summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorjsing <>2014-05-15 14:14:56 +0000
committerjsing <>2014-05-15 14:14:56 +0000
commitadc9381efba015741fc5ed51d459725dee87fb54 (patch)
treed1545fae6b44d7a9d7d6aa80a89b700911a313f3
parent06e9116771d440a4cc40f2d8654de552543b9c00 (diff)
downloadopenbsd-adc9381efba015741fc5ed51d459725dee87fb54.tar.gz
openbsd-adc9381efba015741fc5ed51d459725dee87fb54.tar.bz2
openbsd-adc9381efba015741fc5ed51d459725dee87fb54.zip
KNF.
Diffstat (limited to '')
-rw-r--r--src/lib/libcrypto/chacha/chacha-merged.c312
-rw-r--r--src/lib/libcrypto/chacha/chacha.h2
-rw-r--r--src/lib/libcrypto/evp/e_aes.c21
-rw-r--r--src/lib/libcrypto/evp/evp_aead.c128
-rw-r--r--src/lib/libcrypto/poly1305/poly1305-donna.c163
-rw-r--r--src/lib/libssl/src/crypto/chacha/chacha-merged.c312
-rw-r--r--src/lib/libssl/src/crypto/chacha/chacha.h2
-rw-r--r--src/lib/libssl/src/crypto/evp/e_aes.c21
-rw-r--r--src/lib/libssl/src/crypto/evp/evp_aead.c128
-rw-r--r--src/lib/libssl/src/crypto/poly1305/poly1305-donna.c163
-rw-r--r--src/regress/lib/libcrypto/aead/aeadtest.c13
-rw-r--r--src/regress/lib/libcrypto/poly1305/poly1305test.c84
12 files changed, 736 insertions, 613 deletions
diff --git a/src/lib/libcrypto/chacha/chacha-merged.c b/src/lib/libcrypto/chacha/chacha-merged.c
index 5ba813147a..5cd1dde072 100644
--- a/src/lib/libcrypto/chacha/chacha-merged.c
+++ b/src/lib/libcrypto/chacha/chacha-merged.c
@@ -43,14 +43,14 @@ typedef struct chacha_ctx chacha_ctx;
43 (U32V((v) << (n)) | ((v) >> (32 - (n)))) 43 (U32V((v) << (n)) | ((v) >> (32 - (n))))
44 44
45#define U8TO32_LITTLE(p) \ 45#define U8TO32_LITTLE(p) \
46 (((u32)((p)[0]) ) | \ 46 (((u32)((p)[0])) | \
47 ((u32)((p)[1]) << 8) | \ 47 ((u32)((p)[1]) << 8) | \
48 ((u32)((p)[2]) << 16) | \ 48 ((u32)((p)[2]) << 16) | \
49 ((u32)((p)[3]) << 24)) 49 ((u32)((p)[3]) << 24))
50 50
51#define U32TO8_LITTLE(p, v) \ 51#define U32TO8_LITTLE(p, v) \
52 do { \ 52 do { \
53 (p)[0] = U8V((v) ); \ 53 (p)[0] = U8V((v)); \
54 (p)[1] = U8V((v) >> 8); \ 54 (p)[1] = U8V((v) >> 8); \
55 (p)[2] = U8V((v) >> 16); \ 55 (p)[2] = U8V((v) >> 16); \
56 (p)[3] = U8V((v) >> 24); \ 56 (p)[3] = U8V((v) >> 24); \
@@ -71,167 +71,169 @@ static const char sigma[16] = "expand 32-byte k";
71static const char tau[16] = "expand 16-byte k"; 71static const char tau[16] = "expand 16-byte k";
72 72
73static inline void 73static inline void
74chacha_keysetup(chacha_ctx *x,const u8 *k,u32 kbits) 74chacha_keysetup(chacha_ctx *x, const u8 *k, u32 kbits)
75{ 75{
76 const char *constants; 76 const char *constants;
77 77
78 x->input[4] = U8TO32_LITTLE(k + 0); 78 x->input[4] = U8TO32_LITTLE(k + 0);
79 x->input[5] = U8TO32_LITTLE(k + 4); 79 x->input[5] = U8TO32_LITTLE(k + 4);
80 x->input[6] = U8TO32_LITTLE(k + 8); 80 x->input[6] = U8TO32_LITTLE(k + 8);
81 x->input[7] = U8TO32_LITTLE(k + 12); 81 x->input[7] = U8TO32_LITTLE(k + 12);
82 if (kbits == 256) { /* recommended */ 82 if (kbits == 256) { /* recommended */
83 k += 16; 83 k += 16;
84 constants = sigma; 84 constants = sigma;
85 } else { /* kbits == 128 */ 85 } else { /* kbits == 128 */
86 constants = tau; 86 constants = tau;
87 } 87 }
88 x->input[8] = U8TO32_LITTLE(k + 0); 88 x->input[8] = U8TO32_LITTLE(k + 0);
89 x->input[9] = U8TO32_LITTLE(k + 4); 89 x->input[9] = U8TO32_LITTLE(k + 4);
90 x->input[10] = U8TO32_LITTLE(k + 8); 90 x->input[10] = U8TO32_LITTLE(k + 8);
91 x->input[11] = U8TO32_LITTLE(k + 12); 91 x->input[11] = U8TO32_LITTLE(k + 12);
92 x->input[0] = U8TO32_LITTLE(constants + 0); 92 x->input[0] = U8TO32_LITTLE(constants + 0);
93 x->input[1] = U8TO32_LITTLE(constants + 4); 93 x->input[1] = U8TO32_LITTLE(constants + 4);
94 x->input[2] = U8TO32_LITTLE(constants + 8); 94 x->input[2] = U8TO32_LITTLE(constants + 8);
95 x->input[3] = U8TO32_LITTLE(constants + 12); 95 x->input[3] = U8TO32_LITTLE(constants + 12);
96} 96}
97 97
98static inline void 98static inline void
99chacha_ivsetup(chacha_ctx *x, const u8 *iv, const u8 *counter) 99chacha_ivsetup(chacha_ctx *x, const u8 *iv, const u8 *counter)
100{ 100{
101 x->input[12] = counter == NULL ? 0 : U8TO32_LITTLE(counter + 0); 101 x->input[12] = counter == NULL ? 0 : U8TO32_LITTLE(counter + 0);
102 x->input[13] = counter == NULL ? 0 : U8TO32_LITTLE(counter + 4); 102 x->input[13] = counter == NULL ? 0 : U8TO32_LITTLE(counter + 4);
103 x->input[14] = U8TO32_LITTLE(iv + 0); 103 x->input[14] = U8TO32_LITTLE(iv + 0);
104 x->input[15] = U8TO32_LITTLE(iv + 4); 104 x->input[15] = U8TO32_LITTLE(iv + 4);
105} 105}
106 106
107static inline void 107static inline void
108chacha_encrypt_bytes(chacha_ctx *x,const u8 *m,u8 *c,u32 bytes) 108chacha_encrypt_bytes(chacha_ctx *x, const u8 *m, u8 *c, u32 bytes)
109{ 109{
110 u32 x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15; 110 u32 x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15;
111 u32 j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15; 111 u32 j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15;
112 u8 *ctarget = NULL; 112 u8 *ctarget = NULL;
113 u8 tmp[64]; 113 u8 tmp[64];
114 u_int i; 114 u_int i;
115 115
116 if (!bytes) return; 116 if (!bytes)
117 117 return;
118 j0 = x->input[0]; 118
119 j1 = x->input[1]; 119 j0 = x->input[0];
120 j2 = x->input[2]; 120 j1 = x->input[1];
121 j3 = x->input[3]; 121 j2 = x->input[2];
122 j4 = x->input[4]; 122 j3 = x->input[3];
123 j5 = x->input[5]; 123 j4 = x->input[4];
124 j6 = x->input[6]; 124 j5 = x->input[5];
125 j7 = x->input[7]; 125 j6 = x->input[6];
126 j8 = x->input[8]; 126 j7 = x->input[7];
127 j9 = x->input[9]; 127 j8 = x->input[8];
128 j10 = x->input[10]; 128 j9 = x->input[9];
129 j11 = x->input[11]; 129 j10 = x->input[10];
130 j12 = x->input[12]; 130 j11 = x->input[11];
131 j13 = x->input[13]; 131 j12 = x->input[12];
132 j14 = x->input[14]; 132 j13 = x->input[13];
133 j15 = x->input[15]; 133 j14 = x->input[14];
134 134 j15 = x->input[15];
135 for (;;) { 135
136 if (bytes < 64) { 136 for (;;) {
137 for (i = 0;i < bytes;++i) tmp[i] = m[i]; 137 if (bytes < 64) {
138 m = tmp; 138 for (i = 0;i < bytes;++i) tmp[i] = m[i];
139 ctarget = c; 139 m = tmp;
140 c = tmp; 140 ctarget = c;
141 } 141 c = tmp;
142 x0 = j0; 142 }
143 x1 = j1; 143 x0 = j0;
144 x2 = j2; 144 x1 = j1;
145 x3 = j3; 145 x2 = j2;
146 x4 = j4; 146 x3 = j3;
147 x5 = j5; 147 x4 = j4;
148 x6 = j6; 148 x5 = j5;
149 x7 = j7; 149 x6 = j6;
150 x8 = j8; 150 x7 = j7;
151 x9 = j9; 151 x8 = j8;
152 x10 = j10; 152 x9 = j9;
153 x11 = j11; 153 x10 = j10;
154 x12 = j12; 154 x11 = j11;
155 x13 = j13; 155 x12 = j12;
156 x14 = j14; 156 x13 = j13;
157 x15 = j15; 157 x14 = j14;
158 for (i = 20;i > 0;i -= 2) { 158 x15 = j15;
159 QUARTERROUND( x0, x4, x8,x12) 159 for (i = 20; i > 0; i -= 2) {
160 QUARTERROUND( x1, x5, x9,x13) 160 QUARTERROUND(x0, x4, x8, x12)
161 QUARTERROUND( x2, x6,x10,x14) 161 QUARTERROUND(x1, x5, x9, x13)
162 QUARTERROUND( x3, x7,x11,x15) 162 QUARTERROUND(x2, x6, x10, x14)
163 QUARTERROUND( x0, x5,x10,x15) 163 QUARTERROUND(x3, x7, x11, x15)
164 QUARTERROUND( x1, x6,x11,x12) 164 QUARTERROUND(x0, x5, x10, x15)
165 QUARTERROUND( x2, x7, x8,x13) 165 QUARTERROUND(x1, x6, x11, x12)
166 QUARTERROUND( x3, x4, x9,x14) 166 QUARTERROUND(x2, x7, x8, x13)
167 } 167 QUARTERROUND(x3, x4, x9, x14)
168 x0 = PLUS(x0,j0); 168 }
169 x1 = PLUS(x1,j1); 169 x0 = PLUS(x0, j0);
170 x2 = PLUS(x2,j2); 170 x1 = PLUS(x1, j1);
171 x3 = PLUS(x3,j3); 171 x2 = PLUS(x2, j2);
172 x4 = PLUS(x4,j4); 172 x3 = PLUS(x3, j3);
173 x5 = PLUS(x5,j5); 173 x4 = PLUS(x4, j4);
174 x6 = PLUS(x6,j6); 174 x5 = PLUS(x5, j5);
175 x7 = PLUS(x7,j7); 175 x6 = PLUS(x6, j6);
176 x8 = PLUS(x8,j8); 176 x7 = PLUS(x7, j7);
177 x9 = PLUS(x9,j9); 177 x8 = PLUS(x8, j8);
178 x10 = PLUS(x10,j10); 178 x9 = PLUS(x9, j9);
179 x11 = PLUS(x11,j11); 179 x10 = PLUS(x10, j10);
180 x12 = PLUS(x12,j12); 180 x11 = PLUS(x11, j11);
181 x13 = PLUS(x13,j13); 181 x12 = PLUS(x12, j12);
182 x14 = PLUS(x14,j14); 182 x13 = PLUS(x13, j13);
183 x15 = PLUS(x15,j15); 183 x14 = PLUS(x14, j14);
184 184 x15 = PLUS(x15, j15);
185 x0 = XOR(x0,U8TO32_LITTLE(m + 0)); 185
186 x1 = XOR(x1,U8TO32_LITTLE(m + 4)); 186 x0 = XOR(x0, U8TO32_LITTLE(m + 0));
187 x2 = XOR(x2,U8TO32_LITTLE(m + 8)); 187 x1 = XOR(x1, U8TO32_LITTLE(m + 4));
188 x3 = XOR(x3,U8TO32_LITTLE(m + 12)); 188 x2 = XOR(x2, U8TO32_LITTLE(m + 8));
189 x4 = XOR(x4,U8TO32_LITTLE(m + 16)); 189 x3 = XOR(x3, U8TO32_LITTLE(m + 12));
190 x5 = XOR(x5,U8TO32_LITTLE(m + 20)); 190 x4 = XOR(x4, U8TO32_LITTLE(m + 16));
191 x6 = XOR(x6,U8TO32_LITTLE(m + 24)); 191 x5 = XOR(x5, U8TO32_LITTLE(m + 20));
192 x7 = XOR(x7,U8TO32_LITTLE(m + 28)); 192 x6 = XOR(x6, U8TO32_LITTLE(m + 24));
193 x8 = XOR(x8,U8TO32_LITTLE(m + 32)); 193 x7 = XOR(x7, U8TO32_LITTLE(m + 28));
194 x9 = XOR(x9,U8TO32_LITTLE(m + 36)); 194 x8 = XOR(x8, U8TO32_LITTLE(m + 32));
195 x10 = XOR(x10,U8TO32_LITTLE(m + 40)); 195 x9 = XOR(x9, U8TO32_LITTLE(m + 36));
196 x11 = XOR(x11,U8TO32_LITTLE(m + 44)); 196 x10 = XOR(x10, U8TO32_LITTLE(m + 40));
197 x12 = XOR(x12,U8TO32_LITTLE(m + 48)); 197 x11 = XOR(x11, U8TO32_LITTLE(m + 44));
198 x13 = XOR(x13,U8TO32_LITTLE(m + 52)); 198 x12 = XOR(x12, U8TO32_LITTLE(m + 48));
199 x14 = XOR(x14,U8TO32_LITTLE(m + 56)); 199 x13 = XOR(x13, U8TO32_LITTLE(m + 52));
200 x15 = XOR(x15,U8TO32_LITTLE(m + 60)); 200 x14 = XOR(x14, U8TO32_LITTLE(m + 56));
201 201 x15 = XOR(x15, U8TO32_LITTLE(m + 60));
202 j12 = PLUSONE(j12); 202
203 if (!j12) { 203 j12 = PLUSONE(j12);
204 j13 = PLUSONE(j13); 204 if (!j12) {
205 /* stopping at 2^70 bytes per nonce is user's responsibility */ 205 j13 = PLUSONE(j13);
206 } 206 /* stopping at 2^70 bytes per nonce is user's responsibility */
207 207 }
208 U32TO8_LITTLE(c + 0,x0); 208
209 U32TO8_LITTLE(c + 4,x1); 209 U32TO8_LITTLE(c + 0, x0);
210 U32TO8_LITTLE(c + 8,x2); 210 U32TO8_LITTLE(c + 4, x1);
211 U32TO8_LITTLE(c + 12,x3); 211 U32TO8_LITTLE(c + 8, x2);
212 U32TO8_LITTLE(c + 16,x4); 212 U32TO8_LITTLE(c + 12, x3);
213 U32TO8_LITTLE(c + 20,x5); 213 U32TO8_LITTLE(c + 16, x4);
214 U32TO8_LITTLE(c + 24,x6); 214 U32TO8_LITTLE(c + 20, x5);
