int ret;
|
||||
CRYPTO_THREAD_write_lock(init_lock);
|
||||
appname = (settings == NULL) ? NULL : settings->appname;
|
||||
conf_settings = settings;
|
||||
ret = RUN_ONCE(&config, ossl_init_config);
|
||||
conf_settings = NULL;
|
||||
CRYPTO_THREAD_unlock(init_lock);
|
||||
if (!ret)
|
||||
return 0;
|
||||
@ -695,7 +764,9 @@ int OPENSSL_atexit(void (*handler)(void))
|
||||
{
|
||||
OPENSSL_INIT_STOP *newhand;
|
||||
|
||||
#if !defined(OPENSSL_NO_DSO) && !defined(OPENSSL_USE_NODELETE)
|
||||
#if !defined(OPENSSL_NO_DSO) \
|
||||
&& !defined(OPENSSL_USE_NODELETE)\
|
||||
&& !defined(OPENSSL_NO_PINSHARED)
|
||||
{
|
||||
union {
|
||||
void *sym;
|
||||
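Review bot: In `ossl_init_config`, the new `return ret;` makes a configuration-load failure the result of the `config` run-once, while `config_inited = 1` is still set on that path. Because a once-control runs its body a single time, the failure appears to be latched: every later `OPENSSL_init_crypto()` call with `OPENSSL_INIT_LOAD_CONFIG` would return 0 for the life of the process, where the earlier code appears to have returned 1 unconditionally. A malformed or unreadable config file can therefore now fail library initialisation, which deserves a comment above the function, for example `/* Failure is sticky: RUN_ONCE caches the result, so a bad config fails every later LOAD_CONFIG request. */`. `openssl_config_int()` and the `RUN_ONCE` macro are defined outside this section, so confirm which errors actually yield 0.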
|
@ -1,5 +1,5 @@
|
||||
#! /usr/bin/env perl
|
||||
# Copyright 2010-2016 The OpenSSL Project Authors. All Rights Reserved.
|
||||
# Copyright 2010-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
#
|
||||
# Licensed under the OpenSSL license (the "License"). You may not use
|
||||
# this file except in compliance with the License. You can obtain a copy
|
||||
@ -529,6 +529,7 @@ $code.=<<___;
|
||||
.type gcm_init_clmul,\@abi-omnipotent
|
||||
.align 16
|
||||
gcm_init_clmul:
|
||||
.cfi_startproc
|
||||
.L_init_clmul:
|
||||
___
|
||||
$code.=<<___ if ($win64);
|
||||
@ -598,6 +599,7 @@ $code.=<<___ if ($win64);
|
||||
___
|
||||
$code.=<<___;
|
||||
ret
|
||||
.cfi_endproc
|
||||
.size gcm_init_clmul,.-gcm_init_clmul
|
||||
___
|
||||
}
|
||||
@ -609,6 +611,7 @@ $code.=<<___;
|
||||
.type gcm_gmult_clmul,\@abi-omnipotent
|
||||
.align 16
|
||||
gcm_gmult_clmul:
|
||||
.cfi_startproc
|
||||
.L_gmult_clmul:
|
||||
movdqu ($Xip),$Xi
|
||||
movdqa .Lbswap_mask(%rip),$T3
|
||||
@ -645,6 +648,7 @@ $code.=<<___;
|
||||
pshufb $T3,$Xi
|
||||
movdqu $Xi,($Xip)
|
||||
ret
|
||||
.cfi_endproc
|
||||
.size gcm_gmult_clmul,.-gcm_gmult_clmul
|
||||
___
|
||||
}
|
||||
@ -658,6 +662,7 @@ $code.=<<___;
|
||||
.type gcm_ghash_clmul,\@abi-omnipotent
|
||||
.align 32
|
||||
gcm_ghash_clmul:
|
||||
.cfi_startproc
|
||||
.L_ghash_clmul:
|
||||
___
|
||||
$code.=<<___ if ($win64);
|
||||
@ -1005,6 +1010,7 @@ $code.=<<___ if ($win64);
|
||||
___
|
||||
$code.=<<___;
|
||||
ret
|
||||
.cfi_endproc
|
||||
.size gcm_ghash_clmul,.-gcm_ghash_clmul
|
||||
___
|
||||
}
|
||||
@ -1014,6 +1020,7 @@ $code.=<<___;
|
||||
.type gcm_init_avx,\@abi-omnipotent
|
||||
.align 32
|
||||
gcm_init_avx:
|
||||
.cfi_startproc
|
||||
___
|
||||
if ($avx) {
|
||||
my ($Htbl,$Xip)=@_4args;
|
||||
@ -1142,6 +1149,7 @@ $code.=<<___ if ($win64);
|
||||
___
|
||||
$code.=<<___;
|
||||
ret
|
||||
.cfi_endproc
|
||||
.size gcm_init_avx,.-gcm_init_avx
|
||||
___
|
||||
} else {
|
||||
@ -1156,7 +1164,9 @@ $code.=<<___;
|
||||
.type gcm_gmult_avx,\@abi-omnipotent
|
||||
.align 32
|
||||
gcm_gmult_avx:
|
||||
.cfi_startproc
|
||||
jmp .L_gmult_clmul
|
||||
.cfi_endproc
|
||||
.size gcm_gmult_avx,.-gcm_gmult_avx
|
||||
___
|
||||
|
||||
@ -1165,6 +1175,7 @@ $code.=<<___;
|
||||
.type gcm_ghash_avx,\@abi-omnipotent
|
||||
.align 32
|
||||
gcm_ghash_avx:
|
||||
.cfi_startproc
|
||||
___
|
||||
if ($avx) {
|
||||
my ($Xip,$Htbl,$inp,$len)=@_4args;
|
||||
@ -1577,6 +1588,7 @@ $code.=<<___ if ($win64);
|
||||
___
|
||||
$code.=<<___;
|
||||
ret
|
||||
.cfi_endproc
|
||||
.size gcm_ghash_avx,.-gcm_ghash_avx
|
||||
___
|
||||
} else {
|
||||
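Review bot: `gcm_init_avx` and `gcm_ghash_avx` now emit `.cfi_startproc` unconditionally, before the `if ($avx)` test, but the matching `.cfi_endproc` added in these hunks sits only inside the `$avx` branch. The `else` branches begin on the last line of their hunks and their bodies are not shown, so unless they already carry one, a build with `$avx` false would generate a procedure whose CFI region is never closed, which assemblers normally reject. If it is missing, add `.cfi_endproc` before the `.size` line in each `else` heredoc, the same way the `gcm_gmult_avx` stub pairs `jmp .L_gmult_clmul` with `.cfi_endproc`.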
|
@ -2,7 +2,7 @@
|
||||
* WARNING: do not edit!
|
||||
* Generated by crypto/objects/obj_dat.pl
|
||||
*
|
||||
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
|
@ -1,5 +1,5 @@
|
||||
#! /usr/bin/env perl
|
||||
# Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
# Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
#
|
||||
# Licensed under the OpenSSL license (the "License"). You may not use
|
||||
# this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -2,7 +2,7 @@
|
||||
* WARNING: do not edit!
|
||||
* Generated by objxref.pl
|
||||
*
|
||||
* Copyright 1998-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1998-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -1,5 +1,5 @@
|
||||
#! /usr/bin/env perl
|
||||
# Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
# Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
#
|
||||
# Licensed under the OpenSSL license (the "License"). You may not use
|
||||
# this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -1,5 +1,5 @@
|
||||
#! /usr/bin/env perl
|
||||
# Copyright 1998-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
# Copyright 1998-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
#
|
||||
# Licensed under the OpenSSL license (the "License"). You may not use
|
||||
# this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -297,7 +297,7 @@ int PEM_X509_INFO_write_bio(BIO *bp, X509_INFO *xi, EVP_CIPHER *enc,
|
||||
goto err;
|
||||
}
|
||||
|
||||
/* Create the right magic header stuff */
|
||||
/* Create the right magic header stuff */
|
||||
buf[0] = '\0';
|
||||
PEM_proc_type(buf, PEM_TYPE_ENCRYPTED);
|
||||
PEM_dek_info(buf, objstr, EVP_CIPHER_iv_length(enc),
|
||||
|