OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs

1 files changed, 219 insertions, 19 deletions

diff --git a/src/lib/libcrypto/bn/bn_exp.c b/src/lib/libcrypto/bn/bn_exp.c
index 2df1614ada..0c11601675 100644
--- a/src/lib/libcrypto/bn/bn_exp.c
+++ b/src/lib/libcrypto/bn/bn_exp.c
@@ -59,6 +59,12 @@
 #include <stdio.h>
 #include "cryptlib.h"
 #include "bn_lcl.h"
+#ifdef ATALLA
+# include <alloca.h>
+# include <atasi.h>
+# include <assert.h>
+# include <dlfcn.h>
+#endif
 
 #define TABLE_SIZE      16
 
@@ -72,7 +78,8 @@ int BN_mod_mul(BIGNUM *ret, BIGNUM *a, BIGNUM *b, const BIGNUM *m, BN_CTX *ctx)
         bn_check_top(b);
         bn_check_top(m);
 
-        t= &(ctx->bn[ctx->tos++]);
+        BN_CTX_start(ctx);
+        if ((t = BN_CTX_get(ctx)) == NULL) goto err;
         if (a == b)
                 { if (!BN_sqr(t,a,ctx)) goto err; }
         else
@@ -80,7 +87,7 @@ int BN_mod_mul(BIGNUM *ret, BIGNUM *a, BIGNUM *b, const BIGNUM *m, BN_CTX *ctx)
         if (!BN_mod(ret,t,m,ctx)) goto err;
         r=1;
 err:
-        ctx->tos--;
+        BN_CTX_end(ctx);
         return(r);
         }
 
@@ -91,8 +98,10 @@ int BN_mod_exp(BIGNUM *r, BIGNUM *a, BIGNUM *p, BIGNUM *m, BN_CTX *ctx)
         int i,bits,ret=0;
         BIGNUM *v,*tmp;
 
-        v= &(ctx->bn[ctx->tos++]);
-        tmp= &(ctx->bn[ctx->tos++]);
+        BN_CTX_start(ctx);
+        v = BN_CTX_get(ctx);
+        tmp = BN_CTX_get(ctx);
+        if (v == NULL || tmp == NULL) goto err;
 
         if (BN_copy(v,a) == NULL) goto err;
         bits=BN_num_bits(p);
@@ -113,7 +122,7 @@ int BN_mod_exp(BIGNUM *r, BIGNUM *a, BIGNUM *p, BIGNUM *m, BN_CTX *ctx)
                 }
         ret=1;
 err:
-        ctx->tos-=2;
+        BN_CTX_end(ctx);
         return(ret);
         }
 
@@ -122,15 +131,15 @@ err:
 /* this one works - simple but works */
 int BN_exp(BIGNUM *r, BIGNUM *a, BIGNUM *p, BN_CTX *ctx)
         {
-        int i,bits,ret=0,tos;
+        int i,bits,ret=0;
         BIGNUM *v,*rr;
 
-        tos=ctx->tos;
-        v= &(ctx->bn[ctx->tos++]);
+        BN_CTX_start(ctx);
         if ((r == a) || (r == p))
-                rr= &(ctx->bn[ctx->tos++]);
+                rr = BN_CTX_get(ctx);
         else
-                rr=r;
+                rr = r;
+        if ((v = BN_CTX_get(ctx)) == NULL) goto err;
 
         if (BN_copy(v,a) == NULL) goto err;
         bits=BN_num_bits(p);
@@ -149,11 +158,178 @@ int BN_exp(BIGNUM *r, BIGNUM *a, BIGNUM *p, BN_CTX *ctx)
                 }
         ret=1;
 err:
-        ctx->tos=tos;
         if (r != rr) BN_copy(r,rr);
+        BN_CTX_end(ctx);
         return(ret);
         }
 