215 U32TO8_LITTLE(c + 28,x7); 215 U32TO8_LITTLE(c + 24, x6);
216 U32TO8_LITTLE(c + 32,x8); 216 U32TO8_LITTLE(c + 28, x7);
217 U32TO8_LITTLE(c + 36,x9); 217 U32TO8_LITTLE(c + 32, x8);
218 U32TO8_LITTLE(c + 40,x10); 218 U32TO8_LITTLE(c + 36, x9);
219 U32TO8_LITTLE(c + 44,x11); 219 U32TO8_LITTLE(c + 40, x10);
220 U32TO8_LITTLE(c + 48,x12); 220 U32TO8_LITTLE(c + 44, x11);
221 U32TO8_LITTLE(c + 52,x13); 221 U32TO8_LITTLE(c + 48, x12);
222 U32TO8_LITTLE(c + 56,x14); 222 U32TO8_LITTLE(c + 52, x13);
223 U32TO8_LITTLE(c + 60,x15); 223 U32TO8_LITTLE(c + 56, x14);
224 224 U32TO8_LITTLE(c + 60, x15);
225 if (bytes <= 64) { 225
226 if (bytes < 64) { 226 if (bytes <= 64) {
227 for (i = 0;i < bytes;++i) ctarget[i] = c[i]; 227 if (bytes < 64) {
228 } 228 for (i = 0; i < bytes; ++i)
229 x->input[12] = j12; 229 ctarget[i] = c[i];
230 x->input[13] = j13; 230 }
231 return; 231 x->input[12] = j12;
232 } 232 x->input[13] = j13;
233 bytes -= 64; 233 return;
234 c += 64; 234 }
235 m += 64; 235 bytes -= 64;
236 } 236 c += 64;
237 m += 64;
238 }
237} 239}
diff --git a/src/lib/libcrypto/chacha/chacha.h b/src/lib/libcrypto/chacha/chacha.h
index 456d960ed9..8312273cea 100644
--- a/src/lib/libcrypto/chacha/chacha.h
+++ b/src/lib/libcrypto/chacha/chacha.h
@@ -30,7 +30,7 @@ extern "C" {
30#endif 30#endif
31 31
32typedef struct { 32typedef struct {
33 unsigned int input[16]; 33 unsigned int input[16];
34} ChaCha_ctx; 34} ChaCha_ctx;
35 35
36void ChaCha_set_key(ChaCha_ctx *ctx, const unsigned char *key, 36void ChaCha_set_key(ChaCha_ctx *ctx, const unsigned char *key,
diff --git a/src/lib/libcrypto/evp/e_aes.c b/src/lib/libcrypto/evp/e_aes.c
index e4d9457c96..4da61b8f62 100644
--- a/src/lib/libcrypto/evp/e_aes.c
+++ b/src/lib/libcrypto/evp/e_aes.c
@@ -658,7 +658,8 @@ aes_gcm_cleanup(EVP_CIPHER_CTX *c)
658 658
659/* increment counter (64-bit int) by 1 */ 659/* increment counter (64-bit int) by 1 */
660static void 660static void
661ctr64_inc(unsigned char *counter) { 661ctr64_inc(unsigned char *counter)
662{
662 int n = 8; 663 int n = 8;
663 unsigned char c; 664 unsigned char c;
664 665
@@ -991,11 +992,11 @@ aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
991 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \ 992 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
992 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT) 993 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT)
993 994
994BLOCK_CIPHER_custom(NID_aes, 128, 1,12, gcm, GCM, 995BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, gcm, GCM,
995 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS) 996 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS)
996BLOCK_CIPHER_custom(NID_aes, 192, 1,12, gcm, GCM, 997BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, gcm, GCM,
997 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS) 998 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS)
998BLOCK_CIPHER_custom(NID_aes, 256, 1,12, gcm, GCM, 999BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, gcm, GCM,
999 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS) 1000 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS)
1000 1001
1001static int 1002static int
@@ -1104,8 +1105,8 @@ aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1104#define XTS_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV \ 1105#define XTS_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV \
1105 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT) 1106 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT)
1106 1107
1107BLOCK_CIPHER_custom(NID_aes, 128, 1,16, xts, XTS, EVP_CIPH_FLAG_FIPS|XTS_FLAGS) 1108BLOCK_CIPHER_custom(NID_aes, 128, 1, 16, xts, XTS, EVP_CIPH_FLAG_FIPS|XTS_FLAGS)
1108BLOCK_CIPHER_custom(NID_aes, 256, 1,16, xts, XTS, EVP_CIPH_FLAG_FIPS|XTS_FLAGS) 1109BLOCK_CIPHER_custom(NID_aes, 256, 1, 16, xts, XTS, EVP_CIPH_FLAG_FIPS|XTS_FLAGS)
1109 1110
1110static int 1111static int
1111aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) 1112aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
@@ -1254,11 +1255,11 @@ aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1254 1255
1255#define aes_ccm_cleanup NULL 1256#define aes_ccm_cleanup NULL
1256 1257
1257BLOCK_CIPHER_custom(NID_aes, 128, 1,12, ccm, CCM, 1258BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, ccm, CCM,
1258 EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS) 1259 EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
1259BLOCK_CIPHER_custom(NID_aes, 192, 1,12, ccm, CCM, 1260BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, ccm, CCM,
1260 EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS) 1261 EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
1261BLOCK_CIPHER_custom(NID_aes, 256, 1,12, ccm, CCM, 1262BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, ccm, CCM,
1262 EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS) 1263 EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
1263 1264
1264#define EVP_AEAD_AES_GCM_TAG_LEN 16 1265#define EVP_AEAD_AES_GCM_TAG_LEN 16
@@ -1390,7 +1391,7 @@ aead_aes_gcm_open(const EVP_AEAD_CTX *ctx, unsigned char *out,
1390 1391
1391 if (gcm_ctx->ctr) { 1392 if (gcm_ctx->ctr) {
1392 if (CRYPTO_gcm128_decrypt_ctr32(&gcm, in + bulk, out + bulk, 1393 if (CRYPTO_gcm128_decrypt_ctr32(&gcm, in + bulk, out + bulk,
1393 in_len-bulk-gcm_ctx->tag_len, gcm_ctx->ctr)) 1394 in_len - bulk - gcm_ctx->tag_len, gcm_ctx->ctr))
1394 return -1; 1395 return -1;
1395 } else { 1396 } else {
1396 if (CRYPTO_gcm128_decrypt(&gcm, in + bulk, out + bulk, 1397 if (CRYPTO_gcm128_decrypt(&gcm, in + bulk, out + bulk,
diff --git a/src/lib/libcrypto/evp/evp_aead.c b/src/lib/libcrypto/evp/evp_aead.c
index 137e3dd05b..c8ba1df54a 100644
--- a/src/lib/libcrypto/evp/evp_aead.c
+++ b/src/lib/libcrypto/evp/evp_aead.c
@@ -4,21 +4,21 @@
4 * This package is an SSL implementation written 4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com). 5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL. 6 * The implementation was written so as to conform with Netscapes SSL.
7 * 7 *
8 * This library is free for commercial and non-commercial use as long as 8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions 9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA, 10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms 12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 * 14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in 15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed. 16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution 17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used. 18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or 19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package. 20 * in documentation (online or textual) provided with the package.
21 * 21 *
22 * Redistribution and use in source and binary forms, with or without 22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions 23 * modification, are permitted provided that the following conditions
24 * are met: 24 * are met:
@@ -33,10 +33,10 @@
33 * Eric Young (eay@cryptsoft.com)" 33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library 34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-). 35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from 36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement: 37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 * 39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -48,7 +48,7 @@
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE. 50 * SUCH DAMAGE.
51 * 51 *
52 * The licence and distribution terms for any publically available version or 52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be 53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence 54 * copied and put under another distribution licence
@@ -63,46 +63,50 @@
63 63
64#include "evp_locl.h" 64#include "evp_locl.h"
65 65
66size_t EVP_AEAD_key_length(const EVP_AEAD *aead) 66size_t
67 { 67EVP_AEAD_key_length(const EVP_AEAD *aead)
68{
68 return aead->key_len; 69 return aead->key_len;
69 } 70}
70 71
71size_t EVP_AEAD_nonce_length(const EVP_AEAD *aead) 72size_t
72 { 73EVP_AEAD_nonce_length(const EVP_AEAD *aead)
74{
73 return aead->nonce_len; 75 return aead->nonce_len;
74 } 76}
75 77
76size_t EVP_AEAD_max_overhead(const EVP_AEAD *aead) 78size_t
77 { 79EVP_AEAD_max_overhead(const EVP_AEAD *aead)
80{
78 return aead->overhead; 81 return aead->overhead;
79 } 82}
80 83
81size_t EVP_AEAD_max_tag_len(const EVP_AEAD *aead) 84size_t
82 { 85EVP_AEAD_max_tag_len(const EVP_AEAD *aead)
86{
83 return aead->max_tag_len; 87 return aead->max_tag_len;
84 } 88}
85 89
86int EVP_AEAD_CTX_init(EVP_AEAD_CTX *ctx, const EVP_AEAD *aead, 90int
87 const unsigned char *key, size_t key_len, 91EVP_AEAD_CTX_init(EVP_AEAD_CTX *ctx, const EVP_AEAD *aead,
88 size_t tag_len, ENGINE *impl) 92 const unsigned char *key, size_t key_len, size_t tag_len, ENGINE *impl)
89 { 93{
90 ctx->aead = aead; 94 ctx->aead = aead;
91 if (key_len != aead->key_len) 95 if (key_len != aead->key_len) {
92 { 96 EVPerr(EVP_F_EVP_AEAD_CTX_INIT, EVP_R_UNSUPPORTED_KEY_SIZE);
93 EVPerr(EVP_F_EVP_AEAD_CTX_INIT,EVP_R_UNSUPPORTED_KEY_SIZE);
94 return 0; 97 return 0;
95 }
96 return aead->init(ctx, key, key_len, tag_len);
97 } 98 }
99 return aead->init(ctx, key, key_len, tag_len);
100}
98 101
99void EVP_AEAD_CTX_cleanup(EVP_AEAD_CTX *ctx) 102void
100 { 103EVP_AEAD_CTX_cleanup(EVP_AEAD_CTX *ctx)
104{
101 if (ctx->aead == NULL) 105 if (ctx->aead == NULL)
102 return; 106 return;
103 ctx->aead->cleanup(ctx); 107 ctx->aead->cleanup(ctx);
104 ctx->aead = NULL; 108 ctx->aead = NULL;
105 } 109}
106 110
107/* check_alias returns 0 if out points within the buffer determined by in 111/* check_alias returns 0 if out points within the buffer determined by in
108 * and in_len and 1 otherwise. 112 * and in_len and 1 otherwise.
@@ -112,41 +116,39 @@ void EVP_AEAD_CTX_cleanup(EVP_AEAD_CTX *ctx)
112 * stomp input that hasn't been read yet. 116 * stomp input that hasn't been read yet.
113 * 117 *
114 * This function checks for that case. */ 118 * This function checks for that case. */
115static int check_alias(const unsigned char *in, size_t in_len, 119static int
116 const unsigned char *out) 120check_alias(const unsigned char *in, size_t in_len, const unsigned char *out)
117 { 121{
118 if (out <= in) 122 if (out <= in)
119 return 1; 123 return 1;
120 if (in + in_len <= out) 124 if (in + in_len <= out)
121 return 1; 125 return 1;
122 return 0; 126 return 0;
123 } 127}
124 128
125ssize_t EVP_AEAD_CTX_seal(const EVP_AEAD_CTX *ctx, 129ssize_t
126 unsigned char *out, size_t max_out_len, 130EVP_AEAD_CTX_seal(const EVP_AEAD_CTX *ctx, unsigned char *out,
127 const unsigned char *nonce, size_t nonce_len, 131 size_t max_out_len, const unsigned char *nonce, size_t nonce_len,
128 const unsigned char *in, size_t in_len, 132 const unsigned char *in, size_t in_len, const unsigned char *ad,
129 const unsigned char *ad, size_t ad_len) 133 size_t ad_len)
130 { 134{
131 size_t possible_out_len = in_len + ctx->aead->overhead; 135 size_t possible_out_len = in_len + ctx->aead->overhead;
132 ssize_t r; 136 ssize_t r;
133 137
134 if (possible_out_len < in_len /* overflow */ || 138 if (possible_out_len < in_len /* overflow */ ||
135 possible_out_len > SSIZE_MAX /* return value cannot be 139 possible_out_len > SSIZE_MAX /* return value cannot be
136 represented */) 140 represented */) {
137 {
138 EVPerr(EVP_F_EVP_AEAD_CTX_SEAL, EVP_R_TOO_LARGE); 141 EVPerr(EVP_F_EVP_AEAD_CTX_SEAL, EVP_R_TOO_LARGE);
139 goto error; 142 goto error;
140 } 143 }
141 144
142 if (!check_alias(in, in_len, out)) 145 if (!check_alias(in, in_len, out)) {
143 {
144 EVPerr(EVP_F_EVP_AEAD_CTX_SEAL, EVP_R_OUTPUT_ALIASES_INPUT); 146 EVPerr(EVP_F_EVP_AEAD_CTX_SEAL, EVP_R_OUTPUT_ALIASES_INPUT);
145 goto error; 147 goto error;
146 } 148 }
147 149
148 r = ctx->aead->seal(ctx, out, max_out_len, nonce, nonce_len, 150 r = ctx->aead->seal(ctx, out, max_out_len, nonce, nonce_len,
149 in, in_len, ad, ad_len); 151 in, in_len, ad, ad_len);
150 if (r >= 0) 152 if (r >= 0)
151 return r; 153 return r;
152 154
@@ -155,30 +157,28 @@ error:
155 * that doesn't check the return value doesn't send raw data. */ 157 * that doesn't check the return value doesn't send raw data. */
156 memset(out, 0, max_out_len); 158 memset(out, 0, max_out_len);
157 return -1; 159 return -1;
158 } 160}
159 161
160ssize_t EVP_AEAD_CTX_open(const EVP_AEAD_CTX *ctx, 162ssize_t
161 unsigned char *out, size_t max_out_len, 163EVP_AEAD_CTX_open(const EVP_AEAD_CTX *ctx, unsigned char *out,
162 const unsigned char *nonce, size_t nonce_len, 164 size_t max_out_len, const unsigned char *nonce, size_t nonce_len,
163 const unsigned char *in, size_t in_len, 165 const unsigned char *in, size_t in_len, const unsigned char *ad,
164 const unsigned char *ad, size_t ad_len) 166 size_t ad_len)
165 { 167{
166 ssize_t r; 168 ssize_t r;
167 169
168 if (in_len > SSIZE_MAX) 170 if (in_len > SSIZE_MAX) {
169 {
170 EVPerr(EVP_F_EVP_AEAD_CTX_OPEN, EVP_R_TOO_LARGE); 171 EVPerr(EVP_F_EVP_AEAD_CTX_OPEN, EVP_R_TOO_LARGE);
171 goto error; /* may not be able to represent return value. */ 172 goto error; /* may not be able to represent return value. */
172 } 173 }
173 174
174 if (!check_alias(in, in_len, out)) 175 if (!check_alias(in, in_len, out)) {
175 {
176 EVPerr(EVP_F_EVP_AEAD_CTX_OPEN, EVP_R_OUTPUT_ALIASES_INPUT); 176 EVPerr(EVP_F_EVP_AEAD_CTX_OPEN, EVP_R_OUTPUT_ALIASES_INPUT);
177 goto error; 177 goto error;
178 } 178 }
179 179
180 r = ctx->aead->open(ctx, out, max_out_len, nonce, nonce_len, 180 r = ctx->aead->open(ctx, out, max_out_len, nonce, nonce_len,
181 in, in_len, ad, ad_len); 181 in, in_len, ad, ad_len);
182 182
183 if (r >= 0) 183 if (r >= 0)
184 return r; 184 return r;
@@ -189,4 +189,4 @@ error:
189 * data. */ 189 * data. */
190 memset(out, 0, max_out_len); 190 memset(out, 0, max_out_len);
191 return -1; 191 return -1;
192 } 192}
diff --git a/src/lib/libcrypto/poly1305/poly1305-donna.c b/src/lib/libcrypto/poly1305/poly1305-donna.c
index 642a30b376..83d862f633 100644
--- a/src/lib/libcrypto/poly1305/poly1305-donna.c
+++ b/src/lib/libcrypto/poly1305/poly1305-donna.c
@@ -32,32 +32,34 @@ typedef struct poly1305_state_internal_t {
32 32
33/* interpret four 8 bit unsigned integers as a 32 bit unsigned integer in little endian */ 33/* interpret four 8 bit unsigned integers as a 32 bit unsigned integer in little endian */
34static unsigned long 34static unsigned long
35U8TO32(const unsigned char *p) { 35U8TO32(const unsigned char *p)
36 return 36{
37 (((unsigned long)(p[0] & 0xff) ) | 37 return (((unsigned long)(p[0] & 0xff)) |
38 ((unsigned long)(p[1] & 0xff) << 8) | 38 ((unsigned long)(p[1] & 0xff) << 8) |
39 ((unsigned long)(p[2] & 0xff) << 16) | 39 ((unsigned long)(p[2] & 0xff) << 16) |
40 ((unsigned long)(p[3] & 0xff) << 24)); 40 ((unsigned long)(p[3] & 0xff) << 24));
41} 41}
42 42
43/* store a 32 bit unsigned integer as four 8 bit unsigned integers in little endian */ 43/* store a 32 bit unsigned integer as four 8 bit unsigned integers in little endian */
44static void 44static void
45U32TO8(unsigned char *p, unsigned long v) { 45U32TO8(unsigned char *p, unsigned long v)
46 p[0] = (v ) & 0xff; 46{
47 p[0] = (v) & 0xff;
47 p[1] = (v >> 8) & 0xff; 48 p[1] = (v >> 8) & 0xff;
48 p[2] = (v >> 16) & 0xff; 49 p[2] = (v >> 16) & 0xff;
49 p[3] = (v >> 24) & 0xff; 50 p[3] = (v >> 24) & 0xff;
50} 51}
51 52
52static inline void 53static inline void
53poly1305_init(poly1305_context *ctx, const unsigned char key[32]) { 54poly1305_init(poly1305_context *ctx, const unsigned char key[32])
55{
54 poly1305_state_internal_t *st = (poly1305_state_internal_t *)ctx; 56 poly1305_state_internal_t *st = (poly1305_state_internal_t *)ctx;
55 57
56 /* r &= 0xffffffc0ffffffc0ffffffc0fffffff */ 58 /* r &= 0xffffffc0ffffffc0ffffffc0fffffff */
57 st->r[0] = (U8TO32(&key[ 0]) ) & 0x3ffffff; 59 st->r[0] = (U8TO32(&key[0])) & 0x3ffffff;
58 st->r[1] = (U8TO32(&key[ 3]) >> 2) & 0x3ffff03; 60 st->r[1] = (U8TO32(&key[3]) >> 2) & 0x3ffff03;
59 st->r[2] = (U8TO32(&key[ 6]) >> 4) & 0x3ffc0ff; 61 st->r[2] = (U8TO32(&key[6]) >> 4) & 0x3ffc0ff;
60 st->r[3] = (U8TO32(&key[ 9]) >> 6) & 0x3f03fff; 62 st->r[3] = (U8TO32(&key[9]) >> 6) & 0x3f03fff;
61 st->r[4] = (U8TO32(&key[12]) >> 8) & 0x00fffff; 63 st->r[4] = (U8TO32(&key[12]) >> 8) & 0x00fffff;
62 64
63 /* h = 0 */ 65 /* h = 0 */
@@ -78,12 +80,13 @@ poly1305_init(poly1305_context *ctx, const unsigned char key[32]) {
78} 80}
79 81
80static void 82static void
81poly1305_blocks(poly1305_state_internal_t *st, const unsigned char *m, size_t bytes) { 83poly1305_blocks(poly1305_state_internal_t *st, const unsigned char *m, size_t bytes)
84{
82 const unsigned long hibit = (st->final) ? 0 : (1 << 24); /* 1 << 128 */ 85 const unsigned long hibit = (st->final) ? 0 : (1 << 24); /* 1 << 128 */
83 unsigned long r0,r1,r2,r3,r4; 86 unsigned long r0, r1, r2, r3, r4;
84 unsigned long s1,s2,s3,s4; 87 unsigned long s1, s2, s3, s4;
85 unsigned long h0,h1,h2,h3,h4; 88 unsigned long h0, h1, h2, h3, h4;
86 unsigned long long d0,d1,d2,d3,d4; 89 unsigned long long d0, d1, d2, d3, d4;
87 unsigned long c; 90 unsigned long c;
88 91
89 r0 = st->r[0]; 92 r0 = st->r[0];
@@ -105,26 +108,57 @@ poly1305_blocks(poly1305_state_internal_t *st, const unsigned char *m, size_t by
105 108
106 while (bytes >= poly1305_block_size) { 109 while (bytes >= poly1305_block_size) {
107 /* h += m[i] */ 110 /* h += m[i] */
108 h0 += (U8TO32(m+ 0) ) & 0x3ffffff; 111 h0 += (U8TO32(m + 0)) & 0x3ffffff;
109 h1 += (U8TO32(m+ 3) >> 2) & 0x3ffffff; 112 h1 += (U8TO32(m + 3) >> 2) & 0x3ffffff;
110 h2 += (U8TO32(m+ 6) >> 4) & 0x3ffffff; 113 h2 += (U8TO32(m + 6) >> 4) & 0x3ffffff;
111 h3 += (U8TO32(m+ 9) >> 6) & 0x3ffffff; 114 h3 += (U8TO32(m + 9) >> 6) & 0x3ffffff;
112 h4 += (U8TO32(m+12) >> 8) | hibit; 115 h4 += (U8TO32(m + 12) >> 8) | hibit;
113 116
114 /* h *= r */ 117 /* h *= r */
115 d0 = ((unsigned long long)h0 * r0) + ((unsigned long long)h1 * s4) + ((unsigned long long)h2 * s3) + ((unsigned long long)h3 * s2) + ((unsigned long long)h4 * s1); 118 d0 = ((unsigned long long)h0 * r0) +
116 d1 = ((unsigned long long)h0 * r1) + ((unsigned long long)h1 * r0) + ((unsigned long long)h2 * s4) + ((unsigned long long)h3 * s3) + ((unsigned long long)h4 * s2); 119 ((unsigned long long)h1 * s4) +
117 d2 = ((unsigned long long)h0 * r2) + ((unsigned long long)h1 * r1) + ((unsigned long long)h2 * r0) + ((unsigned long long)h3 * s4) + ((unsigned long long)h4 * s3); 120 ((unsigned long long)h2 * s3) +
118 d3 = ((unsigned long long)h0 * r3) + ((unsigned long long)h1 * r2) + ((unsigned long long)h2 * r1) + ((unsigned long long)h3 * r0) + ((unsigned long long)h4 * s4); 121 ((unsigned long long)h3 * s2) +
119 d4 = ((unsigned long long)h0 * r4) + ((unsigned long long)h1 * r3) + ((unsigned long long)h2 * r2) + ((unsigned long long)h3 * r1) + ((unsigned long long)h4 * r0); 122 ((unsigned long long)h4 * s1);
123 d1 = ((unsigned long long)h0 * r1) +
124 ((unsigned long long)h1 * r0) +
125 ((unsigned long long)h2 * s4) +
126 ((unsigned long long)h3 * s3) +
127 ((unsigned long long)h4 * s2);
128 d2 = ((unsigned long long)h0 * r2) +
129 ((unsigned long long)h1 * r1) +
130 ((unsigned long long)h2 * r0) +
131 ((unsigned long long)h3 * s4) +
132 ((unsigned long long)h4 * s3);
133 d3 = ((unsigned long long)h0 * r3) +
134 ((unsigned long long)h1 * r2) +
135 ((unsigned long long)h2 * r1) +
136 ((unsigned long long)h3 * r0) +
137 ((unsigned long long)h4 * s4);
138 d4 = ((unsigned long long)h0 * r4) +
139 ((unsigned long long)h1 * r3) +
140 ((unsigned long long)h2 * r2) +
141 ((unsigned long long)h3 * r1) +
142 ((unsigned long long)h4 * r0);
120 143
121 /* (partial) h %= p */ 144 /* (partial) h %= p */
122 c = (unsigned long)(d0 >> 26); h0 = (unsigned long)d0 & 0x3ffffff; 145 c = (unsigned long)(d0 >> 26);