+#ifdef ATALLA
+
+/*
+ * This routine will dynamically check for the existance of an Atalla AXL-200
+ * SSL accelerator module.  If one is found, the variable
+ * asi_accelerator_present is set to 1 and the function pointers
+ * ptr_ASI_xxxxxx above will be initialized to corresponding ASI API calls.
+ */
+typedef int tfnASI_GetPerformanceStatistics(int reset_flag,
+                                            unsigned int *ret_buf);
+typedef int tfnASI_GetHardwareConfig(long card_num, unsigned int *ret_buf);
+typedef int tfnASI_RSAPrivateKeyOpFn(RSAPrivateKey * rsaKey,
+                                     unsigned char *output,
+                                     unsigned char *input,
+                                     unsigned int modulus_len);
+
+static tfnASI_GetHardwareConfig *ptr_ASI_GetHardwareConfig;
+static tfnASI_RSAPrivateKeyOpFn *ptr_ASI_RSAPrivateKeyOpFn;
+static tfnASI_GetPerformanceStatistics *ptr_ASI_GetPerformanceStatistics;
+static int asi_accelerator_present;
+static int tried_atalla;
+
+void atalla_initialize_accelerator_handle(void)
+        {
+        void *dl_handle;
+        int status;
+        unsigned int config_buf[1024]; 
+        static int tested;
+
+        if(tested)
+                return;
+
+        tested=1;
+
+        bzero((void *)config_buf, 1024);
+
+        /*
+         * Check to see if the library is present on the system
+         */
+        dl_handle = dlopen("atasi.so", RTLD_NOW);
+        if (dl_handle == (void *) NULL)
+                {
+/*              printf("atasi.so library is not present on the system\n");
+                printf("No HW acceleration available\n");*/
+                return;
+                }
+
+        /*
+         * The library is present.  Now we'll check to insure that the
+         * LDM is up and running. First we'll get the address of the
+         * function in the atasi library that we need to see if the
+         * LDM is operating.
+         */
+
+        ptr_ASI_GetHardwareConfig =
+          (tfnASI_GetHardwareConfig *)dlsym(dl_handle,"ASI_GetHardwareConfig");
+
+        if (ptr_ASI_GetHardwareConfig)
+                {
+                /*
+                 * We found the call, now we'll get our config
+                 * status.  If we get a non 0 result, the LDM is not
+                 * running and we cannot use the Atalla ASI *
+                 * library.
+                 */
+                status = (*ptr_ASI_GetHardwareConfig)(0L, config_buf);
+                if (status != 0)
+                        {
+                        printf("atasi.so library is present but not initialized\n");
+                        printf("No HW acceleration available\n");
+                        return;
+                        }    
+                }
+        else
+                {
+/*              printf("We found the library, but not the function. Very Strange!\n");*/
+                return ;
+                }
+
+        /* 
+         * It looks like we have acceleration capabilities.  Load up the
+         * pointers to our ASI API calls.
+         */
+        ptr_ASI_RSAPrivateKeyOpFn=
+          (tfnASI_RSAPrivateKeyOpFn *)dlsym(dl_handle, "ASI_RSAPrivateKeyOpFn");
+        if (ptr_ASI_RSAPrivateKeyOpFn == NULL)
+                {
+/*              printf("We found the library, but no RSA function. Very Strange!\n");*/
+                return;
+                }
+
+        ptr_ASI_GetPerformanceStatistics =
+          (tfnASI_GetPerformanceStatistics *)dlsym(dl_handle, "ASI_GetPerformanceStatistics");
+        if (ptr_ASI_GetPerformanceStatistics == NULL)
+                {
+/*              printf("We found the library, but no stat function. Very Strange!\n");*/
+                return;
+              }
+
+        /*
+         * Indicate that acceleration is available
+         */
+        asi_accelerator_present = 1;
+
+/*      printf("This system has acceleration!\n");*/
+
+        return;
+        }
+
+/* make sure this only gets called once when bn_mod_exp calls bn_mod_exp_mont */
+int BN_mod_exp_atalla(BIGNUM *r, BIGNUM *a, const BIGNUM *p, const BIGNUM *m)
+        {
+        unsigned char *abin;
+        unsigned char *pbin;
+        unsigned char *mbin;
+        unsigned char *rbin;
+        int an,pn,mn,ret;
+        RSAPrivateKey keydata;
+
+        atalla_initialize_accelerator_handle();
+        if(!asi_accelerator_present)
+                return 0;
+
+
+/* We should be able to run without size testing */
+# define ASIZE  128
+        an=BN_num_bytes(a);
+        pn=BN_num_bytes(p);
+        mn=BN_num_bytes(m);
+
+        if(an <= ASIZE && pn <= ASIZE && mn <= ASIZE)
+            {
+            int size=mn;
+
+            assert(an <= mn);
+            abin=alloca(size);
+            memset(abin,'\0',mn);
+            BN_bn2bin(a,abin+size-an);
+
+            pbin=alloca(pn);
+            BN_bn2bin(p,pbin);
+
+            mbin=alloca(size);
+            memset(mbin,'\0',mn);
+            BN_bn2bin(m,mbin+size-mn);
+
+            rbin=alloca(size);
+
+            memset(&keydata,'\0',sizeof keydata);
+            keydata.privateExponent.data=pbin;
+            keydata.privateExponent.len=pn;
+            keydata.modulus.data=mbin;
+            keydata.modulus.len=size;
+
+            ret=(*ptr_ASI_RSAPrivateKeyOpFn)(&keydata,rbin,abin,keydata.modulus.len);
+/*fprintf(stderr,"!%s\n",BN_bn2hex(a));*/
+            if(!ret)
+                {
+                BN_bin2bn(rbin,keydata.modulus.len,r);
+/*fprintf(stderr,"?%s\n",BN_bn2hex(r));*/
+                return 1;
+                }
+            }
+        return 0;
+        }
+#endif /* def ATALLA */
+
 int BN_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
                BN_CTX *ctx)
         {
@@ -163,6 +339,13 @@ int BN_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
         bn_check_top(p);
         bn_check_top(m);
 