123 d1 += c; c = (unsigned long)(d1 >> 26); h1 = (unsigned long)d1 & 0x3ffffff; 146 h0 = (unsigned long)d0 & 0x3ffffff;
124 d2 += c; c = (unsigned long)(d2 >> 26); h2 = (unsigned long)d2 & 0x3ffffff; 147 d1 += c;
125 d3 += c; c = (unsigned long)(d3 >> 26); h3 = (unsigned long)d3 & 0x3ffffff; 148 c = (unsigned long)(d1 >> 26);
126 d4 += c; c = (unsigned long)(d4 >> 26); h4 = (unsigned long)d4 & 0x3ffffff; 149 h1 = (unsigned long)d1 & 0x3ffffff;
127 h0 += c * 5; c = (h0 >> 26); h0 = h0 & 0x3ffffff; 150 d2 += c;
151 c = (unsigned long)(d2 >> 26);
152 h2 = (unsigned long)d2 & 0x3ffffff;
153 d3 += c;
154 c = (unsigned long)(d3 >> 26);
155 h3 = (unsigned long)d3 & 0x3ffffff;
156 d4 += c;
157 c = (unsigned long)(d4 >> 26);
158 h4 = (unsigned long)d4 & 0x3ffffff;
159 h0 += c * 5;
160 c = (h0 >> 26);
161 h0 = h0 & 0x3ffffff;
128 h1 += c; 162 h1 += c;
129 163
130 m += poly1305_block_size; 164 m += poly1305_block_size;
@@ -139,7 +173,8 @@ poly1305_blocks(poly1305_state_internal_t *st, const unsigned char *m, size_t by
139} 173}
140 174
141static inline void 175static inline void
142poly1305_update(poly1305_context *ctx, const unsigned char *m, size_t bytes) { 176poly1305_update(poly1305_context *ctx, const unsigned char *m, size_t bytes)
177{
143 poly1305_state_internal_t *st = (poly1305_state_internal_t *)ctx; 178 poly1305_state_internal_t *st = (poly1305_state_internal_t *)ctx;
144 size_t i; 179 size_t i;
145 180
@@ -176,10 +211,11 @@ poly1305_update(poly1305_context *ctx, const unsigned char *m, size_t bytes) {
176} 211}
177 212
178static inline void 213static inline void
179poly1305_finish(poly1305_context *ctx, unsigned char mac[16]) { 214poly1305_finish(poly1305_context *ctx, unsigned char mac[16])
215{
180 poly1305_state_internal_t *st = (poly1305_state_internal_t *)ctx; 216 poly1305_state_internal_t *st = (poly1305_state_internal_t *)ctx;
181 unsigned long h0,h1,h2,h3,h4,c; 217 unsigned long h0, h1, h2, h3, h4, c;
182 unsigned long g0,g1,g2,g3,g4; 218 unsigned long g0, g1, g2, g3, g4;
183 unsigned long long f; 219 unsigned long long f;
184 unsigned long mask; 220 unsigned long mask;
185 221
@@ -200,18 +236,35 @@ poly1305_finish(poly1305_context *ctx, unsigned char mac[16]) {
200 h3 = st->h[3]; 236 h3 = st->h[3];
201 h4 = st->h[4]; 237 h4 = st->h[4];
202 238
203 c = h1 >> 26; h1 = h1 & 0x3ffffff; 239 c = h1 >> 26;
204 h2 += c; c = h2 >> 26; h2 = h2 & 0x3ffffff; 240 h1 = h1 & 0x3ffffff;
205 h3 += c; c = h3 >> 26; h3 = h3 & 0x3ffffff; 241 h2 += c;
206 h4 += c; c = h4 >> 26; h4 = h4 & 0x3ffffff; 242 c = h2 >> 26;
207 h0 += c * 5; c = h0 >> 26; h0 = h0 & 0x3ffffff; 243 h2 = h2 & 0x3ffffff;
208 h1 += c; 244 h3 += c;
245 c = h3 >> 26;
246 h3 = h3 & 0x3ffffff;
247 h4 += c;
248 c = h4 >> 26;
249 h4 = h4 & 0x3ffffff;
250 h0 += c * 5;
251 c = h0 >> 26;
252 h0 = h0 & 0x3ffffff;
253 h1 += c;
209 254
210 /* compute h + -p */ 255 /* compute h + -p */
211 g0 = h0 + 5; c = g0 >> 26; g0 &= 0x3ffffff; 256 g0 = h0 + 5;
212 g1 = h1 + c; c = g1 >> 26; g1 &= 0x3ffffff; 257 c = g0 >> 26;
213 g2 = h2 + c; c = g2 >> 26; g2 &= 0x3ffffff; 258 g0 &= 0x3ffffff;
214 g3 = h3 + c; c = g3 >> 26; g3 &= 0x3ffffff; 259 g1 = h1 + c;
260 c = g1 >> 26;
261 g1 &= 0x3ffffff;
262 g2 = h2 + c;
263 c = g2 >> 26;
264 g2 &= 0x3ffffff;
265 g3 = h3 + c;
266 c = g3 >> 26;
267 g3 &= 0x3ffffff;
215 g4 = h4 + c - (1 << 26); 268 g4 = h4 + c - (1 << 26);
216 269
217 /* select h if h < p, or h + -p if h >= p */ 270 /* select h if h < p, or h + -p if h >= p */
@@ -229,16 +282,20 @@ poly1305_finish(poly1305_context *ctx, unsigned char mac[16]) {
229 h4 = (h4 & mask) | g4; 282 h4 = (h4 & mask) | g4;
230 283
231 /* h = h % (2^128) */ 284 /* h = h % (2^128) */
232 h0 = ((h0 ) | (h1 << 26)) & 0xffffffff; 285 h0 = ((h0) | (h1 << 26)) & 0xffffffff;
233 h1 = ((h1 >> 6) | (h2 << 20)) & 0xffffffff; 286 h1 = ((h1 >> 6) | (h2 << 20)) & 0xffffffff;
234 h2 = ((h2 >> 12) | (h3 << 14)) & 0xffffffff; 287 h2 = ((h2 >> 12) | (h3 << 14)) & 0xffffffff;
235 h3 = ((h3 >> 18) | (h4 << 8)) & 0xffffffff; 288 h3 = ((h3 >> 18) | (h4 << 8)) & 0xffffffff;
236 289
237 /* mac = (h + pad) % (2^128) */ 290 /* mac = (h + pad) % (2^128) */
238 f = (unsigned long long)h0 + st->pad[0] ; h0 = (unsigned long)f; 291 f = (unsigned long long)h0 + st->pad[0];
239 f = (unsigned long long)h1 + st->pad[1] + (f >> 32); h1 = (unsigned long)f; 292 h0 = (unsigned long)f;
240 f = (unsigned long long)h2 + st->pad[2] + (f >> 32); h2 = (unsigned long)f; 293 f = (unsigned long long)h1 + st->pad[1] + (f >> 32);
241 f = (unsigned long long)h3 + st->pad[3] + (f >> 32); h3 = (unsigned long)f; 294 h1 = (unsigned long)f;
295 f = (unsigned long long)h2 + st->pad[2] + (f >> 32);
296 h2 = (unsigned long)f;
297 f = (unsigned long long)h3 + st->pad[3] + (f >> 32);
298 h3 = (unsigned long)f;
242 299
243 U32TO8(mac + 0, h0); 300 U32TO8(mac + 0, h0);
244 U32TO8(mac + 4, h1); 301 U32TO8(mac + 4, h1);
diff --git a/src/lib/libssl/src/crypto/chacha/chacha-merged.c b/src/lib/libssl/src/crypto/chacha/chacha-merged.c
index 5ba813147a..5cd1dde072 100644
--- a/src/lib/libssl/src/crypto/chacha/chacha-merged.c
+++ b/src/lib/libssl/src/crypto/chacha/chacha-merged.c
@@ -43,14 +43,14 @@ typedef struct chacha_ctx chacha_ctx;
43 (U32V((v) << (n)) | ((v) >> (32 - (n)))) 43 (U32V((v) << (n)) | ((v) >> (32 - (n))))
44 44
45#define U8TO32_LITTLE(p) \ 45#define U8TO32_LITTLE(p) \
46 (((u32)((p)[0]) ) | \ 46 (((u32)((p)[0])) | \
47 ((u32)((p)[1]) << 8) | \ 47 ((u32)((p)[1]) << 8) | \
48 ((u32)((p)[2]) << 16) | \ 48 ((u32)((p)[2]) << 16) | \
49 ((u32)((p)[3]) << 24)) 49 ((u32)((p)[3]) << 24))
50 50
51#define U32TO8_LITTLE(p, v) \ 51#define U32TO8_LITTLE(p, v) \
52 do { \ 52 do { \
53 (p)[0] = U8V((v) ); \ 53 (p)[0] = U8V((v)); \
54 (p)[1] = U8V((v) >> 8); \ 54 (p)[1] = U8V((v) >> 8); \
55 (p)[2] = U8V((v) >> 16); \ 55 (p)[2] = U8V((v) >> 16); \
56 (p)[3] = U8V((v) >> 24); \ 56 (p)[3] = U8V((v) >> 24); \
@@ -71,167 +71,169 @@ static const char sigma[16] = "expand 32-byte k";
71static const char tau[16] = "expand 16-byte k"; 71static const char tau[16] = "expand 16-byte k";
72 72
73static inline void 73static inline void
74chacha_keysetup(chacha_ctx *x,const u8 *k,u32 kbits) 74chacha_keysetup(chacha_ctx *x, const u8 *k, u32 kbits)
75{ 75{
76 const char *constants; 76 const char *constants;
77 77
78 x->input[4] = U8TO32_LITTLE(k + 0); 78 x->input[4] = U8TO32_LITTLE(k + 0);
79 x->input[5] = U8TO32_LITTLE(k + 4); 79 x->input[5] = U8TO32_LITTLE(k + 4);
80 x->input[6] = U8TO32_LITTLE(k + 8); 80 x->input[6] = U8TO32_LITTLE(k + 8);
81 x->input[7] = U8TO32_LITTLE(k + 12); 81 x->input[7] = U8TO32_LITTLE(k + 12);
82 if (kbits == 256) { /* recommended */ 82 if (kbits == 256) { /* recommended */
83 k += 16; 83 k += 16;
84 constants = sigma; 84 constants = sigma;
85 } else { /* kbits == 128 */ 85 } else { /* kbits == 128 */
86 constants = tau; 86 constants = tau;
87 } 87 }
88 x->input[8] = U8TO32_LITTLE(k + 0); 88 x->input[8] = U8TO32_LITTLE(k + 0);
89 x->input[9] = U8TO32_LITTLE(k + 4); 89 x->input[9] = U8TO32_LITTLE(k + 4);
90 x->input[10] = U8TO32_LITTLE(k + 8); 90 x->input[10] = U8TO32_LITTLE(k + 8);
91 x->input[11] = U8TO32_LITTLE(k + 12); 91 x->input[11] = U8TO32_LITTLE(k + 12);
92 x->input[0] = U8TO32_LITTLE(constants + 0); 92 x->input[0] = U8TO32_LITTLE(constants + 0);
93 x->input[1] = U8TO32_LITTLE(constants + 4); 93 x->input[1] = U8TO32_LITTLE(constants + 4);
94 x->input[2] = U8TO32_LITTLE(constants + 8); 94 x->input[2] = U8TO32_LITTLE(constants + 8);
95 x->input[3] = U8TO32_LITTLE(constants + 12); 95 x->input[3] = U8TO32_LITTLE(constants + 12);
96} 96}
97 97
98static inline void 98static inline void
99chacha_ivsetup(chacha_ctx *x, const u8 *iv, const u8 *counter) 99chacha_ivsetup(chacha_ctx *x, const u8 *iv, const u8 *counter)
100{ 100{
101 x->input[12] = counter == NULL ? 0 : U8TO32_LITTLE(counter + 0); 101 x->input[12] = counter == NULL ? 0 : U8TO32_LITTLE(counter + 0);
102 x->input[13] = counter == NULL ? 0 : U8TO32_LITTLE(counter + 4); 102 x->input[13] = counter == NULL ? 0 : U8TO32_LITTLE(counter + 4);
103 x->input[14] = U8TO32_LITTLE(iv + 0); 103 x->input[14] = U8TO32_LITTLE(iv + 0);
104 x->input[15] = U8TO32_LITTLE(iv + 4); 104 x->input[15] = U8TO32_LITTLE(iv + 4);
105} 105}
106 106
107static inline void 107static inline void
108chacha_encrypt_bytes(chacha_ctx *x,const u8 *m,u8 *c,u32 bytes) 108chacha_encrypt_bytes(chacha_ctx *x, const u8 *m, u8 *c, u32 bytes)
109{ 109{
110 u32 x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15; 110 u32 x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15;
111 u32 j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15; 111 u32 j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15;
112 u8 *ctarget = NULL; 112 u8 *ctarget = NULL;
113 u8 tmp[64]; 113 u8 tmp[64];
114 u_int i; 114 u_int i;
115 115
116 if (!bytes) return; 116 if (!bytes)
117 117 return;
118 j0 = x->input[0]; 118
119 j1 = x->input[1]; 119 j0 = x->input[0];
120 j2 = x->input[2]; 120 j1 = x->input[1];
121 j3 = x->input[3]; 121 j2 = x->input[2];
122 j4 = x->input[4]; 122 j3 = x->input[3];
123 j5 = x->input[5]; 123 j4 = x->input[4];
124 j6 = x->input[6]; 124 j5 = x->input[5];
125 j7 = x->input[7]; 125 j6 = x->input[6];
126 j8 = x->input[8]; 126 j7 = x->input[7];
127 j9 = x->input[9]; 127 j8 = x->input[8];
128 j10 = x->input[10]; 128 j9 = x->input[9];
129 j11 = x->input[11]; 129 j10 = x->input[10];
130 j12 = x->input[12]; 130 j11 = x->input[11];
131 j13 = x->input[13]; 131 j12 = x->input[12];
132 j14 = x->input[14]; 132 j13 = x->input[13];
133 j15 = x->input[15]; 133 j14 = x->input[14];
134 134 j15 = x->input[15];
135 for (;;) { 135
136 if (bytes < 64) { 136 for (;;) {
137 for (i = 0;i < bytes;++i) tmp[i] = m[i]; 137 if (bytes < 64) {
138 m = tmp; 138 for (i = 0;i < bytes;++i) tmp[i] = m[i];
139 ctarget = c; 139 m = tmp;
140 c = tmp; 140 ctarget = c;
141 } 141 c = tmp;
142 x0 = j0; 142 }
143 x1 = j1; 143 x0 = j0;
144 x2 = j2; 144 x1 = j1;
145 x3 = j3; 145 x2 = j2;
146 x4 = j4; 146 x3 = j3;
147 x5 = j5; 147 x4 = j4;
148 x6 = j6; 148 x5 = j5;
149 x7 = j7; 149 x6 = j6;
150 x8 = j8; 150 x7 = j7;
151 x9 = j9; 151 x8 = j8;
152 x10 = j10; 152 x9 = j9;
153 x11 = j11; 153 x10 = j10;
154 x12 = j12; 154 x11 = j11;
155 x13 = j13; 155 x12 = j12;
156 x14 = j14; 156 x13 = j13;
157 x15 = j15; 157 x14 = j14;
158 for (i = 20;i > 0;i -= 2) { 158 x15 = j15;
159 QUARTERROUND( x0, x4, x8,x12) 159 for (i = 20; i > 0; i -= 2) {
160 QUARTERROUND( x1, x5, x9,x13) 160 QUARTERROUND(x0, x4, x8, x12)
161 QUARTERROUND( x2, x6,x10,x14) 161 QUARTERROUND(x1, x5, x9, x13)
162 QUARTERROUND( x3, x7,x11,x15) 162 QUARTERROUND(x2, x6, x10, x14)
163 QUARTERROUND( x0, x5,x10,x15) 163 QUARTERROUND(x3, x7, x11, x15)
164 QUARTERROUND( x1, x6,x11,x12) 164 QUARTERROUND(x0, x5, x10, x15)
165 QUARTERROUND( x2, x7, x8,x13) 165 QUARTERROUND(x1, x6, x11, x12)
166 QUARTERROUND( x3, x4, x9,x14) 166 QUARTERROUND(x2, x7, x8, x13)
167 } 167 QUARTERROUND(x3, x4, x9, x14)
168 x0 = PLUS(x0,j0); 168 }
169 x1 = PLUS(x1,j1); 169 x0 = PLUS(x0, j0);
170 x2 = PLUS(x2,j2); 170 x1 = PLUS(x1, j1);
171 x3 = PLUS(x3,j3); 171 x2 = PLUS(x2, j2);
172 x4 = PLUS(x4,j4); 172 x3 = PLUS(x3, j3);
173 x5 = PLUS(x5,j5); 173 x4 = PLUS(x4, j4);
174 x6 = PLUS(x6,j6); 174 x5 = PLUS(x5, j5);
175 x7 = PLUS(x7,j7); 175 x6 = PLUS(x6, j6);
176 x8 = PLUS(x8,j8); 176 x7 = PLUS(x7, j7);
177 x9 = PLUS(x9,j9); 177 x8 = PLUS(x8, j8);
178 x10 = PLUS(x10,j10); 178 x9 = PLUS(x9, j9);
179 x11 = PLUS(x11,j11); 179 x10 = PLUS(x10, j10);
180 x12 = PLUS(x12,j12); 180 x11 = PLUS(x11, j11);
181 x13 = PLUS(x13,j13); 181 x12 = PLUS(x12, j12);
182 x14 = PLUS(x14,j14); 182 x13 = PLUS(x13, j13);
183 x15 = PLUS(x15,j15); 183 x14 = PLUS(x14, j14);
184 184 x15 = PLUS(x15, j15);
185 x0 = XOR(x0,U8TO32_LITTLE(m + 0)); 185
186 x1 = XOR(x1,U8TO32_LITTLE(m + 4)); 186 x0 = XOR(x0, U8TO32_LITTLE(m + 0));
187 x2 = XOR(x2,U8TO32_LITTLE(m + 8)); 187 x1 = XOR(x1, U8TO32_LITTLE(m + 4));
188 x3 = XOR(x3,U8TO32_LITTLE(m + 12)); 188 x2 = XOR(x2, U8TO32_LITTLE(m + 8));
189 x4 = XOR(x4,U8TO32_LITTLE(m + 16)); 189 x3 = XOR(x3, U8TO32_LITTLE(m + 12));
190 x5 = XOR(x5,U8TO32_LITTLE(m + 20)); 190 x4 = XOR(x4, U8TO32_LITTLE(m + 16));
191 x6 = XOR(x6,U8TO32_LITTLE(m + 24)); 191 x5 = XOR(x5, U8TO32_LITTLE(m + 20));
192 x7 = XOR(x7,U8TO32_LITTLE(m + 28)); 192 x6 = XOR(x6, U8TO32_LITTLE(m + 24));
193 x8 = XOR(x8,U8TO32_LITTLE(m + 32)); 193 x7 = XOR(x7, U8TO32_LITTLE(m + 28));
194 x9 = XOR(x9,U8TO32_LITTLE(m + 36)); 194 x8 = XOR(x8, U8TO32_LITTLE(m + 32));
195 x10 = XOR(x10,U8TO32_LITTLE(m + 40)); 195 x9 = XOR(x9, U8TO32_LITTLE(m + 36));
196 x11 = XOR(x11,U8TO32_LITTLE(m + 44)); 196 x10 = XOR(x10, U8TO32_LITTLE(m + 40));
197 x12 = XOR(x12,U8TO32_LITTLE(m + 48)); 197 x11 = XOR(x11, U8TO32_LITTLE(m + 44));
198 x13 = XOR(x13,U8TO32_LITTLE(m + 52)); 198 x12 = XOR(x12, U8TO32_LITTLE(m + 48));
199 x14 = XOR(x14,U8TO32_LITTLE(m + 56)); 199 x13 = XOR(x13, U8TO32_LITTLE(m + 52));
200 x15 = XOR(x15,U8TO32_LITTLE(m + 60)); 200 x14 = XOR(x14, U8TO32_LITTLE(m + 56));
201 201 x15 = XOR(x15, U8TO32_LITTLE(m + 60));
202 j12 = PLUSONE(j12); 202
203 if (!j12) { 203 j12 = PLUSONE(j12);
204 j13 = PLUSONE(j13); 204 if (!j12) {
205 /* stopping at 2^70 bytes per nonce is user's responsibility */ 205 j13 = PLUSONE(j13);
206 } 206 /* stopping at 2^70 bytes per nonce is user's responsibility */
207 207 }
208 U32TO8_LITTLE(c + 0,x0); 208
209 U32TO8_LITTLE(c + 4,x1); 209 U32TO8_LITTLE(c + 0, x0);
210 U32TO8_LITTLE(c + 8,x2); 210 U32TO8_LITTLE(c + 4, x1);
211 U32TO8_LITTLE(c + 12,x3); 211 U32TO8_LITTLE(c + 8, x2);
212 U32TO8_LITTLE(c + 16,x4); 212 U32TO8_LITTLE(c + 12, x3);
213 U32TO8_LITTLE(c + 20,x5); 213 U32TO8_LITTLE(c + 16, x4);
214 U32TO8_LITTLE(c + 24,x6); 214 U32TO8_LITTLE(c + 20, x5);
215 U32TO8_LITTLE(c + 28,x7); 215 U32TO8_LITTLE(c + 24, x6);
216 U32TO8_LITTLE(c + 32,x8); 216 U32TO8_LITTLE(c + 28, x7);
217 U32TO8_LITTLE(c + 36,x9); 217 U32TO8_LITTLE(c + 32, x8);
218 U32TO8_LITTLE(c + 40,x10); 218 U32TO8_LITTLE(c + 36, x9);
219 U32TO8_LITTLE(c + 44,x11); 219 U32TO8_LITTLE(c + 40, x10);
220 U32TO8_LITTLE(c + 48,x12); 220 U32TO8_LITTLE(c + 44, x11);
221 U32TO8_LITTLE(c + 52,x13); 221 U32TO8_LITTLE(c + 48, x12);
222 U32TO8_LITTLE(c + 56,x14); 222 U32TO8_LITTLE(c + 52, x13);
223 U32TO8_LITTLE(c + 60,x15); 223 U32TO8_LITTLE(c + 56, x14);
224 224 U32TO8_LITTLE(c + 60, x15);
225 if (bytes <= 64) { 225
226 if (bytes < 64) { 226 if (bytes <= 64) {
227 for (i = 0;i < bytes;++i) ctarget[i] = c[i]; 227 if (bytes < 64) {
228 } 228 for (i = 0; i < bytes; ++i)
229 x->input[12] = j12; 229 ctarget[i] = c[i];
230 x->input[13] = j13; 230 }
231 return; 231 x->input[12] = j12;
232 } 232 x->input[13] = j13;
233 bytes -= 64; 233 return;
234 c += 64; 234 }
235 m += 64; 235 bytes -= 64;
236 } 236 c += 64;
237 m += 64;
238 }
237} 239}
diff --git a/src/lib/libssl/src/crypto/chacha/chacha.h b/src/lib/libssl/src/crypto/chacha/chacha.h
index 456d960ed9..8312273cea 100644
--- a/src/lib/libssl/src/crypto/chacha/chacha.h
+++ b/src/lib/libssl/src/crypto/chacha/chacha.h
@@ -30,7 +30,7 @@ extern "C" {
30#endif 30#endif
31 31
32typedef struct { 32typedef struct {
33 unsigned int input[16]; 33 unsigned int input[16];
34} ChaCha_ctx; 34} ChaCha_ctx;
35 35
36void ChaCha_set_key(ChaCha_ctx *ctx, const unsigned char *key, 36void ChaCha_set_key(ChaCha_ctx *ctx, const unsigned char *key,
diff --git a/src/lib/libssl/src/crypto/evp/e_aes.c b/src/lib/libssl/src/crypto/evp/e_aes.c
index e4d9457c96..4da61b8f62 100644
--- a/src/lib/libssl/src/crypto/evp/e_aes.c
+++ b/src/lib/libssl/src/crypto/evp/e_aes.c
@@ -658,7 +658,8 @@ aes_gcm_cleanup(EVP_CIPHER_CTX *c)
658 658
659/* increment counter (64-bit int) by 1 */ 659/* increment counter (64-bit int) by 1 */
660static void 660static void
661ctr64_inc(unsigned char *counter) { 661ctr64_inc(unsigned char *counter)
662{
662 int n = 8; 663 int n = 8;
663 unsigned char c; 664 unsigned char c;
664 665
@@ -991,11 +992,11 @@ aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
991 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \ 992 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
992 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT) 993 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT)
993 994
994BLOCK_CIPHER_custom(NID_aes, 128, 1,12, gcm, GCM, 995BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, gcm, GCM,
995 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS) 996 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS)
996BLOCK_CIPHER_custom(NID_aes, 192, 1,12, gcm, GCM, 997BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, gcm, GCM,
997 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS) 998 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS)
998BLOCK_CIPHER_custom(NID_aes, 256, 1,12, gcm, GCM, 999BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, gcm, GCM,
999 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS) 1000 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS)
1000 1001
1001static int 1002static int
@@ -1104,8 +1105,8 @@ aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1104#define XTS_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV \ 1105#define XTS_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV \
1105 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT) 1106 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT)
1106 1107
1107BLOCK_CIPHER_custom(NID_aes, 128, 1,16, xts, XTS, EVP_CIPH_FLAG_FIPS|XTS_FLAGS) 1108BLOCK_CIPHER_custom(NID_aes, 128, 1, 16, xts, XTS, EVP_CIPH_FLAG_FIPS|XTS_FLAGS)
1108BLOCK_CIPHER_custom(NID_aes, 256, 1,16, xts, XTS, EVP_CIPH_FLAG_FIPS|XTS_FLAGS) 1109BLOCK_CIPHER_custom(NID_aes, 256, 1, 16, xts, XTS, EVP_CIPH_FLAG_FIPS|XTS_FLAGS)
1109 1110
1110static int 1111static int
1111aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) 1112aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
@@ -1254,11 +1255,11 @@ aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1254 1255
1255#define aes_ccm_cleanup NULL 1256#define aes_ccm_cleanup NULL
1256 1257
1257BLOCK_CIPHER_custom(NID_aes, 128, 1,12, ccm, CCM, 1258BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, ccm, CCM,
1258 EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS) 1259 EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
1259BLOCK_CIPHER_custom(NID_aes, 192, 1,12, ccm, CCM, 1260BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, ccm, CCM,
1260 EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS) 1261 EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
1261BLOCK_CIPHER_custom(NID_aes, 256, 1,12, ccm, CCM, 1262BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, ccm, CCM,
1262 EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS) 1263 EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
1263 1264
1264#define EVP_AEAD_AES_GCM_TAG_LEN 16 1265#define EVP_AEAD_AES_GCM_TAG_LEN 16
@@ -1390,7 +1391,7 @@ aead_aes_gcm_open(const EVP_AEAD_CTX *ctx, unsigned char *out,
1390 1391
1391 if (gcm_ctx->ctr) { 1392 if (gcm_ctx->ctr) {
1392 if (CRYPTO_gcm128_decrypt_ctr32(&gcm, in + bulk, out + bulk, 1393 if (CRYPTO_gcm128_decrypt_ctr32(&gcm, in + bulk, out + bulk,
1393 in_len-bulk-gcm_ctx->tag_len, gcm_ctx->ctr)) 1394 in_len - bulk - gcm_ctx->tag_len, gcm_ctx->ctr))
1394 return -1; 1395 return -1;
1395 } else { 1396 } else {
1396 if (CRYPTO_gcm128_decrypt(&gcm, in + bulk, out + bulk, 1397 if (CRYPTO_gcm128_decrypt(&gcm, in + bulk, out + bulk,
diff --git a/src/lib/libssl/src/crypto/evp/evp_aead.c b/src/lib/libssl/src/crypto/evp/evp_aead.c
index 137e3dd05b..c8ba1df54a 100644
--- a/src/lib/libssl/src/crypto/evp/evp_aead.c
+++ b/src/lib/libssl/src/crypto/evp/evp_aead.c
@@ -4,21 +4,21 @@
4 * This package is an SSL implementation written 4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com). 5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL. 6 * The implementation was written so as to conform with Netscapes SSL.