+#ifdef ATALLA
+        if(BN_mod_exp_atalla(r,a,p,m))
+            return 1;
+/* If it fails, try the other methods (but don't try atalla again) */
+        tried_atalla=1;
+#endif
+
 #ifdef MONT_MUL_MOD
         /* I have finally been able to take out this pre-condition of
          * the top bit being set.  It was caused by an error in BN_div
@@ -180,6 +363,10 @@ int BN_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
                 { ret=BN_mod_exp_simple(r,a,p,m,ctx); }
 #endif
 
+#ifdef ATALLA
+        tried_atalla=0;
+#endif
+
         return(ret);
         }
 
@@ -193,7 +380,6 @@ int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
         BIGNUM val[TABLE_SIZE];
         BN_RECP_CTX recp;
 
-        aa= &(ctx->bn[ctx->tos++]);
         bits=BN_num_bits(p);
 
         if (bits == 0)
@@ -201,6 +387,10 @@ int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
                 BN_one(r);
                 return(1);
                 }
+
+        BN_CTX_start(ctx);
+        if ((aa = BN_CTX_get(ctx)) == NULL) goto err;
+
         BN_RECP_CTX_init(&recp);
         if (BN_RECP_CTX_set(&recp,m,ctx) <= 0) goto err;
 
@@ -289,7 +479,7 @@ int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
                 }
         ret=1;
 err:
-        ctx->tos--;
+        BN_CTX_end(ctx);
         for (i=0; i<ts; i++)
                 BN_clear_free(&(val[i]));
         BN_RECP_CTX_free(&recp);
@@ -312,19 +502,27 @@ int BN_mod_exp_mont(BIGNUM *rr, BIGNUM *a, const BIGNUM *p,
         bn_check_top(p);
         bn_check_top(m);
 
+#ifdef ATALLA
+        if(!tried_atalla && BN_mod_exp_atalla(rr,a,p,m))
+            return 1;
+/* If it fails, try the other methods */
+#endif
+
         if (!(m->d[0] & 1))
                 {
                 BNerr(BN_F_BN_MOD_EXP_MONT,BN_R_CALLED_WITH_EVEN_MODULUS);
                 return(0);
                 }
-        d= &(ctx->bn[ctx->tos++]);
-        r= &(ctx->bn[ctx->tos++]);
         bits=BN_num_bits(p);
         if (bits == 0)
                 {
-                BN_one(r);
+                BN_one(rr);
                 return(1);
                 }
+        BN_CTX_start(ctx);
+        d = BN_CTX_get(ctx);
+        r = BN_CTX_get(ctx);
+        if (d == NULL || r == NULL) goto err;
 
         /* If this is not done, things will break in the montgomery
          * part */
@@ -432,7 +630,7 @@ int BN_mod_exp_mont(BIGNUM *rr, BIGNUM *a, const BIGNUM *p,
         ret=1;
 err:
         if ((in_mont == NULL) && (mont != NULL)) BN_MONT_CTX_free(mont);
-        ctx->tos-=2;
+        BN_CTX_end(ctx);
         for (i=0; i<ts; i++)
                 BN_clear_free(&(val[i]));
         return(ret);
@@ -448,7 +646,6 @@ int BN_mod_exp_simple(BIGNUM *r, BIGNUM *a, BIGNUM *p, BIGNUM *m,
         BIGNUM *d;
         BIGNUM val[TABLE_SIZE];
 
-        d= &(ctx->bn[ctx->tos++]);
         bits=BN_num_bits(p);
 
         if (bits == 0)
@@ -457,6 +654,9 @@ int BN_mod_exp_simple(BIGNUM *r, BIGNUM *a, BIGNUM *p, BIGNUM *m,
                 return(1);
                 }
 
+        BN_CTX_start(ctx);
+        if ((d = BN_CTX_get(ctx)) == NULL) goto err;
+
         BN_init(&(val[0]));
         ts=1;
         if (!BN_mod(&(val[0]),a,m,ctx)) goto err;               /* 1 */
@@ -541,7 +741,7 @@ int BN_mod_exp_simple(BIGNUM *r, BIGNUM *a, BIGNUM *p, BIGNUM *m,
                 }
         ret=1;
 err:
-        ctx->tos--;
+        BN_CTX_end(ctx);
         for (i=0; i<ts; i++)
                 BN_clear_free(&(val[i]));
         return(ret);