7 * 7 *
8 * This library is free for commercial and non-commercial use as long as 8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions 9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA, 10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms 12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 * 14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in 15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed. 16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution 17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used. 18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or 19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package. 20 * in documentation (online or textual) provided with the package.
21 * 21 *
22 * Redistribution and use in source and binary forms, with or without 22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions 23 * modification, are permitted provided that the following conditions
24 * are met: 24 * are met:
@@ -33,10 +33,10 @@
33 * Eric Young (eay@cryptsoft.com)" 33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library 34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-). 35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from 36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement: 37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 * 39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -48,7 +48,7 @@
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE. 50 * SUCH DAMAGE.
51 * 51 *
52 * The licence and distribution terms for any publically available version or 52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be 53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence 54 * copied and put under another distribution licence
@@ -63,46 +63,50 @@
63 63
64#include "evp_locl.h" 64#include "evp_locl.h"
65 65
66size_t EVP_AEAD_key_length(const EVP_AEAD *aead) 66size_t
67 { 67EVP_AEAD_key_length(const EVP_AEAD *aead)
68{
68 return aead->key_len; 69 return aead->key_len;
69 } 70}
70 71
71size_t EVP_AEAD_nonce_length(const EVP_AEAD *aead) 72size_t
72 { 73EVP_AEAD_nonce_length(const EVP_AEAD *aead)
74{
73 return aead->nonce_len; 75 return aead->nonce_len;
74 } 76}
75 77
76size_t EVP_AEAD_max_overhead(const EVP_AEAD *aead) 78size_t
77 { 79EVP_AEAD_max_overhead(const EVP_AEAD *aead)
80{
78 return aead->overhead; 81 return aead->overhead;
79 } 82}
80 83
81size_t EVP_AEAD_max_tag_len(const EVP_AEAD *aead) 84size_t
82 { 85EVP_AEAD_max_tag_len(const EVP_AEAD *aead)
86{
83 return aead->max_tag_len; 87 return aead->max_tag_len;
84 } 88}
85 89
86int EVP_AEAD_CTX_init(EVP_AEAD_CTX *ctx, const EVP_AEAD *aead, 90int
87 const unsigned char *key, size_t key_len, 91EVP_AEAD_CTX_init(EVP_AEAD_CTX *ctx, const EVP_AEAD *aead,
88 size_t tag_len, ENGINE *impl) 92 const unsigned char *key, size_t key_len, size_t tag_len, ENGINE *impl)
89 { 93{
90 ctx->aead = aead; 94 ctx->aead = aead;
91 if (key_len != aead->key_len) 95 if (key_len != aead->key_len) {
92 { 96 EVPerr(EVP_F_EVP_AEAD_CTX_INIT, EVP_R_UNSUPPORTED_KEY_SIZE);
93 EVPerr(EVP_F_EVP_AEAD_CTX_INIT,EVP_R_UNSUPPORTED_KEY_SIZE);
94 return 0; 97 return 0;
95 }
96 return aead->init(ctx, key, key_len, tag_len);
97 } 98 }
99 return aead->init(ctx, key, key_len, tag_len);
100}
98 101
99void EVP_AEAD_CTX_cleanup(EVP_AEAD_CTX *ctx) 102void
100 { 103EVP_AEAD_CTX_cleanup(EVP_AEAD_CTX *ctx)
104{
101 if (ctx->aead == NULL) 105 if (ctx->aead == NULL)
102 return; 106 return;
103 ctx->aead->cleanup(ctx); 107 ctx->aead->cleanup(ctx);
104 ctx->aead = NULL; 108 ctx->aead = NULL;
105 } 109}
106 110
107/* check_alias returns 0 if out points within the buffer determined by in 111/* check_alias returns 0 if out points within the buffer determined by in
108 * and in_len and 1 otherwise. 112 * and in_len and 1 otherwise.
@@ -112,41 +116,39 @@ void EVP_AEAD_CTX_cleanup(EVP_AEAD_CTX *ctx)
112 * stomp input that hasn't been read yet. 116 * stomp input that hasn't been read yet.
113 * 117 *
114 * This function checks for that case. */ 118 * This function checks for that case. */
115static int check_alias(const unsigned char *in, size_t in_len, 119static int
116 const unsigned char *out) 120check_alias(const unsigned char *in, size_t in_len, const unsigned char *out)
117 { 121{
118 if (out <= in) 122 if (out <= in)
119 return 1; 123 return 1;
120 if (in + in_len <= out) 124 if (in + in_len <= out)
121 return 1; 125 return 1;
122 return 0; 126 return 0;
123 } 127}
124 128
125ssize_t EVP_AEAD_CTX_seal(const EVP_AEAD_CTX *ctx, 129ssize_t
126 unsigned char *out, size_t max_out_len, 130EVP_AEAD_CTX_seal(const EVP_AEAD_CTX *ctx, unsigned char *out,
127 const unsigned char *nonce, size_t nonce_len, 131 size_t max_out_len, const unsigned char *nonce, size_t nonce_len,
128 const unsigned char *in, size_t in_len, 132 const unsigned char *in, size_t in_len, const unsigned char *ad,
129 const unsigned char *ad, size_t ad_len) 133 size_t ad_len)
130 { 134{
131 size_t possible_out_len = in_len + ctx->aead->overhead; 135 size_t possible_out_len = in_len + ctx->aead->overhead;
132 ssize_t r; 136 ssize_t r;
133 137
134 if (possible_out_len < in_len /* overflow */ || 138 if (possible_out_len < in_len /* overflow */ ||
135 possible_out_len > SSIZE_MAX /* return value cannot be 139 possible_out_len > SSIZE_MAX /* return value cannot be
136 represented */) 140 represented */) {
137 {
138 EVPerr(EVP_F_EVP_AEAD_CTX_SEAL, EVP_R_TOO_LARGE); 141 EVPerr(EVP_F_EVP_AEAD_CTX_SEAL, EVP_R_TOO_LARGE);
139 goto error; 142 goto error;
140 } 143 }
141 144
142 if (!check_alias(in, in_len, out)) 145 if (!check_alias(in, in_len, out)) {
143 {
144 EVPerr(EVP_F_EVP_AEAD_CTX_SEAL, EVP_R_OUTPUT_ALIASES_INPUT); 146 EVPerr(EVP_F_EVP_AEAD_CTX_SEAL, EVP_R_OUTPUT_ALIASES_INPUT);
145 goto error; 147 goto error;
146 } 148 }
147 149
148 r = ctx->aead->seal(ctx, out, max_out_len, nonce, nonce_len, 150 r = ctx->aead->seal(ctx, out, max_out_len, nonce, nonce_len,
149 in, in_len, ad, ad_len); 151 in, in_len, ad, ad_len);
150 if (r >= 0) 152 if (r >= 0)
151 return r; 153 return r;
152 154
@@ -155,30 +157,28 @@ error:
155 * that doesn't check the return value doesn't send raw data. */ 157 * that doesn't check the return value doesn't send raw data. */
156 memset(out, 0, max_out_len); 158 memset(out, 0, max_out_len);
157 return -1; 159 return -1;
158 } 160}
159 161
160ssize_t EVP_AEAD_CTX_open(const EVP_AEAD_CTX *ctx, 162ssize_t
161 unsigned char *out, size_t max_out_len, 163EVP_AEAD_CTX_open(const EVP_AEAD_CTX *ctx, unsigned char *out,
162 const unsigned char *nonce, size_t nonce_len, 164 size_t max_out_len, const unsigned char *nonce, size_t nonce_len,
163 const unsigned char *in, size_t in_len, 165 const unsigned char *in, size_t in_len, const unsigned char *ad,
164 const unsigned char *ad, size_t ad_len) 166 size_t ad_len)
165 { 167{
166 ssize_t r; 168 ssize_t r;
167 169
168 if (in_len > SSIZE_MAX) 170 if (in_len > SSIZE_MAX) {
169 {
170 EVPerr(EVP_F_EVP_AEAD_CTX_OPEN, EVP_R_TOO_LARGE); 171 EVPerr(EVP_F_EVP_AEAD_CTX_OPEN, EVP_R_TOO_LARGE);
171 goto error; /* may not be able to represent return value. */ 172 goto error; /* may not be able to represent return value. */
172 } 173 }
173 174
174 if (!check_alias(in, in_len, out)) 175 if (!check_alias(in, in_len, out)) {
175 {
176 EVPerr(EVP_F_EVP_AEAD_CTX_OPEN, EVP_R_OUTPUT_ALIASES_INPUT); 176 EVPerr(EVP_F_EVP_AEAD_CTX_OPEN, EVP_R_OUTPUT_ALIASES_INPUT);
177 goto error; 177 goto error;
178 } 178 }
179 179
180 r = ctx->aead->open(ctx, out, max_out_len, nonce, nonce_len, 180 r = ctx->aead->open(ctx, out, max_out_len, nonce, nonce_len,
181 in, in_len, ad, ad_len); 181 in, in_len, ad, ad_len);
182 182
183 if (r >= 0) 183 if (r >= 0)
184 return r; 184 return r;
@@ -189,4 +189,4 @@ error:
189 * data. */ 189 * data. */
190 memset(out, 0, max_out_len); 190 memset(out, 0, max_out_len);
191 return -1; 191 return -1;
192 } 192}
diff --git a/src/lib/libssl/src/crypto/poly1305/poly1305-donna.c b/src/lib/libssl/src/crypto/poly1305/poly1305-donna.c
index 642a30b376..83d862f633 100644
--- a/src/lib/libssl/src/crypto/poly1305/poly1305-donna.c
+++ b/src/lib/libssl/src/crypto/poly1305/poly1305-donna.c
@@ -32,32 +32,34 @@ typedef struct poly1305_state_internal_t {
32 32
33/* interpret four 8 bit unsigned integers as a 32 bit unsigned integer in little endian */ 33/* interpret four 8 bit unsigned integers as a 32 bit unsigned integer in little endian */
34static unsigned long 34static unsigned long
35U8TO32(const unsigned char *p) { 35U8TO32(const unsigned char *p)
36 return 36{
37 (((unsigned long)(p[0] & 0xff) ) | 37 return (((unsigned long)(p[0] & 0xff)) |
38 ((unsigned long)(p[1] & 0xff) << 8) | 38 ((unsigned long)(p[1] & 0xff) << 8) |
39 ((unsigned long)(p[2] & 0xff) << 16) | 39 ((unsigned long)(p[2] & 0xff) << 16) |
40 ((unsigned long)(p[3] & 0xff) << 24)); 40 ((unsigned long)(p[3] & 0xff) << 24));
41} 41}
42 42
43/* store a 32 bit unsigned integer as four 8 bit unsigned integers in little endian */ 43/* store a 32 bit unsigned integer as four 8 bit unsigned integers in little endian */
44static void 44static void
45U32TO8(unsigned char *p, unsigned long v) { 45U32TO8(unsigned char *p, unsigned long v)
46 p[0] = (v ) & 0xff; 46{
47 p[0] = (v) & 0xff;
47 p[1] = (v >> 8) & 0xff; 48 p[1] = (v >> 8) & 0xff;
48 p[2] = (v >> 16) & 0xff; 49 p[2] = (v >> 16) & 0xff;
49 p[3] = (v >> 24) & 0xff; 50 p[3] = (v >> 24) & 0xff;
50} 51}
51 52
52static inline void 53static inline void
53poly1305_init(poly1305_context *ctx, const unsigned char key[32]) { 54poly1305_init(poly1305_context *ctx, const unsigned char key[32])
55{
54 poly1305_state_internal_t *st = (poly1305_state_internal_t *)ctx; 56 poly1305_state_internal_t *st = (poly1305_state_internal_t *)ctx;
55 57
56 /* r &= 0xffffffc0ffffffc0ffffffc0fffffff */ 58 /* r &= 0xffffffc0ffffffc0ffffffc0fffffff */
57 st->r[0] = (U8TO32(&key[ 0]) ) & 0x3ffffff; 59 st->r[0] = (U8TO32(&key[0])) & 0x3ffffff;
58 st->r[1] = (U8TO32(&key[ 3]) >> 2) & 0x3ffff03; 60 st->r[1] = (U8TO32(&key[3]) >> 2) & 0x3ffff03;
59 st->r[2] = (U8TO32(&key[ 6]) >> 4) & 0x3ffc0ff; 61 st->r[2] = (U8TO32(&key[6]) >> 4) & 0x3ffc0ff;
60 st->r[3] = (U8TO32(&key[ 9]) >> 6) & 0x3f03fff; 62 st->r[3] = (U8TO32(&key[9]) >> 6) & 0x3f03fff;
61 st->r[4] = (U8TO32(&key[12]) >> 8) & 0x00fffff; 63 st->r[4] = (U8TO32(&key[12]) >> 8) & 0x00fffff;
62 64
63 /* h = 0 */ 65 /* h = 0 */
@@ -78,12 +80,13 @@ poly1305_init(poly1305_context *ctx, const unsigned char key[32]) {
78} 80}
79 81
80static void 82static void
81poly1305_blocks(poly1305_state_internal_t *st, const unsigned char *m, size_t bytes) { 83poly1305_blocks(poly1305_state_internal_t *st, const unsigned char *m, size_t bytes)
84{
82 const unsigned long hibit = (st->final) ? 0 : (1 << 24); /* 1 << 128 */ 85 const unsigned long hibit = (st->final) ? 0 : (1 << 24); /* 1 << 128 */
83 unsigned long r0,r1,r2,r3,r4; 86 unsigned long r0, r1, r2, r3, r4;
84 unsigned long s1,s2,s3,s4; 87 unsigned long s1, s2, s3, s4;
85 unsigned long h0,h1,h2,h3,h4; 88 unsigned long h0, h1, h2, h3, h4;
86 unsigned long long d0,d1,d2,d3,d4; 89 unsigned long long d0, d1, d2, d3, d4;
87 unsigned long c; 90 unsigned long c;
88 91
89 r0 = st->r[0]; 92 r0 = st->r[0];
@@ -105,26 +108,57 @@ poly1305_blocks(poly1305_state_internal_t *st, const unsigned char *m, size_t by
105 108
106 while (bytes >= poly1305_block_size) { 109 while (bytes >= poly1305_block_size) {
107 /* h += m[i] */ 110 /* h += m[i] */
108 h0 += (U8TO32(m+ 0) ) & 0x3ffffff; 111 h0 += (U8TO32(m + 0)) & 0x3ffffff;
109 h1 += (U8TO32(m+ 3) >> 2) & 0x3ffffff; 112 h1 += (U8TO32(m + 3) >> 2) & 0x3ffffff;
110 h2 += (U8TO32(m+ 6) >> 4) & 0x3ffffff; 113 h2 += (U8TO32(m + 6) >> 4) & 0x3ffffff;
111 h3 += (U8TO32(m+ 9) >> 6) & 0x3ffffff; 114 h3 += (U8TO32(m + 9) >> 6) & 0x3ffffff;
112 h4 += (U8TO32(m+12) >> 8) | hibit; 115 h4 += (U8TO32(m + 12) >> 8) | hibit;
113 116
114 /* h *= r */ 117 /* h *= r */
115 d0 = ((unsigned long long)h0 * r0) + ((unsigned long long)h1 * s4) + ((unsigned long long)h2 * s3) + ((unsigned long long)h3 * s2) + ((unsigned long long)h4 * s1); 118 d0 = ((unsigned long long)h0 * r0) +
116 d1 = ((unsigned long long)h0 * r1) + ((unsigned long long)h1 * r0) + ((unsigned long long)h2 * s4) + ((unsigned long long)h3 * s3) + ((unsigned long long)h4 * s2); 119 ((unsigned long long)h1 * s4) +
117 d2 = ((unsigned long long)h0 * r2) + ((unsigned long long)h1 * r1) + ((unsigned long long)h2 * r0) + ((unsigned long long)h3 * s4) + ((unsigned long long)h4 * s3); 120 ((unsigned long long)h2 * s3) +
118 d3 = ((unsigned long long)h0 * r3) + ((unsigned long long)h1 * r2) + ((unsigned long long)h2 * r1) + ((unsigned long long)h3 * r0) + ((unsigned long long)h4 * s4); 121 ((unsigned long long)h3 * s2) +
119 d4 = ((unsigned long long)h0 * r4) + ((unsigned long long)h1 * r3) + ((unsigned long long)h2 * r2) + ((unsigned long long)h3 * r1) + ((unsigned long long)h4 * r0); 122 ((unsigned long long)h4 * s1);
123 d1 = ((unsigned long long)h0 * r1) +
124 ((unsigned long long)h1 * r0) +
125 ((unsigned long long)h2 * s4) +
126 ((unsigned long long)h3 * s3) +
127 ((unsigned long long)h4 * s2);
128 d2 = ((unsigned long long)h0 * r2) +
129 ((unsigned long long)h1 * r1) +
130 ((unsigned long long)h2 * r0) +
131 ((unsigned long long)h3 * s4) +
132 ((unsigned long long)h4 * s3);
133 d3 = ((unsigned long long)h0 * r3) +
134 ((unsigned long long)h1 * r2) +
135 ((unsigned long long)h2 * r1) +
136 ((unsigned long long)h3 * r0) +
137 ((unsigned long long)h4 * s4);
138 d4 = ((unsigned long long)h0 * r4) +
139 ((unsigned long long)h1 * r3) +
140 ((unsigned long long)h2 * r2) +
141 ((unsigned long long)h3 * r1) +
142 ((unsigned long long)h4 * r0);
120 143
121 /* (partial) h %= p */ 144 /* (partial) h %= p */
122 c = (unsigned long)(d0 >> 26); h0 = (unsigned long)d0 & 0x3ffffff; 145 c = (unsigned long)(d0 >> 26);
123 d1 += c; c = (unsigned long)(d1 >> 26); h1 = (unsigned long)d1 & 0x3ffffff; 146 h0 = (unsigned long)d0 & 0x3ffffff;
124 d2 += c; c = (unsigned long)(d2 >> 26); h2 = (unsigned long)d2 & 0x3ffffff; 147 d1 += c;
125 d3 += c; c = (unsigned long)(d3 >> 26); h3 = (unsigned long)d3 & 0x3ffffff; 148 c = (unsigned long)(d1 >> 26);
126 d4 += c; c = (unsigned long)(d4 >> 26); h4 = (unsigned long)d4 & 0x3ffffff; 149 h1 = (unsigned long)d1 & 0x3ffffff;
127 h0 += c * 5; c = (h0 >> 26); h0 = h0 & 0x3ffffff; 150 d2 += c;
151 c = (unsigned long)(d2 >> 26);
152 h2 = (unsigned long)d2 & 0x3ffffff;
153 d3 += c;
154 c = (unsigned long)(d3 >> 26);
155 h3 = (unsigned long)d3 & 0x3ffffff;
156 d4 += c;
157 c = (unsigned long)(d4 >> 26);
158 h4 = (unsigned long)d4 & 0x3ffffff;
159 h0 += c * 5;
160 c = (h0 >> 26);
161 h0 = h0 & 0x3ffffff;
128 h1 += c; 162 h1 += c;
129 163
130 m += poly1305_block_size; 164 m += poly1305_block_size;
@@ -139,7 +173,8 @@ poly1305_blocks(poly1305_state_internal_t *st, const unsigned char *m, size_t by
139} 173}
140 174
141static inline void 175static inline void
142poly1305_update(poly1305_context *ctx, const unsigned char *m, size_t bytes) { 176poly1305_update(poly1305_context *ctx, const unsigned char *m, size_t bytes)
177{
143 poly1305_state_internal_t *st = (poly1305_state_internal_t *)ctx; 178 poly1305_state_internal_t *st = (poly1305_state_internal_t *)ctx;
144 size_t i; 179 size_t i;
145 180
@@ -176,10 +211,11 @@ poly1305_update(poly1305_context *ctx, const unsigned char *m, size_t bytes) {
176} 211}
177 212
178static inline void 213static inline void
179poly1305_finish(poly1305_context *ctx, unsigned char mac[16]) { 214poly1305_finish(poly1305_context *ctx, unsigned char mac[16])
215{
180 poly1305_state_internal_t *st = (poly1305_state_internal_t *)ctx; 216 poly1305_state_internal_t *st = (poly1305_state_internal_t *)ctx;
181 unsigned long h0,h1,h2,h3,h4,c; 217 unsigned long h0, h1, h2, h3, h4, c;
182 unsigned long g0,g1,g2,g3,g4; 218 unsigned long g0, g1, g2, g3, g4;
183 unsigned long long f; 219 unsigned long long f;
184 unsigned long mask; 220 unsigned long mask;
185 221
@@ -200,18 +236,35 @@ poly1305_finish(poly1305_context *ctx, unsigned char mac[16]) {
200 h3 = st->h[3]; 236 h3 = st->h[3];
201 h4 = st->h[4]; 237 h4 = st->h[4];
202 238
203 c = h1 >> 26; h1 = h1 & 0x3ffffff; 239 c = h1 >> 26;
204 h2 += c; c = h2 >> 26; h2 = h2 & 0x3ffffff; 240 h1 = h1 & 0x3ffffff;
205 h3 += c; c = h3 >> 26; h3 = h3 & 0x3ffffff; 241 h2 += c;
206 h4 += c; c = h4 >> 26; h4 = h4 & 0x3ffffff; 242 c = h2 >> 26;
207 h0 += c * 5; c = h0 >> 26; h0 = h0 & 0x3ffffff; 243 h2 = h2 & 0x3ffffff;
208 h1 += c; 244 h3 += c;
245 c = h3 >> 26;
246 h3 = h3 & 0x3ffffff;
247 h4 += c;
248 c = h4 >> 26;
249 h4 = h4 & 0x3ffffff;
250 h0 += c * 5;
251 c = h0 >> 26;
252 h0 = h0 & 0x3ffffff;
253 h1 += c;
209 254
210 /* compute h + -p */ 255 /* compute h + -p */
211 g0 = h0 + 5; c = g0 >> 26; g0 &= 0x3ffffff; 256 g0 = h0 + 5;
212 g1 = h1 + c; c = g1 >> 26; g1 &= 0x3ffffff; 257 c = g0 >> 26;
213 g2 = h2 + c; c = g2 >> 26; g2 &= 0x3ffffff; 258 g0 &= 0x3ffffff;
214 g3 = h3 + c; c = g3 >> 26; g3 &= 0x3ffffff; 259 g1 = h1 + c;
260 c = g1 >> 26;
261 g1 &= 0x3ffffff;
262 g2 = h2 + c;
263 c = g2 >> 26;
264 g2 &= 0x3ffffff;
265 g3 = h3 + c;
266 c = g3 >> 26;
267 g3 &= 0x3ffffff;
215 g4 = h4 + c - (1 << 26); 268 g4 = h4 + c - (1 << 26);
216 269
217 /* select h if h < p, or h + -p if h >= p */ 270 /* select h if h < p, or h + -p if h >= p */
@@ -229,16 +282,20 @@ poly1305_finish(poly1305_context *ctx, unsigned char mac[16]) {
229 h4 = (h4 & mask) | g4; 282 h4 = (h4 & mask) | g4;
230 283
231 /* h = h % (2^128) */ 284 /* h = h % (2^128) */
232 h0 = ((h0 ) | (h1 << 26)) & 0xffffffff; 285 h0 = ((h0) | (h1 << 26)) & 0xffffffff;
233 h1 = ((h1 >> 6) | (h2 << 20)) & 0xffffffff; 286 h1 = ((h1 >> 6) | (h2 << 20)) & 0xffffffff;
234 h2 = ((h2 >> 12) | (h3 << 14)) & 0xffffffff; 287 h2 = ((h2 >> 12) | (h3 << 14)) & 0xffffffff;
235 h3 = ((h3 >> 18) | (h4 << 8)) & 0xffffffff; 288 h3 = ((h3 >> 18) | (h4 << 8)) & 0xffffffff;
236 289
237 /* mac = (h + pad) % (2^128) */ 290 /* mac = (h + pad) % (2^128) */
238 f = (unsigned long long)h0 + st->pad[0] ; h0 = (unsigned long)f; 291 f = (unsigned long long)h0 + st->pad[0];
239 f = (unsigned long long)h1 + st->pad[1] + (f >> 32); h1 = (unsigned long)f; 292 h0 = (unsigned long)f;
240 f = (unsigned long long)h2 + st->pad[2] + (f >> 32); h2 = (unsigned long)f; 293 f = (unsigned long long)h1 + st->pad[1] + (f >> 32);
241 f = (unsigned long long)h3 + st->pad[3] + (f >> 32); h3 = (unsigned long)f; 294 h1 = (unsigned long)f;
295 f = (unsigned long long)h2 + st->pad[2] + (f >> 32);
296 h2 = (unsigned long)f;
297 f = (unsigned long long)h3 + st->pad[3] + (f >> 32);
298 h3 = (unsigned long)f;
242 299
243 U32TO8(mac + 0, h0); 300 U32TO8(mac + 0, h0);
244 U32TO8(mac + 4, h1); 301 U32TO8(mac + 4, h1);
diff --git a/src/regress/lib/libcrypto/aead/aeadtest.c b/src/regress/lib/libcrypto/aead/aeadtest.c
index e74b9fca97..4d96ed6de4 100644
--- a/src/regress/lib/libcrypto/aead/aeadtest.c
+++ b/src/regress/lib/libcrypto/aead/aeadtest.c
@@ -99,7 +99,8 @@ static const char NAMES[NUM_TYPES][6] = {
99}; 99};
100 100
101static unsigned char 101static unsigned char
102hex_digit(char h) { 102hex_digit(char h)
103{
103 if (h >= '0' && h <= '9') 104 if (h >= '0' && h <= '9')
104 return h - '0'; 105 return h - '0';
105 else if (h >= 'a' && h <= 'f') 106 else if (h >= 'a' && h <= 'f')
@@ -144,7 +145,7 @@ run_test_case(const EVP_AEAD* aead, unsigned char bufs[NUM_TYPES][BUF_MAX],
144 EVP_AEAD_CTX ctx; 145 EVP_AEAD_CTX ctx;
145 ssize_t n; 146 ssize_t n;
146 size_t un; 147 size_t un;
147 unsigned char out[BUF_MAX+EVP_AEAD_MAX_TAG_LENGTH], out2[BUF_MAX]; 148 unsigned char out[BUF_MAX + EVP_AEAD_MAX_TAG_LENGTH], out2[BUF_MAX];
148 149
149 if (!EVP_AEAD_CTX_init(&ctx, aead, bufs[KEY], lengths[KEY], 150 if (!EVP_AEAD_CTX_init(&ctx, aead, bufs[KEY], lengths[KEY],
150 lengths[TAG], NULL)) { 151 lengths[TAG], NULL)) {
@@ -164,8 +165,8 @@ run_test_case(const EVP_AEAD* aead, unsigned char bufs[NUM_TYPES][BUF_MAX],
164 165
165 if (un != lengths[CT] + lengths[TAG]) { 166 if (un != lengths[CT] + lengths[TAG]) {
166 fprintf(stderr, "Bad output length on line %u: %u vs %u\n", 167 fprintf(stderr, "Bad output length on line %u: %u vs %u\n",
167 line_no, (unsigned) un, 168 line_no, (unsigned) un,
168 (unsigned)(lengths[CT] + lengths[TAG])); 169 (unsigned)(lengths[CT] + lengths[TAG]));
169 return 0; 170 return 0;
170 } 171 }
171 172
@@ -188,7 +189,7 @@ run_test_case(const EVP_AEAD* aead, unsigned char bufs[NUM_TYPES][BUF_MAX],
188 189
189 if ((size_t)n != lengths[IN]) { 190 if ((size_t)n != lengths[IN]) {
190 fprintf(stderr, "Bad decrypt on line %u: %u\n", line_no, 191 fprintf(stderr, "Bad decrypt on line %u: %u\n", line_no,
191 (unsigned) n); 192 (unsigned) n);
192 return 0; 193 return 0;
193 } 194 }
194 195
@@ -263,7 +264,7 @@ main(int argc, char **argv)
263 fprintf(stderr, "Aborting...\n"); 264 fprintf(stderr, "Aborting...\n");
264 return 4; 265 return 4;
265 } 266 }
266 267
267 if (!run_test_case(aead, bufs, lengths, line_no)) 268 if (!run_test_case(aead, bufs, lengths, line_no))
268 return 4; 269 return 4;
269 270
diff --git a/src/regress/lib/libcrypto/poly1305/poly1305test.c b/src/regress/lib/libcrypto/poly1305/poly1305test.c
index 96b34c0218..91e296e39f 100644
--- a/src/regress/lib/libcrypto/poly1305/poly1305test.c
+++ b/src/regress/lib/libcrypto/poly1305/poly1305test.c
@@ -16,7 +16,7 @@ int poly1305_power_on_self_test(void);
16 16
17void 17void
18poly1305_auth(unsigned char mac[16], const unsigned char *m, size_t bytes, 18poly1305_auth(unsigned char mac[16], const unsigned char *m, size_t bytes,
19 const unsigned char key[32]) { 19const unsigned char key[32]) {
20 poly1305_context ctx; 20 poly1305_context ctx;
21 CRYPTO_poly1305_init(&ctx, key); 21 CRYPTO_poly1305_init(&ctx, key);
22 CRYPTO_poly1305_update(&ctx, m, bytes); 22 CRYPTO_poly1305_update(&ctx, m, bytes);
@@ -24,7 +24,8 @@ poly1305_auth(unsigned char mac[16], const unsigned char *m, size_t bytes,
24} 24}
25 25
26int 26int
27poly1305_verify(const unsigned char mac1[16], const unsigned char mac2[16]) { 27poly1305_verify(const unsigned char mac1[16], const unsigned char mac2[16])
28{
28 size_t i; 29 size_t i;
29 unsigned int dif = 0; 30 unsigned int dif = 0;
30 for (i = 0; i < 16; i++) 31 for (i = 0; i < 16; i++)
@@ -35,56 +36,57 @@ poly1305_verify(const unsigned char mac1[16], const unsigned char mac2[16]) {
35 36
36/* test a few basic operations */ 37/* test a few basic operations */
37int 38int
38poly1305_power_on_self_test(void) { 39poly1305_power_on_self_test(void)
40{
39 /* example from nacl */ 41 /* example from nacl */
40 static const unsigned char nacl_key[32] = { 42 static const unsigned char nacl_key[32] = {
41 0xee,0xa6,0xa7,0x25,0x1c,0x1e,0x72,0x91, 43 0xee, 0xa6, 0xa7, 0x25, 0x1c, 0x1e, 0x72, 0x91,
42 0x6d,0x11,0xc2,0xcb,0x21,0x4d,0x3c,0x25, 44 0x6d, 0x11, 0xc2, 0xcb, 0x21, 0x4d, 0x3c, 0x25,
43 0x25,0x39,0x12,0x1d,0x8e,0x23,0x4e,0x65, 45 0x25, 0x39, 0x12, 0x1d, 0x8e, 0x23, 0x4e, 0x65,
44 0x2d,0x65,0x1f,0xa4,0xc8,0xcf,0xf8,0x80, 46 0x2d, 0x65, 0x1f, 0xa4, 0xc8, 0xcf, 0xf8, 0x80,
45 }; 47 };
46 48
47 static const unsigned char nacl_msg[131] = { 49 static const unsigned char nacl_msg[131] = {
48 0x8e,0x99,0x3b,0x9f,0x48,0x68,0x12,0x73, 50 0x8e, 0x99, 0x3b, 0x9f, 0x48, 0x68, 0x12, 0x73,
49 0xc2,0x96,0x50,0xba,0x32,0xfc,0x76,0xce, 51 0xc2, 0x96, 0x50, 0xba, 0x32, 0xfc, 0x76, 0xce,
50 0x48,0x33,0x2e,0xa7,0x16,0x4d,0x96,0xa4, 52 0x48, 0x33, 0x2e, 0xa7, 0x16, 0x4d, 0x96, 0xa4,
51 0x47,0x6f,0xb8,0xc5,0x31,0xa1,0x18,0x6a, 53 0x47, 0x6f, 0xb8, 0xc5, 0x31, 0xa1, 0x18, 0x6a,
52 0xc0,0xdf,0xc1,0x7c,0x98,0xdc,0xe8,0x7b, 54 0xc0, 0xdf, 0xc1, 0x7c, 0x98, 0xdc, 0xe8, 0x7b,
53 0x4d,0xa7,0xf0,0x11,0xec,0x48,0xc9,0x72, 55 0x4d, 0xa7, 0xf0, 0x11, 0xec, 0x48, 0xc9, 0x72,
54 0x71,0xd2,0xc2,0x0f,0x9b,0x92,0x8f,0xe2, 56 0x71, 0xd2, 0xc2, 0x0f, 0x9b, 0x92, 0x8f, 0xe2,
55 0x27,0x0d,0x6f,0xb8,0x63,0xd5,0x17,0x38, 57 0x27, 0x0d, 0x6f, 0xb8, 0x63, 0xd5, 0x17, 0x38,
56 0xb4,0x8e,0xee,0xe3,0x14,0xa7,0xcc,0x8a, 58 0xb4, 0x8e, 0xee, 0xe3, 0x14, 0xa7, 0xcc, 0x8a,
57 0xb9,0x32,0x16,0x45,0x48,0xe5,0x26,0xae, 59 0xb9, 0x32, 0x16, 0x45, 0x48, 0xe5, 0x26, 0xae,
58 0x90,0x22,0x43,0x68,0x51,0x7a,0xcf,0xea, 60 0x90, 0x22, 0x43, 0x68, 0x51, 0x7a, 0xcf, 0xea,
59 0xbd,0x6b,0xb3,0x73,0x2b,0xc0,0xe9,0xda, 61 0xbd, 0x6b, 0xb3, 0x73, 0x2b, 0xc0, 0xe9, 0xda,
60 0x99,0x83,0x2b,0x61,0xca,0x01,0xb6,0xde, 62 0x99, 0x83, 0x2b, 0x61, 0xca, 0x01, 0xb6, 0xde,
61 0x56,0x24,0x4a,0x9e,0x88,0xd5,0xf9,0xb3, 63 0x56, 0x24, 0x4a, 0x9e, 0x88, 0xd5, 0xf9, 0xb3,
62 0x79,0x73,0xf6,0x22,0xa4,0x3d,0x14,0xa6, 64 0x79, 0x73, 0xf6, 0x22, 0xa4, 0x3d, 0x14, 0xa6,
63 0x59,0x9b,0x1f,0x65,0x4c,0xb4,0x5a,0x74, 65 0x59, 0x9b, 0x1f, 0x65, 0x4c, 0xb4, 0x5a, 0x74,
64 0xe3,0x55,0xa5 66 0xe3, 0x55, 0xa5
65 }; 67 };
66 68
67 static const unsigned char nacl_mac[16] = { 69 static const unsigned char nacl_mac[16] = {
68 0xf3,0xff,0xc7,0x70,0x3f,0x94,0x00,0xe5, 70 0xf3, 0xff, 0xc7, 0x70, 0x3f, 0x94, 0x00, 0xe5,
69 0x2a,0x7d,0xfb,0x4b,0x3d,0x33,0x05,0xd9 71 0x2a, 0x7d, 0xfb, 0x4b, 0x3d, 0x33, 0x05, 0xd9
70 }; 72 };
71 73
72 /* generates a final value of (2^130 - 2) == 3 */ 74 /* generates a final value of (2^130 - 2) == 3 */
73 static const unsigned char wrap_key[32] = { 75 static const unsigned char wrap_key[32] = {
74 0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 76 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
75 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 77 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
76 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 78 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
77 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 79 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
78 }; 80 };
79 81
80 static const unsigned char wrap_msg[16] = { 82 static const unsigned char wrap_msg[16] = {
81 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff, 83 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
82 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff 84 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
83 }; 85 };
84 86
85 static const unsigned char wrap_mac[16] = { 87 static const unsigned char wrap_mac[16] = {
86 0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 88 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
87 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 89 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
88 }; 90 };
89 91
90 /* 92 /*
@@ -92,15 +94,15 @@ poly1305_power_on_self_test(void) {
92 have all their values set to the length 94 have all their values set to the length
93 */ 95 */
94 static const unsigned char total_key[32] = { 96 static const unsigned char total_key[32] = {
95 0x01,0x02,0x03,0x04,0x05,0x06,0x07, 97 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
96 0xff,0xfe,0xfd,0xfc,0xfb,0xfa,0xf9, 98 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9,
97 0xff,0xff,0xff,0xff,0xff,0xff,0xff, 99 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
98 0xff,0xff,0xff,0xff,0xff,0xff,0xff 100 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
99 }; 101 };
100 102
101 static const unsigned char total_mac[16] = { 103 static const unsigned char total_mac[16] = {
102 0x64,0xaf,0xe2,0xe8,0xd6,0xad,0x7b,0xbd, 104 0x64, 0xaf, 0xe2, 0xe8, 0xd6, 0xad, 0x7b, 0xbd,
103 0xd2,0x87,0xf9,0x7c,0x44,0x62,0x3d,0x39 105 0xd2, 0x87, 0xf9, 0x7c, 0x44, 0x62, 0x3d, 0x39
104 }; 106 };
105 107
106 poly1305_context ctx; 108 poly1305_context ctx;
@@ -161,6 +163,6 @@ main(int argc, char **argv)
161 fprintf(stderr, "One or more self tests failed!\n"); 163 fprintf(stderr, "One or more self tests failed!\n");
162 return 1; 164 return 1;
163 } 165 }
164 166
165 return 0; 167 return 0;
166} 168}
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-31 02:37:22 +0000