Diffstat (limited to 'src/lib/libcrypto')
-rw-r--r--src/lib/libcrypto/Attic/Makefile34
-rw-r--r--src/lib/libcrypto/aes/aes.h5
-rw-r--r--src/lib/libcrypto/aes/aes_core.c12
-rw-r--r--src/lib/libcrypto/aes/aes_misc.c21
-rw-r--r--src/lib/libcrypto/aes/asm/aes-586.pl14
-rwxr-xr-xsrc/lib/libcrypto/aes/asm/aes-x86_64.pl45
-rw-r--r--src/lib/libcrypto/aes/asm/aesni-x86_64.pl2478
-rw-r--r--src/lib/libcrypto/asn1/a_digest.c6
-rw-r--r--src/lib/libcrypto/asn1/a_int.c4
-rw-r--r--src/lib/libcrypto/asn1/a_sign.c111
-rw-r--r--src/lib/libcrypto/asn1/a_verify.c77
-rw-r--r--src/lib/libcrypto/asn1/asn1.h8
-rw-r--r--src/lib/libcrypto/asn1/asn1_err.c5
-rw-r--r--src/lib/libcrypto/asn1/asn_mime.c23
-rw-r--r--src/lib/libcrypto/asn1/n_pkey.c38
-rw-r--r--src/lib/libcrypto/asn1/p5_pbev2.c143
-rw-r--r--src/lib/libcrypto/asn1/t_crl.c3
-rw-r--r--src/lib/libcrypto/asn1/t_x509.c55
-rw-r--r--src/lib/libcrypto/asn1/tasn_prn.c12
-rw-r--r--src/lib/libcrypto/asn1/x_algor.c14
-rw-r--r--src/lib/libcrypto/asn1/x_name.c3
-rw-r--r--src/lib/libcrypto/asn1/x_pubkey.c11
-rw-r--r--src/lib/libcrypto/bf/bf_skey.c8
-rw-r--r--src/lib/libcrypto/bf/blowfish.h4
-rw-r--r--src/lib/libcrypto/bio/b_sock.c2
-rw-r--r--src/lib/libcrypto/bio/bio.h70
-rw-r--r--src/lib/libcrypto/bio/bio_err.c3
-rw-r--r--src/lib/libcrypto/bio/bio_lib.c28
-rw-r--r--src/lib/libcrypto/bio/bss_bio.c18
-rw-r--r--src/lib/libcrypto/bio/bss_dgram.c996
-rw-r--r--src/lib/libcrypto/bn/Makefile34
-rw-r--r--src/lib/libcrypto/bn/bn.h15
-rw-r--r--src/lib/libcrypto/bn/bn_div.c272
-rw-r--r--src/lib/libcrypto/bn/bn_exp.c240
-rw-r--r--src/lib/libcrypto/bn/bn_gf2m.c114
-rw-r--r--src/lib/libcrypto/bn/bn_lcl.h23
-rw-r--r--src/lib/libcrypto/bn/bn_lib.c19
-rw-r--r--src/lib/libcrypto/bn/bn_mont.c116
-rw-r--r--src/lib/libcrypto/bn/bn_nist.c338
-rw-r--r--src/lib/libcrypto/bn/bn_print.c19
-rw-r--r--src/lib/libcrypto/bn/bn_shift.c27
-rw-r--r--src/lib/libcrypto/bn/bntest.c8
-rw-r--r--src/lib/libcrypto/buffer/buffer.c60
-rw-r--r--src/lib/libcrypto/cast/c_skey.c9
-rw-r--r--src/lib/libcrypto/cast/cast.h4
-rw-r--r--src/lib/libcrypto/cms/cms_smime.c61
-rw-r--r--src/lib/libcrypto/comp/c_rle.c4
-rw-r--r--src/lib/libcrypto/cpt_err.c4
-rw-r--r--src/lib/libcrypto/cryptlib.c40
-rw-r--r--src/lib/libcrypto/cryptlib.h2
-rw-r--r--src/lib/libcrypto/crypto-lib.com37
-rw-r--r--src/lib/libcrypto/crypto.h29
-rw-r--r--src/lib/libcrypto/des/des.h3
-rw-r--r--src/lib/libcrypto/des/set_key.c9
-rw-r--r--src/lib/libcrypto/dh/dh.h20
-rw-r--r--src/lib/libcrypto/dh/dh_err.c7
-rw-r--r--src/lib/libcrypto/dh/dh_gen.c17
-rw-r--r--src/lib/libcrypto/dh/dh_key.c33
-rw-r--r--src/lib/libcrypto/dh/dh_lib.c15
-rw-r--r--src/lib/libcrypto/doc/EVP_DigestInit.pod66
-rw-r--r--src/lib/libcrypto/dsa/Makefile7
-rw-r--r--src/lib/libcrypto/dsa/dsa.h20
-rw-r--r--src/lib/libcrypto/dsa/dsa_asn1.c40
-rw-r--r--src/lib/libcrypto/dsa/dsa_err.c7
-rw-r--r--src/lib/libcrypto/dsa/dsa_gen.c35
-rw-r--r--src/lib/libcrypto/dsa/dsa_key.c16
-rw-r--r--src/lib/libcrypto/dsa/dsa_lib.c22
-rw-r--r--src/lib/libcrypto/dsa/dsa_ossl.c16
-rw-r--r--src/lib/libcrypto/dsa/dsa_sign.c50
-rw-r--r--src/lib/libcrypto/dsa/dsa_vrf.c29
-rw-r--r--src/lib/libcrypto/dso/dso_dlfcn.c3
-rw-r--r--src/lib/libcrypto/ec/ec.h69
-rw-r--r--src/lib/libcrypto/ec/ec2_smpl.c351
-rw-r--r--src/lib/libcrypto/ec/ec_cvt.c28
-rw-r--r--src/lib/libcrypto/ec/ec_err.c20
-rw-r--r--src/lib/libcrypto/ec/ec_lcl.h55
-rw-r--r--src/lib/libcrypto/ec/ec_lib.c80
-rw-r--r--src/lib/libcrypto/ec/ecp_mont.c14
-rw-r--r--src/lib/libcrypto/ec/ecp_nist.c13
-rw-r--r--src/lib/libcrypto/ec/ecp_smpl.c379
-rw-r--r--src/lib/libcrypto/ec/ectest.c341
-rw-r--r--src/lib/libcrypto/engine/Makefile34
-rw-r--r--src/lib/libcrypto/engine/eng_all.c11
-rw-r--r--src/lib/libcrypto/engine/eng_cryptodev.c71
-rw-r--r--src/lib/libcrypto/engine/eng_fat.c3
-rw-r--r--src/lib/libcrypto/engine/engine.h10
-rw-r--r--src/lib/libcrypto/err/err.c13
-rw-r--r--src/lib/libcrypto/err/err.h3
-rw-r--r--src/lib/libcrypto/err/err_all.c7
-rw-r--r--src/lib/libcrypto/evp/Makefile70
-rw-r--r--src/lib/libcrypto/evp/bio_md.c11
-rw-r--r--src/lib/libcrypto/evp/bio_ok.c103
-rw-r--r--src/lib/libcrypto/evp/c_allc.c18
-rw-r--r--src/lib/libcrypto/evp/digest.c28
-rw-r--r--src/lib/libcrypto/evp/e_aes.c1273
-rw-r--r--src/lib/libcrypto/evp/e_des3.c3
-rw-r--r--src/lib/libcrypto/evp/e_null.c4
-rw-r--r--src/lib/libcrypto/evp/e_rc2.c3
-rw-r--r--src/lib/libcrypto/evp/e_rc4.c1
-rw-r--r--src/lib/libcrypto/evp/evp.h98
-rw-r--r--src/lib/libcrypto/evp/evp_enc.c95
-rw-r--r--src/lib/libcrypto/evp/evp_err.c19
-rw-r--r--src/lib/libcrypto/evp/evp_key.c27
-rw-r--r--src/lib/libcrypto/evp/evp_lib.c4
-rw-r--r--src/lib/libcrypto/evp/evp_locl.h40
-rw-r--r--src/lib/libcrypto/evp/evp_pbe.c5
-rw-r--r--src/lib/libcrypto/evp/evptests.txt13
-rw-r--r--src/lib/libcrypto/evp/m_dss.c2
-rw-r--r--src/lib/libcrypto/evp/m_dss1.c3
-rw-r--r--src/lib/libcrypto/evp/m_md4.c2
-rw-r--r--src/lib/libcrypto/evp/m_md5.c1
-rw-r--r--src/lib/libcrypto/evp/m_mdc2.c2
-rw-r--r--src/lib/libcrypto/evp/m_ripemd.c1
-rw-r--r--src/lib/libcrypto/evp/m_sha.c1
-rw-r--r--src/lib/libcrypto/evp/m_sha1.c5
-rw-r--r--src/lib/libcrypto/evp/names.c5
-rw-r--r--src/lib/libcrypto/evp/p5_crpt.c33
-rw-r--r--src/lib/libcrypto/evp/p5_crpt2.c89
-rw-r--r--src/lib/libcrypto/evp/p_open.c3
-rw-r--r--src/lib/libcrypto/evp/p_seal.c3
-rw-r--r--src/lib/libcrypto/evp/p_sign.c10
-rw-r--r--src/lib/libcrypto/evp/p_verify.c10
-rw-r--r--src/lib/libcrypto/hmac/hmac.c37
-rw-r--r--src/lib/libcrypto/idea/idea.h3
-rw-r--r--src/lib/libcrypto/md2/md2.h3
-rw-r--r--src/lib/libcrypto/md2/md2_dgst.c2
-rw-r--r--src/lib/libcrypto/md4/md4.h3
-rw-r--r--src/lib/libcrypto/md4/md4_dgst.c5
-rw-r--r--src/lib/libcrypto/md5/md5.h3
-rw-r--r--src/lib/libcrypto/md5/md5_dgst.c3
-rw-r--r--src/lib/libcrypto/mdc2/Makefile14
-rw-r--r--src/lib/libcrypto/mdc2/mdc2.h3
-rw-r--r--src/lib/libcrypto/mem.c2
-rw-r--r--src/lib/libcrypto/objects/obj_mac.num27
-rw-r--r--src/lib/libcrypto/objects/objects.txt41
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_lib.c3
-rw-r--r--src/lib/libcrypto/opensslv.h6
-rw-r--r--src/lib/libcrypto/ossl_typ.h2
-rwxr-xr-xsrc/lib/libcrypto/perlasm/x86_64-xlate.pl221
-rw-r--r--src/lib/libcrypto/perlasm/x86asm.pl55
-rw-r--r--src/lib/libcrypto/perlasm/x86gas.pl31
-rw-r--r--src/lib/libcrypto/perlasm/x86nasm.pl15
-rw-r--r--src/lib/libcrypto/pkcs12/p12_decr.c9
-rw-r--r--src/lib/libcrypto/pkcs12/p12_key.c16
-rw-r--r--src/lib/libcrypto/pkcs12/p12_kiss.c2
-rw-r--r--src/lib/libcrypto/pkcs12/p12_mutl.c12
-rw-r--r--src/lib/libcrypto/pkcs7/pk7_doit.c101
-rw-r--r--src/lib/libcrypto/pkcs7/pk7_smime.c25
-rw-r--r--src/lib/libcrypto/rand/md_rand.c31
-rw-r--r--src/lib/libcrypto/rand/rand.h9
-rw-r--r--src/lib/libcrypto/rand/rand_err.c6
-rw-r--r--src/lib/libcrypto/rand/rand_lib.c119
-rw-r--r--src/lib/libcrypto/rand/randfile.c2
-rw-r--r--src/lib/libcrypto/rc2/rc2.h4
-rw-r--r--src/lib/libcrypto/rc2/rc2_skey.c8
-rw-r--r--src/lib/libcrypto/rc4/asm/rc4-586.pl162
-rwxr-xr-xsrc/lib/libcrypto/rc4/asm/rc4-x86_64.pl290
-rw-r--r--src/lib/libcrypto/rc4/rc4.h1
-rw-r--r--src/lib/libcrypto/rc4/rc4_skey.c36
-rw-r--r--src/lib/libcrypto/ripemd/ripemd.h3
-rw-r--r--src/lib/libcrypto/ripemd/rmd_dgst.c3
-rw-r--r--src/lib/libcrypto/rsa/Makefile39
-rw-r--r--src/lib/libcrypto/rsa/rsa.h79
-rw-r--r--src/lib/libcrypto/rsa/rsa_asn1.c10
-rw-r--r--src/lib/libcrypto/rsa/rsa_err.c21
-rw-r--r--src/lib/libcrypto/rsa/rsa_gen.c15
-rw-r--r--src/lib/libcrypto/rsa/rsa_lib.c172
-rw-r--r--src/lib/libcrypto/rsa/rsa_oaep.c6
-rw-r--r--src/lib/libcrypto/rsa/rsa_sign.c33
-rw-r--r--src/lib/libcrypto/sha/asm/sha1-586.pl1107
-rw-r--r--src/lib/libcrypto/sha/sha.h14
-rw-r--r--src/lib/libcrypto/sha/sha1dgst.c1
-rw-r--r--src/lib/libcrypto/sha/sha_dgst.c1
-rw-r--r--src/lib/libcrypto/sha/sha_locl.h6
-rw-r--r--src/lib/libcrypto/stack/safestack.h138
-rw-r--r--src/lib/libcrypto/symhacks.h30
-rw-r--r--src/lib/libcrypto/ts/ts_rsp_verify.c9
-rw-r--r--src/lib/libcrypto/ui/ui.h2
-rw-r--r--src/lib/libcrypto/ui/ui_openssl.c2
-rw-r--r--src/lib/libcrypto/util/cygwin.sh12
-rw-r--r--src/lib/libcrypto/util/libeay.num217
-rw-r--r--src/lib/libcrypto/util/mk1mf.pl85
-rw-r--r--src/lib/libcrypto/util/mkdef.pl40
-rw-r--r--src/lib/libcrypto/util/mkfiles.pl2
-rw-r--r--src/lib/libcrypto/util/pl/VC-32.pl79
-rw-r--r--src/lib/libcrypto/util/ssleay.num61
-rw-r--r--src/lib/libcrypto/x509/x509.h11
-rw-r--r--src/lib/libcrypto/x509/x509_cmp.c27
-rw-r--r--src/lib/libcrypto/x509/x509_lu.c2
-rw-r--r--src/lib/libcrypto/x509/x509_vfy.c5
-rw-r--r--src/lib/libcrypto/x509/x509type.c32
-rw-r--r--src/lib/libcrypto/x509/x_all.c19
-rw-r--r--src/lib/libcrypto/x509v3/v3_asid.c63
-rw-r--r--src/lib/libcrypto/x509v3/v3_skey.c3
-rw-r--r--src/lib/libcrypto/x86_64cpuid.pl87
195 files changed, 10581 insertions, 2795 deletions
diff --git a/src/lib/libcrypto/Attic/Makefile b/src/lib/libcrypto/Attic/Makefile
index 85d9f249c5..947dd5d44e 100644
--- a/src/lib/libcrypto/Attic/Makefile
+++ b/src/lib/libcrypto/Attic/Makefile
@@ -7,7 +7,7 @@ TOP= ..
7CC= cc 7CC= cc
8INCLUDE= -I. -I$(TOP) -I../include $(ZLIB_INCLUDE) 8INCLUDE= -I. -I$(TOP) -I../include $(ZLIB_INCLUDE)
9# INCLUDES targets sudbirs! 9# INCLUDES targets sudbirs!
10INCLUDES= -I.. -I../.. -I../asn1 -I../evp -I../../include $(ZLIB_INCLUDE) 10INCLUDES= -I.. -I../.. -I../modes -I../asn1 -I../evp -I../../include $(ZLIB_INCLUDE)
11CFLAG= -g 11CFLAG= -g
12MAKEDEPPROG= makedepend 12MAKEDEPPROG= makedepend
13MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) 13MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
@@ -34,8 +34,10 @@ GENERAL=Makefile README crypto-lib.com install.com
34 34
35LIB= $(TOP)/libcrypto.a 35LIB= $(TOP)/libcrypto.a
36SHARED_LIB= libcrypto$(SHLIB_EXT) 36SHARED_LIB= libcrypto$(SHLIB_EXT)
37LIBSRC= cryptlib.c mem.c mem_clr.c mem_dbg.c cversion.c ex_data.c cpt_err.c ebcdic.c uid.c o_time.c o_str.c o_dir.c 37LIBSRC= cryptlib.c mem.c mem_clr.c mem_dbg.c cversion.c ex_data.c cpt_err.c \
38LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o cpt_err.o ebcdic.o uid.o o_time.o o_str.o o_dir.o $(CPUID_OBJ) 38 ebcdic.c uid.c o_time.c o_str.c o_dir.c o_fips.c o_init.c fips_ers.c
39LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o cpt_err.o ebcdic.o \
40 uid.o o_time.o o_str.o o_dir.o o_fips.o o_init.o fips_ers.o $(CPUID_OBJ)
39 41
40SRC= $(LIBSRC) 42SRC= $(LIBSRC)
41 43
@@ -67,14 +69,13 @@ applink.o: $(TOP)/ms/applink.c
67uplink.o: $(TOP)/ms/uplink.c applink.o 69uplink.o: $(TOP)/ms/uplink.c applink.o
68 $(CC) $(CFLAGS) -c -o $@ $(TOP)/ms/uplink.c 70 $(CC) $(CFLAGS) -c -o $@ $(TOP)/ms/uplink.c
69 71
70uplink-cof.s: $(TOP)/ms/uplink.pl 72uplink-x86.s: $(TOP)/ms/uplink-x86.pl
71 $(PERL) $(TOP)/ms/uplink.pl coff > $@ 73 $(PERL) $(TOP)/ms/uplink-x86.pl $(PERLASM_SCHEME) > $@
72 74
73x86_64cpuid.s: x86_64cpuid.pl 75x86_64cpuid.s: x86_64cpuid.pl; $(PERL) x86_64cpuid.pl $(PERLASM_SCHEME) > $@
74 $(PERL) x86_64cpuid.pl $(PERLASM_SCHEME) > $@ 76ia64cpuid.s: ia64cpuid.S; $(CC) $(CFLAGS) -E ia64cpuid.S > $@
75ia64cpuid.s: ia64cpuid.S
76 $(CC) $(CFLAGS) -E ia64cpuid.S > $@
77ppccpuid.s: ppccpuid.pl; $(PERL) ppccpuid.pl $(PERLASM_SCHEME) $@ 77ppccpuid.s: ppccpuid.pl; $(PERL) ppccpuid.pl $(PERLASM_SCHEME) $@
78pariscid.s: pariscid.pl; $(PERL) pariscid.pl $(PERLASM_SCHEME) $@
78alphacpuid.s: alphacpuid.pl 79alphacpuid.s: alphacpuid.pl
79 $(PERL) $< | $(CC) -E - | tee $@ > /dev/null 80 $(PERL) $< | $(CC) -E - | tee $@ > /dev/null
80 81
@@ -102,6 +103,7 @@ lib: $(LIB)
102 @touch lib 103 @touch lib
103$(LIB): $(LIBOBJ) 104$(LIB): $(LIBOBJ)
104 $(AR) $(LIB) $(LIBOBJ) 105 $(AR) $(LIB) $(LIBOBJ)
106 [ -z "$(FIPSLIBDIR)" ] || $(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o
105 $(RANLIB) $(LIB) || echo Never mind. 107 $(RANLIB) $(LIB) || echo Never mind.
106 108
107shared: buildinf.h lib subdirs 109shared: buildinf.h lib subdirs
@@ -171,6 +173,7 @@ ex_data.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
171ex_data.o: ../include/openssl/ossl_typ.h ../include/openssl/safestack.h 173ex_data.o: ../include/openssl/ossl_typ.h ../include/openssl/safestack.h
172ex_data.o: ../include/openssl/stack.h ../include/openssl/symhacks.h cryptlib.h 174ex_data.o: ../include/openssl/stack.h ../include/openssl/symhacks.h cryptlib.h
173ex_data.o: ex_data.c 175ex_data.o: ex_data.c
176fips_ers.o: ../include/openssl/opensslconf.h fips_ers.c
174mem.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/buffer.h 177mem.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/buffer.h
175mem.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h 178mem.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
176mem.o: ../include/openssl/err.h ../include/openssl/lhash.h 179mem.o: ../include/openssl/err.h ../include/openssl/lhash.h
@@ -191,6 +194,19 @@ mem_dbg.o: ../include/openssl/stack.h ../include/openssl/symhacks.h cryptlib.h
191mem_dbg.o: mem_dbg.c 194mem_dbg.o: mem_dbg.c
192o_dir.o: ../e_os.h ../include/openssl/e_os2.h ../include/openssl/opensslconf.h 195o_dir.o: ../e_os.h ../include/openssl/e_os2.h ../include/openssl/opensslconf.h
193o_dir.o: LPdir_unix.c o_dir.c o_dir.h 196o_dir.o: LPdir_unix.c o_dir.c o_dir.h
197o_fips.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/buffer.h
198o_fips.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
199o_fips.o: ../include/openssl/err.h ../include/openssl/lhash.h
200o_fips.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
201o_fips.o: ../include/openssl/ossl_typ.h ../include/openssl/safestack.h
202o_fips.o: ../include/openssl/stack.h ../include/openssl/symhacks.h cryptlib.h
203o_fips.o: o_fips.c
204o_init.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/crypto.h
205o_init.o: ../include/openssl/e_os2.h ../include/openssl/err.h
206o_init.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h
207o_init.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
208o_init.o: ../include/openssl/safestack.h ../include/openssl/stack.h
209o_init.o: ../include/openssl/symhacks.h o_init.c
194o_str.o: ../e_os.h ../include/openssl/e_os2.h ../include/openssl/opensslconf.h 210o_str.o: ../e_os.h ../include/openssl/e_os2.h ../include/openssl/opensslconf.h
195o_str.o: o_str.c o_str.h 211o_str.o: o_str.c o_str.h
196o_time.o: ../include/openssl/e_os2.h ../include/openssl/opensslconf.h o_time.c 212o_time.o: ../include/openssl/e_os2.h ../include/openssl/opensslconf.h o_time.c
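Review bot: The new archive step `[ -z "$(FIPSLIBDIR)" ] || $(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o` joins the directory and the object name with no separator, so it appears to work only when FIPSLIBDIR is set with a trailing slash; a value such as `/usr/local/ssl/fips-2.0/lib` would be turned into `.../libfipscanister.o` and the failure surfaces only through ar's exit status. Either write `$(FIPSLIBDIR)/fipscanister.o` or put a comment above the rule: `# FIPSLIBDIR must end in '/'; the prebuilt fipscanister.o is archived into libcrypto.a unmodified`. Since that object is a prebuilt binary taken from outside this tree, the rule trusts its integrity with no check of its own, which is worth stating in the same comment so whoever sets FIPSLIBDIR knows to verify it upstream.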
diff --git a/src/lib/libcrypto/aes/aes.h b/src/lib/libcrypto/aes/aes.h
index d2c99730fe..031abf01b5 100644
--- a/src/lib/libcrypto/aes/aes.h
+++ b/src/lib/libcrypto/aes/aes.h
@@ -90,6 +90,11 @@ int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
90int AES_set_decrypt_key(const unsigned char *userKey, const int bits, 90int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
91 AES_KEY *key); 91 AES_KEY *key);
92 92
93int private_AES_set_encrypt_key(const unsigned char *userKey, const int bits,
94 AES_KEY *key);
95int private_AES_set_decrypt_key(const unsigned char *userKey, const int bits,
96 AES_KEY *key);
97
93void AES_encrypt(const unsigned char *in, unsigned char *out, 98void AES_encrypt(const unsigned char *in, unsigned char *out,
94 const AES_KEY *key); 99 const AES_KEY *key);
95void AES_decrypt(const unsigned char *in, unsigned char *out, 100void AES_decrypt(const unsigned char *in, unsigned char *out,
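Review bot: The new `private_AES_set_encrypt_key` and `private_AES_set_decrypt_key` prototypes land in the installed public header with no comment, so nothing tells an application author that they are the raw key-schedule routines reached from the `AES_set_*_key` wrappers rather than entry points to call directly. Add a comment above the pair: `/* Raw key-schedule routines. Applications must use AES_set_{en,de}crypt_key, which is the checked public entry point that dispatches here. */`. If the intent is that these names are internal, a note that they are not part of the supported API would also keep them out of third-party code.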
diff --git a/src/lib/libcrypto/aes/aes_core.c b/src/lib/libcrypto/aes/aes_core.c
index a7ec54f4da..8f5210ac70 100644
--- a/src/lib/libcrypto/aes/aes_core.c
+++ b/src/lib/libcrypto/aes/aes_core.c
@@ -625,7 +625,7 @@ static const u32 rcon[] = {
625/** 625/**
626 * Expand the cipher key into the encryption key schedule. 626 * Expand the cipher key into the encryption key schedule.
627 */ 627 */
628int AES_set_encrypt_key(const unsigned char *userKey, const int bits, 628int private_AES_set_encrypt_key(const unsigned char *userKey, const int bits,
629 AES_KEY *key) { 629 AES_KEY *key) {
630 630
631 u32 *rk; 631 u32 *rk;
@@ -726,7 +726,7 @@ int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
726/** 726/**
727 * Expand the cipher key into the decryption key schedule. 727 * Expand the cipher key into the decryption key schedule.
728 */ 728 */
729int AES_set_decrypt_key(const unsigned char *userKey, const int bits, 729int private_AES_set_decrypt_key(const unsigned char *userKey, const int bits,
730 AES_KEY *key) { 730 AES_KEY *key) {
731 731
732 u32 *rk; 732 u32 *rk;
@@ -734,7 +734,7 @@ int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
734 u32 temp; 734 u32 temp;
735 735
736 /* first, start with an encryption schedule */ 736 /* first, start with an encryption schedule */
737 status = AES_set_encrypt_key(userKey, bits, key); 737 status = private_AES_set_encrypt_key(userKey, bits, key);
738 if (status < 0) 738 if (status < 0)
739 return status; 739 return status;
740 740
@@ -1201,7 +1201,7 @@ static const u32 rcon[] = {
1201/** 1201/**
1202 * Expand the cipher key into the encryption key schedule. 1202 * Expand the cipher key into the encryption key schedule.
1203 */ 1203 */
1204int AES_set_encrypt_key(const unsigned char *userKey, const int bits, 1204int private_AES_set_encrypt_key(const unsigned char *userKey, const int bits,
1205 AES_KEY *key) { 1205 AES_KEY *key) {
1206 u32 *rk; 1206 u32 *rk;
1207 int i = 0; 1207 int i = 0;
@@ -1301,7 +1301,7 @@ int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
1301/** 1301/**
1302 * Expand the cipher key into the decryption key schedule. 1302 * Expand the cipher key into the decryption key schedule.
1303 */ 1303 */
1304int AES_set_decrypt_key(const unsigned char *userKey, const int bits, 1304int private_AES_set_decrypt_key(const unsigned char *userKey, const int bits,
1305 AES_KEY *key) { 1305 AES_KEY *key) {
1306 1306
1307 u32 *rk; 1307 u32 *rk;
@@ -1309,7 +1309,7 @@ int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
1309 u32 temp; 1309 u32 temp;
1310 1310
1311 /* first, start with an encryption schedule */ 1311 /* first, start with an encryption schedule */
1312 status = AES_set_encrypt_key(userKey, bits, key); 1312 status = private_AES_set_encrypt_key(userKey, bits, key);
1313 if (status < 0) 1313 if (status < 0)
1314 return status; 1314 return status;
1315 1315
diff --git a/src/lib/libcrypto/aes/aes_misc.c b/src/lib/libcrypto/aes/aes_misc.c
index 4fead1b4c7..f083488ecb 100644
--- a/src/lib/libcrypto/aes/aes_misc.c
+++ b/src/lib/libcrypto/aes/aes_misc.c
@@ -50,6 +50,7 @@
50 */ 50 */
51 51
52#include <openssl/opensslv.h> 52#include <openssl/opensslv.h>
53#include <openssl/crypto.h>
53#include <openssl/aes.h> 54#include <openssl/aes.h>
54#include "aes_locl.h" 55#include "aes_locl.h"
55 56
@@ -62,3 +63,23 @@ const char *AES_options(void) {
62 return "aes(partial)"; 63 return "aes(partial)";
63#endif 64#endif
64} 65}
66
67/* FIPS wrapper functions to block low level AES calls in FIPS mode */
68
69int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
70 AES_KEY *key)
71 {
72#ifdef OPENSSL_FIPS
73 fips_cipher_abort(AES);
74#endif
75 return private_AES_set_encrypt_key(userKey, bits, key);
76 }
77
78int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
79 AES_KEY *key)
80 {
81#ifdef OPENSSL_FIPS
82 fips_cipher_abort(AES);
83#endif
84 return private_AES_set_decrypt_key(userKey, bits, key);
85 }
diff --git a/src/lib/libcrypto/aes/asm/aes-586.pl b/src/lib/libcrypto/aes/asm/aes-586.pl
index aab40e6f1c..687ed811be 100644
--- a/src/lib/libcrypto/aes/asm/aes-586.pl
+++ b/src/lib/libcrypto/aes/asm/aes-586.pl
@@ -39,7 +39,7 @@
39# but exhibits up to 10% improvement on other cores. 39# but exhibits up to 10% improvement on other cores.
40# 40#
41# Second version is "monolithic" replacement for aes_core.c, which in 41# Second version is "monolithic" replacement for aes_core.c, which in
42# addition to AES_[de|en]crypt implements AES_set_[de|en]cryption_key. 42# addition to AES_[de|en]crypt implements private_AES_set_[de|en]cryption_key.
43# This made it possible to implement little-endian variant of the 43# This made it possible to implement little-endian variant of the
44# algorithm without modifying the base C code. Motivating factor for 44# algorithm without modifying the base C code. Motivating factor for
45# the undertaken effort was that it appeared that in tight IA-32 45# the undertaken effort was that it appeared that in tight IA-32
@@ -2854,12 +2854,12 @@ sub enckey()
2854 &set_label("exit"); 2854 &set_label("exit");
2855&function_end("_x86_AES_set_encrypt_key"); 2855&function_end("_x86_AES_set_encrypt_key");
2856 2856
2857# int AES_set_encrypt_key(const unsigned char *userKey, const int bits, 2857# int private_AES_set_encrypt_key(const unsigned char *userKey, const int bits,
2858# AES_KEY *key) 2858# AES_KEY *key)
2859&function_begin_B("AES_set_encrypt_key"); 2859&function_begin_B("private_AES_set_encrypt_key");
2860 &call ("_x86_AES_set_encrypt_key"); 2860 &call ("_x86_AES_set_encrypt_key");
2861 &ret (); 2861 &ret ();
2862&function_end_B("AES_set_encrypt_key"); 2862&function_end_B("private_AES_set_encrypt_key");
2863 2863
2864sub deckey() 2864sub deckey()
2865{ my ($i,$key,$tp1,$tp2,$tp4,$tp8) = @_; 2865{ my ($i,$key,$tp1,$tp2,$tp4,$tp8) = @_;
@@ -2916,9 +2916,9 @@ sub deckey()
2916 &mov (&DWP(4*$i,$key),$tp1); 2916 &mov (&DWP(4*$i,$key),$tp1);
2917} 2917}
2918 2918
2919# int AES_set_decrypt_key(const unsigned char *userKey, const int bits, 2919# int private_AES_set_decrypt_key(const unsigned char *userKey, const int bits,
2920# AES_KEY *key) 2920# AES_KEY *key)
2921&function_begin_B("AES_set_decrypt_key"); 2921&function_begin_B("private_AES_set_decrypt_key");
2922 &call ("_x86_AES_set_encrypt_key"); 2922 &call ("_x86_AES_set_encrypt_key");
2923 &cmp ("eax",0); 2923 &cmp ("eax",0);
2924 &je (&label("proceed")); 2924 &je (&label("proceed"));
@@ -2974,7 +2974,7 @@ sub deckey()
2974 &jb (&label("permute")); 2974 &jb (&label("permute"));
2975 2975
2976 &xor ("eax","eax"); # return success 2976 &xor ("eax","eax"); # return success
2977&function_end("AES_set_decrypt_key"); 2977&function_end("private_AES_set_decrypt_key");
2978&asciz("AES for x86, CRYPTOGAMS by <appro\@openssl.org>"); 2978&asciz("AES for x86, CRYPTOGAMS by <appro\@openssl.org>");
2979 2979
2980&asm_finish(); 2980&asm_finish();
diff --git a/src/lib/libcrypto/aes/asm/aes-x86_64.pl b/src/lib/libcrypto/aes/asm/aes-x86_64.pl
index 53e4ef85fd..027b4ae2e5 100755
--- a/src/lib/libcrypto/aes/asm/aes-x86_64.pl
+++ b/src/lib/libcrypto/aes/asm/aes-x86_64.pl
@@ -588,6 +588,9 @@ $code.=<<___;
588.globl AES_encrypt 588.globl AES_encrypt
589.type AES_encrypt,\@function,3 589.type AES_encrypt,\@function,3
590.align 16 590.align 16
591.globl asm_AES_encrypt
592.hidden asm_AES_encrypt
593asm_AES_encrypt:
591AES_encrypt: 594AES_encrypt:
592 push %rbx 595 push %rbx
593 push %rbp 596 push %rbp
@@ -1184,6 +1187,9 @@ $code.=<<___;
1184.globl AES_decrypt 1187.globl AES_decrypt
1185.type AES_decrypt,\@function,3 1188.type AES_decrypt,\@function,3
1186.align 16 1189.align 16
1190.globl asm_AES_decrypt
1191.hidden asm_AES_decrypt
1192asm_AES_decrypt:
1187AES_decrypt: 1193AES_decrypt:
1188 push %rbx 1194 push %rbx
1189 push %rbp 1195 push %rbp
@@ -1277,13 +1283,13 @@ $code.=<<___;
1277___ 1283___
1278} 1284}
1279 1285
1280# int AES_set_encrypt_key(const unsigned char *userKey, const int bits, 1286# int private_AES_set_encrypt_key(const unsigned char *userKey, const int bits,
1281# AES_KEY *key) 1287# AES_KEY *key)
1282$code.=<<___; 1288$code.=<<___;
1283.globl AES_set_encrypt_key 1289.globl private_AES_set_encrypt_key
1284.type AES_set_encrypt_key,\@function,3 1290.type private_AES_set_encrypt_key,\@function,3
1285.align 16 1291.align 16
1286AES_set_encrypt_key: 1292private_AES_set_encrypt_key:
1287 push %rbx 1293 push %rbx
1288 push %rbp 1294 push %rbp
1289 push %r12 # redundant, but allows to share 1295 push %r12 # redundant, but allows to share
@@ -1304,7 +1310,7 @@ AES_set_encrypt_key:
1304 add \$56,%rsp 1310 add \$56,%rsp
1305.Lenc_key_epilogue: 1311.Lenc_key_epilogue:
1306 ret 1312 ret
1307.size AES_set_encrypt_key,.-AES_set_encrypt_key 1313.size private_AES_set_encrypt_key,.-private_AES_set_encrypt_key
1308 1314
1309.type _x86_64_AES_set_encrypt_key,\@abi-omnipotent 1315.type _x86_64_AES_set_encrypt_key,\@abi-omnipotent
1310.align 16 1316.align 16
@@ -1547,13 +1553,13 @@ $code.=<<___;
1547___ 1553___
1548} 1554}
1549 1555
1550# int AES_set_decrypt_key(const unsigned char *userKey, const int bits, 1556# int private_AES_set_decrypt_key(const unsigned char *userKey, const int bits,
1551# AES_KEY *key) 1557# AES_KEY *key)
1552$code.=<<___; 1558$code.=<<___;
1553.globl AES_set_decrypt_key 1559.globl private_AES_set_decrypt_key
1554.type AES_set_decrypt_key,\@function,3 1560.type private_AES_set_decrypt_key,\@function,3
1555.align 16 1561.align 16
1556AES_set_decrypt_key: 1562private_AES_set_decrypt_key:
1557 push %rbx 1563 push %rbx
1558 push %rbp 1564 push %rbp
1559 push %r12 1565 push %r12
@@ -1622,7 +1628,7 @@ $code.=<<___;
1622 add \$56,%rsp 1628 add \$56,%rsp
1623.Ldec_key_epilogue: 1629.Ldec_key_epilogue:
1624 ret 1630 ret
1625.size AES_set_decrypt_key,.-AES_set_decrypt_key 1631.size private_AES_set_decrypt_key,.-private_AES_set_decrypt_key
1626___ 1632___
1627 1633
1628# void AES_cbc_encrypt (const void char *inp, unsigned char *out, 1634# void AES_cbc_encrypt (const void char *inp, unsigned char *out,
@@ -1648,6 +1654,9 @@ $code.=<<___;
1648.type AES_cbc_encrypt,\@function,6 1654.type AES_cbc_encrypt,\@function,6
1649.align 16 1655.align 16
1650.extern OPENSSL_ia32cap_P 1656.extern OPENSSL_ia32cap_P
1657.globl asm_AES_cbc_encrypt
1658.hidden asm_AES_cbc_encrypt
1659asm_AES_cbc_encrypt:
1651AES_cbc_encrypt: 1660AES_cbc_encrypt:
1652 cmp \$0,%rdx # check length 1661 cmp \$0,%rdx # check length
1653 je .Lcbc_epilogue 1662 je .Lcbc_epilogue
@@ -2766,13 +2775,13 @@ cbc_se_handler:
2766 .rva .LSEH_end_AES_decrypt 2775 .rva .LSEH_end_AES_decrypt
2767 .rva .LSEH_info_AES_decrypt 2776 .rva .LSEH_info_AES_decrypt
2768 2777
2769 .rva .LSEH_begin_AES_set_encrypt_key 2778 .rva .LSEH_begin_private_AES_set_encrypt_key
2770 .rva .LSEH_end_AES_set_encrypt_key 2779 .rva .LSEH_end_private_AES_set_encrypt_key
2771 .rva .LSEH_info_AES_set_encrypt_key 2780 .rva .LSEH_info_private_AES_set_encrypt_key
2772 2781
2773 .rva .LSEH_begin_AES_set_decrypt_key 2782 .rva .LSEH_begin_private_AES_set_decrypt_key
2774 .rva .LSEH_end_AES_set_decrypt_key 2783 .rva .LSEH_end_private_AES_set_decrypt_key
2775 .rva .LSEH_info_AES_set_decrypt_key 2784 .rva .LSEH_info_private_AES_set_decrypt_key
2776 2785
2777 .rva .LSEH_begin_AES_cbc_encrypt 2786 .rva .LSEH_begin_AES_cbc_encrypt
2778 .rva .LSEH_end_AES_cbc_encrypt 2787 .rva .LSEH_end_AES_cbc_encrypt
@@ -2788,11 +2797,11 @@ cbc_se_handler:
2788 .byte 9,0,0,0 2797 .byte 9,0,0,0
2789 .rva block_se_handler 2798 .rva block_se_handler
2790 .rva .Ldec_prologue,.Ldec_epilogue # HandlerData[] 2799 .rva .Ldec_prologue,.Ldec_epilogue # HandlerData[]
2791.LSEH_info_AES_set_encrypt_key: 2800.LSEH_info_private_AES_set_encrypt_key:
2792 .byte 9,0,0,0 2801 .byte 9,0,0,0
2793 .rva key_se_handler 2802 .rva key_se_handler
2794 .rva .Lenc_key_prologue,.Lenc_key_epilogue # HandlerData[] 2803 .rva .Lenc_key_prologue,.Lenc_key_epilogue # HandlerData[]
2795.LSEH_info_AES_set_decrypt_key: 2804.LSEH_info_private_AES_set_decrypt_key:
2796 .byte 9,0,0,0 2805 .byte 9,0,0,0
2797 .rva key_se_handler 2806 .rva key_se_handler
2798 .rva .Ldec_key_prologue,.Ldec_key_epilogue # HandlerData[] 2807 .rva .Ldec_key_prologue,.Ldec_key_epilogue # HandlerData[]
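Review bot: The new `asm_AES_encrypt`, `asm_AES_decrypt` and `asm_AES_cbc_encrypt` aliases are emitted with `.globl` and `.hidden` but get no `.type` or `.size` of their own, so they will appear as untyped zero-size symbols even though they sit at the same address as the typed functions they alias. Add `.type asm_AES_encrypt,\@function,3` (and `,3` for decrypt, `,6` for cbc, matching the existing `.type` lines) beside each `.hidden` directive so the aliases carry the same function type and argument count. A short comment above each, e.g. `# hidden alias for in-library callers; same address as AES_encrypt`, would also make clear that the Win64 `.LSEH_*` tables at the end of the file need no extra entry for them, since the unwind ranges already cover that address.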
diff --git a/src/lib/libcrypto/aes/asm/aesni-x86_64.pl b/src/lib/libcrypto/aes/asm/aesni-x86_64.pl
index 49e0f4b351..499f3b3f42 100644
--- a/src/lib/libcrypto/aes/asm/aesni-x86_64.pl
+++ b/src/lib/libcrypto/aes/asm/aesni-x86_64.pl
@@ -11,6 +11,151 @@
11# OpenSSL context it's used with Intel engine, but can also be used as 11# OpenSSL context it's used with Intel engine, but can also be used as
12# drop-in replacement for crypto/aes/asm/aes-x86_64.pl [see below for 12# drop-in replacement for crypto/aes/asm/aes-x86_64.pl [see below for
13# details]. 13# details].
14#
15# Performance.
16#
17# Given aes(enc|dec) instructions' latency asymptotic performance for
18# non-parallelizable modes such as CBC encrypt is 3.75 cycles per byte
19# processed with 128-bit key. And given their throughput asymptotic
20# performance for parallelizable modes is 1.25 cycles per byte. Being
21# asymptotic limit it's not something you commonly achieve in reality,
22# but how close does one get? Below are results collected for
23# different modes and block sized. Pairs of numbers are for en-/
24# decryption.
25#
26# 16-byte 64-byte 256-byte 1-KB 8-KB
27# ECB 4.25/4.25 1.38/1.38 1.28/1.28 1.26/1.26 1.26/1.26
28# CTR 5.42/5.42 1.92/1.92 1.44/1.44 1.28/1.28 1.26/1.26
29# CBC 4.38/4.43 4.15/1.43 4.07/1.32 4.07/1.29 4.06/1.28
30# CCM 5.66/9.42 4.42/5.41 4.16/4.40 4.09/4.15 4.06/4.07
31# OFB 5.42/5.42 4.64/4.64 4.44/4.44 4.39/4.39 4.38/4.38
32# CFB 5.73/5.85 5.56/5.62 5.48/5.56 5.47/5.55 5.47/5.55
33#
34# ECB, CTR, CBC and CCM results are free from EVP overhead. This means
35# that otherwise used 'openssl speed -evp aes-128-??? -engine aesni
36# [-decrypt]' will exhibit 10-15% worse results for smaller blocks.
37# The results were collected with specially crafted speed.c benchmark
38# in order to compare them with results reported in "Intel Advanced
39# Encryption Standard (AES) New Instruction Set" White Paper Revision
40# 3.0 dated May 2010. All above results are consistently better. This
41# module also provides better performance for block sizes smaller than
42# 128 bytes in points *not* represented in the above table.
43#
44# Looking at the results for 8-KB buffer.
45#
46# CFB and OFB results are far from the limit, because implementation
47# uses "generic" CRYPTO_[c|o]fb128_encrypt interfaces relying on
48# single-block aesni_encrypt, which is not the most optimal way to go.
49# CBC encrypt result is unexpectedly high and there is no documented
50# explanation for it. Seemingly there is a small penalty for feeding
51# the result back to AES unit the way it's done in CBC mode. There is
52# nothing one can do and the result appears optimal. CCM result is
53# identical to CBC, because CBC-MAC is essentially CBC encrypt without
54# saving output. CCM CTR "stays invisible," because it's neatly
55# interleaved wih CBC-MAC. This provides ~30% improvement over
56# "straghtforward" CCM implementation with CTR and CBC-MAC performed
57# disjointly. Parallelizable modes practically achieve the theoretical
58# limit.
59#
60# Looking at how results vary with buffer size.
61#
62# Curves are practically saturated at 1-KB buffer size. In most cases
63# "256-byte" performance is >95%, and "64-byte" is ~90% of "8-KB" one.
64# CTR curve doesn't follow this pattern and is "slowest" changing one
65# with "256-byte" result being 87% of "8-KB." This is because overhead
66# in CTR mode is most computationally intensive. Small-block CCM
67# decrypt is slower than encrypt, because first CTR and last CBC-MAC
68# iterations can't be interleaved.
69#
70# Results for 192- and 256-bit keys.
71#
72# EVP-free results were observed to scale perfectly with number of
73# rounds for larger block sizes, i.e. 192-bit result being 10/12 times
74# lower and 256-bit one - 10/14. Well, in CBC encrypt case differences
75# are a tad smaller, because the above mentioned penalty biases all
76# results by same constant value. In similar way function call
77# overhead affects small-block performance, as well as OFB and CFB
78# results. Differences are not large, most common coefficients are
79# 10/11.7 and 10/13.4 (as opposite to 10/12.0 and 10/14.0), but one
80# observe even 10/11.2 and 10/12.4 (CTR, OFB, CFB)...
81
82# January 2011
83#
84# While Westmere processor features 6 cycles latency for aes[enc|dec]
85# instructions, which can be scheduled every second cycle, Sandy
86# Bridge spends 8 cycles per instruction, but it can schedule them
87# every cycle. This means that code targeting Westmere would perform
88# suboptimally on Sandy Bridge. Therefore this update.
89#
90# In addition, non-parallelizable CBC encrypt (as well as CCM) is
91# optimized. Relative improvement might appear modest, 8% on Westmere,
92# but in absolute terms it's 3.77 cycles per byte encrypted with
93# 128-bit key on Westmere, and 5.07 - on Sandy Bridge. These numbers
94# should be compared to asymptotic limits of 3.75 for Westmere and
95# 5.00 for Sandy Bridge. Actually, the fact that they get this close
96# to asymptotic limits is quite amazing. Indeed, the limit is
97# calculated as latency times number of rounds, 10 for 128-bit key,
98# and divided by 16, the number of bytes in block, or in other words
99# it accounts *solely* for aesenc instructions. But there are extra
100# instructions, and numbers so close to the asymptotic limits mean
101# that it's as if it takes as little as *one* additional cycle to
102# execute all of them. How is it possible? It is possible thanks to
103# out-of-order execution logic, which manages to overlap post-
104# processing of previous block, things like saving the output, with
105# actual encryption of current block, as well as pre-processing of
106# current block, things like fetching input and xor-ing it with
107# 0-round element of the key schedule, with actual encryption of
108# previous block. Keep this in mind...
109#
110# For parallelizable modes, such as ECB, CBC decrypt, CTR, higher
111# performance is achieved by interleaving instructions working on
112# independent blocks. In which case asymptotic limit for such modes
113# can be obtained by dividing above mentioned numbers by AES
114# instructions' interleave factor. Westmere can execute at most 3
115# instructions at a time, meaning that optimal interleave factor is 3,
116# and that's where the "magic" number of 1.25 come from. "Optimal
117# interleave factor" means that increase of interleave factor does
118# not improve performance. The formula has proven to reflect reality
119# pretty well on Westmere... Sandy Bridge on the other hand can
120# execute up to 8 AES instructions at a time, so how does varying
121# interleave factor affect the performance? Here is table for ECB
122# (numbers are cycles per byte processed with 128-bit key):
123#
124# instruction interleave factor 3x 6x 8x
125# theoretical asymptotic limit 1.67 0.83 0.625
126# measured performance for 8KB block 1.05 0.86 0.84
127#
128# "as if" interleave factor 4.7x 5.8x 6.0x
129#
130# Further data for other parallelizable modes:
131#
132# CBC decrypt 1.16 0.93 0.93
133# CTR 1.14 0.91 n/a
134#
135# Well, given 3x column it's probably inappropriate to call the limit
136# asymptotic, if it can be surpassed, isn't it? What happens there?
137# Rewind to CBC paragraph for the answer. Yes, out-of-order execution
138# magic is responsible for this. Processor overlaps not only the
139# additional instructions with AES ones, but even AES instuctions
140# processing adjacent triplets of independent blocks. In the 6x case
141# additional instructions still claim disproportionally small amount
142# of additional cycles, but in 8x case number of instructions must be
143# a tad too high for out-of-order logic to cope with, and AES unit
144# remains underutilized... As you can see 8x interleave is hardly
145# justifiable, so there no need to feel bad that 32-bit aesni-x86.pl
146# utilizies 6x interleave because of limited register bank capacity.
147#
148# Higher interleave factors do have negative impact on Westmere
149# performance. While for ECB mode it's negligible ~1.5%, other
150# parallelizables perform ~5% worse, which is outweighed by ~25%
151# improvement on Sandy Bridge. To balance regression on Westmere
152# CTR mode was implemented with 6x aesenc interleave factor.
153
154# April 2011
155#
156# Add aesni_xts_[en|de]crypt. Westmere spends 1.33 cycles processing
157# one byte out of 8KB with 128-bit key, Sandy Bridge - 0.97. Just like
158# in CTR mode AES instruction interleave factor was chosen to be 6x.
14 159
15$PREFIX="aesni"; # if $PREFIX is set to "AES", the script 160$PREFIX="aesni"; # if $PREFIX is set to "AES", the script
16 # generates drop-in replacement for 161 # generates drop-in replacement for
@@ -29,7 +174,7 @@ die "can't locate x86_64-xlate.pl";
29 174
30open STDOUT,"| $^X $xlate $flavour $output"; 175open STDOUT,"| $^X $xlate $flavour $output";
31 176
32$movkey = $PREFIX eq "aesni" ? "movaps" : "movups"; 177$movkey = $PREFIX eq "aesni" ? "movups" : "movups";
33@_4args=$win64? ("%rcx","%rdx","%r8", "%r9") : # Win64 order 178@_4args=$win64? ("%rcx","%rdx","%r8", "%r9") : # Win64 order
34 ("%rdi","%rsi","%rdx","%rcx"); # Unix order 179 ("%rdi","%rsi","%rdx","%rcx"); # Unix order
35 180
@@ -41,18 +186,20 @@ $inp="%rdi";
41$out="%rsi"; 186$out="%rsi";
42$len="%rdx"; 187$len="%rdx";
43$key="%rcx"; # input to and changed by aesni_[en|de]cryptN !!! 188$key="%rcx"; # input to and changed by aesni_[en|de]cryptN !!!
44$ivp="%r8"; # cbc 189$ivp="%r8"; # cbc, ctr, ...
45 190
46$rnds_="%r10d"; # backup copy for $rounds 191$rnds_="%r10d"; # backup copy for $rounds
47$key_="%r11"; # backup copy for $key 192$key_="%r11"; # backup copy for $key
48 193
49# %xmm register layout 194# %xmm register layout
50$inout0="%xmm0"; $inout1="%xmm1"; 195$rndkey0="%xmm0"; $rndkey1="%xmm1";
51$inout2="%xmm2"; $inout3="%xmm3"; 196$inout0="%xmm2"; $inout1="%xmm3";
52$rndkey0="%xmm4"; $rndkey1="%xmm5"; 197$inout2="%xmm4"; $inout3="%xmm5";
53 198$inout4="%xmm6"; $inout5="%xmm7";
54$iv="%xmm6"; $in0="%xmm7"; # used in CBC decrypt 199$inout6="%xmm8"; $inout7="%xmm9";
55$in1="%xmm8"; $in2="%xmm9"; 200
201$in2="%xmm6"; $in1="%xmm7"; # used in CBC decrypt, CTR, ...
202$in0="%xmm8"; $iv="%xmm9";
56 203
57# Inline version of internal aesni_[en|de]crypt1. 204# Inline version of internal aesni_[en|de]crypt1.
58# 205#
@@ -60,20 +207,29 @@ $in1="%xmm8"; $in2="%xmm9";
60# cycles which take care of loop variables... 207# cycles which take care of loop variables...
61{ my $sn; 208{ my $sn;
62sub aesni_generate1 { 209sub aesni_generate1 {
63my ($p,$key,$rounds)=@_; 210my ($p,$key,$rounds,$inout,$ivec)=@_; $inout=$inout0 if (!defined($inout));
64++$sn; 211++$sn;
65$code.=<<___; 212$code.=<<___;
66 $movkey ($key),$rndkey0 213 $movkey ($key),$rndkey0
67 $movkey 16($key),$rndkey1 214 $movkey 16($key),$rndkey1
215___
216$code.=<<___ if (defined($ivec));
217 xorps $rndkey0,$ivec
218 lea 32($key),$key
219 xorps $ivec,$inout
220___
221$code.=<<___ if (!defined($ivec));
68 lea 32($key),$key 222 lea 32($key),$key
69 pxor $rndkey0,$inout0 223 xorps $rndkey0,$inout
224___
225$code.=<<___;
70.Loop_${p}1_$sn: 226.Loop_${p}1_$sn:
71 aes${p} $rndkey1,$inout0 227 aes${p} $rndkey1,$inout
72 dec $rounds 228 dec $rounds
73 $movkey ($key),$rndkey1 229 $movkey ($key),$rndkey1
74 lea 16($key),$key 230 lea 16($key),$key
75 jnz .Loop_${p}1_$sn # loop body is 16 bytes 231 jnz .Loop_${p}1_$sn # loop body is 16 bytes
76 aes${p}last $rndkey1,$inout0 232 aes${p}last $rndkey1,$inout
77___ 233___
78}} 234}}
79# void $PREFIX_[en|de]crypt (const void *inp,void *out,const AES_KEY *key); 235# void $PREFIX_[en|de]crypt (const void *inp,void *out,const AES_KEY *key);
@@ -86,7 +242,7 @@ $code.=<<___;
86.align 16 242.align 16
87${PREFIX}_encrypt: 243${PREFIX}_encrypt:
88 movups ($inp),$inout0 # load input 244 movups ($inp),$inout0 # load input
89 mov 240($key),$rounds # pull $rounds 245 mov 240($key),$rounds # key->rounds
90___ 246___
91 &aesni_generate1("enc",$key,$rounds); 247 &aesni_generate1("enc",$key,$rounds);
92$code.=<<___; 248$code.=<<___;
@@ -99,7 +255,7 @@ $code.=<<___;
99.align 16 255.align 16
100${PREFIX}_decrypt: 256${PREFIX}_decrypt:
101 movups ($inp),$inout0 # load input 257 movups ($inp),$inout0 # load input
102 mov 240($key),$rounds # pull $rounds 258 mov 240($key),$rounds # key->rounds
103___ 259___
104 &aesni_generate1("dec",$key,$rounds); 260 &aesni_generate1("dec",$key,$rounds);
105$code.=<<___; 261$code.=<<___;
@@ -109,16 +265,16 @@ $code.=<<___;
109___ 265___
110} 266}
111 267
112# _aesni_[en|de]crypt[34] are private interfaces, N denotes interleave 268# _aesni_[en|de]cryptN are private interfaces, N denotes interleave
113# factor. Why 3x subroutine is used in loops? Even though aes[enc|dec] 269# factor. Why 3x subroutine were originally used in loops? Even though
114# latency is 6, it turned out that it can be scheduled only every 270# aes[enc|dec] latency was originally 6, it could be scheduled only
115# *second* cycle. Thus 3x interleave is the one providing optimal 271# every *2nd* cycle. Thus 3x interleave was the one providing optimal
116# utilization, i.e. when subroutine's throughput is virtually same as 272# utilization, i.e. when subroutine's throughput is virtually same as
117# of non-interleaved subroutine [for number of input blocks up to 3]. 273# of non-interleaved subroutine [for number of input blocks up to 3].
118# This is why it makes no sense to implement 2x subroutine. As soon 274# This is why it makes no sense to implement 2x subroutine.
119# as/if Intel improves throughput by making it possible to schedule 275# aes[enc|dec] latency in next processor generation is 8, but the
120# the instructions in question *every* cycles I would have to 276# instructions can be scheduled every cycle. Optimal interleave for
121# implement 6x interleave and use it in loop... 277# new processor is therefore 8x...
122sub aesni_generate3 { 278sub aesni_generate3 {
123my $dir=shift; 279my $dir=shift;
124# As already mentioned it takes in $key and $rounds, which are *not* 280# As already mentioned it takes in $key and $rounds, which are *not*
@@ -131,25 +287,25 @@ _aesni_${dir}rypt3:
131 shr \$1,$rounds 287 shr \$1,$rounds
132 $movkey 16($key),$rndkey1 288 $movkey 16($key),$rndkey1
133 lea 32($key),$key 289 lea 32($key),$key
134 pxor $rndkey0,$inout0 290 xorps $rndkey0,$inout0
135 pxor $rndkey0,$inout1 291 xorps $rndkey0,$inout1
136 pxor $rndkey0,$inout2 292 xorps $rndkey0,$inout2
293 $movkey ($key),$rndkey0
137 294
138.L${dir}_loop3: 295.L${dir}_loop3:
139 aes${dir} $rndkey1,$inout0 296 aes${dir} $rndkey1,$inout0
140 $movkey ($key),$rndkey0
141 aes${dir} $rndkey1,$inout1 297 aes${dir} $rndkey1,$inout1
142 dec $rounds 298 dec $rounds
143 aes${dir} $rndkey1,$inout2 299 aes${dir} $rndkey1,$inout2
144 aes${dir} $rndkey0,$inout0
145 $movkey 16($key),$rndkey1 300 $movkey 16($key),$rndkey1
301 aes${dir} $rndkey0,$inout0
146 aes${dir} $rndkey0,$inout1 302 aes${dir} $rndkey0,$inout1
147 lea 32($key),$key 303 lea 32($key),$key
148 aes${dir} $rndkey0,$inout2 304 aes${dir} $rndkey0,$inout2
305 $movkey ($key),$rndkey0
149 jnz .L${dir}_loop3 306 jnz .L${dir}_loop3
150 307
151 aes${dir} $rndkey1,$inout0 308 aes${dir} $rndkey1,$inout0
152 $movkey ($key),$rndkey0
153 aes${dir} $rndkey1,$inout1 309 aes${dir} $rndkey1,$inout1
154 aes${dir} $rndkey1,$inout2 310 aes${dir} $rndkey1,$inout2
155 aes${dir}last $rndkey0,$inout0 311 aes${dir}last $rndkey0,$inout0
@@ -175,28 +331,28 @@ _aesni_${dir}rypt4:
175 shr \$1,$rounds 331 shr \$1,$rounds
176 $movkey 16($key),$rndkey1 332 $movkey 16($key),$rndkey1
177 lea 32($key),$key 333 lea 32($key),$key
178 pxor $rndkey0,$inout0 334 xorps $rndkey0,$inout0
179 pxor $rndkey0,$inout1 335 xorps $rndkey0,$inout1
180 pxor $rndkey0,$inout2 336 xorps $rndkey0,$inout2
181 pxor $rndkey0,$inout3 337 xorps $rndkey0,$inout3
338 $movkey ($key),$rndkey0
182 339
183.L${dir}_loop4: 340.L${dir}_loop4:
184 aes${dir} $rndkey1,$inout0 341 aes${dir} $rndkey1,$inout0
185 $movkey ($key),$rndkey0
186 aes${dir} $rndkey1,$inout1 342 aes${dir} $rndkey1,$inout1
187 dec $rounds 343 dec $rounds
188 aes${dir} $rndkey1,$inout2 344 aes${dir} $rndkey1,$inout2
189 aes${dir} $rndkey1,$inout3 345 aes${dir} $rndkey1,$inout3
190 aes${dir} $rndkey0,$inout0
191 $movkey 16($key),$rndkey1 346 $movkey 16($key),$rndkey1
347 aes${dir} $rndkey0,$inout0
192 aes${dir} $rndkey0,$inout1 348 aes${dir} $rndkey0,$inout1
193 lea 32($key),$key 349 lea 32($key),$key
194 aes${dir} $rndkey0,$inout2 350 aes${dir} $rndkey0,$inout2
195 aes${dir} $rndkey0,$inout3 351 aes${dir} $rndkey0,$inout3
352 $movkey ($key),$rndkey0
196 jnz .L${dir}_loop4 353 jnz .L${dir}_loop4
197 354
198 aes${dir} $rndkey1,$inout0 355 aes${dir} $rndkey1,$inout0
199 $movkey ($key),$rndkey0
200 aes${dir} $rndkey1,$inout1 356 aes${dir} $rndkey1,$inout1
201 aes${dir} $rndkey1,$inout2 357 aes${dir} $rndkey1,$inout2
202 aes${dir} $rndkey1,$inout3 358 aes${dir} $rndkey1,$inout3
@@ -208,12 +364,158 @@ _aesni_${dir}rypt4:
208.size _aesni_${dir}rypt4,.-_aesni_${dir}rypt4 364.size _aesni_${dir}rypt4,.-_aesni_${dir}rypt4
209___ 365___
210} 366}
367sub aesni_generate6 {
368my $dir=shift;
369# As already mentioned it takes in $key and $rounds, which are *not*
370# preserved. $inout[0-5] is cipher/clear text...
371$code.=<<___;
372.type _aesni_${dir}rypt6,\@abi-omnipotent
373.align 16
374_aesni_${dir}rypt6:
375 $movkey ($key),$rndkey0
376 shr \$1,$rounds
377 $movkey 16($key),$rndkey1
378 lea 32($key),$key
379 xorps $rndkey0,$inout0
380 pxor $rndkey0,$inout1
381 aes${dir} $rndkey1,$inout0
382 pxor $rndkey0,$inout2
383 aes${dir} $rndkey1,$inout1
384 pxor $rndkey0,$inout3
385 aes${dir} $rndkey1,$inout2
386 pxor $rndkey0,$inout4
387 aes${dir} $rndkey1,$inout3
388 pxor $rndkey0,$inout5
389 dec $rounds
390 aes${dir} $rndkey1,$inout4
391 $movkey ($key),$rndkey0
392 aes${dir} $rndkey1,$inout5
393 jmp .L${dir}_loop6_enter
394.align 16
395.L${dir}_loop6:
396 aes${dir} $rndkey1,$inout0
397 aes${dir} $rndkey1,$inout1
398 dec $rounds
399 aes${dir} $rndkey1,$inout2
400 aes${dir} $rndkey1,$inout3
401 aes${dir} $rndkey1,$inout4
402 aes${dir} $rndkey1,$inout5
403.L${dir}_loop6_enter: # happens to be 16-byte aligned
404 $movkey 16($key),$rndkey1
405 aes${dir} $rndkey0,$inout0
406 aes${dir} $rndkey0,$inout1
407 lea 32($key),$key
408 aes${dir} $rndkey0,$inout2
409 aes${dir} $rndkey0,$inout3
410 aes${dir} $rndkey0,$inout4
411 aes${dir} $rndkey0,$inout5
412 $movkey ($key),$rndkey0
413 jnz .L${dir}_loop6
414
415 aes${dir} $rndkey1,$inout0
416 aes${dir} $rndkey1,$inout1
417 aes${dir} $rndkey1,$inout2
418 aes${dir} $rndkey1,$inout3
419 aes${dir} $rndkey1,$inout4
420 aes${dir} $rndkey1,$inout5
421 aes${dir}last $rndkey0,$inout0
422 aes${dir}last $rndkey0,$inout1
423 aes${dir}last $rndkey0,$inout2
424 aes${dir}last $rndkey0,$inout3
425 aes${dir}last $rndkey0,$inout4
426 aes${dir}last $rndkey0,$inout5
427 ret
428.size _aesni_${dir}rypt6,.-_aesni_${dir}rypt6
429___
430}
431sub aesni_generate8 {
432my $dir=shift;
433# As already mentioned it takes in $key and $rounds, which are *not*
434# preserved. $inout[0-7] is cipher/clear text...
435$code.=<<___;
436.type _aesni_${dir}rypt8,\@abi-omnipotent
437.align 16
438_aesni_${dir}rypt8:
439 $movkey ($key),$rndkey0
440 shr \$1,$rounds
441 $movkey 16($key),$rndkey1
442 lea 32($key),$key
443 xorps $rndkey0,$inout0
444 xorps $rndkey0,$inout1
445 aes${dir} $rndkey1,$inout0
446 pxor $rndkey0,$inout2
447 aes${dir} $rndkey1,$inout1
448 pxor $rndkey0,$inout3
449 aes${dir} $rndkey1,$inout2
450 pxor $rndkey0,$inout4
451 aes${dir} $rndkey1,$inout3
452 pxor $rndkey0,$inout5
453 dec $rounds
454 aes${dir} $rndkey1,$inout4
455 pxor $rndkey0,$inout6
456 aes${dir} $rndkey1,$inout5
457 pxor $rndkey0,$inout7
458 $movkey ($key),$rndkey0
459 aes${dir} $rndkey1,$inout6
460 aes${dir} $rndkey1,$inout7
461 $movkey 16($key),$rndkey1
462 jmp .L${dir}_loop8_enter
463.align 16
464.L${dir}_loop8:
465 aes${dir} $rndkey1,$inout0
466 aes${dir} $rndkey1,$inout1
467 dec $rounds
468 aes${dir} $rndkey1,$inout2
469 aes${dir} $rndkey1,$inout3
470 aes${dir} $rndkey1,$inout4
471 aes${dir} $rndkey1,$inout5
472 aes${dir} $rndkey1,$inout6
473 aes${dir} $rndkey1,$inout7
474 $movkey 16($key),$rndkey1
475.L${dir}_loop8_enter: # happens to be 16-byte aligned
476 aes${dir} $rndkey0,$inout0
477 aes${dir} $rndkey0,$inout1
478 lea 32($key),$key
479 aes${dir} $rndkey0,$inout2
480 aes${dir} $rndkey0,$inout3
481 aes${dir} $rndkey0,$inout4
482 aes${dir} $rndkey0,$inout5
483 aes${dir} $rndkey0,$inout6
484 aes${dir} $rndkey0,$inout7
485 $movkey ($key),$rndkey0
486 jnz .L${dir}_loop8
487
488 aes${dir} $rndkey1,$inout0
489 aes${dir} $rndkey1,$inout1
490 aes${dir} $rndkey1,$inout2
491 aes${dir} $rndkey1,$inout3
492 aes${dir} $rndkey1,$inout4
493 aes${dir} $rndkey1,$inout5
494 aes${dir} $rndkey1,$inout6
495 aes${dir} $rndkey1,$inout7
496 aes${dir}last $rndkey0,$inout0
497 aes${dir}last $rndkey0,$inout1
498 aes${dir}last $rndkey0,$inout2
499 aes${dir}last $rndkey0,$inout3
500 aes${dir}last $rndkey0,$inout4
501 aes${dir}last $rndkey0,$inout5
502 aes${dir}last $rndkey0,$inout6
503 aes${dir}last $rndkey0,$inout7
504 ret
505.size _aesni_${dir}rypt8,.-_aesni_${dir}rypt8
506___
507}
211&aesni_generate3("enc") if ($PREFIX eq "aesni"); 508&aesni_generate3("enc") if ($PREFIX eq "aesni");
212&aesni_generate3("dec"); 509&aesni_generate3("dec");
213&aesni_generate4("enc") if ($PREFIX eq "aesni"); 510&aesni_generate4("enc") if ($PREFIX eq "aesni");
214&aesni_generate4("dec"); 511&aesni_generate4("dec");
512&aesni_generate6("enc") if ($PREFIX eq "aesni");
513&aesni_generate6("dec");
514&aesni_generate8("enc") if ($PREFIX eq "aesni");
515&aesni_generate8("dec");
215 516
216if ($PREFIX eq "aesni") { 517if ($PREFIX eq "aesni") {
518########################################################################
217# void aesni_ecb_encrypt (const void *in, void *out, 519# void aesni_ecb_encrypt (const void *in, void *out,
218# size_t length, const AES_KEY *key, 520# size_t length, const AES_KEY *key,
219# int enc); 521# int enc);
@@ -222,54 +524,98 @@ $code.=<<___;
222.type aesni_ecb_encrypt,\@function,5 524.type aesni_ecb_encrypt,\@function,5
223.align 16 525.align 16
224aesni_ecb_encrypt: 526aesni_ecb_encrypt:
225 cmp \$16,$len # check length
226 jb .Lecb_ret
227
228 mov 240($key),$rounds # pull $rounds
229 and \$-16,$len 527 and \$-16,$len
528 jz .Lecb_ret
529
530 mov 240($key),$rounds # key->rounds
531 $movkey ($key),$rndkey0
230 mov $key,$key_ # backup $key 532 mov $key,$key_ # backup $key
231 test %r8d,%r8d # 5th argument
232 mov $rounds,$rnds_ # backup $rounds 533 mov $rounds,$rnds_ # backup $rounds
534 test %r8d,%r8d # 5th argument
233 jz .Lecb_decrypt 535 jz .Lecb_decrypt
234#--------------------------- ECB ENCRYPT ------------------------------# 536#--------------------------- ECB ENCRYPT ------------------------------#
235 sub \$0x40,$len 537 cmp \$0x80,$len
236 jbe .Lecb_enc_tail 538 jb .Lecb_enc_tail
237 jmp .Lecb_enc_loop3 539
540 movdqu ($inp),$inout0
541 movdqu 0x10($inp),$inout1
542 movdqu 0x20($inp),$inout2
543 movdqu 0x30($inp),$inout3
544 movdqu 0x40($inp),$inout4
545 movdqu 0x50($inp),$inout5
546 movdqu 0x60($inp),$inout6
547 movdqu 0x70($inp),$inout7
548 lea 0x80($inp),$inp
549 sub \$0x80,$len
550 jmp .Lecb_enc_loop8_enter
238.align 16 551.align 16
239.Lecb_enc_loop3: 552.Lecb_enc_loop8:
240 movups ($inp),$inout0 553 movups $inout0,($out)
241 movups 0x10($inp),$inout1
242 movups 0x20($inp),$inout2
243 call _aesni_encrypt3
244 sub \$0x30,$len
245 lea 0x30($inp),$inp
246 lea 0x30($out),$out
247 movups $inout0,-0x30($out)
248 mov $rnds_,$rounds # restore $rounds
249 movups $inout1,-0x20($out)
250 mov $key_,$key # restore $key 554 mov $key_,$key # restore $key
251 movups $inout2,-0x10($out) 555 movdqu ($inp),$inout0
252 ja .Lecb_enc_loop3 556 mov $rnds_,$rounds # restore $rounds
557 movups $inout1,0x10($out)
558 movdqu 0x10($inp),$inout1
559 movups $inout2,0x20($out)
560 movdqu 0x20($inp),$inout2
561 movups $inout3,0x30($out)
562 movdqu 0x30($inp),$inout3
563 movups $inout4,0x40($out)
564 movdqu 0x40($inp),$inout4
565 movups $inout5,0x50($out)
566 movdqu 0x50($inp),$inout5
567 movups $inout6,0x60($out)
568 movdqu 0x60($inp),$inout6
569 movups $inout7,0x70($out)
570 lea 0x80($out),$out
571 movdqu 0x70($inp),$inout7
572 lea 0x80($inp),$inp
573.Lecb_enc_loop8_enter:
574
575 call _aesni_encrypt8
576
577 sub \$0x80,$len
578 jnc .Lecb_enc_loop8
253 579
254.Lecb_enc_tail: 580 movups $inout0,($out)
255 add \$0x40,$len 581 mov $key_,$key # restore $key
582 movups $inout1,0x10($out)
583 mov $rnds_,$rounds # restore $rounds
584 movups $inout2,0x20($out)
585 movups $inout3,0x30($out)
586 movups $inout4,0x40($out)
587 movups $inout5,0x50($out)
588 movups $inout6,0x60($out)
589 movups $inout7,0x70($out)
590 lea 0x80($out),$out
591 add \$0x80,$len
256 jz .Lecb_ret 592 jz .Lecb_ret
257 593
258 cmp \$0x10,$len 594.Lecb_enc_tail:
259 movups ($inp),$inout0 595 movups ($inp),$inout0
260 je .Lecb_enc_one
261 cmp \$0x20,$len 596 cmp \$0x20,$len
597 jb .Lecb_enc_one
262 movups 0x10($inp),$inout1 598 movups 0x10($inp),$inout1
263 je .Lecb_enc_two 599 je .Lecb_enc_two
264 cmp \$0x30,$len
265 movups 0x20($inp),$inout2 600 movups 0x20($inp),$inout2
266 je .Lecb_enc_three 601 cmp \$0x40,$len
602 jb .Lecb_enc_three
267 movups 0x30($inp),$inout3 603 movups 0x30($inp),$inout3
268 call _aesni_encrypt4 604 je .Lecb_enc_four
605 movups 0x40($inp),$inout4
606 cmp \$0x60,$len
607 jb .Lecb_enc_five
608 movups 0x50($inp),$inout5
609 je .Lecb_enc_six
610 movdqu 0x60($inp),$inout6
611 call _aesni_encrypt8
269 movups $inout0,($out) 612 movups $inout0,($out)
270 movups $inout1,0x10($out) 613 movups $inout1,0x10($out)
271 movups $inout2,0x20($out) 614 movups $inout2,0x20($out)
272 movups $inout3,0x30($out) 615 movups $inout3,0x30($out)
616 movups $inout4,0x40($out)
617 movups $inout5,0x50($out)
618 movups $inout6,0x60($out)
273 jmp .Lecb_ret 619 jmp .Lecb_ret
274.align 16 620.align 16
275.Lecb_enc_one: 621.Lecb_enc_one:
@@ -280,6 +626,7 @@ $code.=<<___;
280 jmp .Lecb_ret 626 jmp .Lecb_ret
281.align 16 627.align 16
282.Lecb_enc_two: 628.Lecb_enc_two:
629 xorps $inout2,$inout2
283 call _aesni_encrypt3 630 call _aesni_encrypt3
284 movups $inout0,($out) 631 movups $inout0,($out)
285 movups $inout1,0x10($out) 632 movups $inout1,0x10($out)
@@ -291,47 +638,121 @@ $code.=<<___;
291 movups $inout1,0x10($out) 638 movups $inout1,0x10($out)
292 movups $inout2,0x20($out) 639 movups $inout2,0x20($out)
293 jmp .Lecb_ret 640 jmp .Lecb_ret
641.align 16
642.Lecb_enc_four:
643 call _aesni_encrypt4
644 movups $inout0,($out)
645 movups $inout1,0x10($out)
646 movups $inout2,0x20($out)
647 movups $inout3,0x30($out)
648 jmp .Lecb_ret
649.align 16
650.Lecb_enc_five:
651 xorps $inout5,$inout5
652 call _aesni_encrypt6
653 movups $inout0,($out)
654 movups $inout1,0x10($out)
655 movups $inout2,0x20($out)
656 movups $inout3,0x30($out)
657 movups $inout4,0x40($out)
658 jmp .Lecb_ret
659.align 16
660.Lecb_enc_six:
661 call _aesni_encrypt6
662 movups $inout0,($out)
663 movups $inout1,0x10($out)
664 movups $inout2,0x20($out)
665 movups $inout3,0x30($out)
666 movups $inout4,0x40($out)
667 movups $inout5,0x50($out)
668 jmp .Lecb_ret
294 #--------------------------- ECB DECRYPT ------------------------------# 669 #--------------------------- ECB DECRYPT ------------------------------#
295.align 16 670.align 16
296.Lecb_decrypt: 671.Lecb_decrypt:
297 sub \$0x40,$len 672 cmp \$0x80,$len
298 jbe .Lecb_dec_tail 673 jb .Lecb_dec_tail
299 jmp .Lecb_dec_loop3 674
675 movdqu ($inp),$inout0
676 movdqu 0x10($inp),$inout1
677 movdqu 0x20($inp),$inout2
678 movdqu 0x30($inp),$inout3
679 movdqu 0x40($inp),$inout4
680 movdqu 0x50($inp),$inout5
681 movdqu 0x60($inp),$inout6
682 movdqu 0x70($inp),$inout7
683 lea 0x80($inp),$inp
684 sub \$0x80,$len
685 jmp .Lecb_dec_loop8_enter
300.align 16 686.align 16
301.Lecb_dec_loop3: 687.Lecb_dec_loop8:
302 movups ($inp),$inout0 688 movups $inout0,($out)
303 movups 0x10($inp),$inout1
304 movups 0x20($inp),$inout2
305 call _aesni_decrypt3
306 sub \$0x30,$len
307 lea 0x30($inp),$inp
308 lea 0x30($out),$out
309 movups $inout0,-0x30($out)
310 mov $rnds_,$rounds # restore $rounds
311 movups $inout1,-0x20($out)
312 mov $key_,$key # restore $key 689 mov $key_,$key # restore $key
313 movups $inout2,-0x10($out) 690 movdqu ($inp),$inout0
314 ja .Lecb_dec_loop3 691 mov $rnds_,$rounds # restore $rounds
692 movups $inout1,0x10($out)
693 movdqu 0x10($inp),$inout1
694 movups $inout2,0x20($out)
695 movdqu 0x20($inp),$inout2
696 movups $inout3,0x30($out)
697 movdqu 0x30($inp),$inout3
698 movups $inout4,0x40($out)
699 movdqu 0x40($inp),$inout4
700 movups $inout5,0x50($out)
701 movdqu 0x50($inp),$inout5
702 movups $inout6,0x60($out)
703 movdqu 0x60($inp),$inout6
704 movups $inout7,0x70($out)
705 lea 0x80($out),$out
706 movdqu 0x70($inp),$inout7
707 lea 0x80($inp),$inp
708.Lecb_dec_loop8_enter:
709
710 call _aesni_decrypt8
711
712 $movkey ($key_),$rndkey0
713 sub \$0x80,$len
714 jnc .Lecb_dec_loop8
315 715
316.Lecb_dec_tail: 716 movups $inout0,($out)
317 add \$0x40,$len 717 mov $key_,$key # restore $key
718 movups $inout1,0x10($out)
719 mov $rnds_,$rounds # restore $rounds
720 movups $inout2,0x20($out)
721 movups $inout3,0x30($out)
722 movups $inout4,0x40($out)
723 movups $inout5,0x50($out)
724 movups $inout6,0x60($out)
725 movups $inout7,0x70($out)
726 lea 0x80($out),$out
727 add \$0x80,$len
318 jz .Lecb_ret 728 jz .Lecb_ret
319 729
320 cmp \$0x10,$len 730.Lecb_dec_tail:
321 movups ($inp),$inout0 731 movups ($inp),$inout0
322 je .Lecb_dec_one
323 cmp \$0x20,$len 732 cmp \$0x20,$len
733 jb .Lecb_dec_one
324 movups 0x10($inp),$inout1 734 movups 0x10($inp),$inout1
325 je .Lecb_dec_two 735 je .Lecb_dec_two
326 cmp \$0x30,$len
327 movups 0x20($inp),$inout2 736 movups 0x20($inp),$inout2
328 je .Lecb_dec_three 737 cmp \$0x40,$len
738 jb .Lecb_dec_three
329 movups 0x30($inp),$inout3 739 movups 0x30($inp),$inout3
330 call _aesni_decrypt4 740 je .Lecb_dec_four
741 movups 0x40($inp),$inout4
742 cmp \$0x60,$len
743 jb .Lecb_dec_five
744 movups 0x50($inp),$inout5
745 je .Lecb_dec_six
746 movups 0x60($inp),$inout6
747 $movkey ($key),$rndkey0
748 call _aesni_decrypt8
331 movups $inout0,($out) 749 movups $inout0,($out)
332 movups $inout1,0x10($out) 750 movups $inout1,0x10($out)
333 movups $inout2,0x20($out) 751 movups $inout2,0x20($out)
334 movups $inout3,0x30($out) 752 movups $inout3,0x30($out)
753 movups $inout4,0x40($out)
754 movups $inout5,0x50($out)
755 movups $inout6,0x60($out)
335 jmp .Lecb_ret 756 jmp .Lecb_ret
336.align 16 757.align 16
337.Lecb_dec_one: 758.Lecb_dec_one:
@@ -342,6 +763,7 @@ $code.=<<___;
342 jmp .Lecb_ret 763 jmp .Lecb_ret
343.align 16 764.align 16
344.Lecb_dec_two: 765.Lecb_dec_two:
766 xorps $inout2,$inout2
345 call _aesni_decrypt3 767 call _aesni_decrypt3
346 movups $inout0,($out) 768 movups $inout0,($out)
347 movups $inout1,0x10($out) 769 movups $inout1,0x10($out)
@@ -352,17 +774,1353 @@ $code.=<<___;
352 movups $inout0,($out) 774 movups $inout0,($out)
353 movups $inout1,0x10($out) 775 movups $inout1,0x10($out)
354 movups $inout2,0x20($out) 776 movups $inout2,0x20($out)
777 jmp .Lecb_ret
778.align 16
779.Lecb_dec_four:
780 call _aesni_decrypt4
781 movups $inout0,($out)
782 movups $inout1,0x10($out)
783 movups $inout2,0x20($out)
784 movups $inout3,0x30($out)
785 jmp .Lecb_ret
786.align 16
787.Lecb_dec_five:
788 xorps $inout5,$inout5
789 call _aesni_decrypt6
790 movups $inout0,($out)
791 movups $inout1,0x10($out)
792 movups $inout2,0x20($out)
793 movups $inout3,0x30($out)
794 movups $inout4,0x40($out)
795 jmp .Lecb_ret
796.align 16
797.Lecb_dec_six:
798 call _aesni_decrypt6
799 movups $inout0,($out)
800 movups $inout1,0x10($out)
801 movups $inout2,0x20($out)
802 movups $inout3,0x30($out)
803 movups $inout4,0x40($out)
804 movups $inout5,0x50($out)
355 805
356.Lecb_ret: 806.Lecb_ret:
357 ret 807 ret
358.size aesni_ecb_encrypt,.-aesni_ecb_encrypt 808.size aesni_ecb_encrypt,.-aesni_ecb_encrypt
359___ 809___
810
811{
812######################################################################
813# void aesni_ccm64_[en|de]crypt_blocks (const void *in, void *out,
814# size_t blocks, const AES_KEY *key,
815# const char *ivec,char *cmac);
816#
817# Handles only complete blocks, operates on 64-bit counter and
818# does not update *ivec! Nor does it finalize CMAC value
819# (see engine/eng_aesni.c for details)
820#
821{
822my $cmac="%r9"; # 6th argument
823
824my $increment="%xmm6";
825my $bswap_mask="%xmm7";
826
827$code.=<<___;
828.globl aesni_ccm64_encrypt_blocks
829.type aesni_ccm64_encrypt_blocks,\@function,6
830.align 16
831aesni_ccm64_encrypt_blocks:
832___
833$code.=<<___ if ($win64);
834 lea -0x58(%rsp),%rsp
835 movaps %xmm6,(%rsp)
836 movaps %xmm7,0x10(%rsp)
837 movaps %xmm8,0x20(%rsp)
838 movaps %xmm9,0x30(%rsp)
839.Lccm64_enc_body:
840___
841$code.=<<___;
842 mov 240($key),$rounds # key->rounds
843 movdqu ($ivp),$iv
844 movdqa .Lincrement64(%rip),$increment
845 movdqa .Lbswap_mask(%rip),$bswap_mask
846
847 shr \$1,$rounds
848 lea 0($key),$key_
849 movdqu ($cmac),$inout1
850 movdqa $iv,$inout0
851 mov $rounds,$rnds_
852 pshufb $bswap_mask,$iv
853 jmp .Lccm64_enc_outer
854.align 16
855.Lccm64_enc_outer:
856 $movkey ($key_),$rndkey0
857 mov $rnds_,$rounds
858 movups ($inp),$in0 # load inp
859
860 xorps $rndkey0,$inout0 # counter
861 $movkey 16($key_),$rndkey1
862 xorps $in0,$rndkey0
863 lea 32($key_),$key
864 xorps $rndkey0,$inout1 # cmac^=inp
865 $movkey ($key),$rndkey0
866
867.Lccm64_enc2_loop:
868 aesenc $rndkey1,$inout0
869 dec $rounds
870 aesenc $rndkey1,$inout1
871 $movkey 16($key),$rndkey1
872 aesenc $rndkey0,$inout0
873 lea 32($key),$key
874 aesenc $rndkey0,$inout1
875 $movkey 0($key),$rndkey0
876 jnz .Lccm64_enc2_loop
877 aesenc $rndkey1,$inout0
878 aesenc $rndkey1,$inout1
879 paddq $increment,$iv
880 aesenclast $rndkey0,$inout0
881 aesenclast $rndkey0,$inout1
882
883 dec $len
884 lea 16($inp),$inp
885 xorps $inout0,$in0 # inp ^= E(iv)
886 movdqa $iv,$inout0
887 movups $in0,($out) # save output
888 lea 16($out),$out
889 pshufb $bswap_mask,$inout0
890 jnz .Lccm64_enc_outer
891
892 movups $inout1,($cmac)
893___
894$code.=<<___ if ($win64);
895 movaps (%rsp),%xmm6
896 movaps 0x10(%rsp),%xmm7
897 movaps 0x20(%rsp),%xmm8
898 movaps 0x30(%rsp),%xmm9
899 lea 0x58(%rsp),%rsp
900.Lccm64_enc_ret:
901___
902$code.=<<___;
903 ret
904.size aesni_ccm64_encrypt_blocks,.-aesni_ccm64_encrypt_blocks
905___
906######################################################################
907$code.=<<___;
908.globl aesni_ccm64_decrypt_blocks
909.type aesni_ccm64_decrypt_blocks,\@function,6
910.align 16
911aesni_ccm64_decrypt_blocks:
912___
913$code.=<<___ if ($win64);
914 lea -0x58(%rsp),%rsp
915 movaps %xmm6,(%rsp)
916 movaps %xmm7,0x10(%rsp)
917 movaps %xmm8,0x20(%rsp)
918 movaps %xmm9,0x30(%rsp)
919.Lccm64_dec_body:
920___
921$code.=<<___;
922 mov 240($key),$rounds # key->rounds
923 movups ($ivp),$iv
924 movdqu ($cmac),$inout1
925 movdqa .Lincrement64(%rip),$increment
926 movdqa .Lbswap_mask(%rip),$bswap_mask
927
928 movaps $iv,$inout0
929 mov $rounds,$rnds_
930 mov $key,$key_
931 pshufb $bswap_mask,$iv
932___
933 &aesni_generate1("enc",$key,$rounds);
934$code.=<<___;
935 movups ($inp),$in0 # load inp
936 paddq $increment,$iv
937 lea 16($inp),$inp
938 jmp .Lccm64_dec_outer
939.align 16
940.Lccm64_dec_outer:
941 xorps $inout0,$in0 # inp ^= E(iv)
942 movdqa $iv,$inout0
943 mov $rnds_,$rounds
944 movups $in0,($out) # save output
945 lea 16($out),$out
946 pshufb $bswap_mask,$inout0
947
948 sub \$1,$len
949 jz .Lccm64_dec_break
950
951 $movkey ($key_),$rndkey0
952 shr \$1,$rounds
953 $movkey 16($key_),$rndkey1
954 xorps $rndkey0,$in0
955 lea 32($key_),$key
956 xorps $rndkey0,$inout0
957 xorps $in0,$inout1 # cmac^=out
958 $movkey ($key),$rndkey0
959
960.Lccm64_dec2_loop:
961 aesenc $rndkey1,$inout0
962 dec $rounds
963 aesenc $rndkey1,$inout1
964 $movkey 16($key),$rndkey1
965 aesenc $rndkey0,$inout0
966 lea 32($key),$key
967 aesenc $rndkey0,$inout1
968 $movkey 0($key),$rndkey0
969 jnz .Lccm64_dec2_loop
970 movups ($inp),$in0 # load inp
971 paddq $increment,$iv
972 aesenc $rndkey1,$inout0
973 aesenc $rndkey1,$inout1
974 lea 16($inp),$inp
975 aesenclast $rndkey0,$inout0
976 aesenclast $rndkey0,$inout1
977 jmp .Lccm64_dec_outer
978
979.align 16
980.Lccm64_dec_break:
981 #xorps $in0,$inout1 # cmac^=out
982___
983 &aesni_generate1("enc",$key_,$rounds,$inout1,$in0);
984$code.=<<___;
985 movups $inout1,($cmac)
986___
987$code.=<<___ if ($win64);
988 movaps (%rsp),%xmm6
989 movaps 0x10(%rsp),%xmm7
990 movaps 0x20(%rsp),%xmm8
991 movaps 0x30(%rsp),%xmm9
992 lea 0x58(%rsp),%rsp
993.Lccm64_dec_ret:
994___
995$code.=<<___;
996 ret
997.size aesni_ccm64_decrypt_blocks,.-aesni_ccm64_decrypt_blocks
998___
999}
1000######################################################################
1001# void aesni_ctr32_encrypt_blocks (const void *in, void *out,
1002# size_t blocks, const AES_KEY *key,
1003# const char *ivec);
1004#
1005# Handles only complete blocks, operates on 32-bit counter and
1006# does not update *ivec! (see engine/eng_aesni.c for details)
1007#
1008{
1009my $reserved = $win64?0:-0x28;
1010my ($in0,$in1,$in2,$in3)=map("%xmm$_",(8..11));
1011my ($iv0,$iv1,$ivec)=("%xmm12","%xmm13","%xmm14");
1012my $bswap_mask="%xmm15";
1013
1014$code.=<<___;
1015.globl aesni_ctr32_encrypt_blocks
1016.type aesni_ctr32_encrypt_blocks,\@function,5
1017.align 16
1018aesni_ctr32_encrypt_blocks:
1019___
1020$code.=<<___ if ($win64);
1021 lea -0xc8(%rsp),%rsp
1022 movaps %xmm6,0x20(%rsp)
1023 movaps %xmm7,0x30(%rsp)
1024 movaps %xmm8,0x40(%rsp)
1025 movaps %xmm9,0x50(%rsp)
1026 movaps %xmm10,0x60(%rsp)
1027 movaps %xmm11,0x70(%rsp)
1028 movaps %xmm12,0x80(%rsp)
1029 movaps %xmm13,0x90(%rsp)
1030 movaps %xmm14,0xa0(%rsp)
1031 movaps %xmm15,0xb0(%rsp)
1032.Lctr32_body:
1033___
1034$code.=<<___;
1035 cmp \$1,$len
1036 je .Lctr32_one_shortcut
1037
1038 movdqu ($ivp),$ivec
1039 movdqa .Lbswap_mask(%rip),$bswap_mask
1040 xor $rounds,$rounds
1041 pextrd \$3,$ivec,$rnds_ # pull 32-bit counter
1042 pinsrd \$3,$rounds,$ivec # wipe 32-bit counter
1043
1044 mov 240($key),$rounds # key->rounds
1045 bswap $rnds_
1046 pxor $iv0,$iv0 # vector of 3 32-bit counters
1047 pxor $iv1,$iv1 # vector of 3 32-bit counters
1048 pinsrd \$0,$rnds_,$iv0
1049 lea 3($rnds_),$key_
1050 pinsrd \$0,$key_,$iv1
1051 inc $rnds_
1052 pinsrd \$1,$rnds_,$iv0
1053 inc $key_
1054 pinsrd \$1,$key_,$iv1
1055 inc $rnds_
1056 pinsrd \$2,$rnds_,$iv0
1057 inc $key_
1058 pinsrd \$2,$key_,$iv1
1059 movdqa $iv0,$reserved(%rsp)
1060 pshufb $bswap_mask,$iv0
1061 movdqa $iv1,`$reserved+0x10`(%rsp)
1062 pshufb $bswap_mask,$iv1
1063
1064 pshufd \$`3<<6`,$iv0,$inout0 # place counter to upper dword
1065 pshufd \$`2<<6`,$iv0,$inout1
1066 pshufd \$`1<<6`,$iv0,$inout2
1067 cmp \$6,$len
1068 jb .Lctr32_tail
1069 shr \$1,$rounds
1070 mov $key,$key_ # backup $key
1071 mov $rounds,$rnds_ # backup $rounds
1072 sub \$6,$len
1073 jmp .Lctr32_loop6
1074
1075.align 16
1076.Lctr32_loop6:
1077 pshufd \$`3<<6`,$iv1,$inout3
1078 por $ivec,$inout0 # merge counter-less ivec
1079 $movkey ($key_),$rndkey0
1080 pshufd \$`2<<6`,$iv1,$inout4
1081 por $ivec,$inout1
1082 $movkey 16($key_),$rndkey1
1083 pshufd \$`1<<6`,$iv1,$inout5
1084 por $ivec,$inout2
1085 por $ivec,$inout3
1086 xorps $rndkey0,$inout0
1087 por $ivec,$inout4
1088 por $ivec,$inout5
1089
1090 # inline _aesni_encrypt6 and interleave last rounds
1091 # with own code...
1092
1093 pxor $rndkey0,$inout1
1094 aesenc $rndkey1,$inout0
1095 lea 32($key_),$key
1096 pxor $rndkey0,$inout2
1097 aesenc $rndkey1,$inout1
1098 movdqa .Lincrement32(%rip),$iv1
1099 pxor $rndkey0,$inout3
1100 aesenc $rndkey1,$inout2
1101 movdqa $reserved(%rsp),$iv0
1102 pxor $rndkey0,$inout4
1103 aesenc $rndkey1,$inout3
1104 pxor $rndkey0,$inout5
1105 $movkey ($key),$rndkey0
1106 dec $rounds
1107 aesenc $rndkey1,$inout4
1108 aesenc $rndkey1,$inout5
1109 jmp .Lctr32_enc_loop6_enter
1110.align 16
1111.Lctr32_enc_loop6:
1112 aesenc $rndkey1,$inout0
1113 aesenc $rndkey1,$inout1
1114 dec $rounds
1115 aesenc $rndkey1,$inout2
1116 aesenc $rndkey1,$inout3
1117 aesenc $rndkey1,$inout4
1118 aesenc $rndkey1,$inout5
1119.Lctr32_enc_loop6_enter:
1120 $movkey 16($key),$rndkey1
1121 aesenc $rndkey0,$inout0
1122 aesenc $rndkey0,$inout1
1123 lea 32($key),$key
1124 aesenc $rndkey0,$inout2
1125 aesenc $rndkey0,$inout3
1126 aesenc $rndkey0,$inout4
1127 aesenc $rndkey0,$inout5
1128 $movkey ($key),$rndkey0
1129 jnz .Lctr32_enc_loop6
1130
1131 aesenc $rndkey1,$inout0
1132 paddd $iv1,$iv0 # increment counter vector
1133 aesenc $rndkey1,$inout1
1134 paddd `$reserved+0x10`(%rsp),$iv1
1135 aesenc $rndkey1,$inout2
1136 movdqa $iv0,$reserved(%rsp) # save counter vector
1137 aesenc $rndkey1,$inout3
1138 movdqa $iv1,`$reserved+0x10`(%rsp)
1139 aesenc $rndkey1,$inout4
1140 pshufb $bswap_mask,$iv0 # byte swap
1141 aesenc $rndkey1,$inout5
1142 pshufb $bswap_mask,$iv1
1143
1144 aesenclast $rndkey0,$inout0
1145 movups ($inp),$in0 # load input
1146 aesenclast $rndkey0,$inout1
1147 movups 0x10($inp),$in1
1148 aesenclast $rndkey0,$inout2
1149 movups 0x20($inp),$in2
1150 aesenclast $rndkey0,$inout3
1151 movups 0x30($inp),$in3
1152 aesenclast $rndkey0,$inout4
1153 movups 0x40($inp),$rndkey1
1154 aesenclast $rndkey0,$inout5
1155 movups 0x50($inp),$rndkey0
1156 lea 0x60($inp),$inp
1157
1158 xorps $inout0,$in0 # xor
1159 pshufd \$`3<<6`,$iv0,$inout0
1160 xorps $inout1,$in1
1161 pshufd \$`2<<6`,$iv0,$inout1
1162 movups $in0,($out) # store output
1163 xorps $inout2,$in2
1164 pshufd \$`1<<6`,$iv0,$inout2
1165 movups $in1,0x10($out)
1166 xorps $inout3,$in3
1167 movups $in2,0x20($out)
1168 xorps $inout4,$rndkey1
1169 movups $in3,0x30($out)
1170 xorps $inout5,$rndkey0
1171 movups $rndkey1,0x40($out)
1172 movups $rndkey0,0x50($out)
1173 lea 0x60($out),$out
1174 mov $rnds_,$rounds
1175 sub \$6,$len
1176 jnc .Lctr32_loop6
1177
1178 add \$6,$len
1179 jz .Lctr32_done
1180 mov $key_,$key # restore $key
1181 lea 1($rounds,$rounds),$rounds # restore original value
1182
1183.Lctr32_tail:
1184 por $ivec,$inout0
1185 movups ($inp),$in0
1186 cmp \$2,$len
1187 jb .Lctr32_one
1188
1189 por $ivec,$inout1
1190 movups 0x10($inp),$in1
1191 je .Lctr32_two
1192
1193 pshufd \$`3<<6`,$iv1,$inout3
1194 por $ivec,$inout2
1195 movups 0x20($inp),$in2
1196 cmp \$4,$len
1197 jb .Lctr32_three
1198
1199 pshufd \$`2<<6`,$iv1,$inout4
1200 por $ivec,$inout3
1201 movups 0x30($inp),$in3
1202 je .Lctr32_four
1203
1204 por $ivec,$inout4
1205 xorps $inout5,$inout5
1206
1207 call _aesni_encrypt6
1208
1209 movups 0x40($inp),$rndkey1
1210 xorps $inout0,$in0
1211 xorps $inout1,$in1
1212 movups $in0,($out)
1213 xorps $inout2,$in2
1214 movups $in1,0x10($out)
1215 xorps $inout3,$in3
1216 movups $in2,0x20($out)
1217 xorps $inout4,$rndkey1
1218 movups $in3,0x30($out)
1219 movups $rndkey1,0x40($out)
1220 jmp .Lctr32_done
1221
1222.align 16
1223.Lctr32_one_shortcut:
1224 movups ($ivp),$inout0
1225 movups ($inp),$in0
1226 mov 240($key),$rounds # key->rounds
1227.Lctr32_one:
1228___
1229 &aesni_generate1("enc",$key,$rounds);
1230$code.=<<___;
1231 xorps $inout0,$in0
1232 movups $in0,($out)
1233 jmp .Lctr32_done
1234
1235.align 16
1236.Lctr32_two:
1237 xorps $inout2,$inout2
1238 call _aesni_encrypt3
1239 xorps $inout0,$in0
1240 xorps $inout1,$in1
1241 movups $in0,($out)
1242 movups $in1,0x10($out)
1243 jmp .Lctr32_done
1244
1245.align 16
1246.Lctr32_three:
1247 call _aesni_encrypt3
1248 xorps $inout0,$in0
1249 xorps $inout1,$in1
1250 movups $in0,($out)
1251 xorps $inout2,$in2
1252 movups $in1,0x10($out)
1253 movups $in2,0x20($out)
1254 jmp .Lctr32_done
1255
1256.align 16
1257.Lctr32_four:
1258 call _aesni_encrypt4
1259 xorps $inout0,$in0
1260 xorps $inout1,$in1
1261 movups $in0,($out)
1262 xorps $inout2,$in2
1263 movups $in1,0x10($out)
1264 xorps $inout3,$in3
1265 movups $in2,0x20($out)
1266 movups $in3,0x30($out)
1267
1268.Lctr32_done:
1269___
1270$code.=<<___ if ($win64);
1271 movaps 0x20(%rsp),%xmm6
1272 movaps 0x30(%rsp),%xmm7
1273 movaps 0x40(%rsp),%xmm8
1274 movaps 0x50(%rsp),%xmm9
1275 movaps 0x60(%rsp),%xmm10
1276 movaps 0x70(%rsp),%xmm11
1277 movaps 0x80(%rsp),%xmm12
1278 movaps 0x90(%rsp),%xmm13
1279 movaps 0xa0(%rsp),%xmm14
1280 movaps 0xb0(%rsp),%xmm15
1281 lea 0xc8(%rsp),%rsp
1282.Lctr32_ret:
1283___
1284$code.=<<___;
1285 ret
1286.size aesni_ctr32_encrypt_blocks,.-aesni_ctr32_encrypt_blocks
1287___
360} 1288}
361 1289
1290######################################################################
1291# void aesni_xts_[en|de]crypt(const char *inp,char *out,size_t len,
1292# const AES_KEY *key1, const AES_KEY *key2
1293# const unsigned char iv[16]);
1294#
1295{
1296my @tweak=map("%xmm$_",(10..15));
1297my ($twmask,$twres,$twtmp)=("%xmm8","%xmm9",@tweak[4]);
1298my ($key2,$ivp,$len_)=("%r8","%r9","%r9");
1299my $frame_size = 0x68 + ($win64?160:0);
1300
1301$code.=<<___;
1302.globl aesni_xts_encrypt
1303.type aesni_xts_encrypt,\@function,6
1304.align 16
1305aesni_xts_encrypt:
1306 lea -$frame_size(%rsp),%rsp
1307___
1308$code.=<<___ if ($win64);
1309 movaps %xmm6,0x60(%rsp)
1310 movaps %xmm7,0x70(%rsp)
1311 movaps %xmm8,0x80(%rsp)
1312 movaps %xmm9,0x90(%rsp)
1313 movaps %xmm10,0xa0(%rsp)
1314 movaps %xmm11,0xb0(%rsp)
1315 movaps %xmm12,0xc0(%rsp)
1316 movaps %xmm13,0xd0(%rsp)
1317 movaps %xmm14,0xe0(%rsp)
1318 movaps %xmm15,0xf0(%rsp)
1319.Lxts_enc_body:
1320___
1321$code.=<<___;
1322 movups ($ivp),@tweak[5] # load clear-text tweak
1323 mov 240(%r8),$rounds # key2->rounds
1324 mov 240($key),$rnds_ # key1->rounds
1325___
1326 # generate the tweak
1327 &aesni_generate1("enc",$key2,$rounds,@tweak[5]);
1328$code.=<<___;
1329 mov $key,$key_ # backup $key
1330 mov $rnds_,$rounds # backup $rounds
1331 mov $len,$len_ # backup $len
1332 and \$-16,$len
1333
1334 movdqa .Lxts_magic(%rip),$twmask
1335 pxor $twtmp,$twtmp
1336 pcmpgtd @tweak[5],$twtmp # broadcast upper bits
1337___
1338 for ($i=0;$i<4;$i++) {
1339 $code.=<<___;
1340 pshufd \$0x13,$twtmp,$twres
1341 pxor $twtmp,$twtmp
1342 movdqa @tweak[5],@tweak[$i]
1343 paddq @tweak[5],@tweak[5] # psllq 1,$tweak
1344 pand $twmask,$twres # isolate carry and residue
1345 pcmpgtd @tweak[5],$twtmp # broadcat upper bits
1346 pxor $twres,@tweak[5]
1347___
1348 }
1349$code.=<<___;
1350 sub \$16*6,$len
1351 jc .Lxts_enc_short
1352
1353 shr \$1,$rounds
1354 sub \$1,$rounds
1355 mov $rounds,$rnds_
1356 jmp .Lxts_enc_grandloop
1357
1358.align 16
1359.Lxts_enc_grandloop:
1360 pshufd \$0x13,$twtmp,$twres
1361 movdqa @tweak[5],@tweak[4]
1362 paddq @tweak[5],@tweak[5] # psllq 1,$tweak
1363 movdqu `16*0`($inp),$inout0 # load input
1364 pand $twmask,$twres # isolate carry and residue
1365 movdqu `16*1`($inp),$inout1
1366 pxor $twres,@tweak[5]
1367
1368 movdqu `16*2`($inp),$inout2
1369 pxor @tweak[0],$inout0 # input^=tweak
1370 movdqu `16*3`($inp),$inout3
1371 pxor @tweak[1],$inout1
1372 movdqu `16*4`($inp),$inout4
1373 pxor @tweak[2],$inout2
1374 movdqu `16*5`($inp),$inout5
1375 lea `16*6`($inp),$inp
1376 pxor @tweak[3],$inout3
1377 $movkey ($key_),$rndkey0
1378 pxor @tweak[4],$inout4
1379 pxor @tweak[5],$inout5
1380
1381 # inline _aesni_encrypt6 and interleave first and last rounds
1382 # with own code...
1383 $movkey 16($key_),$rndkey1
1384 pxor $rndkey0,$inout0
1385 pxor $rndkey0,$inout1
1386 movdqa @tweak[0],`16*0`(%rsp) # put aside tweaks
1387 aesenc $rndkey1,$inout0
1388 lea 32($key_),$key
1389 pxor $rndkey0,$inout2
1390 movdqa @tweak[1],`16*1`(%rsp)
1391 aesenc $rndkey1,$inout1
1392 pxor $rndkey0,$inout3
1393 movdqa @tweak[2],`16*2`(%rsp)
1394 aesenc $rndkey1,$inout2
1395 pxor $rndkey0,$inout4
1396 movdqa @tweak[3],`16*3`(%rsp)
1397 aesenc $rndkey1,$inout3
1398 pxor $rndkey0,$inout5
1399 $movkey ($key),$rndkey0
1400 dec $rounds
1401 movdqa @tweak[4],`16*4`(%rsp)
1402 aesenc $rndkey1,$inout4
1403 movdqa @tweak[5],`16*5`(%rsp)
1404 aesenc $rndkey1,$inout5
1405 pxor $twtmp,$twtmp
1406 pcmpgtd @tweak[5],$twtmp
1407 jmp .Lxts_enc_loop6_enter
1408
1409.align 16
1410.Lxts_enc_loop6:
1411 aesenc $rndkey1,$inout0
1412 aesenc $rndkey1,$inout1
1413 dec $rounds
1414 aesenc $rndkey1,$inout2
1415 aesenc $rndkey1,$inout3
1416 aesenc $rndkey1,$inout4
1417 aesenc $rndkey1,$inout5
1418.Lxts_enc_loop6_enter:
1419 $movkey 16($key),$rndkey1
1420 aesenc $rndkey0,$inout0
1421 aesenc $rndkey0,$inout1
1422 lea 32($key),$key
1423 aesenc $rndkey0,$inout2
1424 aesenc $rndkey0,$inout3
1425 aesenc $rndkey0,$inout4
1426 aesenc $rndkey0,$inout5
1427 $movkey ($key),$rndkey0
1428 jnz .Lxts_enc_loop6
1429
1430 pshufd \$0x13,$twtmp,$twres
1431 pxor $twtmp,$twtmp
1432 paddq @tweak[5],@tweak[5] # psllq 1,$tweak
1433 aesenc $rndkey1,$inout0
1434 pand $twmask,$twres # isolate carry and residue
1435 aesenc $rndkey1,$inout1
1436 pcmpgtd @tweak[5],$twtmp # broadcast upper bits
1437 aesenc $rndkey1,$inout2
1438 pxor $twres,@tweak[5]
1439 aesenc $rndkey1,$inout3
1440 aesenc $rndkey1,$inout4
1441 aesenc $rndkey1,$inout5
1442 $movkey 16($key),$rndkey1
1443
1444 pshufd \$0x13,$twtmp,$twres
1445 pxor $twtmp,$twtmp
1446 movdqa @tweak[5],@tweak[0]
1447 paddq @tweak[5],@tweak[5] # psllq 1,$tweak
1448 aesenc $rndkey0,$inout0
1449 pand $twmask,$twres # isolate carry and residue
1450 aesenc $rndkey0,$inout1
1451 pcmpgtd @tweak[5],$twtmp # broadcat upper bits
1452 aesenc $rndkey0,$inout2
1453 pxor $twres,@tweak[5]
1454 aesenc $rndkey0,$inout3
1455 aesenc $rndkey0,$inout4
1456 aesenc $rndkey0,$inout5
1457 $movkey 32($key),$rndkey0
1458
1459 pshufd \$0x13,$twtmp,$twres
1460 pxor $twtmp,$twtmp
1461 movdqa @tweak[5],@tweak[1]
1462 paddq @tweak[5],@tweak[5] # psllq 1,$tweak
1463 aesenc $rndkey1,$inout0
1464 pand $twmask,$twres # isolate carry and residue
1465 aesenc $rndkey1,$inout1
1466 pcmpgtd @tweak[5],$twtmp # broadcat upper bits
1467 aesenc $rndkey1,$inout2
1468 pxor $twres,@tweak[5]
1469 aesenc $rndkey1,$inout3
1470 aesenc $rndkey1,$inout4
1471 aesenc $rndkey1,$inout5
1472
1473 pshufd \$0x13,$twtmp,$twres
1474 pxor $twtmp,$twtmp
1475 movdqa @tweak[5],@tweak[2]
1476 paddq @tweak[5],@tweak[5] # psllq 1,$tweak
1477 aesenclast $rndkey0,$inout0
1478 pand $twmask,$twres # isolate carry and residue
1479 aesenclast $rndkey0,$inout1
1480 pcmpgtd @tweak[5],$twtmp # broadcat upper bits
1481 aesenclast $rndkey0,$inout2
1482 pxor $twres,@tweak[5]
1483 aesenclast $rndkey0,$inout3
1484 aesenclast $rndkey0,$inout4
1485 aesenclast $rndkey0,$inout5
1486
1487 pshufd \$0x13,$twtmp,$twres
1488 pxor $twtmp,$twtmp
1489 movdqa @tweak[5],@tweak[3]
1490 paddq @tweak[5],@tweak[5] # psllq 1,$tweak
1491 xorps `16*0`(%rsp),$inout0 # output^=tweak
1492 pand $twmask,$twres # isolate carry and residue
1493 xorps `16*1`(%rsp),$inout1
1494 pcmpgtd @tweak[5],$twtmp # broadcat upper bits
1495 pxor $twres,@tweak[5]
1496
1497 xorps `16*2`(%rsp),$inout2
1498 movups $inout0,`16*0`($out) # write output
1499 xorps `16*3`(%rsp),$inout3
1500 movups $inout1,`16*1`($out)
1501 xorps `16*4`(%rsp),$inout4
1502 movups $inout2,`16*2`($out)
1503 xorps `16*5`(%rsp),$inout5
1504 movups $inout3,`16*3`($out)
1505 mov $rnds_,$rounds # restore $rounds
1506 movups $inout4,`16*4`($out)
1507 movups $inout5,`16*5`($out)
1508 lea `16*6`($out),$out
1509 sub \$16*6,$len
1510 jnc .Lxts_enc_grandloop
1511
1512 lea 3($rounds,$rounds),$rounds # restore original value
1513 mov $key_,$key # restore $key
1514 mov $rounds,$rnds_ # backup $rounds
1515
1516.Lxts_enc_short:
1517 add \$16*6,$len
1518 jz .Lxts_enc_done
1519
1520 cmp \$0x20,$len
1521 jb .Lxts_enc_one
1522 je .Lxts_enc_two
1523
1524 cmp \$0x40,$len
1525 jb .Lxts_enc_three
1526 je .Lxts_enc_four
1527
1528 pshufd \$0x13,$twtmp,$twres
1529 movdqa @tweak[5],@tweak[4]
1530 paddq @tweak[5],@tweak[5] # psllq 1,$tweak
1531 movdqu ($inp),$inout0
1532 pand $twmask,$twres # isolate carry and residue
1533 movdqu 16*1($inp),$inout1
1534 pxor $twres,@tweak[5]
1535
1536 movdqu 16*2($inp),$inout2
1537 pxor @tweak[0],$inout0
1538 movdqu 16*3($inp),$inout3
1539 pxor @tweak[1],$inout1
1540 movdqu 16*4($inp),$inout4
1541 lea 16*5($inp),$inp
1542 pxor @tweak[2],$inout2
1543 pxor @tweak[3],$inout3
1544 pxor @tweak[4],$inout4
1545
1546 call _aesni_encrypt6
1547
1548 xorps @tweak[0],$inout0
1549 movdqa @tweak[5],@tweak[0]
1550 xorps @tweak[1],$inout1
1551 xorps @tweak[2],$inout2
1552 movdqu $inout0,($out)
1553 xorps @tweak[3],$inout3
1554 movdqu $inout1,16*1($out)
1555 xorps @tweak[4],$inout4
1556 movdqu $inout2,16*2($out)
1557 movdqu $inout3,16*3($out)
1558 movdqu $inout4,16*4($out)
1559 lea 16*5($out),$out
1560 jmp .Lxts_enc_done
1561
1562.align 16
1563.Lxts_enc_one:
1564 movups ($inp),$inout0
1565 lea 16*1($inp),$inp
1566 xorps @tweak[0],$inout0
1567___
1568 &aesni_generate1("enc",$key,$rounds);
1569$code.=<<___;
1570 xorps @tweak[0],$inout0
1571 movdqa @tweak[1],@tweak[0]
1572 movups $inout0,($out)
1573 lea 16*1($out),$out
1574 jmp .Lxts_enc_done
1575
1576.align 16
1577.Lxts_enc_two:
1578 movups ($inp),$inout0
1579 movups 16($inp),$inout1
1580 lea 32($inp),$inp
1581 xorps @tweak[0],$inout0
1582 xorps @tweak[1],$inout1
1583
1584 call _aesni_encrypt3
1585
1586 xorps @tweak[0],$inout0
1587 movdqa @tweak[2],@tweak[0]
1588 xorps @tweak[1],$inout1
1589 movups $inout0,($out)
1590 movups $inout1,16*1($out)
1591 lea 16*2($out),$out
1592 jmp .Lxts_enc_done
1593
1594.align 16
1595.Lxts_enc_three:
1596 movups ($inp),$inout0
1597 movups 16*1($inp),$inout1
1598 movups 16*2($inp),$inout2
1599 lea 16*3($inp),$inp
1600 xorps @tweak[0],$inout0
1601 xorps @tweak[1],$inout1
1602 xorps @tweak[2],$inout2
1603
1604 call _aesni_encrypt3
1605
1606 xorps @tweak[0],$inout0
1607 movdqa @tweak[3],@tweak[0]
1608 xorps @tweak[1],$inout1
1609 xorps @tweak[2],$inout2
1610 movups $inout0,($out)
1611 movups $inout1,16*1($out)
1612 movups $inout2,16*2($out)
1613 lea 16*3($out),$out
1614 jmp .Lxts_enc_done
1615
1616.align 16
1617.Lxts_enc_four:
1618 movups ($inp),$inout0
1619 movups 16*1($inp),$inout1
1620 movups 16*2($inp),$inout2
1621 xorps @tweak[0],$inout0
1622 movups 16*3($inp),$inout3
1623 lea 16*4($inp),$inp
1624 xorps @tweak[1],$inout1
1625 xorps @tweak[2],$inout2
1626 xorps @tweak[3],$inout3
1627
1628 call _aesni_encrypt4
1629
1630 xorps @tweak[0],$inout0
1631 movdqa @tweak[5],@tweak[0]
1632 xorps @tweak[1],$inout1
1633 xorps @tweak[2],$inout2
1634 movups $inout0,($out)
1635 xorps @tweak[3],$inout3
1636 movups $inout1,16*1($out)
1637 movups $inout2,16*2($out)
1638 movups $inout3,16*3($out)
1639 lea 16*4($out),$out
1640 jmp .Lxts_enc_done
1641
1642.align 16
1643.Lxts_enc_done:
1644 and \$15,$len_
1645 jz .Lxts_enc_ret
1646 mov $len_,$len
1647
1648.Lxts_enc_steal:
1649 movzb ($inp),%eax # borrow $rounds ...
1650 movzb -16($out),%ecx # ... and $key
1651 lea 1($inp),$inp
1652 mov %al,-16($out)
1653 mov %cl,0($out)
1654 lea 1($out),$out
1655 sub \$1,$len
1656 jnz .Lxts_enc_steal
1657
1658 sub $len_,$out # rewind $out
1659 mov $key_,$key # restore $key
1660 mov $rnds_,$rounds # restore $rounds
1661
1662 movups -16($out),$inout0
1663 xorps @tweak[0],$inout0
1664___
1665 &aesni_generate1("enc",$key,$rounds);
1666$code.=<<___;
1667 xorps @tweak[0],$inout0
1668 movups $inout0,-16($out)
1669
1670.Lxts_enc_ret:
1671___
1672$code.=<<___ if ($win64);
1673 movaps 0x60(%rsp),%xmm6
1674 movaps 0x70(%rsp),%xmm7
1675 movaps 0x80(%rsp),%xmm8
1676 movaps 0x90(%rsp),%xmm9
1677 movaps 0xa0(%rsp),%xmm10
1678 movaps 0xb0(%rsp),%xmm11
1679 movaps 0xc0(%rsp),%xmm12
1680 movaps 0xd0(%rsp),%xmm13
1681 movaps 0xe0(%rsp),%xmm14
1682 movaps 0xf0(%rsp),%xmm15
1683___
1684$code.=<<___;
1685 lea $frame_size(%rsp),%rsp
1686.Lxts_enc_epilogue:
1687 ret
1688.size aesni_xts_encrypt,.-aesni_xts_encrypt
1689___
1690
1691$code.=<<___;
1692.globl aesni_xts_decrypt
1693.type aesni_xts_decrypt,\@function,6
1694.align 16
1695aesni_xts_decrypt:
1696 lea -$frame_size(%rsp),%rsp
1697___
1698$code.=<<___ if ($win64);
1699 movaps %xmm6,0x60(%rsp)
1700 movaps %xmm7,0x70(%rsp)
1701 movaps %xmm8,0x80(%rsp)
1702 movaps %xmm9,0x90(%rsp)
1703 movaps %xmm10,0xa0(%rsp)
1704 movaps %xmm11,0xb0(%rsp)
1705 movaps %xmm12,0xc0(%rsp)
1706 movaps %xmm13,0xd0(%rsp)
1707 movaps %xmm14,0xe0(%rsp)
1708 movaps %xmm15,0xf0(%rsp)
1709.Lxts_dec_body:
1710___
1711$code.=<<___;
1712 movups ($ivp),@tweak[5] # load clear-text tweak
1713 mov 240($key2),$rounds # key2->rounds
1714 mov 240($key),$rnds_ # key1->rounds
1715___
1716 # generate the tweak
1717 &aesni_generate1("enc",$key2,$rounds,@tweak[5]);
1718$code.=<<___;
1719 xor %eax,%eax # if ($len%16) len-=16;
1720 test \$15,$len
1721 setnz %al
1722 shl \$4,%rax
1723 sub %rax,$len
1724
1725 mov $key,$key_ # backup $key
1726 mov $rnds_,$rounds # backup $rounds
1727 mov $len,$len_ # backup $len
1728 and \$-16,$len
1729
1730 movdqa .Lxts_magic(%rip),$twmask
1731 pxor $twtmp,$twtmp
1732 pcmpgtd @tweak[5],$twtmp # broadcast upper bits
1733___
1734 for ($i=0;$i<4;$i++) {
1735 $code.=<<___;
1736 pshufd \$0x13,$twtmp,$twres
1737 pxor $twtmp,$twtmp
1738 movdqa @tweak[5],@tweak[$i]
1739 paddq @tweak[5],@tweak[5] # psllq 1,$tweak
1740 pand $twmask,$twres # isolate carry and residue
1741 pcmpgtd @tweak[5],$twtmp # broadcat upper bits
1742 pxor $twres,@tweak[5]
1743___
1744 }
1745$code.=<<___;
1746 sub \$16*6,$len
1747 jc .Lxts_dec_short
1748
1749 shr \$1,$rounds
1750 sub \$1,$rounds
1751 mov $rounds,$rnds_
1752 jmp .Lxts_dec_grandloop
1753
1754.align 16
1755.Lxts_dec_grandloop:
1756 pshufd \$0x13,$twtmp,$twres
1757 movdqa @tweak[5],@tweak[4]
1758 paddq @tweak[5],@tweak[5] # psllq 1,$tweak
1759 movdqu `16*0`($inp),$inout0 # load input
1760 pand $twmask,$twres # isolate carry and residue
1761 movdqu `16*1`($inp),$inout1
1762 pxor $twres,@tweak[5]
1763
1764 movdqu `16*2`($inp),$inout2
1765 pxor @tweak[0],$inout0 # input^=tweak
1766 movdqu `16*3`($inp),$inout3
1767 pxor @tweak[1],$inout1
1768 movdqu `16*4`($inp),$inout4
1769 pxor @tweak[2],$inout2
1770 movdqu `16*5`($inp),$inout5
1771 lea `16*6`($inp),$inp
1772 pxor @tweak[3],$inout3
1773 $movkey ($key_),$rndkey0
1774 pxor @tweak[4],$inout4
1775 pxor @tweak[5],$inout5
1776
1777 # inline _aesni_decrypt6 and interleave first and last rounds
1778 # with own code...
1779 $movkey 16($key_),$rndkey1
1780 pxor $rndkey0,$inout0
1781 pxor $rndkey0,$inout1
1782 movdqa @tweak[0],`16*0`(%rsp) # put aside tweaks
1783 aesdec $rndkey1,$inout0
1784 lea 32($key_),$key
1785 pxor $rndkey0,$inout2
1786 movdqa @tweak[1],`16*1`(%rsp)
1787 aesdec $rndkey1,$inout1
1788 pxor $rndkey0,$inout3
1789 movdqa @tweak[2],`16*2`(%rsp)
1790 aesdec $rndkey1,$inout2
1791 pxor $rndkey0,$inout4
1792 movdqa @tweak[3],`16*3`(%rsp)
1793 aesdec $rndkey1,$inout3
1794 pxor $rndkey0,$inout5
1795 $movkey ($key),$rndkey0
1796 dec $rounds
1797 movdqa @tweak[4],`16*4`(%rsp)
1798 aesdec $rndkey1,$inout4
1799 movdqa @tweak[5],`16*5`(%rsp)
1800 aesdec $rndkey1,$inout5
1801 pxor $twtmp,$twtmp
1802 pcmpgtd @tweak[5],$twtmp
1803 jmp .Lxts_dec_loop6_enter
1804
1805.align 16
1806.Lxts_dec_loop6:
1807 aesdec $rndkey1,$inout0
1808 aesdec $rndkey1,$inout1
1809 dec $rounds
1810 aesdec $rndkey1,$inout2
1811 aesdec $rndkey1,$inout3
1812 aesdec $rndkey1,$inout4
1813 aesdec $rndkey1,$inout5
1814.Lxts_dec_loop6_enter:
1815 $movkey 16($key),$rndkey1
1816 aesdec $rndkey0,$inout0
1817 aesdec $rndkey0,$inout1
1818 lea 32($key),$key
1819 aesdec $rndkey0,$inout2
1820 aesdec $rndkey0,$inout3
1821 aesdec $rndkey0,$inout4
1822 aesdec $rndkey0,$inout5
1823 $movkey ($key),$rndkey0
1824 jnz .Lxts_dec_loop6
1825
1826 pshufd \$0x13,$twtmp,$twres
1827 pxor $twtmp,$twtmp
1828 paddq @tweak[5],@tweak[5] # psllq 1,$tweak
1829 aesdec $rndkey1,$inout0
1830 pand $twmask,$twres # isolate carry and residue
1831 aesdec $rndkey1,$inout1
1832 pcmpgtd @tweak[5],$twtmp # broadcast upper bits
1833 aesdec $rndkey1,$inout2
1834 pxor $twres,@tweak[5]
1835 aesdec $rndkey1,$inout3
1836 aesdec $rndkey1,$inout4
1837 aesdec $rndkey1,$inout5
1838 $movkey 16($key),$rndkey1
1839
1840 pshufd \$0x13,$twtmp,$twres
1841 pxor $twtmp,$twtmp
1842 movdqa @tweak[5],@tweak[0]
1843 paddq @tweak[5],@tweak[5] # psllq 1,$tweak
1844 aesdec $rndkey0,$inout0
1845 pand $twmask,$twres # isolate carry and residue
1846 aesdec $rndkey0,$inout1
1847 pcmpgtd @tweak[5],$twtmp # broadcat upper bits
1848 aesdec $rndkey0,$inout2
1849 pxor $twres,@tweak[5]
1850 aesdec $rndkey0,$inout3
1851 aesdec $rndkey0,$inout4
1852 aesdec $rndkey0,$inout5
1853 $movkey 32($key),$rndkey0
1854
1855 pshufd \$0x13,$twtmp,$twres
1856 pxor $twtmp,$twtmp
1857 movdqa @tweak[5],@tweak[1]
1858 paddq @tweak[5],@tweak[5] # psllq 1,$tweak
1859 aesdec $rndkey1,$inout0
1860 pand $twmask,$twres # isolate carry and residue
1861 aesdec $rndkey1,$inout1
1862 pcmpgtd @tweak[5],$twtmp # broadcat upper bits
1863 aesdec $rndkey1,$inout2
1864 pxor $twres,@tweak[5]
1865 aesdec $rndkey1,$inout3
1866 aesdec $rndkey1,$inout4
1867 aesdec $rndkey1,$inout5
1868
1869 pshufd \$0x13,$twtmp,$twres
1870 pxor $twtmp,$twtmp
1871 movdqa @tweak[5],@tweak[2]
1872 paddq @tweak[5],@tweak[5] # psllq 1,$tweak
1873 aesdeclast $rndkey0,$inout0
1874 pand $twmask,$twres # isolate carry and residue
1875 aesdeclast $rndkey0,$inout1
1876 pcmpgtd @tweak[5],$twtmp # broadcat upper bits
1877 aesdeclast $rndkey0,$inout2
1878 pxor $twres,@tweak[5]
1879 aesdeclast $rndkey0,$inout3
1880 aesdeclast $rndkey0,$inout4
1881 aesdeclast $rndkey0,$inout5
1882
1883 pshufd \$0x13,$twtmp,$twres
1884 pxor $twtmp,$twtmp
1885 movdqa @tweak[5],@tweak[3]
1886 paddq @tweak[5],@tweak[5] # psllq 1,$tweak
1887 xorps `16*0`(%rsp),$inout0 # output^=tweak
1888 pand $twmask,$twres # isolate carry and residue
1889 xorps `16*1`(%rsp),$inout1
1890 pcmpgtd @tweak[5],$twtmp # broadcat upper bits
1891 pxor $twres,@tweak[5]
1892
1893 xorps `16*2`(%rsp),$inout2
1894 movups $inout0,`16*0`($out) # write output
1895 xorps `16*3`(%rsp),$inout3
1896 movups $inout1,`16*1`($out)
1897 xorps `16*4`(%rsp),$inout4
1898 movups $inout2,`16*2`($out)
1899 xorps `16*5`(%rsp),$inout5
1900 movups $inout3,`16*3`($out)
1901 mov $rnds_,$rounds # restore $rounds
1902 movups $inout4,`16*4`($out)
1903 movups $inout5,`16*5`($out)
1904 lea `16*6`($out),$out
1905 sub \$16*6,$len
1906 jnc .Lxts_dec_grandloop
1907
1908 lea 3($rounds,$rounds),$rounds # restore original value
1909 mov $key_,$key # restore $key
1910 mov $rounds,$rnds_ # backup $rounds
1911
1912.Lxts_dec_short:
1913 add \$16*6,$len
1914 jz .Lxts_dec_done
1915
1916 cmp \$0x20,$len
1917 jb .Lxts_dec_one
1918 je .Lxts_dec_two
1919
1920 cmp \$0x40,$len
1921 jb .Lxts_dec_three
1922 je .Lxts_dec_four
1923
1924 pshufd \$0x13,$twtmp,$twres
1925 movdqa @tweak[5],@tweak[4]
1926 paddq @tweak[5],@tweak[5] # psllq 1,$tweak
1927 movdqu ($inp),$inout0
1928 pand $twmask,$twres # isolate carry and residue
1929 movdqu 16*1($inp),$inout1
1930 pxor $twres,@tweak[5]
1931
1932 movdqu 16*2($inp),$inout2
1933 pxor @tweak[0],$inout0
1934 movdqu 16*3($inp),$inout3
1935 pxor @tweak[1],$inout1
1936 movdqu 16*4($inp),$inout4
1937 lea 16*5($inp),$inp
1938 pxor @tweak[2],$inout2
1939 pxor @tweak[3],$inout3
1940 pxor @tweak[4],$inout4
1941
1942 call _aesni_decrypt6
1943
1944 xorps @tweak[0],$inout0
1945 xorps @tweak[1],$inout1
1946 xorps @tweak[2],$inout2
1947 movdqu $inout0,($out)
1948 xorps @tweak[3],$inout3
1949 movdqu $inout1,16*1($out)
1950 xorps @tweak[4],$inout4
1951 movdqu $inout2,16*2($out)
1952 pxor $twtmp,$twtmp
1953 movdqu $inout3,16*3($out)
1954 pcmpgtd @tweak[5],$twtmp
1955 movdqu $inout4,16*4($out)
1956 lea 16*5($out),$out
1957 pshufd \$0x13,$twtmp,@tweak[1] # $twres
1958 and \$15,$len_
1959 jz .Lxts_dec_ret
1960
1961 movdqa @tweak[5],@tweak[0]
1962 paddq @tweak[5],@tweak[5] # psllq 1,$tweak
1963 pand $twmask,@tweak[1] # isolate carry and residue
1964 pxor @tweak[5],@tweak[1]
1965 jmp .Lxts_dec_done2
1966
1967.align 16
1968.Lxts_dec_one:
1969 movups ($inp),$inout0
1970 lea 16*1($inp),$inp
1971 xorps @tweak[0],$inout0
1972___
1973 &aesni_generate1("dec",$key,$rounds);
1974$code.=<<___;
1975 xorps @tweak[0],$inout0
1976 movdqa @tweak[1],@tweak[0]
1977 movups $inout0,($out)
1978 movdqa @tweak[2],@tweak[1]
1979 lea 16*1($out),$out
1980 jmp .Lxts_dec_done
1981
1982.align 16
1983.Lxts_dec_two:
1984 movups ($inp),$inout0
1985 movups 16($inp),$inout1
1986 lea 32($inp),$inp
1987 xorps @tweak[0],$inout0
1988 xorps @tweak[1],$inout1
1989
1990 call _aesni_decrypt3
1991
1992 xorps @tweak[0],$inout0
1993 movdqa @tweak[2],@tweak[0]
1994 xorps @tweak[1],$inout1
1995 movdqa @tweak[3],@tweak[1]
1996 movups $inout0,($out)
1997 movups $inout1,16*1($out)
1998 lea 16*2($out),$out
1999 jmp .Lxts_dec_done
2000
2001.align 16
2002.Lxts_dec_three:
2003 movups ($inp),$inout0
2004 movups 16*1($inp),$inout1
2005 movups 16*2($inp),$inout2
2006 lea 16*3($inp),$inp
2007 xorps @tweak[0],$inout0
2008 xorps @tweak[1],$inout1
2009 xorps @tweak[2],$inout2
2010
2011 call _aesni_decrypt3
2012
2013 xorps @tweak[0],$inout0
2014 movdqa @tweak[3],@tweak[0]
2015 xorps @tweak[1],$inout1
2016 movdqa @tweak[5],@tweak[1]
2017 xorps @tweak[2],$inout2
2018 movups $inout0,($out)
2019 movups $inout1,16*1($out)
2020 movups $inout2,16*2($out)
2021 lea 16*3($out),$out
2022 jmp .Lxts_dec_done
2023
2024.align 16
2025.Lxts_dec_four:
2026 pshufd \$0x13,$twtmp,$twres
2027 movdqa @tweak[5],@tweak[4]
2028 paddq @tweak[5],@tweak[5] # psllq 1,$tweak
2029 movups ($inp),$inout0
2030 pand $twmask,$twres # isolate carry and residue
2031 movups 16*1($inp),$inout1
2032 pxor $twres,@tweak[5]
2033
2034 movups 16*2($inp),$inout2
2035 xorps @tweak[0],$inout0
2036 movups 16*3($inp),$inout3
2037 lea 16*4($inp),$inp
2038 xorps @tweak[1],$inout1
2039 xorps @tweak[2],$inout2
2040 xorps @tweak[3],$inout3
2041
2042 call _aesni_decrypt4
2043
2044 xorps @tweak[0],$inout0
2045 movdqa @tweak[4],@tweak[0]
2046 xorps @tweak[1],$inout1
2047 movdqa @tweak[5],@tweak[1]
2048 xorps @tweak[2],$inout2
2049 movups $inout0,($out)
2050 xorps @tweak[3],$inout3
2051 movups $inout1,16*1($out)
2052 movups $inout2,16*2($out)
2053 movups $inout3,16*3($out)
2054 lea 16*4($out),$out
2055 jmp .Lxts_dec_done
2056
2057.align 16
2058.Lxts_dec_done:
2059 and \$15,$len_
2060 jz .Lxts_dec_ret
2061.Lxts_dec_done2:
2062 mov $len_,$len
2063 mov $key_,$key # restore $key
2064 mov $rnds_,$rounds # restore $rounds
2065
2066 movups ($inp),$inout0
2067 xorps @tweak[1],$inout0
2068___
2069 &aesni_generate1("dec",$key,$rounds);
2070$code.=<<___;
2071 xorps @tweak[1],$inout0
2072 movups $inout0,($out)
2073
2074.Lxts_dec_steal:
2075 movzb 16($inp),%eax # borrow $rounds ...
2076 movzb ($out),%ecx # ... and $key
2077 lea 1($inp),$inp
2078 mov %al,($out)
2079 mov %cl,16($out)
2080 lea 1($out),$out
2081 sub \$1,$len
2082 jnz .Lxts_dec_steal
2083
2084 sub $len_,$out # rewind $out
2085 mov $key_,$key # restore $key
2086 mov $rnds_,$rounds # restore $rounds
2087
2088 movups ($out),$inout0
2089 xorps @tweak[0],$inout0
2090___
2091 &aesni_generate1("dec",$key,$rounds);
2092$code.=<<___;
2093 xorps @tweak[0],$inout0
2094 movups $inout0,($out)
2095
2096.Lxts_dec_ret:
2097___
2098$code.=<<___ if ($win64);
2099 movaps 0x60(%rsp),%xmm6
2100 movaps 0x70(%rsp),%xmm7
2101 movaps 0x80(%rsp),%xmm8
2102 movaps 0x90(%rsp),%xmm9
2103 movaps 0xa0(%rsp),%xmm10
2104 movaps 0xb0(%rsp),%xmm11
2105 movaps 0xc0(%rsp),%xmm12
2106 movaps 0xd0(%rsp),%xmm13
2107 movaps 0xe0(%rsp),%xmm14
2108 movaps 0xf0(%rsp),%xmm15
2109___
2110$code.=<<___;
2111 lea $frame_size(%rsp),%rsp
2112.Lxts_dec_epilogue:
2113 ret
2114.size aesni_xts_decrypt,.-aesni_xts_decrypt
2115___
2116} }}
2117
2118########################################################################
362# void $PREFIX_cbc_encrypt (const void *inp, void *out, 2119# void $PREFIX_cbc_encrypt (const void *inp, void *out,
363# size_t length, const AES_KEY *key, 2120# size_t length, const AES_KEY *key,
364# unsigned char *ivp,const int enc); 2121# unsigned char *ivp,const int enc);
365$reserved = $win64?0x40:-0x18; # used in decrypt 2122{
2123my $reserved = $win64?0x40:-0x18; # used in decrypt
366$code.=<<___; 2124$code.=<<___;
367.globl ${PREFIX}_cbc_encrypt 2125.globl ${PREFIX}_cbc_encrypt
368.type ${PREFIX}_cbc_encrypt,\@function,6 2126.type ${PREFIX}_cbc_encrypt,\@function,6
@@ -371,30 +2129,30 @@ ${PREFIX}_cbc_encrypt:
371 test $len,$len # check length 2129 test $len,$len # check length
372 jz .Lcbc_ret 2130 jz .Lcbc_ret
373 2131
374 mov 240($key),$rnds_ # pull $rounds 2132 mov 240($key),$rnds_ # key->rounds
375 mov $key,$key_ # backup $key 2133 mov $key,$key_ # backup $key
376 test %r9d,%r9d # 6th argument 2134 test %r9d,%r9d # 6th argument
377 jz .Lcbc_decrypt 2135 jz .Lcbc_decrypt
378#--------------------------- CBC ENCRYPT ------------------------------# 2136#--------------------------- CBC ENCRYPT ------------------------------#
379 movups ($ivp),$inout0 # load iv as initial state 2137 movups ($ivp),$inout0 # load iv as initial state
380 cmp \$16,$len
381 mov $rnds_,$rounds 2138 mov $rnds_,$rounds
2139 cmp \$16,$len
382 jb .Lcbc_enc_tail 2140 jb .Lcbc_enc_tail
383 sub \$16,$len 2141 sub \$16,$len
384 jmp .Lcbc_enc_loop 2142 jmp .Lcbc_enc_loop
385.align 16 2143.align 16
386.Lcbc_enc_loop: 2144.Lcbc_enc_loop:
387 movups ($inp),$inout1 # load input 2145 movups ($inp),$inout1 # load input
388 lea 16($inp),$inp 2146 lea 16($inp),$inp
389 pxor $inout1,$inout0 2147 #xorps $inout1,$inout0
390___ 2148___
391 &aesni_generate1("enc",$key,$rounds); 2149 &aesni_generate1("enc",$key,$rounds,$inout0,$inout1);
392$code.=<<___; 2150$code.=<<___;
393 sub \$16,$len
394 lea 16($out),$out
395 mov $rnds_,$rounds # restore $rounds 2151 mov $rnds_,$rounds # restore $rounds
396 mov $key_,$key # restore $key 2152 mov $key_,$key # restore $key
397 movups $inout0,-16($out) # store output 2153 movups $inout0,0($out) # store output
2154 lea 16($out),$out
2155 sub \$16,$len
398 jnc .Lcbc_enc_loop 2156 jnc .Lcbc_enc_loop
399 add \$16,$len 2157 add \$16,$len
400 jnz .Lcbc_enc_tail 2158 jnz .Lcbc_enc_tail
@@ -429,92 +2187,238 @@ $code.=<<___ if ($win64);
429___ 2187___
430$code.=<<___; 2188$code.=<<___;
431 movups ($ivp),$iv 2189 movups ($ivp),$iv
432 sub \$0x40,$len
433 mov $rnds_,$rounds 2190 mov $rnds_,$rounds
2191 cmp \$0x70,$len
434 jbe .Lcbc_dec_tail 2192 jbe .Lcbc_dec_tail
435 jmp .Lcbc_dec_loop3 2193 shr \$1,$rnds_
436.align 16 2194 sub \$0x70,$len
437.Lcbc_dec_loop3: 2195 mov $rnds_,$rounds
438 movups ($inp),$inout0 2196 movaps $iv,$reserved(%rsp)
2197 jmp .Lcbc_dec_loop8_enter
2198.align 16
2199.Lcbc_dec_loop8:
2200 movaps $rndkey0,$reserved(%rsp) # save IV
2201 movups $inout7,($out)
2202 lea 0x10($out),$out
2203.Lcbc_dec_loop8_enter:
2204 $movkey ($key),$rndkey0
2205 movups ($inp),$inout0 # load input
439 movups 0x10($inp),$inout1 2206 movups 0x10($inp),$inout1
440 movups 0x20($inp),$inout2 2207 $movkey 16($key),$rndkey1
441 movaps $inout0,$in0
442 movaps $inout1,$in1
443 movaps $inout2,$in2
444 call _aesni_decrypt3
445 sub \$0x30,$len
446 lea 0x30($inp),$inp
447 lea 0x30($out),$out
448 pxor $iv,$inout0
449 pxor $in0,$inout1
450 movaps $in2,$iv
451 pxor $in1,$inout2
452 movups $inout0,-0x30($out)
453 mov $rnds_,$rounds # restore $rounds
454 movups $inout1,-0x20($out)
455 mov $key_,$key # restore $key
456 movups $inout2,-0x10($out)
457 ja .Lcbc_dec_loop3
458 2208
459.Lcbc_dec_tail: 2209 lea 32($key),$key
460 add \$0x40,$len 2210 movdqu 0x20($inp),$inout2
461 movups $iv,($ivp) 2211 xorps $rndkey0,$inout0
462 jz .Lcbc_dec_ret 2212 movdqu 0x30($inp),$inout3
2213 xorps $rndkey0,$inout1
2214 movdqu 0x40($inp),$inout4
2215 aesdec $rndkey1,$inout0
2216 pxor $rndkey0,$inout2
2217 movdqu 0x50($inp),$inout5
2218 aesdec $rndkey1,$inout1
2219 pxor $rndkey0,$inout3
2220 movdqu 0x60($inp),$inout6
2221 aesdec $rndkey1,$inout2
2222 pxor $rndkey0,$inout4
2223 movdqu 0x70($inp),$inout7
2224 aesdec $rndkey1,$inout3
2225 pxor $rndkey0,$inout5
2226 dec $rounds
2227 aesdec $rndkey1,$inout4
2228 pxor $rndkey0,$inout6
2229 aesdec $rndkey1,$inout5
2230 pxor $rndkey0,$inout7
2231 $movkey ($key),$rndkey0
2232 aesdec $rndkey1,$inout6
2233 aesdec $rndkey1,$inout7
2234 $movkey 16($key),$rndkey1
463 2235
2236 call .Ldec_loop8_enter
2237
2238 movups ($inp),$rndkey1 # re-load input
2239 movups 0x10($inp),$rndkey0
2240 xorps $reserved(%rsp),$inout0 # ^= IV
2241 xorps $rndkey1,$inout1
2242 movups 0x20($inp),$rndkey1
2243 xorps $rndkey0,$inout2
2244 movups 0x30($inp),$rndkey0
2245 xorps $rndkey1,$inout3
2246 movups 0x40($inp),$rndkey1
2247 xorps $rndkey0,$inout4
2248 movups 0x50($inp),$rndkey0
2249 xorps $rndkey1,$inout5
2250 movups 0x60($inp),$rndkey1
2251 xorps $rndkey0,$inout6
2252 movups 0x70($inp),$rndkey0 # IV
2253 xorps $rndkey1,$inout7
2254 movups $inout0,($out)
2255 movups $inout1,0x10($out)
2256 movups $inout2,0x20($out)
2257 movups $inout3,0x30($out)
2258 mov $rnds_,$rounds # restore $rounds
2259 movups $inout4,0x40($out)
2260 mov $key_,$key # restore $key
2261 movups $inout5,0x50($out)
2262 lea 0x80($inp),$inp
2263 movups $inout6,0x60($out)
2264 lea 0x70($out),$out
2265 sub \$0x80,$len
2266 ja .Lcbc_dec_loop8
2267
2268 movaps $inout7,$inout0
2269 movaps $rndkey0,$iv
2270 add \$0x70,$len
2271 jle .Lcbc_dec_tail_collected
2272 movups $inout0,($out)
2273 lea 1($rnds_,$rnds_),$rounds
2274 lea 0x10($out),$out
2275.Lcbc_dec_tail:
464 movups ($inp),$inout0 2276 movups ($inp),$inout0
465 cmp \$0x10,$len
466 movaps $inout0,$in0 2277 movaps $inout0,$in0
2278 cmp \$0x10,$len
467 jbe .Lcbc_dec_one 2279 jbe .Lcbc_dec_one
2280
468 movups 0x10($inp),$inout1 2281 movups 0x10($inp),$inout1
469 cmp \$0x20,$len
470 movaps $inout1,$in1 2282 movaps $inout1,$in1
2283 cmp \$0x20,$len
471 jbe .Lcbc_dec_two 2284 jbe .Lcbc_dec_two
2285
472 movups 0x20($inp),$inout2 2286 movups 0x20($inp),$inout2
473 cmp \$0x30,$len
474 movaps $inout2,$in2 2287 movaps $inout2,$in2
2288 cmp \$0x30,$len
475 jbe .Lcbc_dec_three 2289 jbe .Lcbc_dec_three
2290
476 movups 0x30($inp),$inout3 2291 movups 0x30($inp),$inout3
477 call _aesni_decrypt4 2292 cmp \$0x40,$len
478 pxor $iv,$inout0 2293 jbe .Lcbc_dec_four
479 movups 0x30($inp),$iv 2294
480 pxor $in0,$inout1 2295 movups 0x40($inp),$inout4
2296 cmp \$0x50,$len
2297 jbe .Lcbc_dec_five
2298
2299 movups 0x50($inp),$inout5
2300 cmp \$0x60,$len
2301 jbe .Lcbc_dec_six
2302
2303 movups 0x60($inp),$inout6
2304 movaps $iv,$reserved(%rsp) # save IV
2305 call _aesni_decrypt8
2306 movups ($inp),$rndkey1
2307 movups 0x10($inp),$rndkey0
2308 xorps $reserved(%rsp),$inout0 # ^= IV
2309 xorps $rndkey1,$inout1
2310 movups 0x20($inp),$rndkey1
2311 xorps $rndkey0,$inout2
2312 movups 0x30($inp),$rndkey0
2313 xorps $rndkey1,$inout3
2314 movups 0x40($inp),$rndkey1
2315 xorps $rndkey0,$inout4
2316 movups 0x50($inp),$rndkey0
2317 xorps $rndkey1,$inout5
2318 movups 0x60($inp),$iv # IV
2319 xorps $rndkey0,$inout6
481 movups $inout0,($out) 2320 movups $inout0,($out)
482 pxor $in1,$inout2
483 movups $inout1,0x10($out) 2321 movups $inout1,0x10($out)
484 pxor $in2,$inout3
485 movups $inout2,0x20($out) 2322 movups $inout2,0x20($out)
486 movaps $inout3,$inout0 2323 movups $inout3,0x30($out)
487 lea 0x30($out),$out 2324 movups $inout4,0x40($out)
2325 movups $inout5,0x50($out)
2326 lea 0x60($out),$out
2327 movaps $inout6,$inout0
2328 sub \$0x70,$len
488 jmp .Lcbc_dec_tail_collected 2329 jmp .Lcbc_dec_tail_collected
489.align 16 2330.align 16
490.Lcbc_dec_one: 2331.Lcbc_dec_one:
491___ 2332___
492 &aesni_generate1("dec",$key,$rounds); 2333 &aesni_generate1("dec",$key,$rounds);
493$code.=<<___; 2334$code.=<<___;
494 pxor $iv,$inout0 2335 xorps $iv,$inout0
495 movaps $in0,$iv 2336 movaps $in0,$iv
2337 sub \$0x10,$len
496 jmp .Lcbc_dec_tail_collected 2338 jmp .Lcbc_dec_tail_collected
497.align 16 2339.align 16
498.Lcbc_dec_two: 2340.Lcbc_dec_two:
2341 xorps $inout2,$inout2
499 call _aesni_decrypt3 2342 call _aesni_decrypt3
500 pxor $iv,$inout0 2343 xorps $iv,$inout0
501 pxor $in0,$inout1 2344 xorps $in0,$inout1
502 movups $inout0,($out) 2345 movups $inout0,($out)
503 movaps $in1,$iv 2346 movaps $in1,$iv
504 movaps $inout1,$inout0 2347 movaps $inout1,$inout0
505 lea 0x10($out),$out 2348 lea 0x10($out),$out
2349 sub \$0x20,$len
506 jmp .Lcbc_dec_tail_collected 2350 jmp .Lcbc_dec_tail_collected
507.align 16 2351.align 16
508.Lcbc_dec_three: 2352.Lcbc_dec_three:
509 call _aesni_decrypt3 2353 call _aesni_decrypt3
510 pxor $iv,$inout0 2354 xorps $iv,$inout0
511 pxor $in0,$inout1 2355 xorps $in0,$inout1
512 movups $inout0,($out) 2356 movups $inout0,($out)
513 pxor $in1,$inout2 2357 xorps $in1,$inout2
514 movups $inout1,0x10($out) 2358 movups $inout1,0x10($out)
515 movaps $in2,$iv 2359 movaps $in2,$iv
516 movaps $inout2,$inout0 2360 movaps $inout2,$inout0
517 lea 0x20($out),$out 2361 lea 0x20($out),$out
2362 sub \$0x30,$len
2363 jmp .Lcbc_dec_tail_collected
2364.align 16
2365.Lcbc_dec_four:
2366 call _aesni_decrypt4
2367 xorps $iv,$inout0
2368 movups 0x30($inp),$iv
2369 xorps $in0,$inout1
2370 movups $inout0,($out)
2371 xorps $in1,$inout2
2372 movups $inout1,0x10($out)
2373 xorps $in2,$inout3
2374 movups $inout2,0x20($out)
2375 movaps $inout3,$inout0
2376 lea 0x30($out),$out
2377 sub \$0x40,$len
2378 jmp .Lcbc_dec_tail_collected
2379.align 16
2380.Lcbc_dec_five:
2381 xorps $inout5,$inout5
2382 call _aesni_decrypt6
2383 movups 0x10($inp),$rndkey1
2384 movups 0x20($inp),$rndkey0
2385 xorps $iv,$inout0
2386 xorps $in0,$inout1
2387 xorps $rndkey1,$inout2
2388 movups 0x30($inp),$rndkey1
2389 xorps $rndkey0,$inout3
2390 movups 0x40($inp),$iv
2391 xorps $rndkey1,$inout4
2392 movups $inout0,($out)
2393 movups $inout1,0x10($out)
2394 movups $inout2,0x20($out)
2395 movups $inout3,0x30($out)
2396 lea 0x40($out),$out
2397 movaps $inout4,$inout0
2398 sub \$0x50,$len
2399 jmp .Lcbc_dec_tail_collected
2400.align 16
2401.Lcbc_dec_six:
2402 call _aesni_decrypt6
2403 movups 0x10($inp),$rndkey1
2404 movups 0x20($inp),$rndkey0
2405 xorps $iv,$inout0
2406 xorps $in0,$inout1
2407 xorps $rndkey1,$inout2
2408 movups 0x30($inp),$rndkey1
2409 xorps $rndkey0,$inout3
2410 movups 0x40($inp),$rndkey0
2411 xorps $rndkey1,$inout4
2412 movups 0x50($inp),$iv
2413 xorps $rndkey0,$inout5
2414 movups $inout0,($out)
2415 movups $inout1,0x10($out)
2416 movups $inout2,0x20($out)
2417 movups $inout3,0x30($out)
2418 movups $inout4,0x40($out)
2419 lea 0x50($out),$out
2420 movaps $inout5,$inout0
2421 sub \$0x60,$len
518 jmp .Lcbc_dec_tail_collected 2422 jmp .Lcbc_dec_tail_collected
519.align 16 2423.align 16
520.Lcbc_dec_tail_collected: 2424.Lcbc_dec_tail_collected:
@@ -523,10 +2427,12 @@ $code.=<<___;
523 jnz .Lcbc_dec_tail_partial 2427 jnz .Lcbc_dec_tail_partial
524 movups $inout0,($out) 2428 movups $inout0,($out)
525 jmp .Lcbc_dec_ret 2429 jmp .Lcbc_dec_ret
2430.align 16
526.Lcbc_dec_tail_partial: 2431.Lcbc_dec_tail_partial:
527 movaps $inout0,$reserved(%rsp) 2432 movaps $inout0,$reserved(%rsp)
2433 mov \$16,%rcx
528 mov $out,%rdi 2434 mov $out,%rdi
529 mov $len,%rcx 2435 sub $len,%rcx
530 lea $reserved(%rsp),%rsi 2436 lea $reserved(%rsp),%rsi
531 .long 0x9066A4F3 # rep movsb 2437 .long 0x9066A4F3 # rep movsb
532 2438
@@ -544,7 +2450,7 @@ $code.=<<___;
544 ret 2450 ret
545.size ${PREFIX}_cbc_encrypt,.-${PREFIX}_cbc_encrypt 2451.size ${PREFIX}_cbc_encrypt,.-${PREFIX}_cbc_encrypt
546___ 2452___
547 2453}
548# int $PREFIX_set_[en|de]crypt_key (const unsigned char *userKey, 2454# int $PREFIX_set_[en|de]crypt_key (const unsigned char *userKey,
549# int bits, AES_KEY *key) 2455# int bits, AES_KEY *key)
550{ my ($inp,$bits,$key) = @_4args; 2456{ my ($inp,$bits,$key) = @_4args;
@@ -556,7 +2462,7 @@ $code.=<<___;
556.align 16 2462.align 16
557${PREFIX}_set_decrypt_key: 2463${PREFIX}_set_decrypt_key:
558 .byte 0x48,0x83,0xEC,0x08 # sub rsp,8 2464 .byte 0x48,0x83,0xEC,0x08 # sub rsp,8
559 call _aesni_set_encrypt_key 2465 call __aesni_set_encrypt_key
560 shl \$4,$bits # rounds-1 after _aesni_set_encrypt_key 2466 shl \$4,$bits # rounds-1 after _aesni_set_encrypt_key
561 test %eax,%eax 2467 test %eax,%eax
562 jnz .Ldec_key_ret 2468 jnz .Ldec_key_ret
@@ -576,9 +2482,9 @@ ${PREFIX}_set_decrypt_key:
576 aesimc %xmm1,%xmm1 2482 aesimc %xmm1,%xmm1
577 lea 16($key),$key 2483 lea 16($key),$key
578 lea -16($inp),$inp 2484 lea -16($inp),$inp
579 cmp $key,$inp
580 $movkey %xmm0,16($inp) 2485 $movkey %xmm0,16($inp)
581 $movkey %xmm1,-16($key) 2486 $movkey %xmm1,-16($key)
2487 cmp $key,$inp
582 ja .Ldec_key_inverse 2488 ja .Ldec_key_inverse
583 2489
584 $movkey ($key),%xmm0 # inverse middle 2490 $movkey ($key),%xmm0 # inverse middle
@@ -605,16 +2511,16 @@ $code.=<<___;
605.type ${PREFIX}_set_encrypt_key,\@abi-omnipotent 2511.type ${PREFIX}_set_encrypt_key,\@abi-omnipotent
606.align 16 2512.align 16
607${PREFIX}_set_encrypt_key: 2513${PREFIX}_set_encrypt_key:
608_aesni_set_encrypt_key: 2514__aesni_set_encrypt_key:
609 .byte 0x48,0x83,0xEC,0x08 # sub rsp,8 2515 .byte 0x48,0x83,0xEC,0x08 # sub rsp,8
610 test $inp,$inp
611 mov \$-1,%rax 2516 mov \$-1,%rax
2517 test $inp,$inp
612 jz .Lenc_key_ret 2518 jz .Lenc_key_ret
613 test $key,$key 2519 test $key,$key
614 jz .Lenc_key_ret 2520 jz .Lenc_key_ret
615 2521
616 movups ($inp),%xmm0 # pull first 128 bits of *userKey 2522 movups ($inp),%xmm0 # pull first 128 bits of *userKey
617 pxor %xmm4,%xmm4 # low dword of xmm4 is assumed 0 2523 xorps %xmm4,%xmm4 # low dword of xmm4 is assumed 0
618 lea 16($key),%rax 2524 lea 16($key),%rax
619 cmp \$256,$bits 2525 cmp \$256,$bits
620 je .L14rounds 2526 je .L14rounds
@@ -729,11 +2635,11 @@ _aesni_set_encrypt_key:
729 lea 16(%rax),%rax 2635 lea 16(%rax),%rax
730.Lkey_expansion_128_cold: 2636.Lkey_expansion_128_cold:
731 shufps \$0b00010000,%xmm0,%xmm4 2637 shufps \$0b00010000,%xmm0,%xmm4
732 pxor %xmm4, %xmm0 2638 xorps %xmm4, %xmm0
733 shufps \$0b10001100,%xmm0,%xmm4 2639 shufps \$0b10001100,%xmm0,%xmm4
734 pxor %xmm4, %xmm0 2640 xorps %xmm4, %xmm0
735 pshufd \$0b11111111,%xmm1,%xmm1 # critical path 2641 shufps \$0b11111111,%xmm1,%xmm1 # critical path
736 pxor %xmm1,%xmm0 2642 xorps %xmm1,%xmm0
737 ret 2643 ret
738 2644
739.align 16 2645.align 16
@@ -744,11 +2650,11 @@ _aesni_set_encrypt_key:
744 movaps %xmm2, %xmm5 2650 movaps %xmm2, %xmm5
745.Lkey_expansion_192b_warm: 2651.Lkey_expansion_192b_warm:
746 shufps \$0b00010000,%xmm0,%xmm4 2652 shufps \$0b00010000,%xmm0,%xmm4
747 movaps %xmm2,%xmm3 2653 movdqa %xmm2,%xmm3
748 pxor %xmm4,%xmm0 2654 xorps %xmm4,%xmm0
749 shufps \$0b10001100,%xmm0,%xmm4 2655 shufps \$0b10001100,%xmm0,%xmm4
750 pslldq \$4,%xmm3 2656 pslldq \$4,%xmm3
751 pxor %xmm4,%xmm0 2657 xorps %xmm4,%xmm0
752 pshufd \$0b01010101,%xmm1,%xmm1 # critical path 2658 pshufd \$0b01010101,%xmm1,%xmm1 # critical path
753 pxor %xmm3,%xmm2 2659 pxor %xmm3,%xmm2
754 pxor %xmm1,%xmm0 2660 pxor %xmm1,%xmm0
@@ -772,11 +2678,11 @@ _aesni_set_encrypt_key:
772 lea 16(%rax),%rax 2678 lea 16(%rax),%rax
773.Lkey_expansion_256a_cold: 2679.Lkey_expansion_256a_cold:
774 shufps \$0b00010000,%xmm0,%xmm4 2680 shufps \$0b00010000,%xmm0,%xmm4
775 pxor %xmm4,%xmm0 2681 xorps %xmm4,%xmm0
776 shufps \$0b10001100,%xmm0,%xmm4 2682 shufps \$0b10001100,%xmm0,%xmm4
777 pxor %xmm4,%xmm0 2683 xorps %xmm4,%xmm0
778 pshufd \$0b11111111,%xmm1,%xmm1 # critical path 2684 shufps \$0b11111111,%xmm1,%xmm1 # critical path
779 pxor %xmm1,%xmm0 2685 xorps %xmm1,%xmm0
780 ret 2686 ret
781 2687
782.align 16 2688.align 16
@@ -785,17 +2691,28 @@ _aesni_set_encrypt_key:
785 lea 16(%rax),%rax 2691 lea 16(%rax),%rax
786 2692
787 shufps \$0b00010000,%xmm2,%xmm4 2693 shufps \$0b00010000,%xmm2,%xmm4
788 pxor %xmm4,%xmm2 2694 xorps %xmm4,%xmm2
789 shufps \$0b10001100,%xmm2,%xmm4 2695 shufps \$0b10001100,%xmm2,%xmm4
790 pxor %xmm4,%xmm2 2696 xorps %xmm4,%xmm2
791 pshufd \$0b10101010,%xmm1,%xmm1 # critical path 2697 shufps \$0b10101010,%xmm1,%xmm1 # critical path
792 pxor %xmm1,%xmm2 2698 xorps %xmm1,%xmm2
793 ret 2699 ret
794.size ${PREFIX}_set_encrypt_key,.-${PREFIX}_set_encrypt_key 2700.size ${PREFIX}_set_encrypt_key,.-${PREFIX}_set_encrypt_key
2701.size __aesni_set_encrypt_key,.-__aesni_set_encrypt_key
795___ 2702___
796} 2703}
797 2704
798$code.=<<___; 2705$code.=<<___;
2706.align 64
2707.Lbswap_mask:
2708 .byte 15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0
2709.Lincrement32:
2710 .long 6,6,6,0
2711.Lincrement64:
2712 .long 1,0,0,0
2713.Lxts_magic:
2714 .long 0x87,0,1,0
2715
799.asciz "AES for Intel AES-NI, CRYPTOGAMS by <appro\@openssl.org>" 2716.asciz "AES for Intel AES-NI, CRYPTOGAMS by <appro\@openssl.org>"
800.align 64 2717.align 64
801___ 2718___
@@ -810,9 +2727,11 @@ $disp="%r9";
810 2727
811$code.=<<___; 2728$code.=<<___;
812.extern __imp_RtlVirtualUnwind 2729.extern __imp_RtlVirtualUnwind
813.type cbc_se_handler,\@abi-omnipotent 2730___
2731$code.=<<___ if ($PREFIX eq "aesni");
2732.type ecb_se_handler,\@abi-omnipotent
814.align 16 2733.align 16
815cbc_se_handler: 2734ecb_se_handler:
816 push %rsi 2735 push %rsi
817 push %rdi 2736 push %rdi
818 push %rbx 2737 push %rbx
@@ -825,42 +2744,132 @@ cbc_se_handler:
825 sub \$64,%rsp 2744 sub \$64,%rsp
826 2745
827 mov 152($context),%rax # pull context->Rsp 2746 mov 152($context),%rax # pull context->Rsp
2747
2748 jmp .Lcommon_seh_tail
2749.size ecb_se_handler,.-ecb_se_handler
2750
2751.type ccm64_se_handler,\@abi-omnipotent
2752.align 16
2753ccm64_se_handler:
2754 push %rsi
2755 push %rdi
2756 push %rbx
2757 push %rbp
2758 push %r12
2759 push %r13
2760 push %r14
2761 push %r15
2762 pushfq
2763 sub \$64,%rsp
2764
2765 mov 120($context),%rax # pull context->Rax
828 mov 248($context),%rbx # pull context->Rip 2766 mov 248($context),%rbx # pull context->Rip
829 2767
830 lea .Lcbc_decrypt(%rip),%r10 2768 mov 8($disp),%rsi # disp->ImageBase
831 cmp %r10,%rbx # context->Rip<"prologue" label 2769 mov 56($disp),%r11 # disp->HandlerData
832 jb .Lin_prologue
833 2770
834 lea .Lcbc_decrypt_body(%rip),%r10 2771 mov 0(%r11),%r10d # HandlerData[0]
835 cmp %r10,%rbx # context->Rip<cbc_decrypt_body 2772 lea (%rsi,%r10),%r10 # prologue label
836 jb .Lrestore_rax 2773 cmp %r10,%rbx # context->Rip<prologue label
2774 jb .Lcommon_seh_tail
837 2775
838 lea .Lcbc_ret(%rip),%r10 2776 mov 152($context),%rax # pull context->Rsp
839 cmp %r10,%rbx # context->Rip>="epilogue" label
840 jae .Lin_prologue
841 2777
842 lea 0(%rax),%rsi # top of stack 2778 mov 4(%r11),%r10d # HandlerData[1]
2779 lea (%rsi,%r10),%r10 # epilogue label
2780 cmp %r10,%rbx # context->Rip>=epilogue label
2781 jae .Lcommon_seh_tail
2782
2783 lea 0(%rax),%rsi # %xmm save area
843 lea 512($context),%rdi # &context.Xmm6 2784 lea 512($context),%rdi # &context.Xmm6
844 mov \$8,%ecx # 4*sizeof(%xmm0)/sizeof(%rax) 2785 mov \$8,%ecx # 4*sizeof(%xmm0)/sizeof(%rax)
845 .long 0xa548f3fc # cld; rep movsq 2786 .long 0xa548f3fc # cld; rep movsq
846 lea 0x58(%rax),%rax # adjust stack pointer 2787 lea 0x58(%rax),%rax # adjust stack pointer
847 jmp .Lin_prologue
848 2788
849.Lrestore_rax: 2789 jmp .Lcommon_seh_tail
850 mov 120($context),%rax 2790.size ccm64_se_handler,.-ccm64_se_handler
851.Lin_prologue:
852 mov 8(%rax),%rdi
853 mov 16(%rax),%rsi
854 mov %rax,152($context) # restore context->Rsp
855 mov %rsi,168($context) # restore context->Rsi
856 mov %rdi,176($context) # restore context->Rdi
857 2791
858 jmp .Lcommon_seh_exit 2792.type ctr32_se_handler,\@abi-omnipotent
859.size cbc_se_handler,.-cbc_se_handler 2793.align 16
2794ctr32_se_handler:
2795 push %rsi
2796 push %rdi
2797 push %rbx
2798 push %rbp
2799 push %r12
2800 push %r13
2801 push %r14
2802 push %r15
2803 pushfq
2804 sub \$64,%rsp
860 2805
861.type ecb_se_handler,\@abi-omnipotent 2806 mov 120($context),%rax # pull context->Rax
2807 mov 248($context),%rbx # pull context->Rip
2808
2809 lea .Lctr32_body(%rip),%r10
2810 cmp %r10,%rbx # context->Rip<"prologue" label
2811 jb .Lcommon_seh_tail
2812
2813 mov 152($context),%rax # pull context->Rsp
2814
2815 lea .Lctr32_ret(%rip),%r10
2816 cmp %r10,%rbx
2817 jae .Lcommon_seh_tail
2818
2819 lea 0x20(%rax),%rsi # %xmm save area
2820 lea 512($context),%rdi # &context.Xmm6
2821 mov \$20,%ecx # 10*sizeof(%xmm0)/sizeof(%rax)
2822 .long 0xa548f3fc # cld; rep movsq
2823 lea 0xc8(%rax),%rax # adjust stack pointer
2824
2825 jmp .Lcommon_seh_tail
2826.size ctr32_se_handler,.-ctr32_se_handler
2827
2828.type xts_se_handler,\@abi-omnipotent
862.align 16 2829.align 16
863ecb_se_handler: 2830xts_se_handler:
2831 push %rsi
2832 push %rdi
2833 push %rbx
2834 push %rbp
2835 push %r12
2836 push %r13
2837 push %r14
2838 push %r15
2839 pushfq
2840 sub \$64,%rsp
2841
2842 mov 120($context),%rax # pull context->Rax
2843 mov 248($context),%rbx # pull context->Rip
2844
2845 mov 8($disp),%rsi # disp->ImageBase
2846 mov 56($disp),%r11 # disp->HandlerData
2847
2848 mov 0(%r11),%r10d # HandlerData[0]
2849 lea (%rsi,%r10),%r10 # prologue lable
2850 cmp %r10,%rbx # context->Rip<prologue label
2851 jb .Lcommon_seh_tail
2852
2853 mov 152($context),%rax # pull context->Rsp
2854
2855 mov 4(%r11),%r10d # HandlerData[1]
2856 lea (%rsi,%r10),%r10 # epilogue label
2857 cmp %r10,%rbx # context->Rip>=epilogue label
2858 jae .Lcommon_seh_tail
2859
2860 lea 0x60(%rax),%rsi # %xmm save area
2861 lea 512($context),%rdi # & context.Xmm6
2862 mov \$20,%ecx # 10*sizeof(%xmm0)/sizeof(%rax)
2863 .long 0xa548f3fc # cld; rep movsq
2864 lea 0x68+160(%rax),%rax # adjust stack pointer
2865
2866 jmp .Lcommon_seh_tail
2867.size xts_se_handler,.-xts_se_handler
2868___
2869$code.=<<___;
2870.type cbc_se_handler,\@abi-omnipotent
2871.align 16
2872cbc_se_handler:
864 push %rsi 2873 push %rsi
865 push %rdi 2874 push %rdi
866 push %rbx 2875 push %rbx
@@ -873,13 +2882,37 @@ ecb_se_handler:
873 sub \$64,%rsp 2882 sub \$64,%rsp
874 2883
875 mov 152($context),%rax # pull context->Rsp 2884 mov 152($context),%rax # pull context->Rsp
2885 mov 248($context),%rbx # pull context->Rip
2886
2887 lea .Lcbc_decrypt(%rip),%r10
2888 cmp %r10,%rbx # context->Rip<"prologue" label
2889 jb .Lcommon_seh_tail
2890
2891 lea .Lcbc_decrypt_body(%rip),%r10
2892 cmp %r10,%rbx # context->Rip<cbc_decrypt_body
2893 jb .Lrestore_cbc_rax
2894
2895 lea .Lcbc_ret(%rip),%r10
2896 cmp %r10,%rbx # context->Rip>="epilogue" label
2897 jae .Lcommon_seh_tail
2898
2899 lea 0(%rax),%rsi # top of stack
2900 lea 512($context),%rdi # &context.Xmm6
2901 mov \$8,%ecx # 4*sizeof(%xmm0)/sizeof(%rax)
2902 .long 0xa548f3fc # cld; rep movsq
2903 lea 0x58(%rax),%rax # adjust stack pointer
2904 jmp .Lcommon_seh_tail
2905
2906.Lrestore_cbc_rax:
2907 mov 120($context),%rax
2908
2909.Lcommon_seh_tail:
876 mov 8(%rax),%rdi 2910 mov 8(%rax),%rdi
877 mov 16(%rax),%rsi 2911 mov 16(%rax),%rsi
2912 mov %rax,152($context) # restore context->Rsp
878 mov %rsi,168($context) # restore context->Rsi 2913 mov %rsi,168($context) # restore context->Rsi
879 mov %rdi,176($context) # restore context->Rdi 2914 mov %rdi,176($context) # restore context->Rdi
880 2915
881.Lcommon_seh_exit:
882
883 mov 40($disp),%rdi # disp->ContextRecord 2916 mov 40($disp),%rdi # disp->ContextRecord
884 mov $context,%rsi # context 2917 mov $context,%rsi # context
885 mov \$154,%ecx # sizeof(CONTEXT) 2918 mov \$154,%ecx # sizeof(CONTEXT)
@@ -915,10 +2948,33 @@ ecb_se_handler:
915 2948
916.section .pdata 2949.section .pdata
917.align 4 2950.align 4
918 .rva .LSEH_begin_${PREFIX}_ecb_encrypt 2951___
919 .rva .LSEH_end_${PREFIX}_ecb_encrypt 2952$code.=<<___ if ($PREFIX eq "aesni");
2953 .rva .LSEH_begin_aesni_ecb_encrypt
2954 .rva .LSEH_end_aesni_ecb_encrypt
920 .rva .LSEH_info_ecb 2955 .rva .LSEH_info_ecb
921 2956
2957 .rva .LSEH_begin_aesni_ccm64_encrypt_blocks
2958 .rva .LSEH_end_aesni_ccm64_encrypt_blocks
2959 .rva .LSEH_info_ccm64_enc
2960
2961 .rva .LSEH_begin_aesni_ccm64_decrypt_blocks
2962 .rva .LSEH_end_aesni_ccm64_decrypt_blocks
2963 .rva .LSEH_info_ccm64_dec
2964
2965 .rva .LSEH_begin_aesni_ctr32_encrypt_blocks
2966 .rva .LSEH_end_aesni_ctr32_encrypt_blocks
2967 .rva .LSEH_info_ctr32
2968
2969 .rva .LSEH_begin_aesni_xts_encrypt
2970 .rva .LSEH_end_aesni_xts_encrypt
2971 .rva .LSEH_info_xts_enc
2972
2973 .rva .LSEH_begin_aesni_xts_decrypt
2974 .rva .LSEH_end_aesni_xts_decrypt
2975 .rva .LSEH_info_xts_dec
2976___
2977$code.=<<___;
922 .rva .LSEH_begin_${PREFIX}_cbc_encrypt 2978 .rva .LSEH_begin_${PREFIX}_cbc_encrypt
923 .rva .LSEH_end_${PREFIX}_cbc_encrypt 2979 .rva .LSEH_end_${PREFIX}_cbc_encrypt
924 .rva .LSEH_info_cbc 2980 .rva .LSEH_info_cbc
@@ -932,28 +2988,49 @@ ecb_se_handler:
932 .rva .LSEH_info_key 2988 .rva .LSEH_info_key
933.section .xdata 2989.section .xdata
934.align 8 2990.align 8
2991___
2992$code.=<<___ if ($PREFIX eq "aesni");
935.LSEH_info_ecb: 2993.LSEH_info_ecb:
936 .byte 9,0,0,0 2994 .byte 9,0,0,0
937 .rva ecb_se_handler 2995 .rva ecb_se_handler
2996.LSEH_info_ccm64_enc:
2997 .byte 9,0,0,0
2998 .rva ccm64_se_handler
2999 .rva .Lccm64_enc_body,.Lccm64_enc_ret # HandlerData[]
3000.LSEH_info_ccm64_dec:
3001 .byte 9,0,0,0
3002 .rva ccm64_se_handler
3003 .rva .Lccm64_dec_body,.Lccm64_dec_ret # HandlerData[]
3004.LSEH_info_ctr32:
3005 .byte 9,0,0,0
3006 .rva ctr32_se_handler
3007.LSEH_info_xts_enc:
3008 .byte 9,0,0,0
3009 .rva xts_se_handler
3010 .rva .Lxts_enc_body,.Lxts_enc_epilogue # HandlerData[]
3011.LSEH_info_xts_dec:
3012 .byte 9,0,0,0
3013 .rva xts_se_handler
3014 .rva .Lxts_dec_body,.Lxts_dec_epilogue # HandlerData[]
3015___
3016$code.=<<___;
938.LSEH_info_cbc: 3017.LSEH_info_cbc:
939 .byte 9,0,0,0 3018 .byte 9,0,0,0
940 .rva cbc_se_handler 3019 .rva cbc_se_handler
941.LSEH_info_key: 3020.LSEH_info_key:
942 .byte 0x01,0x04,0x01,0x00 3021 .byte 0x01,0x04,0x01,0x00
943 .byte 0x04,0x02,0x00,0x00 3022 .byte 0x04,0x02,0x00,0x00 # sub rsp,8
944___ 3023___
945} 3024}
946 3025
947sub rex { 3026sub rex {
948 local *opcode=shift; 3027 local *opcode=shift;
949 my ($dst,$src)=@_; 3028 my ($dst,$src)=@_;
950 3029 my $rex=0;
951 if ($dst>=8 || $src>=8) { 3030
952 $rex=0x40; 3031 $rex|=0x04 if($dst>=8);
953 $rex|=0x04 if($dst>=8); 3032 $rex|=0x01 if($src>=8);
954 $rex|=0x01 if($src>=8); 3033 push @opcode,$rex|0x40 if($rex);
955 push @opcode,$rex;
956 }
957} 3034}
958 3035
959sub aesni { 3036sub aesni {
@@ -989,4 +3066,3 @@ $code =~ s/\b(aes.*%xmm[0-9]+).*$/aesni($1)/gem;
989print $code; 3066print $code;
990 3067
991close STDOUT; 3068close STDOUT;
992
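--- a/src/lib/libcrypto/asn1/a_digest.c
+++ b/src/lib/libcrypto/asn1/a_digest.c
@@ -87,7 +87,8 @@ int ASN1_digest(i2d_of_void *i2d, const EVP_MD *type, char *data,
 p=str;
 i2d(data,&p);
 
-EVP_Digest(str, i, md, len, type, NULL);
+if (!EVP_Digest(str, i, md, len, type, NULL))
+return 0;
 OPENSSL_free(str);
 return(1);
 }
@@ -104,7 +105,8 @@ int ASN1_item_digest(const ASN1_ITEM *it, const EVP_MD *type, void *asn,
 i=ASN1_item_i2d(asn,&str, it);
 if (!str) return(0);
 
-EVP_Digest(str, i, md, len, type, NULL);
+if (!EVP_Digest(str, i, md, len, type, NULL))
+return 0;
 OPENSSL_free(str);
 return(1);
 }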
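Review bot: The new early return on EVP_Digest() failure leaks `str` in both ASN1_digest (new line 91) and ASN1_item_digest (new line 109): the buffer holds the i2d output and is only released by the OPENSSL_free(str) that the return now skips. Release it on the failure path as well, e.g. `if (!EVP_Digest(str, i, md, len, type, NULL)) { OPENSSL_free(str); return 0; }`. The allocation of str sits above both hunks, so its ownership is inferred from the OPENSSL_free that follows.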
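--- a/src/lib/libcrypto/asn1/a_int.c
+++ b/src/lib/libcrypto/asn1/a_int.c
@@ -386,8 +386,8 @@ long ASN1_INTEGER_get(const ASN1_INTEGER *a)
 
 if (a->length > (int)sizeof(long))
 {
-/* hmm... a bit ugly */
-return(0xffffffffL);
+/* hmm... a bit ugly, return all ones */
+return -1;
 }
 if (a->data == NULL)
 return 0;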
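Review bot: The new sentinel `return -1` for an ASN1_INTEGER wider than a long is indistinguishable from a legitimately decoded value of -1, so callers still cannot detect the overflow from the return value alone; the old 0xffffffffL had the same ambiguity and was not even all-ones on a 64-bit long, so the change improves consistency rather than detectability. That limitation should be stated in the comment instead of "hmm... a bit ugly", e.g. `/* Does not fit in a long: return -1 as an overflow sentinel. Callers that may see a genuine -1 must check a->length themselves or use ASN1_INTEGER_to_BN. */`. The rest of the function, including the sign handling, is outside the hunk.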
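--- a/src/lib/libcrypto/asn1/a_sign.c
+++ b/src/lib/libcrypto/asn1/a_sign.c
@@ -184,9 +184,9 @@ int ASN1_sign(i2d_of_void *i2d, X509_ALGOR *algor1, X509_ALGOR *algor2,
 p=buf_in;
 
 i2d(data,&p);
-EVP_SignInit_ex(&ctx,type, NULL);
-EVP_SignUpdate(&ctx,(unsigned char *)buf_in,inl);
-if (!EVP_SignFinal(&ctx,(unsigned char *)buf_out,
+if (!EVP_SignInit_ex(&ctx,type, NULL)
+|| !EVP_SignUpdate(&ctx,(unsigned char *)buf_in,inl)
+|| !EVP_SignFinal(&ctx,(unsigned char *)buf_out,
 (unsigned int *)&outl,pkey))
 {
 outl=0;
@@ -218,65 +218,100 @@ int ASN1_item_sign(const ASN1_ITEM *it, X509_ALGOR *algor1, X509_ALGOR *algor2,
 const EVP_MD *type)
 {
 EVP_MD_CTX ctx;
+EVP_MD_CTX_init(&ctx);
+if (!EVP_DigestSignInit(&ctx, NULL, type, NULL, pkey))
+{
+EVP_MD_CTX_cleanup(&ctx);
+return 0;
+}
+return ASN1_item_sign_ctx(it, algor1, algor2, signature, asn, &ctx);
+}
+
+
+int ASN1_item_sign_ctx(const ASN1_ITEM *it,
+X509_ALGOR *algor1, X509_ALGOR *algor2,
+ASN1_BIT_STRING *signature, void *asn, EVP_MD_CTX *ctx)
+{
+const EVP_MD *type;
+EVP_PKEY *pkey;
 unsigned char *buf_in=NULL,*buf_out=NULL;
-int inl=0,outl=0,outll=0;
+size_t inl=0,outl=0,outll=0;
 int signid, paramtype;
+int rv;
+
+type = EVP_MD_CTX_md(ctx);
+pkey = EVP_PKEY_CTX_get0_pkey(ctx->pctx);
 
-if (type == NULL)
+if (!type || !pkey)
 {
-int def_nid;
-if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) > 0)
-type = EVP_get_digestbynid(def_nid);
+ASN1err(ASN1_F_ASN1_ITEM_SIGN_CTX, ASN1_R_CONTEXT_NOT_INITIALISED);
+return 0;
 }
 
-if (type == NULL)
+if (pkey->ameth->item_sign)
 {
-ASN1err(ASN1_F_ASN1_ITEM_SIGN, ASN1_R_NO_DEFAULT_DIGEST);
-return 0;
+rv = pkey->ameth->item_sign(ctx, it, asn, algor1, algor2,
+signature);
+if (rv == 1)
+outl = signature->length;
+/* Return value meanings:
+ * <=0: error.
+ * 1: method does everything.
+ * 2: carry on as normal.
+ * 3: ASN1 method sets algorithm identifiers: just sign.
+ */
+if (rv <= 0)
+ASN1err(ASN1_F_ASN1_ITEM_SIGN_CTX, ERR_R_EVP_LIB);
+if (rv <= 1)
+goto err;
 }
+else
+rv = 2;
 
-if (type->flags & EVP_MD_FLAG_PKEY_METHOD_SIGNATURE)
+if (rv == 2)
 {
-if (!pkey->ameth ||
-!OBJ_find_sigid_by_algs(&signid, EVP_MD_nid(type),
-pkey->ameth->pkey_id))
+if (type->flags & EVP_MD_FLAG_PKEY_METHOD_SIGNATURE)
 {
-ASN1err(ASN1_F_ASN1_ITEM_SIGN,
-ASN1_R_DIGEST_AND_KEY_TYPE_NOT_SUPPORTED);
-return 0;
+if (!pkey->ameth ||
+!OBJ_find_sigid_by_algs(&signid,
+EVP_MD_nid(type),
+pkey->ameth->pkey_id))
+{
+ASN1err(ASN1_F_ASN1_ITEM_SIGN_CTX,
+ASN1_R_DIGEST_AND_KEY_TYPE_NOT_SUPPORTED);
+return 0;
+}
 }
-}
-else
-signid = type->pkey_type;
+else
+signid = type->pkey_type;
 
 if (pkey->ameth->pkey_flags & ASN1_PKEY_SIGPARAM_NULL)
 paramtype = V_ASN1_NULL;
 else
 paramtype = V_ASN1_UNDEF;
 
 if (algor1)
 X509_ALGOR_set0(algor1, OBJ_nid2obj(signid), paramtype, NULL);
 if (algor2)
 X509_ALGOR_set0(algor2, OBJ_nid2obj(signid), paramtype, NULL);
+
+}
 
-EVP_MD_CTX_init(&ctx);
 inl=ASN1_item_i2d(asn,&buf_in, it);
 outll=outl=EVP_PKEY_size(pkey);
-buf_out=(unsigned char *)OPENSSL_malloc((unsigned int)outl);
+buf_out=OPENSSL_malloc((unsigned int)outl);
 if ((buf_in == NULL) || (buf_out == NULL))
 {
 outl=0;
-ASN1err(ASN1_F_ASN1_ITEM_SIGN,ERR_R_MALLOC_FAILURE);
+ASN1err(ASN1_F_ASN1_ITEM_SIGN_CTX,ERR_R_MALLOC_FAILURE);
 goto err;
 }
 
-EVP_SignInit_ex(&ctx,type, NULL);
-EVP_SignUpdate(&ctx,(unsigned char *)buf_in,inl);
-if (!EVP_SignFinal(&ctx,(unsigned char *)buf_out,
-(unsigned int *)&outl,pkey))
+if (!EVP_DigestSignUpdate(ctx, buf_in, inl)
+|| !EVP_DigestSignFinal(ctx, buf_out, &outl))
 {
 outl=0;
-ASN1err(ASN1_F_ASN1_ITEM_SIGN,ERR_R_EVP_LIB);
+ASN1err(ASN1_F_ASN1_ITEM_SIGN_CTX,ERR_R_EVP_LIB);
 goto err;
 }
 if (signature->data != NULL) OPENSSL_free(signature->data);
@@ -289,7 +324,7 @@ int ASN1_item_sign(const ASN1_ITEM *it, X509_ALGOR *algor1, X509_ALGOR *algor2,
 signature->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07);
 signature->flags|=ASN1_STRING_FLAG_BITS_LEFT;
 err:
-EVP_MD_CTX_cleanup(&ctx);
+EVP_MD_CTX_cleanup(ctx);
 if (buf_in != NULL)
 { OPENSSL_cleanse((char *)buf_in,(unsigned int)inl); OPENSSL_free(buf_in); }
 if (buf_out != NULL)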
diff --git a/src/lib/libcrypto/asn1/a_verify.c b/src/lib/libcrypto/asn1/a_verify.c
index cecdb13c70..432722e409 100644
--- a/src/lib/libcrypto/asn1/a_verify.c
+++ b/src/lib/libcrypto/asn1/a_verify.c
@@ -101,8 +101,13 @@ int ASN1_verify(i2d_of_void *i2d, X509_ALGOR *a, ASN1_BIT_STRING *signature,
101 p=buf_in; 101 p=buf_in;
102 102
103 i2d(data,&p); 103 i2d(data,&p);
104 EVP_VerifyInit_ex(&ctx,type, NULL); 104 if (!EVP_VerifyInit_ex(&ctx,type, NULL)
105 EVP_VerifyUpdate(&ctx,(unsigned char *)buf_in,inl); 105 || !EVP_VerifyUpdate(&ctx,(unsigned char *)buf_in,inl))
106 {
107 ASN1err(ASN1_F_ASN1_VERIFY,ERR_R_EVP_LIB);
108 ret=0;
109 goto err;
110 }
106 111
107 OPENSSL_cleanse(buf_in,(unsigned int)inl); 112 OPENSSL_cleanse(buf_in,(unsigned int)inl);
108 OPENSSL_free(buf_in); 113 OPENSSL_free(buf_in);
@@ -126,11 +131,10 @@ err:
126#endif 131#endif
127 132
128 133
129int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, ASN1_BIT_STRING *signature, 134int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a,
130 void *asn, EVP_PKEY *pkey) 135 ASN1_BIT_STRING *signature, void *asn, EVP_PKEY *pkey)
131 { 136 {
132 EVP_MD_CTX ctx; 137 EVP_MD_CTX ctx;
133 const EVP_MD *type = NULL;
134 unsigned char *buf_in=NULL; 138 unsigned char *buf_in=NULL;
135 int ret= -1,inl; 139 int ret= -1,inl;
136 140
@@ -144,25 +148,47 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, ASN1_BIT_STRING *signat
144 ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ASN1_R_UNKNOWN_SIGNATURE_ALGORITHM); 148 ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ASN1_R_UNKNOWN_SIGNATURE_ALGORITHM);
145 goto err; 149 goto err;
146 } 150 }
147 type=EVP_get_digestbynid(mdnid); 151 if (mdnid == NID_undef)
148 if (type == NULL)
149 { 152 {
150 ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM); 153 if (!pkey->ameth || !pkey->ameth->item_verify)
151 goto err; 154 {
155 ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ASN1_R_UNKNOWN_SIGNATURE_ALGORITHM);
156 goto err;
157 }
158 ret = pkey->ameth->item_verify(&ctx, it, asn, a,
159 signature, pkey);
160 /* Return value of 2 means carry on, anything else means we
161 * exit straight away: either a fatal error of the underlying
162 * verification routine handles all verification.
163 */
164 if (ret != 2)
165 goto err;
166 ret = -1;
152 } 167 }
153 168 else
154 /* Check public key OID matches public key type */
155 if (EVP_PKEY_type(pknid) != pkey->ameth->pkey_id)
156 { 169 {
157 ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ASN1_R_WRONG_PUBLIC_KEY_TYPE); 170 const EVP_MD *type;
158 goto err; 171 type=EVP_get_digestbynid(mdnid);
159 } 172 if (type == NULL)
173 {
174 ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
175 goto err;
176 }
177
178 /* Check public key OID matches public key type */
179 if (EVP_PKEY_type(pknid) != pkey->ameth->pkey_id)
180 {
181 ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ASN1_R_WRONG_PUBLIC_KEY_TYPE);
182 goto err;
183 }
184
185 if (!EVP_DigestVerifyInit(&ctx, NULL, type, NULL, pkey))
186 {
187 ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ERR_R_EVP_LIB);
188 ret=0;
189 goto err;
190 }
160 191
161 if (!EVP_VerifyInit_ex(&ctx,type, NULL))
162 {
163 ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ERR_R_EVP_LIB);
164 ret=0;
165 goto err;
166 } 192 }
167 193
168 inl = ASN1_item_i2d(asn, &buf_in, it); 194 inl = ASN1_item_i2d(asn, &buf_in, it);
@@ -173,13 +199,18 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, ASN1_BIT_STRING *signat
173 goto err; 199 goto err;
174 } 200 }
175 201
176 EVP_VerifyUpdate(&ctx,(unsigned char *)buf_in,inl); 202 if (!EVP_DigestVerifyUpdate(&ctx,buf_in,inl))
203 {
204 ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ERR_R_EVP_LIB);
205 ret=0;
206 goto err;
207 }
177 208
178 OPENSSL_cleanse(buf_in,(unsigned int)inl); 209 OPENSSL_cleanse(buf_in,(unsigned int)inl);
179 OPENSSL_free(buf_in); 210 OPENSSL_free(buf_in);
180 211
181 if (EVP_VerifyFinal(&ctx,(unsigned char *)signature->data, 212 if (EVP_DigestVerifyFinal(&ctx,signature->data,
182 (unsigned int)signature->length,pkey) <= 0) 213 (size_t)signature->length) <= 0)
183 { 214 {
184 ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ERR_R_EVP_LIB); 215 ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ERR_R_EVP_LIB);
185 ret=0; 216 ret=0;
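Review bot: The new early-exit branches in both verify routines jump over the `OPENSSL_cleanse`/`OPENSSL_free` of `buf_in` that immediately follow them: in ASN1_verify the `goto err` added after the EVP_VerifyUpdate check (new lines 104-110) skips new lines 112-113, and in ASN1_item_verify the `EVP_DigestVerifyUpdate` failure branch (new lines 202-207) skips new lines 209-210. Unless the `err:` labels, which lie outside these hunks, release the buffer, every failed update leaks the DER encoding of the signed data; the smallest fix is to free before jumping, `OPENSSL_cleanse(buf_in,(unsigned int)inl); OPENSSL_free(buf_in); goto err;`, or to set `buf_in = NULL` after the existing free and release it once at `err:`. Separately, the `ameth->item_verify` path (new lines 151-166) now runs without the `EVP_PKEY_type(pknid) != pkey->ameth->pkey_id` check that still guards the digest path (new lines 179-183); if every item_verify implementation is expected to validate the algorithm identifier against the key itself, a comment to that effect at new line 158 would keep a future reader from assuming the check is done centrally. Both functions' `err:` labels are outside the hunks.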
diff --git a/src/lib/libcrypto/asn1/asn1.h b/src/lib/libcrypto/asn1/asn1.h
index 59540e4e79..220a0c8c63 100644
--- a/src/lib/libcrypto/asn1/asn1.h
+++ b/src/lib/libcrypto/asn1/asn1.h
@@ -235,7 +235,7 @@ typedef struct asn1_object_st
235 */ 235 */
236#define ASN1_STRING_FLAG_MSTRING 0x040 236#define ASN1_STRING_FLAG_MSTRING 0x040
237/* This is the base type that holds just about everything :-) */ 237/* This is the base type that holds just about everything :-) */
238typedef struct asn1_string_st 238struct asn1_string_st
239 { 239 {
240 int length; 240 int length;
241 int type; 241 int type;
@@ -245,7 +245,7 @@ typedef struct asn1_string_st
245 * input data has a non-zero 'unused bits' value, it will be 245 * input data has a non-zero 'unused bits' value, it will be
246 * handled correctly */ 246 * handled correctly */
247 long flags; 247 long flags;
248 } ASN1_STRING; 248 };
249 249
250/* ASN1_ENCODING structure: this is used to save the received 250/* ASN1_ENCODING structure: this is used to save the received
251 * encoding of an ASN1 type. This is useful to get round 251 * encoding of an ASN1 type. This is useful to get round
@@ -293,7 +293,6 @@ DECLARE_STACK_OF(ASN1_STRING_TABLE)
293 * see asn1t.h 293 * see asn1t.h
294 */ 294 */
295typedef struct ASN1_TEMPLATE_st ASN1_TEMPLATE; 295typedef struct ASN1_TEMPLATE_st ASN1_TEMPLATE;
296typedef struct ASN1_ITEM_st ASN1_ITEM;
297typedef struct ASN1_TLC_st ASN1_TLC; 296typedef struct ASN1_TLC_st ASN1_TLC;
298/* This is just an opaque pointer */ 297/* This is just an opaque pointer */
299typedef struct ASN1_VALUE_st ASN1_VALUE; 298typedef struct ASN1_VALUE_st ASN1_VALUE;
@@ -1194,6 +1193,7 @@ void ERR_load_ASN1_strings(void);
1194#define ASN1_F_ASN1_ITEM_I2D_FP 193 1193#define ASN1_F_ASN1_ITEM_I2D_FP 193
1195#define ASN1_F_ASN1_ITEM_PACK 198 1194#define ASN1_F_ASN1_ITEM_PACK 198
1196#define ASN1_F_ASN1_ITEM_SIGN 195 1195#define ASN1_F_ASN1_ITEM_SIGN 195
1196#define ASN1_F_ASN1_ITEM_SIGN_CTX 220
1197#define ASN1_F_ASN1_ITEM_UNPACK 199 1197#define ASN1_F_ASN1_ITEM_UNPACK 199
1198#define ASN1_F_ASN1_ITEM_VERIFY 197 1198#define ASN1_F_ASN1_ITEM_VERIFY 197
1199#define ASN1_F_ASN1_MBSTRING_NCOPY 122 1199#define ASN1_F_ASN1_MBSTRING_NCOPY 122
@@ -1266,6 +1266,7 @@ void ERR_load_ASN1_strings(void);
1266#define ASN1_F_PKCS5_PBE2_SET_IV 167 1266#define ASN1_F_PKCS5_PBE2_SET_IV 167
1267#define ASN1_F_PKCS5_PBE_SET 202 1267#define ASN1_F_PKCS5_PBE_SET 202
1268#define ASN1_F_PKCS5_PBE_SET0_ALGOR 215 1268#define ASN1_F_PKCS5_PBE_SET0_ALGOR 215
1269#define ASN1_F_PKCS5_PBKDF2_SET 219
1269#define ASN1_F_SMIME_READ_ASN1 212 1270#define ASN1_F_SMIME_READ_ASN1 212
1270#define ASN1_F_SMIME_TEXT 213 1271#define ASN1_F_SMIME_TEXT 213
1271#define ASN1_F_X509_CINF_NEW 168 1272#define ASN1_F_X509_CINF_NEW 168
@@ -1291,6 +1292,7 @@ void ERR_load_ASN1_strings(void);
1291#define ASN1_R_BOOLEAN_IS_WRONG_LENGTH 106 1292#define ASN1_R_BOOLEAN_IS_WRONG_LENGTH 106
1292#define ASN1_R_BUFFER_TOO_SMALL 107 1293#define ASN1_R_BUFFER_TOO_SMALL 107
1293#define ASN1_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER 108 1294#define ASN1_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER 108
1295#define ASN1_R_CONTEXT_NOT_INITIALISED 217
1294#define ASN1_R_DATA_IS_WRONG 109 1296#define ASN1_R_DATA_IS_WRONG 109
1295#define ASN1_R_DECODE_ERROR 110 1297#define ASN1_R_DECODE_ERROR 110
1296#define ASN1_R_DECODING_ERROR 111 1298#define ASN1_R_DECODING_ERROR 111
diff --git a/src/lib/libcrypto/asn1/asn1_err.c b/src/lib/libcrypto/asn1/asn1_err.c
index 6e04d08f31..1a30bf119b 100644
--- a/src/lib/libcrypto/asn1/asn1_err.c
+++ b/src/lib/libcrypto/asn1/asn1_err.c
@@ -1,6 +1,6 @@
1/* crypto/asn1/asn1_err.c */ 1/* crypto/asn1/asn1_err.c */
2/* ==================================================================== 2/* ====================================================================
3 * Copyright (c) 1999-2009 The OpenSSL Project. All rights reserved. 3 * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved.
4 * 4 *
5 * Redistribution and use in source and binary forms, with or without 5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions 6 * modification, are permitted provided that the following conditions
@@ -107,6 +107,7 @@ static ERR_STRING_DATA ASN1_str_functs[]=
107{ERR_FUNC(ASN1_F_ASN1_ITEM_I2D_FP), "ASN1_item_i2d_fp"}, 107{ERR_FUNC(ASN1_F_ASN1_ITEM_I2D_FP), "ASN1_item_i2d_fp"},
108{ERR_FUNC(ASN1_F_ASN1_ITEM_PACK), "ASN1_item_pack"}, 108{ERR_FUNC(ASN1_F_ASN1_ITEM_PACK), "ASN1_item_pack"},
109{ERR_FUNC(ASN1_F_ASN1_ITEM_SIGN), "ASN1_item_sign"}, 109{ERR_FUNC(ASN1_F_ASN1_ITEM_SIGN), "ASN1_item_sign"},
110{ERR_FUNC(ASN1_F_ASN1_ITEM_SIGN_CTX), "ASN1_item_sign_ctx"},
110{ERR_FUNC(ASN1_F_ASN1_ITEM_UNPACK), "ASN1_item_unpack"}, 111{ERR_FUNC(ASN1_F_ASN1_ITEM_UNPACK), "ASN1_item_unpack"},
111{ERR_FUNC(ASN1_F_ASN1_ITEM_VERIFY), "ASN1_item_verify"}, 112{ERR_FUNC(ASN1_F_ASN1_ITEM_VERIFY), "ASN1_item_verify"},
112{ERR_FUNC(ASN1_F_ASN1_MBSTRING_NCOPY), "ASN1_mbstring_ncopy"}, 113{ERR_FUNC(ASN1_F_ASN1_MBSTRING_NCOPY), "ASN1_mbstring_ncopy"},
@@ -179,6 +180,7 @@ static ERR_STRING_DATA ASN1_str_functs[]=
179{ERR_FUNC(ASN1_F_PKCS5_PBE2_SET_IV), "PKCS5_pbe2_set_iv"}, 180{ERR_FUNC(ASN1_F_PKCS5_PBE2_SET_IV), "PKCS5_pbe2_set_iv"},
180{ERR_FUNC(ASN1_F_PKCS5_PBE_SET), "PKCS5_pbe_set"}, 181{ERR_FUNC(ASN1_F_PKCS5_PBE_SET), "PKCS5_pbe_set"},
181{ERR_FUNC(ASN1_F_PKCS5_PBE_SET0_ALGOR), "PKCS5_pbe_set0_algor"}, 182{ERR_FUNC(ASN1_F_PKCS5_PBE_SET0_ALGOR), "PKCS5_pbe_set0_algor"},
183{ERR_FUNC(ASN1_F_PKCS5_PBKDF2_SET), "PKCS5_pbkdf2_set"},
182{ERR_FUNC(ASN1_F_SMIME_READ_ASN1), "SMIME_read_ASN1"}, 184{ERR_FUNC(ASN1_F_SMIME_READ_ASN1), "SMIME_read_ASN1"},
183{ERR_FUNC(ASN1_F_SMIME_TEXT), "SMIME_text"}, 185{ERR_FUNC(ASN1_F_SMIME_TEXT), "SMIME_text"},
184{ERR_FUNC(ASN1_F_X509_CINF_NEW), "X509_CINF_NEW"}, 186{ERR_FUNC(ASN1_F_X509_CINF_NEW), "X509_CINF_NEW"},
@@ -207,6 +209,7 @@ static ERR_STRING_DATA ASN1_str_reasons[]=
207{ERR_REASON(ASN1_R_BOOLEAN_IS_WRONG_LENGTH),"boolean is wrong length"}, 209{ERR_REASON(ASN1_R_BOOLEAN_IS_WRONG_LENGTH),"boolean is wrong length"},
208{ERR_REASON(ASN1_R_BUFFER_TOO_SMALL) ,"buffer too small"}, 210{ERR_REASON(ASN1_R_BUFFER_TOO_SMALL) ,"buffer too small"},
209{ERR_REASON(ASN1_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER),"cipher has no object identifier"}, 211{ERR_REASON(ASN1_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER),"cipher has no object identifier"},
212{ERR_REASON(ASN1_R_CONTEXT_NOT_INITIALISED),"context not initialised"},
210{ERR_REASON(ASN1_R_DATA_IS_WRONG) ,"data is wrong"}, 213{ERR_REASON(ASN1_R_DATA_IS_WRONG) ,"data is wrong"},
211{ERR_REASON(ASN1_R_DECODE_ERROR) ,"decode error"}, 214{ERR_REASON(ASN1_R_DECODE_ERROR) ,"decode error"},
212{ERR_REASON(ASN1_R_DECODING_ERROR) ,"decoding error"}, 215{ERR_REASON(ASN1_R_DECODING_ERROR) ,"decoding error"},
diff --git a/src/lib/libcrypto/asn1/asn_mime.c b/src/lib/libcrypto/asn1/asn_mime.c
index c1d1b12291..54a704a969 100644
--- a/src/lib/libcrypto/asn1/asn_mime.c
+++ b/src/lib/libcrypto/asn1/asn_mime.c
@@ -377,8 +377,12 @@ static int asn1_output_data(BIO *out, BIO *data, ASN1_VALUE *val, int flags,
377 BIO *tmpbio; 377 BIO *tmpbio;
378 const ASN1_AUX *aux = it->funcs; 378 const ASN1_AUX *aux = it->funcs;
379 ASN1_STREAM_ARG sarg; 379 ASN1_STREAM_ARG sarg;
380 int rv = 1;
380 381
381 if (!(flags & SMIME_DETACHED)) 382 /* If data is not deteched or resigning then the output BIO is
383 * already set up to finalise when it is written through.
384 */
385 if (!(flags & SMIME_DETACHED) || (flags & PKCS7_REUSE_DIGEST))
382 { 386 {
383 SMIME_crlf_copy(data, out, flags); 387 SMIME_crlf_copy(data, out, flags);
384 return 1; 388 return 1;
@@ -405,7 +409,7 @@ static int asn1_output_data(BIO *out, BIO *data, ASN1_VALUE *val, int flags,
405 409
406 /* Finalize structure */ 410 /* Finalize structure */
407 if (aux->asn1_cb(ASN1_OP_DETACHED_POST, &val, it, &sarg) <= 0) 411 if (aux->asn1_cb(ASN1_OP_DETACHED_POST, &val, it, &sarg) <= 0)
408 return 0; 412 rv = 0;
409 413
410 /* Now remove any digests prepended to the BIO */ 414 /* Now remove any digests prepended to the BIO */
411 415
@@ -416,7 +420,7 @@ static int asn1_output_data(BIO *out, BIO *data, ASN1_VALUE *val, int flags,
416 sarg.ndef_bio = tmpbio; 420 sarg.ndef_bio = tmpbio;
417 } 421 }
418 422
419 return 1; 423 return rv;
420 424
421 } 425 }
422 426
@@ -486,9 +490,9 @@ ASN1_VALUE *SMIME_read_ASN1(BIO *bio, BIO **bcont, const ASN1_ITEM *it)
486 490
487 if(strcmp(hdr->value, "application/x-pkcs7-signature") && 491 if(strcmp(hdr->value, "application/x-pkcs7-signature") &&
488 strcmp(hdr->value, "application/pkcs7-signature")) { 492 strcmp(hdr->value, "application/pkcs7-signature")) {
489 sk_MIME_HEADER_pop_free(headers, mime_hdr_free);
490 ASN1err(ASN1_F_SMIME_READ_ASN1,ASN1_R_SIG_INVALID_MIME_TYPE); 493 ASN1err(ASN1_F_SMIME_READ_ASN1,ASN1_R_SIG_INVALID_MIME_TYPE);
491 ERR_add_error_data(2, "type: ", hdr->value); 494 ERR_add_error_data(2, "type: ", hdr->value);
495 sk_MIME_HEADER_pop_free(headers, mime_hdr_free);
492 sk_BIO_pop_free(parts, BIO_vfree); 496 sk_BIO_pop_free(parts, BIO_vfree);
493 return NULL; 497 return NULL;
494 } 498 }
@@ -801,7 +805,7 @@ static MIME_HEADER *mime_hdr_new(char *name, char *value)
801 if(name) { 805 if(name) {
802 if(!(tmpname = BUF_strdup(name))) return NULL; 806 if(!(tmpname = BUF_strdup(name))) return NULL;
803 for(p = tmpname ; *p; p++) { 807 for(p = tmpname ; *p; p++) {
804 c = *p; 808 c = (unsigned char)*p;
805 if(isupper(c)) { 809 if(isupper(c)) {
806 c = tolower(c); 810 c = tolower(c);
807 *p = c; 811 *p = c;
@@ -811,7 +815,7 @@ static MIME_HEADER *mime_hdr_new(char *name, char *value)
811 if(value) { 815 if(value) {
812 if(!(tmpval = BUF_strdup(value))) return NULL; 816 if(!(tmpval = BUF_strdup(value))) return NULL;
813 for(p = tmpval ; *p; p++) { 817 for(p = tmpval ; *p; p++) {
814 c = *p; 818 c = (unsigned char)*p;
815 if(isupper(c)) { 819 if(isupper(c)) {
816 c = tolower(c); 820 c = tolower(c);
817 *p = c; 821 *p = c;
@@ -835,7 +839,7 @@ static int mime_hdr_addparam(MIME_HEADER *mhdr, char *name, char *value)
835 tmpname = BUF_strdup(name); 839 tmpname = BUF_strdup(name);
836 if(!tmpname) return 0; 840 if(!tmpname) return 0;
837 for(p = tmpname ; *p; p++) { 841 for(p = tmpname ; *p; p++) {
838 c = *p; 842 c = (unsigned char)*p;
839 if(isupper(c)) { 843 if(isupper(c)) {
840 c = tolower(c); 844 c = tolower(c);
841 *p = c; 845 *p = c;
@@ -858,12 +862,17 @@ static int mime_hdr_addparam(MIME_HEADER *mhdr, char *name, char *value)
858static int mime_hdr_cmp(const MIME_HEADER * const *a, 862static int mime_hdr_cmp(const MIME_HEADER * const *a,
859 const MIME_HEADER * const *b) 863 const MIME_HEADER * const *b)
860{ 864{
865 if (!(*a)->name || !(*b)->name)
866 return !!(*a)->name - !!(*b)->name;
867
861 return(strcmp((*a)->name, (*b)->name)); 868 return(strcmp((*a)->name, (*b)->name));
862} 869}
863 870
864static int mime_param_cmp(const MIME_PARAM * const *a, 871static int mime_param_cmp(const MIME_PARAM * const *a,
865 const MIME_PARAM * const *b) 872 const MIME_PARAM * const *b)
866{ 873{
874 if (!(*a)->param_name || !(*b)->param_name)
875 return !!(*a)->param_name - !!(*b)->param_name;
867 return(strcmp((*a)->param_name, (*b)->param_name)); 876 return(strcmp((*a)->param_name, (*b)->param_name));
868} 877}
869 878
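Review bot: The widened fast path in asn1_output_data (new line 385) still discards the result of `SMIME_crlf_copy(data, out, flags)` and returns 1 unconditionally, so a write failure on the output BIO is reported as success; if SMIME_crlf_copy returns an int status, `return SMIME_crlf_copy(data, out, flags);` would propagate it. The new condition also pulls the PKCS7-specific flag `PKCS7_REUSE_DIGEST` into a generic ASN1 MIME helper; the comment above it explains the intent but has a typo and should say why the layering is crossed, e.g. `/* If data is not detached, or we are re-signing (PKCS7_REUSE_DIGEST), the output BIO is already set up to finalise when written through. */`. The `(unsigned char)` casts before the ctype calls, the NULL-tolerant comparators, and moving `sk_MIME_HEADER_pop_free` below `ERR_add_error_data` so `hdr->value` is no longer read after its stack is freed are all sound as written.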
diff --git a/src/lib/libcrypto/asn1/n_pkey.c b/src/lib/libcrypto/asn1/n_pkey.c
index e7d0439062..e251739933 100644
--- a/src/lib/libcrypto/asn1/n_pkey.c
+++ b/src/lib/libcrypto/asn1/n_pkey.c
@@ -129,6 +129,7 @@ int i2d_RSA_NET(const RSA *a, unsigned char **pp,
129 unsigned char buf[256],*zz; 129 unsigned char buf[256],*zz;
130 unsigned char key[EVP_MAX_KEY_LENGTH]; 130 unsigned char key[EVP_MAX_KEY_LENGTH];
131 EVP_CIPHER_CTX ctx; 131 EVP_CIPHER_CTX ctx;
132 EVP_CIPHER_CTX_init(&ctx);
132 133
133 if (a == NULL) return(0); 134 if (a == NULL) return(0);
134 135
@@ -206,24 +207,28 @@ int i2d_RSA_NET(const RSA *a, unsigned char **pp,
206 i = strlen((char *)buf); 207 i = strlen((char *)buf);
207 /* If the key is used for SGC the algorithm is modified a little. */ 208 /* If the key is used for SGC the algorithm is modified a little. */
208 if(sgckey) { 209 if(sgckey) {
209 EVP_Digest(buf, i, buf, NULL, EVP_md5(), NULL); 210 if (!EVP_Digest(buf, i, buf, NULL, EVP_md5(), NULL))
211 goto err;
210 memcpy(buf + 16, "SGCKEYSALT", 10); 212 memcpy(buf + 16, "SGCKEYSALT", 10);
211 i = 26; 213 i = 26;
212 } 214 }
213 215
214 EVP_BytesToKey(EVP_rc4(),EVP_md5(),NULL,buf,i,1,key,NULL); 216 if (!EVP_BytesToKey(EVP_rc4(),EVP_md5(),NULL,buf,i,1,key,NULL))
217 goto err;
215 OPENSSL_cleanse(buf,256); 218 OPENSSL_cleanse(buf,256);
216 219
217 /* Encrypt private key in place */ 220 /* Encrypt private key in place */
218 zz = enckey->enckey->digest->data; 221 zz = enckey->enckey->digest->data;
219 EVP_CIPHER_CTX_init(&ctx); 222 if (!EVP_EncryptInit_ex(&ctx,EVP_rc4(),NULL,key,NULL))
220 EVP_EncryptInit_ex(&ctx,EVP_rc4(),NULL,key,NULL); 223 goto err;
221 EVP_EncryptUpdate(&ctx,zz,&i,zz,pkeylen); 224 if (!EVP_EncryptUpdate(&ctx,zz,&i,zz,pkeylen))
222 EVP_EncryptFinal_ex(&ctx,zz + i,&j); 225 goto err;
223 EVP_CIPHER_CTX_cleanup(&ctx); 226 if (!EVP_EncryptFinal_ex(&ctx,zz + i,&j))
227 goto err;
224 228
225 ret = i2d_NETSCAPE_ENCRYPTED_PKEY(enckey, pp); 229 ret = i2d_NETSCAPE_ENCRYPTED_PKEY(enckey, pp);
226err: 230err:
231 EVP_CIPHER_CTX_cleanup(&ctx);
227 NETSCAPE_ENCRYPTED_PKEY_free(enckey); 232 NETSCAPE_ENCRYPTED_PKEY_free(enckey);
228 NETSCAPE_PKEY_free(pkey); 233 NETSCAPE_PKEY_free(pkey);
229 return(ret); 234 return(ret);
@@ -288,6 +293,7 @@ static RSA *d2i_RSA_NET_2(RSA **a, ASN1_OCTET_STRING *os,
288 const unsigned char *zz; 293 const unsigned char *zz;
289 unsigned char key[EVP_MAX_KEY_LENGTH]; 294 unsigned char key[EVP_MAX_KEY_LENGTH];
290 EVP_CIPHER_CTX ctx; 295 EVP_CIPHER_CTX ctx;
296 EVP_CIPHER_CTX_init(&ctx);
291 297
292 i=cb((char *)buf,256,"Enter Private Key password:",0); 298 i=cb((char *)buf,256,"Enter Private Key password:",0);
293 if (i != 0) 299 if (i != 0)
@@ -298,19 +304,22 @@ static RSA *d2i_RSA_NET_2(RSA **a, ASN1_OCTET_STRING *os,
298 304
299 i = strlen((char *)buf); 305 i = strlen((char *)buf);
300 if(sgckey){ 306 if(sgckey){
301 EVP_Digest(buf, i, buf, NULL, EVP_md5(), NULL); 307 if (!EVP_Digest(buf, i, buf, NULL, EVP_md5(), NULL))
308 goto err;
302 memcpy(buf + 16, "SGCKEYSALT", 10); 309 memcpy(buf + 16, "SGCKEYSALT", 10);
303 i = 26; 310 i = 26;
304 } 311 }
305 312
306 EVP_BytesToKey(EVP_rc4(),EVP_md5(),NULL,buf,i,1,key,NULL); 313 if (!EVP_BytesToKey(EVP_rc4(),EVP_md5(),NULL,buf,i,1,key,NULL))
314 goto err;
307 OPENSSL_cleanse(buf,256); 315 OPENSSL_cleanse(buf,256);
308 316
309 EVP_CIPHER_CTX_init(&ctx); 317 if (!EVP_DecryptInit_ex(&ctx,EVP_rc4(),NULL, key,NULL))
310 EVP_DecryptInit_ex(&ctx,EVP_rc4(),NULL, key,NULL); 318 goto err;
311 EVP_DecryptUpdate(&ctx,os->data,&i,os->data,os->length); 319 if (!EVP_DecryptUpdate(&ctx,os->data,&i,os->data,os->length))
312 EVP_DecryptFinal_ex(&ctx,&(os->data[i]),&j); 320 goto err;
313 EVP_CIPHER_CTX_cleanup(&ctx); 321 if (!EVP_DecryptFinal_ex(&ctx,&(os->data[i]),&j))
322 goto err;
314 os->length=i+j; 323 os->length=i+j;
315 324
316 zz=os->data; 325 zz=os->data;
@@ -328,6 +337,7 @@ static RSA *d2i_RSA_NET_2(RSA **a, ASN1_OCTET_STRING *os,
328 goto err; 337 goto err;
329 } 338 }
330err: 339err:
340 EVP_CIPHER_CTX_cleanup(&ctx);
331 NETSCAPE_PKEY_free(pkey); 341 NETSCAPE_PKEY_free(pkey);
332 return(ret); 342 return(ret);
333 } 343 }
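Review bot: The new `goto err` branches after `EVP_Digest` and `EVP_BytesToKey` (new lines 210-217 and 307-314) jump past `OPENSSL_cleanse(buf,256)`, so on those paths the user's password stays in the stack buffer, and the derived RC4 key in `key` is never cleansed on any path, old or new. Moving the wipe to the shared exit covers both: under `err:` in i2d_RSA_NET and d2i_RSA_NET_2 add `OPENSSL_cleanse(buf,256); OPENSSL_cleanse(key,sizeof(key));` and drop the inline `OPENSSL_cleanse(buf,256)` calls. In d2i_RSA_NET_2 a failure in the EVP_Decrypt* calls (new lines 317-322) also leaves `os->data` partially decrypted in place with `os->length` untouched, which is only harmless if the caller discards `os` on error; a one-line comment at that `goto err` noting the buffer has been consumed would make that explicit. The RC4/MD5 construction itself is dictated by the legacy Netscape format and is not something this change can alter.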
diff --git a/src/lib/libcrypto/asn1/p5_pbev2.c b/src/lib/libcrypto/asn1/p5_pbev2.c
index cb49b6651d..4ea683036b 100644
--- a/src/lib/libcrypto/asn1/p5_pbev2.c
+++ b/src/lib/libcrypto/asn1/p5_pbev2.c
@@ -91,12 +91,10 @@ X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter,
91 unsigned char *aiv, int prf_nid) 91 unsigned char *aiv, int prf_nid)
92{ 92{
93 X509_ALGOR *scheme = NULL, *kalg = NULL, *ret = NULL; 93 X509_ALGOR *scheme = NULL, *kalg = NULL, *ret = NULL;
94 int alg_nid; 94 int alg_nid, keylen;
95 EVP_CIPHER_CTX ctx; 95 EVP_CIPHER_CTX ctx;
96 unsigned char iv[EVP_MAX_IV_LENGTH]; 96 unsigned char iv[EVP_MAX_IV_LENGTH];
97 PBKDF2PARAM *kdf = NULL;
98 PBE2PARAM *pbe2 = NULL; 97 PBE2PARAM *pbe2 = NULL;
99 ASN1_OCTET_STRING *osalt = NULL;
100 ASN1_OBJECT *obj; 98 ASN1_OBJECT *obj;
101 99
102 alg_nid = EVP_CIPHER_type(cipher); 100 alg_nid = EVP_CIPHER_type(cipher);
@@ -127,7 +125,8 @@ X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter,
127 EVP_CIPHER_CTX_init(&ctx); 125 EVP_CIPHER_CTX_init(&ctx);
128 126
129 /* Dummy cipherinit to just setup the IV, and PRF */ 127 /* Dummy cipherinit to just setup the IV, and PRF */
130 EVP_CipherInit_ex(&ctx, cipher, NULL, NULL, iv, 0); 128 if (!EVP_CipherInit_ex(&ctx, cipher, NULL, NULL, iv, 0))
129 goto err;
131 if(EVP_CIPHER_param_to_asn1(&ctx, scheme->parameter) < 0) { 130 if(EVP_CIPHER_param_to_asn1(&ctx, scheme->parameter) < 0) {
132 ASN1err(ASN1_F_PKCS5_PBE2_SET_IV, 131 ASN1err(ASN1_F_PKCS5_PBE2_SET_IV,
133 ASN1_R_ERROR_SETTING_CIPHER_PARAMS); 132 ASN1_R_ERROR_SETTING_CIPHER_PARAMS);
@@ -145,55 +144,21 @@ X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter,
145 } 144 }
146 EVP_CIPHER_CTX_cleanup(&ctx); 145 EVP_CIPHER_CTX_cleanup(&ctx);
147 146
148 if(!(kdf = PBKDF2PARAM_new())) goto merr;
149 if(!(osalt = M_ASN1_OCTET_STRING_new())) goto merr;
150
151 if (!saltlen) saltlen = PKCS5_SALT_LEN;
152 if (!(osalt->data = OPENSSL_malloc (saltlen))) goto merr;
153 osalt->length = saltlen;
154 if (salt) memcpy (osalt->data, salt, saltlen);
155 else if (RAND_pseudo_bytes (osalt->data, saltlen) < 0) goto merr;
156
157 if(iter <= 0) iter = PKCS5_DEFAULT_ITER;
158 if(!ASN1_INTEGER_set(kdf->iter, iter)) goto merr;
159
160 /* Now include salt in kdf structure */
161 kdf->salt->value.octet_string = osalt;
162 kdf->salt->type = V_ASN1_OCTET_STRING;
163 osalt = NULL;
164
165 /* If its RC2 then we'd better setup the key length */ 147 /* If its RC2 then we'd better setup the key length */
166 148
167 if(alg_nid == NID_rc2_cbc) { 149 if(alg_nid == NID_rc2_cbc)
168 if(!(kdf->keylength = M_ASN1_INTEGER_new())) goto merr; 150 keylen = EVP_CIPHER_key_length(cipher);
169 if(!ASN1_INTEGER_set (kdf->keylength, 151 else
170 EVP_CIPHER_key_length(cipher))) goto merr; 152 keylen = -1;
171 }
172
173 /* prf can stay NULL if we are using hmacWithSHA1 */
174 if (prf_nid != NID_hmacWithSHA1)
175 {
176 kdf->prf = X509_ALGOR_new();
177 if (!kdf->prf)
178 goto merr;
179 X509_ALGOR_set0(kdf->prf, OBJ_nid2obj(prf_nid),
180 V_ASN1_NULL, NULL);
181 }
182
183 /* Now setup the PBE2PARAM keyfunc structure */
184 153
185 pbe2->keyfunc->algorithm = OBJ_nid2obj(NID_id_pbkdf2); 154 /* Setup keyfunc */
186 155
187 /* Encode PBKDF2PARAM into parameter of pbe2 */ 156 X509_ALGOR_free(pbe2->keyfunc);
188 157
189 if(!(pbe2->keyfunc->parameter = ASN1_TYPE_new())) goto merr; 158 pbe2->keyfunc = PKCS5_pbkdf2_set(iter, salt, saltlen, prf_nid, keylen);
190 159
191 if(!ASN1_item_pack(kdf, ASN1_ITEM_rptr(PBKDF2PARAM), 160 if (!pbe2->keyfunc)
192 &pbe2->keyfunc->parameter->value.sequence)) goto merr; 161 goto merr;
193 pbe2->keyfunc->parameter->type = V_ASN1_SEQUENCE;
194
195 PBKDF2PARAM_free(kdf);
196 kdf = NULL;
197 162
198 /* Now set up top level AlgorithmIdentifier */ 163 /* Now set up top level AlgorithmIdentifier */
199 164
@@ -219,8 +184,6 @@ X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter,
219 err: 184 err:
220 PBE2PARAM_free(pbe2); 185 PBE2PARAM_free(pbe2);
221 /* Note 'scheme' is freed as part of pbe2 */ 186 /* Note 'scheme' is freed as part of pbe2 */
222 M_ASN1_OCTET_STRING_free(osalt);
223 PBKDF2PARAM_free(kdf);
224 X509_ALGOR_free(kalg); 187 X509_ALGOR_free(kalg);
225 X509_ALGOR_free(ret); 188 X509_ALGOR_free(ret);
226 189
@@ -233,3 +196,85 @@ X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter,
233 { 196 {
234 return PKCS5_pbe2_set_iv(cipher, iter, salt, saltlen, NULL, -1); 197 return PKCS5_pbe2_set_iv(cipher, iter, salt, saltlen, NULL, -1);
235 } 198 }
199
200X509_ALGOR *PKCS5_pbkdf2_set(int iter, unsigned char *salt, int saltlen,
201 int prf_nid, int keylen)
202 {
203 X509_ALGOR *keyfunc = NULL;
204 PBKDF2PARAM *kdf = NULL;
205 ASN1_OCTET_STRING *osalt = NULL;
206
207 if(!(kdf = PBKDF2PARAM_new()))
208 goto merr;
209 if(!(osalt = M_ASN1_OCTET_STRING_new()))
210 goto merr;
211
212 kdf->salt->value.octet_string = osalt;
213 kdf->salt->type = V_ASN1_OCTET_STRING;
214
215 if (!saltlen)
216 saltlen = PKCS5_SALT_LEN;
217 if (!(osalt->data = OPENSSL_malloc (saltlen)))
218 goto merr;
219
220 osalt->length = saltlen;
221
222 if (salt)
223 memcpy (osalt->data, salt, saltlen);
224 else if (RAND_pseudo_bytes (osalt->data, saltlen) < 0)
225 goto merr;
226
227 if(iter <= 0)
228 iter = PKCS5_DEFAULT_ITER;
229
230 if(!ASN1_INTEGER_set(kdf->iter, iter))
231 goto merr;
232
233 /* If have a key len set it up */
234
235 if(keylen > 0)
236 {
237 if(!(kdf->keylength = M_ASN1_INTEGER_new()))
238 goto merr;
239 if(!ASN1_INTEGER_set (kdf->keylength, keylen))
240 goto merr;
241 }
242
243 /* prf can stay NULL if we are using hmacWithSHA1 */
244 if (prf_nid > 0 && prf_nid != NID_hmacWithSHA1)
245 {
246 kdf->prf = X509_ALGOR_new();
247 if (!kdf->prf)
248 goto merr;
249 X509_ALGOR_set0(kdf->prf, OBJ_nid2obj(prf_nid),
250 V_ASN1_NULL, NULL);
251 }
252
253 /* Finally setup the keyfunc structure */
254
255 keyfunc = X509_ALGOR_new();
256 if (!keyfunc)
257 goto merr;
258
259 keyfunc->algorithm = OBJ_nid2obj(NID_id_pbkdf2);
260
261 /* Encode PBKDF2PARAM into parameter of pbe2 */
262
263 if(!(keyfunc->parameter = ASN1_TYPE_new()))
264 goto merr;
265
266 if(!ASN1_item_pack(kdf, ASN1_ITEM_rptr(PBKDF2PARAM),
267 &keyfunc->parameter->value.sequence))
268 goto merr;
269 keyfunc->parameter->type = V_ASN1_SEQUENCE;
270
271 PBKDF2PARAM_free(kdf);
272 return keyfunc;
273
274 merr:
275 ASN1err(ASN1_F_PKCS5_PBKDF2_SET,ERR_R_MALLOC_FAILURE);
276 PBKDF2PARAM_free(kdf);
277 X509_ALGOR_free(keyfunc);
278 return NULL;
279 }
280
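Review bot: In the new PKCS5_pbkdf2_set the salt is drawn with `RAND_pseudo_bytes` and only a negative return is treated as failure (new lines 224-225), so a return of 0 — the PRNG's signal that the output is not cryptographically strong — still yields a salt that is then baked into the PBKDF2 parameters. A salt is a security parameter and should come from the strong generator with any non-success aborting: `else if (RAND_bytes (osalt->data, saltlen) <= 0) goto merr;`. The same function treats `!saltlen` as "use the default" but passes a negative `saltlen` straight to `OPENSSL_malloc` and `memcpy` (new lines 215-223); `if (saltlen < 0) goto merr;` before the default check closes that. In PKCS5_pbe2_set_iv the new `goto err` after `EVP_CipherInit_ex` (new lines 128-129) skips the `EVP_CIPHER_CTX_cleanup(&ctx)` at new line 145 and the visible `err:` label does not clean the context up either, so a failed init can leave cipher state behind. Lastly, `merr` reports every failure, including the RNG and `ASN1_INTEGER_set` cases, as `ERR_R_MALLOC_FAILURE`, which makes the error stack misleading.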
diff --git a/src/lib/libcrypto/asn1/t_crl.c b/src/lib/libcrypto/asn1/t_crl.c
index ee5a687ce8..c61169208a 100644
--- a/src/lib/libcrypto/asn1/t_crl.c
+++ b/src/lib/libcrypto/asn1/t_crl.c
@@ -94,8 +94,7 @@ int X509_CRL_print(BIO *out, X509_CRL *x)
94 l = X509_CRL_get_version(x); 94 l = X509_CRL_get_version(x);
95 BIO_printf(out, "%8sVersion %lu (0x%lx)\n", "", l+1, l); 95 BIO_printf(out, "%8sVersion %lu (0x%lx)\n", "", l+1, l);
96 i = OBJ_obj2nid(x->sig_alg->algorithm); 96 i = OBJ_obj2nid(x->sig_alg->algorithm);
97 BIO_printf(out, "%8sSignature Algorithm: %s\n", "", 97 X509_signature_print(out, x->sig_alg, NULL);
98 (i == NID_undef) ? "NONE" : OBJ_nid2ln(i));
99 p=X509_NAME_oneline(X509_CRL_get_issuer(x),NULL,0); 98 p=X509_NAME_oneline(X509_CRL_get_issuer(x),NULL,0);
100 BIO_printf(out,"%8sIssuer: %s\n","",p); 99 BIO_printf(out,"%8sIssuer: %s\n","",p);
101 OPENSSL_free(p); 100 OPENSSL_free(p);
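Review bot: The replacement call `X509_signature_print(out, x->sig_alg, NULL);` at new line 97 discards the function's int result, whereas the same call added to t_x509.c in this commit checks it with `<= 0` and bails out; for consistency, and so a write error on `out` is not swallowed, `if (X509_signature_print(out, x->sig_alg, NULL) <= 0) return 0;` would match — though the neighbouring BIO_printf calls in this function also ignore their return, so this may be deliberate house style. With the old two-line printf gone, the `i = OBJ_obj2nid(x->sig_alg->algorithm);` at line 96 looks dead unless `i` is reused further down, outside the hunk.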
diff --git a/src/lib/libcrypto/asn1/t_x509.c b/src/lib/libcrypto/asn1/t_x509.c
index e061f2ffad..edbb39a02f 100644
--- a/src/lib/libcrypto/asn1/t_x509.c
+++ b/src/lib/libcrypto/asn1/t_x509.c
@@ -72,6 +72,7 @@
72#include <openssl/objects.h> 72#include <openssl/objects.h>
73#include <openssl/x509.h> 73#include <openssl/x509.h>
74#include <openssl/x509v3.h> 74#include <openssl/x509v3.h>
75#include "asn1_locl.h"
75 76
76#ifndef OPENSSL_NO_FP_API 77#ifndef OPENSSL_NO_FP_API
77int X509_print_fp(FILE *fp, X509 *x) 78int X509_print_fp(FILE *fp, X509 *x)
@@ -137,10 +138,10 @@ int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, unsigned long cflag)
137 if (BIO_write(bp," Serial Number:",22) <= 0) goto err; 138 if (BIO_write(bp," Serial Number:",22) <= 0) goto err;
138 139
139 bs=X509_get_serialNumber(x); 140 bs=X509_get_serialNumber(x);
140 if (bs->length <= 4) 141 if (bs->length <= (int)sizeof(long))
141 { 142 {
142 l=ASN1_INTEGER_get(bs); 143 l=ASN1_INTEGER_get(bs);
143 if (l < 0) 144 if (bs->type == V_ASN1_NEG_INTEGER)
144 { 145 {
145 l= -l; 146 l= -l;
146 neg="-"; 147 neg="-";
@@ -167,12 +168,16 @@ int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, unsigned long cflag)
167 168
168 if(!(cflag & X509_FLAG_NO_SIGNAME)) 169 if(!(cflag & X509_FLAG_NO_SIGNAME))
169 { 170 {
171 if(X509_signature_print(bp, x->sig_alg, NULL) <= 0)
172 goto err;
173#if 0
170 if (BIO_printf(bp,"%8sSignature Algorithm: ","") <= 0) 174 if (BIO_printf(bp,"%8sSignature Algorithm: ","") <= 0)
171 goto err; 175 goto err;
172 if (i2a_ASN1_OBJECT(bp, ci->signature->algorithm) <= 0) 176 if (i2a_ASN1_OBJECT(bp, ci->signature->algorithm) <= 0)
173 goto err; 177 goto err;
174 if (BIO_puts(bp, "\n") <= 0) 178 if (BIO_puts(bp, "\n") <= 0)
175 goto err; 179 goto err;
180#endif
176 } 181 }
177 182
178 if(!(cflag & X509_FLAG_NO_ISSUER)) 183 if(!(cflag & X509_FLAG_NO_ISSUER))
@@ -255,7 +260,8 @@ int X509_ocspid_print (BIO *bp, X509 *x)
255 goto err; 260 goto err;
256 i2d_X509_NAME(x->cert_info->subject, &dertmp); 261 i2d_X509_NAME(x->cert_info->subject, &dertmp);
257 262
258 EVP_Digest(der, derlen, SHA1md, NULL, EVP_sha1(), NULL); 263 if (!EVP_Digest(der, derlen, SHA1md, NULL, EVP_sha1(), NULL))
264 goto err;
259 for (i=0; i < SHA_DIGEST_LENGTH; i++) 265 for (i=0; i < SHA_DIGEST_LENGTH; i++)
260 { 266 {
261 if (BIO_printf(bp,"%02X",SHA1md[i]) <= 0) goto err; 267 if (BIO_printf(bp,"%02X",SHA1md[i]) <= 0) goto err;
@@ -268,8 +274,10 @@ int X509_ocspid_print (BIO *bp, X509 *x)
268 if (BIO_printf(bp,"\n Public key OCSP hash: ") <= 0) 274 if (BIO_printf(bp,"\n Public key OCSP hash: ") <= 0)
269 goto err; 275 goto err;
270 276
271 EVP_Digest(x->cert_info->key->public_key->data, 277 if (!EVP_Digest(x->cert_info->key->public_key->data,
272 x->cert_info->key->public_key->length, SHA1md, NULL, EVP_sha1(), NULL); 278 x->cert_info->key->public_key->length,
279 SHA1md, NULL, EVP_sha1(), NULL))
280 goto err;
273 for (i=0; i < SHA_DIGEST_LENGTH; i++) 281 for (i=0; i < SHA_DIGEST_LENGTH; i++)
274 { 282 {
275 if (BIO_printf(bp,"%02X",SHA1md[i]) <= 0) 283 if (BIO_printf(bp,"%02X",SHA1md[i]) <= 0)
@@ -283,23 +291,50 @@ err:
283 return(0); 291 return(0);
284 } 292 }
285 293
286int X509_signature_print(BIO *bp, X509_ALGOR *sigalg, ASN1_STRING *sig) 294int X509_signature_dump(BIO *bp, const ASN1_STRING *sig, int indent)
287{ 295{
288 unsigned char *s; 296 const unsigned char *s;
289 int i, n; 297 int i, n;
290 if (BIO_puts(bp," Signature Algorithm: ") <= 0) return 0;
291 if (i2a_ASN1_OBJECT(bp, sigalg->algorithm) <= 0) return 0;
292 298
293 n=sig->length; 299 n=sig->length;
294 s=sig->data; 300 s=sig->data;
295 for (i=0; i<n; i++) 301 for (i=0; i<n; i++)
296 { 302 {
297 if ((i%18) == 0) 303 if ((i%18) == 0)
298 if (BIO_write(bp,"\n ",9) <= 0) return 0; 304 {
305 if (BIO_write(bp,"\n",1) <= 0) return 0;
306 if (BIO_indent(bp, indent, indent) <= 0) return 0;
307 }
299 if (BIO_printf(bp,"%02x%s",s[i], 308 if (BIO_printf(bp,"%02x%s",s[i],
300 ((i+1) == n)?"":":") <= 0) return 0; 309 ((i+1) == n)?"":":") <= 0) return 0;
301 } 310 }
302 if (BIO_write(bp,"\n",1) != 1) return 0; 311 if (BIO_write(bp,"\n",1) != 1) return 0;
312
313 return 1;
314}
315
316int X509_signature_print(BIO *bp, X509_ALGOR *sigalg, ASN1_STRING *sig)
317{
318 int sig_nid;
319 if (BIO_puts(bp," Signature Algorithm: ") <= 0) return 0;
320 if (i2a_ASN1_OBJECT(bp, sigalg->algorithm) <= 0) return 0;
321
322 sig_nid = OBJ_obj2nid(sigalg->algorithm);
323 if (sig_nid != NID_undef)
324 {
325 int pkey_nid, dig_nid;
326 const EVP_PKEY_ASN1_METHOD *ameth;
327 if (OBJ_find_sigid_algs(sig_nid, &dig_nid, &pkey_nid))
328 {
329 ameth = EVP_PKEY_asn1_find(NULL, pkey_nid);
330 if (ameth && ameth->sig_print)
331 return ameth->sig_print(bp, sigalg, sig, 9, 0);
332 }
333 }
334 if (sig)
335 return X509_signature_dump(bp, sig, 9);
336 else if (BIO_puts(bp, "\n") <= 0)
337 return 0;
303 return 1; 338 return 1;
304} 339}
305 340
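Review bot: X509_signature_print (new lines 316-339) passes `sig` through to `ameth->sig_print` with no NULL check, and this same commit calls it with `sig == NULL` from X509_CRL_print, so every sig_print implementation is now required to accept a NULL signature and print only the algorithm parameters; that contract is not stated anywhere visible and deserves a comment above the call, e.g. `/* sig may be NULL (X509_CRL_print passes none): sig_print must then print only the algorithm/parameters */`. The `#if 0 ... #endif` block left in X509_print_ex (new lines 173-180) is dead code that duplicates what X509_signature_print now does and should be deleted rather than parked. Widening the serial-number fast path to `sizeof(long)` bytes (new line 141) only works because ASN1_INTEGER_get's byte shifting wraps into the sign bit for a full-width positive value and the new `V_ASN1_NEG_INTEGER` test no longer trusts the sign of `l`; if the printf that follows (outside the hunk) still formats `l` with `%lu` the digits come out right, but a one-line comment noting that dependency would help the next reader. The added EVP_Digest return checks in X509_ocspid_print are correct, assuming `err:` outside the hunk frees `der`.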
diff --git a/src/lib/libcrypto/asn1/tasn_prn.c b/src/lib/libcrypto/asn1/tasn_prn.c
index 453698012d..542a091a66 100644
--- a/src/lib/libcrypto/asn1/tasn_prn.c
+++ b/src/lib/libcrypto/asn1/tasn_prn.c
@@ -446,11 +446,11 @@ static int asn1_print_fsname(BIO *out, int indent,
446 return 1; 446 return 1;
447 } 447 }
448 448
449static int asn1_print_boolean_ctx(BIO *out, const int bool, 449static int asn1_print_boolean_ctx(BIO *out, int boolval,
450 const ASN1_PCTX *pctx) 450 const ASN1_PCTX *pctx)
451 { 451 {
452 const char *str; 452 const char *str;
453 switch (bool) 453 switch (boolval)
454 { 454 {
455 case -1: 455 case -1:
456 str = "BOOL ABSENT"; 456 str = "BOOL ABSENT";
@@ -574,10 +574,10 @@ static int asn1_primitive_print(BIO *out, ASN1_VALUE **fld,
574 { 574 {
575 case V_ASN1_BOOLEAN: 575 case V_ASN1_BOOLEAN:
576 { 576 {
577 int bool = *(int *)fld; 577 int boolval = *(int *)fld;
578 if (bool == -1) 578 if (boolval == -1)
579 bool = it->size; 579 boolval = it->size;
580 ret = asn1_print_boolean_ctx(out, bool, pctx); 580 ret = asn1_print_boolean_ctx(out, boolval, pctx);
581 } 581 }
582 break; 582 break;
583 583
diff --git a/src/lib/libcrypto/asn1/x_algor.c b/src/lib/libcrypto/asn1/x_algor.c
index 99e53429b7..274e456c73 100644
--- a/src/lib/libcrypto/asn1/x_algor.c
+++ b/src/lib/libcrypto/asn1/x_algor.c
@@ -128,3 +128,17 @@ void X509_ALGOR_get0(ASN1_OBJECT **paobj, int *pptype, void **ppval,
128 } 128 }
129 } 129 }
130 130
131/* Set up an X509_ALGOR DigestAlgorithmIdentifier from an EVP_MD */
132
133void X509_ALGOR_set_md(X509_ALGOR *alg, const EVP_MD *md)
134 {
135 int param_type;
136
137 if (md->flags & EVP_MD_FLAG_DIGALGID_ABSENT)
138 param_type = V_ASN1_UNDEF;
139 else
140 param_type = V_ASN1_NULL;
141
142 X509_ALGOR_set0(alg, OBJ_nid2obj(EVP_MD_type(md)), param_type, NULL);
143
144 }
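Review bot: The return value of `X509_ALGOR_set0` is discarded at 142, so if it fails (the non-`V_ASN1_UNDEF` path presumably has to allocate the parameter) the caller of the void `X509_ALGOR_set_md` gets no signal and `alg` may be left only partially updated; `md` is also dereferenced at 137 without a NULL check. Since the public signature is void, at least the header comment at 131 should state both, e.g. `/* Set up an X509_ALGOR DigestAlgorithmIdentifier from an EVP_MD. md must be non-NULL; an allocation failure inside X509_ALGOR_set0 is not reported to the caller. */`. The blank line at 143 before the closing brace is stray.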
diff --git a/src/lib/libcrypto/asn1/x_name.c b/src/lib/libcrypto/asn1/x_name.c
index 49be08b4da..d7c2318693 100644
--- a/src/lib/libcrypto/asn1/x_name.c
+++ b/src/lib/libcrypto/asn1/x_name.c
@@ -399,8 +399,7 @@ static int asn1_string_canon(ASN1_STRING *out, ASN1_STRING *in)
399 /* If type not in bitmask just copy string across */ 399 /* If type not in bitmask just copy string across */
400 if (!(ASN1_tag2bit(in->type) & ASN1_MASK_CANON)) 400 if (!(ASN1_tag2bit(in->type) & ASN1_MASK_CANON))
401 { 401 {
402 out->type = in->type; 402 if (!ASN1_STRING_copy(out, in))
403 if (!ASN1_STRING_set(out, in->data, in->length))
404 return 0; 403 return 0;
405 return 1; 404 return 1;
406 } 405 }
diff --git a/src/lib/libcrypto/asn1/x_pubkey.c b/src/lib/libcrypto/asn1/x_pubkey.c
index d42b6a2c54..627ec87f9f 100644
--- a/src/lib/libcrypto/asn1/x_pubkey.c
+++ b/src/lib/libcrypto/asn1/x_pubkey.c
@@ -171,7 +171,16 @@ EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key)
171 goto error; 171 goto error;
172 } 172 }
173 173
174 key->pkey = ret; 174 /* Check to see if another thread set key->pkey first */
175 CRYPTO_w_lock(CRYPTO_LOCK_EVP_PKEY);
176 if (key->pkey)
177 {
178 EVP_PKEY_free(ret);
179 ret = key->pkey;
180 }
181 else
182 key->pkey = ret;
183 CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY);
175 CRYPTO_add(&ret->references, 1, CRYPTO_LOCK_EVP_PKEY); 184 CRYPTO_add(&ret->references, 1, CRYPTO_LOCK_EVP_PKEY);
176 185
177 return ret; 186 return ret;
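Review bot: `EVP_PKEY_free(ret)` at 178 runs while `CRYPTO_LOCK_EVP_PKEY` is held; that free drops the reference through `CRYPTO_add` on the same lock type, which, when no add-lock callback is installed, acquires `CRYPTO_LOCK_EVP_PKEY` again and self-deadlocks on non-recursive locks (the common pthread mutex setup). The unlock should happen before the free in the lost-race branch and after the store in the other branch, as below. `X509_PUBKEY_get` begins outside the hunk, so the earlier error path is not visible here.
```c
	/* Check to see if another thread set key->pkey first */
	CRYPTO_w_lock(CRYPTO_LOCK_EVP_PKEY);
	if (key->pkey)
		{
		/* release the lock before freeing: EVP_PKEY_free takes it again */
		CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY);
		EVP_PKEY_free(ret);
		ret = key->pkey;
		}
	else
		{
		key->pkey = ret;
		CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY);
		}
	/* … unchanged: CRYPTO_add on ret->references and return … */
```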
diff --git a/src/lib/libcrypto/bf/bf_skey.c b/src/lib/libcrypto/bf/bf_skey.c
index 3673cdee6e..3b0bca41ae 100644
--- a/src/lib/libcrypto/bf/bf_skey.c
+++ b/src/lib/libcrypto/bf/bf_skey.c
@@ -58,11 +58,19 @@
58 58
59#include <stdio.h> 59#include <stdio.h>
60#include <string.h> 60#include <string.h>
61#include <openssl/crypto.h>
61#include <openssl/blowfish.h> 62#include <openssl/blowfish.h>
62#include "bf_locl.h" 63#include "bf_locl.h"
63#include "bf_pi.h" 64#include "bf_pi.h"
64 65
65void BF_set_key(BF_KEY *key, int len, const unsigned char *data) 66void BF_set_key(BF_KEY *key, int len, const unsigned char *data)
67#ifdef OPENSSL_FIPS
68 {
69 fips_cipher_abort(BLOWFISH);
70 private_BF_set_key(key, len, data);
71 }
72void private_BF_set_key(BF_KEY *key, int len, const unsigned char *data)
73#endif
66 { 74 {
67 int i; 75 int i;
68 BF_LONG *p,ri,in[2]; 76 BF_LONG *p,ri,in[2];
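Review bot: The `#ifdef OPENSSL_FIPS` splice between the `BF_set_key` signature at 66 and the opening brace at 74 is hard to read: in a non-FIPS build the body belongs to `BF_set_key`, in a FIPS build it becomes `private_BF_set_key` and `BF_set_key` is the short wrapper at 68–71, and nothing in the file says so. A comment above 66 would make the shape explicit, e.g. `/* With OPENSSL_FIPS, BF_set_key is a wrapper that calls fips_cipher_abort() and forwards to private_BF_set_key; the body below is then private_BF_set_key's. */`. The function continues past the end of the hunk.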
diff --git a/src/lib/libcrypto/bf/blowfish.h b/src/lib/libcrypto/bf/blowfish.h
index b97e76f9a3..4b6c8920a4 100644
--- a/src/lib/libcrypto/bf/blowfish.h
+++ b/src/lib/libcrypto/bf/blowfish.h
@@ -104,7 +104,9 @@ typedef struct bf_key_st
104 BF_LONG S[4*256]; 104 BF_LONG S[4*256];
105 } BF_KEY; 105 } BF_KEY;
106 106
107 107#ifdef OPENSSL_FIPS
108void private_BF_set_key(BF_KEY *key, int len, const unsigned char *data);
109#endif
108void BF_set_key(BF_KEY *key, int len, const unsigned char *data); 110void BF_set_key(BF_KEY *key, int len, const unsigned char *data);
109 111
110void BF_encrypt(BF_LONG *data,const BF_KEY *key); 112void BF_encrypt(BF_LONG *data,const BF_KEY *key);
diff --git a/src/lib/libcrypto/bio/b_sock.c b/src/lib/libcrypto/bio/b_sock.c
index d47310d650..41f958be71 100644
--- a/src/lib/libcrypto/bio/b_sock.c
+++ b/src/lib/libcrypto/bio/b_sock.c
@@ -960,7 +960,6 @@ int BIO_set_tcp_ndelay(int s, int on)
960#endif 960#endif
961 return(ret == 0); 961 return(ret == 0);
962 } 962 }
963#endif
964 963
965int BIO_socket_nbio(int s, int mode) 964int BIO_socket_nbio(int s, int mode)
966 { 965 {
@@ -973,3 +972,4 @@ int BIO_socket_nbio(int s, int mode)
973#endif 972#endif
974 return(ret == 0); 973 return(ret == 0);
975 } 974 }
975#endif
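Review bot: Moving the `#endif` from 963 to the end of the file places `BIO_socket_nbio` under the conditional it closes, which changes in which builds that function is compiled; the opening `#if`/`#ifndef` is outside both hunks, so its condition cannot be checked here. Annotating the moved line, `#endif /* <name of the opening conditional> */`, would make the new scope visible at the point of change.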
diff --git a/src/lib/libcrypto/bio/bio.h b/src/lib/libcrypto/bio/bio.h
index ab47abcf14..05699ab212 100644
--- a/src/lib/libcrypto/bio/bio.h
+++ b/src/lib/libcrypto/bio/bio.h
@@ -68,6 +68,14 @@
68 68
69#include <openssl/crypto.h> 69#include <openssl/crypto.h>
70 70
71#ifndef OPENSSL_NO_SCTP
72# ifndef OPENSSL_SYS_VMS
73# include <stdint.h>
74# else
75# include <inttypes.h>
76# endif
77#endif
78
71#ifdef __cplusplus 79#ifdef __cplusplus
72extern "C" { 80extern "C" {
73#endif 81#endif
@@ -95,6 +103,9 @@ extern "C" {
95#define BIO_TYPE_BIO (19|0x0400) /* (half a) BIO pair */ 103#define BIO_TYPE_BIO (19|0x0400) /* (half a) BIO pair */
96#define BIO_TYPE_LINEBUFFER (20|0x0200) /* filter */ 104#define BIO_TYPE_LINEBUFFER (20|0x0200) /* filter */
97#define BIO_TYPE_DGRAM (21|0x0400|0x0100) 105#define BIO_TYPE_DGRAM (21|0x0400|0x0100)
106#ifndef OPENSSL_NO_SCTP
107#define BIO_TYPE_DGRAM_SCTP (24|0x0400|0x0100)
108#endif
98#define BIO_TYPE_ASN1 (22|0x0200) /* filter */ 109#define BIO_TYPE_ASN1 (22|0x0200) /* filter */
99#define BIO_TYPE_COMP (23|0x0200) /* filter */ 110#define BIO_TYPE_COMP (23|0x0200) /* filter */
100 111
@@ -146,6 +157,7 @@ extern "C" {
146/* #endif */ 157/* #endif */
147 158
148#define BIO_CTRL_DGRAM_QUERY_MTU 40 /* as kernel for current MTU */ 159#define BIO_CTRL_DGRAM_QUERY_MTU 40 /* as kernel for current MTU */
160#define BIO_CTRL_DGRAM_GET_FALLBACK_MTU 47
149#define BIO_CTRL_DGRAM_GET_MTU 41 /* get cached value for MTU */ 161#define BIO_CTRL_DGRAM_GET_MTU 41 /* get cached value for MTU */
150#define BIO_CTRL_DGRAM_SET_MTU 42 /* set cached value for 162#define BIO_CTRL_DGRAM_SET_MTU 42 /* set cached value for
151 * MTU. want to use this 163 * MTU. want to use this
@@ -161,7 +173,22 @@ extern "C" {
161#define BIO_CTRL_DGRAM_SET_PEER 44 /* Destination for the data */ 173#define BIO_CTRL_DGRAM_SET_PEER 44 /* Destination for the data */
162 174
163#define BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT 45 /* Next DTLS handshake timeout to 175#define BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT 45 /* Next DTLS handshake timeout to
164 * adjust socket timeouts */ 176 * adjust socket timeouts */
177
178#ifndef OPENSSL_NO_SCTP
179/* SCTP stuff */
180#define BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE 50
181#define BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY 51
182#define BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY 52
183#define BIO_CTRL_DGRAM_SCTP_AUTH_CCS_RCVD 53
184#define BIO_CTRL_DGRAM_SCTP_GET_SNDINFO 60
185#define BIO_CTRL_DGRAM_SCTP_SET_SNDINFO 61
186#define BIO_CTRL_DGRAM_SCTP_GET_RCVINFO 62
187#define BIO_CTRL_DGRAM_SCTP_SET_RCVINFO 63
188#define BIO_CTRL_DGRAM_SCTP_GET_PRINFO 64
189#define BIO_CTRL_DGRAM_SCTP_SET_PRINFO 65
190#define BIO_CTRL_DGRAM_SCTP_SAVE_SHUTDOWN 70
191#endif
165 192
166/* modifiers */ 193/* modifiers */
167#define BIO_FP_READ 0x02 194#define BIO_FP_READ 0x02
@@ -331,6 +358,34 @@ typedef struct bio_f_buffer_ctx_struct
331/* Prefix and suffix callback in ASN1 BIO */ 358/* Prefix and suffix callback in ASN1 BIO */
332typedef int asn1_ps_func(BIO *b, unsigned char **pbuf, int *plen, void *parg); 359typedef int asn1_ps_func(BIO *b, unsigned char **pbuf, int *plen, void *parg);
333 360
361#ifndef OPENSSL_NO_SCTP
362/* SCTP parameter structs */
363struct bio_dgram_sctp_sndinfo
364 {
365 uint16_t snd_sid;
366 uint16_t snd_flags;
367 uint32_t snd_ppid;
368 uint32_t snd_context;
369 };
370
371struct bio_dgram_sctp_rcvinfo
372 {
373 uint16_t rcv_sid;
374 uint16_t rcv_ssn;
375 uint16_t rcv_flags;
376 uint32_t rcv_ppid;
377 uint32_t rcv_tsn;
378 uint32_t rcv_cumtsn;
379 uint32_t rcv_context;
380 };
381
382struct bio_dgram_sctp_prinfo
383 {
384 uint16_t pr_policy;
385 uint32_t pr_value;
386 };
387#endif
388
334/* connect BIO stuff */ 389/* connect BIO stuff */
335#define BIO_CONN_S_BEFORE 1 390#define BIO_CONN_S_BEFORE 1
336#define BIO_CONN_S_GET_IP 2 391#define BIO_CONN_S_GET_IP 2
@@ -628,6 +683,9 @@ BIO_METHOD *BIO_f_linebuffer(void);
628BIO_METHOD *BIO_f_nbio_test(void); 683BIO_METHOD *BIO_f_nbio_test(void);
629#ifndef OPENSSL_NO_DGRAM 684#ifndef OPENSSL_NO_DGRAM
630BIO_METHOD *BIO_s_datagram(void); 685BIO_METHOD *BIO_s_datagram(void);
686#ifndef OPENSSL_NO_SCTP
687BIO_METHOD *BIO_s_datagram_sctp(void);
688#endif
631#endif 689#endif
632 690
633/* BIO_METHOD *BIO_f_ber(void); */ 691/* BIO_METHOD *BIO_f_ber(void); */
@@ -670,6 +728,15 @@ int BIO_set_tcp_ndelay(int sock,int turn_on);
670 728
671BIO *BIO_new_socket(int sock, int close_flag); 729BIO *BIO_new_socket(int sock, int close_flag);
672BIO *BIO_new_dgram(int fd, int close_flag); 730BIO *BIO_new_dgram(int fd, int close_flag);
731#ifndef OPENSSL_NO_SCTP
732BIO *BIO_new_dgram_sctp(int fd, int close_flag);
733int BIO_dgram_is_sctp(BIO *bio);
734int BIO_dgram_sctp_notification_cb(BIO *b,
735 void (*handle_notifications)(BIO *bio, void *context, void *buf),
736 void *context);
737int BIO_dgram_sctp_wait_for_dry(BIO *b);
738int BIO_dgram_sctp_msg_waiting(BIO *b);
739#endif
673BIO *BIO_new_fd(int fd, int close_flag); 740BIO *BIO_new_fd(int fd, int close_flag);
674BIO *BIO_new_connect(char *host_port); 741BIO *BIO_new_connect(char *host_port);
675BIO *BIO_new_accept(char *host_port); 742BIO *BIO_new_accept(char *host_port);
@@ -734,6 +801,7 @@ void ERR_load_BIO_strings(void);
734#define BIO_F_BUFFER_CTRL 114 801#define BIO_F_BUFFER_CTRL 114
735#define BIO_F_CONN_CTRL 127 802#define BIO_F_CONN_CTRL 127
736#define BIO_F_CONN_STATE 115 803#define BIO_F_CONN_STATE 115
804#define BIO_F_DGRAM_SCTP_READ 132
737#define BIO_F_FILE_CTRL 116 805#define BIO_F_FILE_CTRL 116
738#define BIO_F_FILE_READ 130 806#define BIO_F_FILE_READ 130
739#define BIO_F_LINEBUFFER_CTRL 129 807#define BIO_F_LINEBUFFER_CTRL 129
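Review bot: The new SCTP ctrl constants at 180–190 carry no per-line comments, unlike `BIO_CTRL_DGRAM_QUERY_MTU` and its neighbours, and `BIO_CTRL_DGRAM_GET_FALLBACK_MTU 47` at 160 is placed between 40 and 41 rather than in numeric order after 45, which makes a future collision easy to miss. Each new `#define` should say what the ctrl does, e.g. `#define BIO_CTRL_DGRAM_SCTP_SAVE_SHUTDOWN 70 /* hold the shutdown alert until the socket is dry */` (wording to be confirmed against bss_dgram.c). The callback parameter at 735 is a public API and should document what `buf` points to and who owns it.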
diff --git a/src/lib/libcrypto/bio/bio_err.c b/src/lib/libcrypto/bio/bio_err.c
index a224edd5a0..0dbfbd80d3 100644
--- a/src/lib/libcrypto/bio/bio_err.c
+++ b/src/lib/libcrypto/bio/bio_err.c
@@ -1,6 +1,6 @@
1/* crypto/bio/bio_err.c */ 1/* crypto/bio/bio_err.c */
2/* ==================================================================== 2/* ====================================================================
3 * Copyright (c) 1999-2006 The OpenSSL Project. All rights reserved. 3 * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved.
4 * 4 *
5 * Redistribution and use in source and binary forms, with or without 5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions 6 * modification, are permitted provided that the following conditions
@@ -95,6 +95,7 @@ static ERR_STRING_DATA BIO_str_functs[]=
95{ERR_FUNC(BIO_F_BUFFER_CTRL), "BUFFER_CTRL"}, 95{ERR_FUNC(BIO_F_BUFFER_CTRL), "BUFFER_CTRL"},
96{ERR_FUNC(BIO_F_CONN_CTRL), "CONN_CTRL"}, 96{ERR_FUNC(BIO_F_CONN_CTRL), "CONN_CTRL"},
97{ERR_FUNC(BIO_F_CONN_STATE), "CONN_STATE"}, 97{ERR_FUNC(BIO_F_CONN_STATE), "CONN_STATE"},
98{ERR_FUNC(BIO_F_DGRAM_SCTP_READ), "DGRAM_SCTP_READ"},
98{ERR_FUNC(BIO_F_FILE_CTRL), "FILE_CTRL"}, 99{ERR_FUNC(BIO_F_FILE_CTRL), "FILE_CTRL"},
99{ERR_FUNC(BIO_F_FILE_READ), "FILE_READ"}, 100{ERR_FUNC(BIO_F_FILE_READ), "FILE_READ"},
100{ERR_FUNC(BIO_F_LINEBUFFER_CTRL), "LINEBUFFER_CTRL"}, 101{ERR_FUNC(BIO_F_LINEBUFFER_CTRL), "LINEBUFFER_CTRL"},
diff --git a/src/lib/libcrypto/bio/bio_lib.c b/src/lib/libcrypto/bio/bio_lib.c
index e12bc3a2ca..9c9646afa8 100644
--- a/src/lib/libcrypto/bio/bio_lib.c
+++ b/src/lib/libcrypto/bio/bio_lib.c
@@ -521,40 +521,40 @@ void BIO_free_all(BIO *bio)
521 521
522BIO *BIO_dup_chain(BIO *in) 522BIO *BIO_dup_chain(BIO *in)
523 { 523 {
524 BIO *ret=NULL,*eoc=NULL,*bio,*new; 524 BIO *ret=NULL,*eoc=NULL,*bio,*new_bio;
525 525
526 for (bio=in; bio != NULL; bio=bio->next_bio) 526 for (bio=in; bio != NULL; bio=bio->next_bio)
527 { 527 {
528 if ((new=BIO_new(bio->method)) == NULL) goto err; 528 if ((new_bio=BIO_new(bio->method)) == NULL) goto err;
529 new->callback=bio->callback; 529 new_bio->callback=bio->callback;
530 new->cb_arg=bio->cb_arg; 530 new_bio->cb_arg=bio->cb_arg;
531 new->init=bio->init; 531 new_bio->init=bio->init;
532 new->shutdown=bio->shutdown; 532 new_bio->shutdown=bio->shutdown;
533 new->flags=bio->flags; 533 new_bio->flags=bio->flags;
534 534
535 /* This will let SSL_s_sock() work with stdin/stdout */ 535 /* This will let SSL_s_sock() work with stdin/stdout */
536 new->num=bio->num; 536 new_bio->num=bio->num;
537 537
538 if (!BIO_dup_state(bio,(char *)new)) 538 if (!BIO_dup_state(bio,(char *)new_bio))
539 { 539 {
540 BIO_free(new); 540 BIO_free(new_bio);
541 goto err; 541 goto err;
542 } 542 }
543 543
544 /* copy app data */ 544 /* copy app data */
545 if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_BIO, &new->ex_data, 545 if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_BIO, &new_bio->ex_data,
546 &bio->ex_data)) 546 &bio->ex_data))
547 goto err; 547 goto err;
548 548
549 if (ret == NULL) 549 if (ret == NULL)
550 { 550 {
551 eoc=new; 551 eoc=new_bio;
552 ret=eoc; 552 ret=eoc;
553 } 553 }
554 else 554 else
555 { 555 {
556 BIO_push(eoc,new); 556 BIO_push(eoc,new_bio);
557 eoc=new; 557 eoc=new_bio;
558 } 558 }
559 } 559 }
560 return(ret); 560 return(ret);
diff --git a/src/lib/libcrypto/bio/bss_bio.c b/src/lib/libcrypto/bio/bss_bio.c
index 76bd48e767..52ef0ebcb3 100644
--- a/src/lib/libcrypto/bio/bss_bio.c
+++ b/src/lib/libcrypto/bio/bss_bio.c
@@ -277,10 +277,10 @@ static int bio_read(BIO *bio, char *buf, int size_)
277 */ 277 */
278/* WARNING: The non-copying interface is largely untested as of yet 278/* WARNING: The non-copying interface is largely untested as of yet
279 * and may contain bugs. */ 279 * and may contain bugs. */
280static ssize_t bio_nread0(BIO *bio, char **buf) 280static ossl_ssize_t bio_nread0(BIO *bio, char **buf)
281 { 281 {
282 struct bio_bio_st *b, *peer_b; 282 struct bio_bio_st *b, *peer_b;
283 ssize_t num; 283 ossl_ssize_t num;
284 284
285 BIO_clear_retry_flags(bio); 285 BIO_clear_retry_flags(bio);
286 286
@@ -315,15 +315,15 @@ static ssize_t bio_nread0(BIO *bio, char **buf)
315 return num; 315 return num;
316 } 316 }
317 317
318static ssize_t bio_nread(BIO *bio, char **buf, size_t num_) 318static ossl_ssize_t bio_nread(BIO *bio, char **buf, size_t num_)
319 { 319 {
320 struct bio_bio_st *b, *peer_b; 320 struct bio_bio_st *b, *peer_b;
321 ssize_t num, available; 321 ossl_ssize_t num, available;
322 322
323 if (num_ > SSIZE_MAX) 323 if (num_ > SSIZE_MAX)
324 num = SSIZE_MAX; 324 num = SSIZE_MAX;
325 else 325 else
326 num = (ssize_t)num_; 326 num = (ossl_ssize_t)num_;
327 327
328 available = bio_nread0(bio, buf); 328 available = bio_nread0(bio, buf);
329 if (num > available) 329 if (num > available)
@@ -428,7 +428,7 @@ static int bio_write(BIO *bio, const char *buf, int num_)
428 * (example usage: bio_nwrite0(), write to buffer, bio_nwrite() 428 * (example usage: bio_nwrite0(), write to buffer, bio_nwrite()
429 * or just bio_nwrite(), write to buffer) 429 * or just bio_nwrite(), write to buffer)
430 */ 430 */
431static ssize_t bio_nwrite0(BIO *bio, char **buf) 431static ossl_ssize_t bio_nwrite0(BIO *bio, char **buf)
432 { 432 {
433 struct bio_bio_st *b; 433 struct bio_bio_st *b;
434 size_t num; 434 size_t num;
@@ -476,15 +476,15 @@ static ssize_t bio_nwrite0(BIO *bio, char **buf)
476 return num; 476 return num;
477 } 477 }
478 478
479static ssize_t bio_nwrite(BIO *bio, char **buf, size_t num_) 479static ossl_ssize_t bio_nwrite(BIO *bio, char **buf, size_t num_)
480 { 480 {
481 struct bio_bio_st *b; 481 struct bio_bio_st *b;
482 ssize_t num, space; 482 ossl_ssize_t num, space;
483 483
484 if (num_ > SSIZE_MAX) 484 if (num_ > SSIZE_MAX)
485 num = SSIZE_MAX; 485 num = SSIZE_MAX;
486 else 486 else
487 num = (ssize_t)num_; 487 num = (ossl_ssize_t)num_;
488 488
489 space = bio_nwrite0(bio, buf); 489 space = bio_nwrite0(bio, buf);
490 if (num > space) 490 if (num > space)
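Review bot: The clamps at 323 and 484 still compare `num_` against `SSIZE_MAX` although `num` is now `ossl_ssize_t`; where `ossl_ssize_t` differs from the platform `ssize_t` (which is presumably why the typedef exists), `SSIZE_MAX` need not be its maximum and the cast `num = (ossl_ssize_t)num_` can still truncate. The bound should be the one matching the new type, e.g. `if (num_ > <max of ossl_ssize_t>)` with whatever constant the header defining `ossl_ssize_t` provides, at both sites.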
diff --git a/src/lib/libcrypto/bio/bss_dgram.c b/src/lib/libcrypto/bio/bss_dgram.c
index 71ebe987b6..1b1e4bec81 100644
--- a/src/lib/libcrypto/bio/bss_dgram.c
+++ b/src/lib/libcrypto/bio/bss_dgram.c
@@ -70,6 +70,13 @@
70#include <sys/timeb.h> 70#include <sys/timeb.h>
71#endif 71#endif
72 72
73#ifndef OPENSSL_NO_SCTP
74#include <netinet/sctp.h>
75#include <fcntl.h>
76#define OPENSSL_SCTP_DATA_CHUNK_TYPE 0x00
77#define OPENSSL_SCTP_FORWARD_CUM_TSN_CHUNK_TYPE 0xc0
78#endif
79
73#ifdef OPENSSL_SYS_LINUX 80#ifdef OPENSSL_SYS_LINUX
74#define IP_MTU 14 /* linux is lame */ 81#define IP_MTU 14 /* linux is lame */
75#endif 82#endif
@@ -88,6 +95,18 @@ static int dgram_new(BIO *h);
88static int dgram_free(BIO *data); 95static int dgram_free(BIO *data);
89static int dgram_clear(BIO *bio); 96static int dgram_clear(BIO *bio);
90 97
98#ifndef OPENSSL_NO_SCTP
99static int dgram_sctp_write(BIO *h, const char *buf, int num);
100static int dgram_sctp_read(BIO *h, char *buf, int size);
101static int dgram_sctp_puts(BIO *h, const char *str);
102static long dgram_sctp_ctrl(BIO *h, int cmd, long arg1, void *arg2);
103static int dgram_sctp_new(BIO *h);
104static int dgram_sctp_free(BIO *data);
105#ifdef SCTP_AUTHENTICATION_EVENT
106static void dgram_sctp_handle_auth_free_key_event(BIO *b, union sctp_notification *snp);
107#endif
108#endif
109
91static int BIO_dgram_should_retry(int s); 110static int BIO_dgram_should_retry(int s);
92 111
93static void get_current_time(struct timeval *t); 112static void get_current_time(struct timeval *t);
@@ -106,6 +125,22 @@ static BIO_METHOD methods_dgramp=
106 NULL, 125 NULL,
107 }; 126 };
108 127
128#ifndef OPENSSL_NO_SCTP
129static BIO_METHOD methods_dgramp_sctp=
130 {
131 BIO_TYPE_DGRAM_SCTP,
132 "datagram sctp socket",
133 dgram_sctp_write,
134 dgram_sctp_read,
135 dgram_sctp_puts,
136 NULL, /* dgram_gets, */
137 dgram_sctp_ctrl,
138 dgram_sctp_new,
139 dgram_sctp_free,
140 NULL,
141 };
142#endif
143
109typedef struct bio_dgram_data_st 144typedef struct bio_dgram_data_st
110 { 145 {
111 union { 146 union {
@@ -122,6 +157,40 @@ typedef struct bio_dgram_data_st
122 struct timeval socket_timeout; 157 struct timeval socket_timeout;
123 } bio_dgram_data; 158 } bio_dgram_data;
124 159
160#ifndef OPENSSL_NO_SCTP
161typedef struct bio_dgram_sctp_save_message_st
162 {
163 BIO *bio;
164 char *data;
165 int length;
166 } bio_dgram_sctp_save_message;
167
168typedef struct bio_dgram_sctp_data_st
169 {
170 union {
171 struct sockaddr sa;
172 struct sockaddr_in sa_in;
173#if OPENSSL_USE_IPV6
174 struct sockaddr_in6 sa_in6;
175#endif
176 } peer;
177 unsigned int connected;
178 unsigned int _errno;
179 unsigned int mtu;
180 struct bio_dgram_sctp_sndinfo sndinfo;
181 struct bio_dgram_sctp_rcvinfo rcvinfo;
182 struct bio_dgram_sctp_prinfo prinfo;
183 void (*handle_notifications)(BIO *bio, void *context, void *buf);
184 void* notification_context;
185 int in_handshake;
186 int ccs_rcvd;
187 int ccs_sent;
188 int save_shutdown;
189 int peer_auth_tested;
190 bio_dgram_sctp_save_message saved_message;
191 } bio_dgram_sctp_data;
192#endif
193
125BIO_METHOD *BIO_s_datagram(void) 194BIO_METHOD *BIO_s_datagram(void)
126 { 195 {
127 return(&methods_dgramp); 196 return(&methods_dgramp);
@@ -547,6 +616,27 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
547 ret = 0; 616 ret = 0;
548#endif 617#endif
549 break; 618 break;
619 case BIO_CTRL_DGRAM_GET_FALLBACK_MTU:
620 switch (data->peer.sa.sa_family)
621 {
622 case AF_INET:
623 ret = 576 - 20 - 8;
624 break;
625#if OPENSSL_USE_IPV6
626 case AF_INET6:
627#ifdef IN6_IS_ADDR_V4MAPPED
628 if (IN6_IS_ADDR_V4MAPPED(&data->peer.sa_in6.sin6_addr))
629 ret = 576 - 20 - 8;
630 else
631#endif
632 ret = 1280 - 40 - 8;
633 break;
634#endif
635 default:
636 ret = 576 - 20 - 8;
637 break;
638 }
639 break;
550 case BIO_CTRL_DGRAM_GET_MTU: 640 case BIO_CTRL_DGRAM_GET_MTU:
551 return data->mtu; 641 return data->mtu;
552 break; 642 break;
@@ -738,6 +828,912 @@ static int dgram_puts(BIO *bp, const char *str)
738 return(ret); 828 return(ret);
739 } 829 }
740 830
831#ifndef OPENSSL_NO_SCTP
832BIO_METHOD *BIO_s_datagram_sctp(void)
833 {
834 return(&methods_dgramp_sctp);
835 }
836
837BIO *BIO_new_dgram_sctp(int fd, int close_flag)
838 {
839 BIO *bio;
840 int ret, optval = 20000;
841 int auth_data = 0, auth_forward = 0;
842 unsigned char *p;
843 struct sctp_authchunk auth;
844 struct sctp_authchunks *authchunks;
845 socklen_t sockopt_len;
846#ifdef SCTP_AUTHENTICATION_EVENT
847#ifdef SCTP_EVENT
848 struct sctp_event event;
849#else
850 struct sctp_event_subscribe event;
851#endif
852#endif
853
854 bio=BIO_new(BIO_s_datagram_sctp());
855 if (bio == NULL) return(NULL);
856 BIO_set_fd(bio,fd,close_flag);
857
858 /* Activate SCTP-AUTH for DATA and FORWARD-TSN chunks */
859 auth.sauth_chunk = OPENSSL_SCTP_DATA_CHUNK_TYPE;
860 ret = setsockopt(fd, IPPROTO_SCTP, SCTP_AUTH_CHUNK, &auth, sizeof(struct sctp_authchunk));
861 OPENSSL_assert(ret >= 0);
862 auth.sauth_chunk = OPENSSL_SCTP_FORWARD_CUM_TSN_CHUNK_TYPE;
863 ret = setsockopt(fd, IPPROTO_SCTP, SCTP_AUTH_CHUNK, &auth, sizeof(struct sctp_authchunk));
864 OPENSSL_assert(ret >= 0);
865
866 /* Test if activation was successful. When using accept(),
867 * SCTP-AUTH has to be activated for the listening socket
868 * already, otherwise the connected socket won't use it. */
869 sockopt_len = (socklen_t)(sizeof(sctp_assoc_t) + 256 * sizeof(uint8_t));
870 authchunks = OPENSSL_malloc(sockopt_len);
871 memset(authchunks, 0, sizeof(sockopt_len));
872 ret = getsockopt(fd, IPPROTO_SCTP, SCTP_LOCAL_AUTH_CHUNKS, authchunks, &sockopt_len);
873 OPENSSL_assert(ret >= 0);
874
875 for (p = (unsigned char*) authchunks + sizeof(sctp_assoc_t);
876 p < (unsigned char*) authchunks + sockopt_len;
877 p += sizeof(uint8_t))
878 {
879 if (*p == OPENSSL_SCTP_DATA_CHUNK_TYPE) auth_data = 1;
880 if (*p == OPENSSL_SCTP_FORWARD_CUM_TSN_CHUNK_TYPE) auth_forward = 1;
881 }
882
883 OPENSSL_free(authchunks);
884
885 OPENSSL_assert(auth_data);
886 OPENSSL_assert(auth_forward);
887
888#ifdef SCTP_AUTHENTICATION_EVENT
889#ifdef SCTP_EVENT
890 memset(&event, 0, sizeof(struct sctp_event));
891 event.se_assoc_id = 0;
892 event.se_type = SCTP_AUTHENTICATION_EVENT;
893 event.se_on = 1;
894 ret = setsockopt(fd, IPPROTO_SCTP, SCTP_EVENT, &event, sizeof(struct sctp_event));
895 OPENSSL_assert(ret >= 0);
896#else
897 sockopt_len = (socklen_t) sizeof(struct sctp_event_subscribe);
898 ret = getsockopt(fd, IPPROTO_SCTP, SCTP_EVENTS, &event, &sockopt_len);
899 OPENSSL_assert(ret >= 0);
900
901 event.sctp_authentication_event = 1;
902
903 ret = setsockopt(fd, IPPROTO_SCTP, SCTP_EVENTS, &event, sizeof(struct sctp_event_subscribe));
904 OPENSSL_assert(ret >= 0);
905#endif
906#endif
907
908 /* Disable partial delivery by setting the min size
909 * larger than the max record size of 2^14 + 2048 + 13
910 */
911 ret = setsockopt(fd, IPPROTO_SCTP, SCTP_PARTIAL_DELIVERY_POINT, &optval, sizeof(optval));
912 OPENSSL_assert(ret >= 0);
913
914 return(bio);
915 }
916
917int BIO_dgram_is_sctp(BIO *bio)
918 {
919 return (BIO_method_type(bio) == BIO_TYPE_DGRAM_SCTP);
920 }
921
922static int dgram_sctp_new(BIO *bi)
923 {
924 bio_dgram_sctp_data *data = NULL;
925
926 bi->init=0;
927 bi->num=0;
928 data = OPENSSL_malloc(sizeof(bio_dgram_sctp_data));
929 if (data == NULL)
930 return 0;
931 memset(data, 0x00, sizeof(bio_dgram_sctp_data));
932#ifdef SCTP_PR_SCTP_NONE
933 data->prinfo.pr_policy = SCTP_PR_SCTP_NONE;
934#endif
935 bi->ptr = data;
936
937 bi->flags=0;
938 return(1);
939 }
940
941static int dgram_sctp_free(BIO *a)
942 {
943 bio_dgram_sctp_data *data;
944
945 if (a == NULL) return(0);
946 if ( ! dgram_clear(a))
947 return 0;
948
949 data = (bio_dgram_sctp_data *)a->ptr;
950 if(data != NULL) OPENSSL_free(data);
951
952 return(1);
953 }
954
955#ifdef SCTP_AUTHENTICATION_EVENT
956void dgram_sctp_handle_auth_free_key_event(BIO *b, union sctp_notification *snp)
957 {
958 unsigned int sockopt_len = 0;
959 int ret;
960 struct sctp_authkey_event* authkeyevent = &snp->sn_auth_event;
961
962 if (authkeyevent->auth_indication == SCTP_AUTH_FREE_KEY)
963 {
964 struct sctp_authkeyid authkeyid;
965
966 /* delete key */
967 authkeyid.scact_keynumber = authkeyevent->auth_keynumber;
968 sockopt_len = sizeof(struct sctp_authkeyid);
969 ret = setsockopt(b->num, IPPROTO_SCTP, SCTP_AUTH_DELETE_KEY,
970 &authkeyid, sockopt_len);
971 }
972 }
973#endif
974
975static int dgram_sctp_read(BIO *b, char *out, int outl)
976 {
977 int ret = 0, n = 0, i, optval;
978 socklen_t optlen;
979 bio_dgram_sctp_data *data = (bio_dgram_sctp_data *)b->ptr;
980 union sctp_notification *snp;
981 struct msghdr msg;
982 struct iovec iov;
983 struct cmsghdr *cmsg;
984 char cmsgbuf[512];
985
986 if (out != NULL)
987 {
988 clear_socket_error();
989
990 do
991 {
992 memset(&data->rcvinfo, 0x00, sizeof(struct bio_dgram_sctp_rcvinfo));
993 iov.iov_base = out;
994 iov.iov_len = outl;
995 msg.msg_name = NULL;
996 msg.msg_namelen = 0;
997 msg.msg_iov = &iov;
998 msg.msg_iovlen = 1;
999 msg.msg_control = cmsgbuf;
1000 msg.msg_controllen = 512;
1001 msg.msg_flags = 0;
1002 n = recvmsg(b->num, &msg, 0);
1003
1004 if (msg.msg_controllen > 0)
1005 {
1006 for (cmsg = CMSG_FIRSTHDR(&msg); cmsg; cmsg = CMSG_NXTHDR(&msg, cmsg))
1007 {
1008 if (cmsg->cmsg_level != IPPROTO_SCTP)
1009 continue;
1010#ifdef SCTP_RCVINFO
1011 if (cmsg->cmsg_type == SCTP_RCVINFO)
1012 {
1013 struct sctp_rcvinfo *rcvinfo;
1014
1015 rcvinfo = (struct sctp_rcvinfo *)CMSG_DATA(cmsg);
1016 data->rcvinfo.rcv_sid = rcvinfo->rcv_sid;
1017 data->rcvinfo.rcv_ssn = rcvinfo->rcv_ssn;
1018 data->rcvinfo.rcv_flags = rcvinfo->rcv_flags;
1019 data->rcvinfo.rcv_ppid = rcvinfo->rcv_ppid;
1020 data->rcvinfo.rcv_tsn = rcvinfo->rcv_tsn;
1021 data->rcvinfo.rcv_cumtsn = rcvinfo->rcv_cumtsn;
1022 data->rcvinfo.rcv_context = rcvinfo->rcv_context;
1023 }
1024#endif
1025#ifdef SCTP_SNDRCV
1026 if (cmsg->cmsg_type == SCTP_SNDRCV)
1027 {
1028 struct sctp_sndrcvinfo *sndrcvinfo;
1029
1030 sndrcvinfo = (struct sctp_sndrcvinfo *)CMSG_DATA(cmsg);
1031 data->rcvinfo.rcv_sid = sndrcvinfo->sinfo_stream;
1032 data->rcvinfo.rcv_ssn = sndrcvinfo->sinfo_ssn;
1033 data->rcvinfo.rcv_flags = sndrcvinfo->sinfo_flags;
1034 data->rcvinfo.rcv_ppid = sndrcvinfo->sinfo_ppid;
1035 data->rcvinfo.rcv_tsn = sndrcvinfo->sinfo_tsn;
1036 data->rcvinfo.rcv_cumtsn = sndrcvinfo->sinfo_cumtsn;
1037 data->rcvinfo.rcv_context = sndrcvinfo->sinfo_context;
1038 }
1039#endif
1040 }
1041 }
1042
1043 if (n <= 0)
1044 {
1045 if (n < 0)
1046 ret = n;
1047 break;
1048 }
1049
1050 if (msg.msg_flags & MSG_NOTIFICATION)
1051 {
1052 snp = (union sctp_notification*) out;
1053 if (snp->sn_header.sn_type == SCTP_SENDER_DRY_EVENT)
1054 {
1055#ifdef SCTP_EVENT
1056 struct sctp_event event;
1057#else
1058 struct sctp_event_subscribe event;
1059 socklen_t eventsize;
1060#endif
1061 /* If a message has been delayed until the socket
1062 * is dry, it can be sent now.
1063 */
1064 if (data->saved_message.length > 0)
1065 {
1066 dgram_sctp_write(data->saved_message.bio, data->saved_message.data,
1067 data->saved_message.length);
1068 OPENSSL_free(data->saved_message.data);
1069 data->saved_message.length = 0;
1070 }
1071
1072 /* disable sender dry event */
1073#ifdef SCTP_EVENT
1074 memset(&event, 0, sizeof(struct sctp_event));
1075 event.se_assoc_id = 0;
1076 event.se_type = SCTP_SENDER_DRY_EVENT;
1077 event.se_on = 0;
1078 i = setsockopt(b->num, IPPROTO_SCTP, SCTP_EVENT, &event, sizeof(struct sctp_event));
1079 OPENSSL_assert(i >= 0);
1080#else
1081 eventsize = sizeof(struct sctp_event_subscribe);
1082 i = getsockopt(b->num, IPPROTO_SCTP, SCTP_EVENTS, &event, &eventsize);
1083 OPENSSL_assert(i >= 0);
1084
1085 event.sctp_sender_dry_event = 0;
1086
1087 i = setsockopt(b->num, IPPROTO_SCTP, SCTP_EVENTS, &event, sizeof(struct sctp_event_subscribe));
1088 OPENSSL_assert(i >= 0);
1089#endif
1090 }
1091
1092#ifdef SCTP_AUTHENTICATION_EVENT
1093 if (snp->sn_header.sn_type == SCTP_AUTHENTICATION_EVENT)
1094 dgram_sctp_handle_auth_free_key_event(b, snp);
1095#endif
1096
1097 if (data->handle_notifications != NULL)
1098 data->handle_notifications(b, data->notification_context, (void*) out);
1099
1100 memset(out, 0, outl);
1101 }
1102 else
1103 ret += n;
1104 }
1105 while ((msg.msg_flags & MSG_NOTIFICATION) && (msg.msg_flags & MSG_EOR) && (ret < outl));
1106
1107 if (ret > 0 && !(msg.msg_flags & MSG_EOR))
1108 {
1109 /* Partial message read, this should never happen! */
1110
1111 /* The buffer was too small, this means the peer sent
1112 * a message that was larger than allowed. */
1113 if (ret == outl)
1114 return -1;
1115
1116 /* Test if socket buffer can handle max record
1117 * size (2^14 + 2048 + 13)
1118 */
1119 optlen = (socklen_t) sizeof(int);
1120 ret = getsockopt(b->num, SOL_SOCKET, SO_RCVBUF, &optval, &optlen);
1121 OPENSSL_assert(ret >= 0);
1122 OPENSSL_assert(optval >= 18445);
1123
1124 /* Test if SCTP doesn't partially deliver below
1125 * max record size (2^14 + 2048 + 13)
1126 */
1127 optlen = (socklen_t) sizeof(int);
1128 ret = getsockopt(b->num, IPPROTO_SCTP, SCTP_PARTIAL_DELIVERY_POINT,
1129 &optval, &optlen);
1130 OPENSSL_assert(ret >= 0);
1131 OPENSSL_assert(optval >= 18445);
1132
1133 /* Partially delivered notification??? Probably a bug.... */
1134 OPENSSL_assert(!(msg.msg_flags & MSG_NOTIFICATION));
1135
1136 /* Everything seems ok till now, so it's most likely
1137 * a message dropped by PR-SCTP.
1138 */
1139 memset(out, 0, outl);
1140 BIO_set_retry_read(b);
1141 return -1;
1142 }
1143
1144 BIO_clear_retry_flags(b);
1145 if (ret < 0)
1146 {
1147 if (BIO_dgram_should_retry(ret))
1148 {
1149 BIO_set_retry_read(b);
1150 data->_errno = get_last_socket_error();
1151 }
1152 }
1153
1154 /* Test if peer uses SCTP-AUTH before continuing */
1155 if (!data->peer_auth_tested)
1156 {
1157 int ii, auth_data = 0, auth_forward = 0;
1158 unsigned char *p;
1159 struct sctp_authchunks *authchunks;
1160
1161 optlen = (socklen_t)(sizeof(sctp_assoc_t) + 256 * sizeof(uint8_t));
1162 authchunks = OPENSSL_malloc(optlen);
1163 memset(authchunks, 0, sizeof(optlen));
1164 ii = getsockopt(b->num, IPPROTO_SCTP, SCTP_PEER_AUTH_CHUNKS, authchunks, &optlen);
1165 OPENSSL_assert(ii >= 0);
1166
1167 for (p = (unsigned char*) authchunks + sizeof(sctp_assoc_t);
1168 p < (unsigned char*) authchunks + optlen;
1169 p += sizeof(uint8_t))
1170 {
1171 if (*p == OPENSSL_SCTP_DATA_CHUNK_TYPE) auth_data = 1;
1172 if (*p == OPENSSL_SCTP_FORWARD_CUM_TSN_CHUNK_TYPE) auth_forward = 1;
1173 }
1174
1175 OPENSSL_free(authchunks);
1176
1177 if (!auth_data || !auth_forward)
1178 {
1179 BIOerr(BIO_F_DGRAM_SCTP_READ,BIO_R_CONNECT_ERROR);
1180 return -1;
1181 }
1182
1183 data->peer_auth_tested = 1;
1184 }
1185 }
1186 return(ret);
1187 }
1188
1189static int dgram_sctp_write(BIO *b, const char *in, int inl)
1190 {
1191 int ret;
1192 bio_dgram_sctp_data *data = (bio_dgram_sctp_data *)b->ptr;
1193 struct bio_dgram_sctp_sndinfo *sinfo = &(data->sndinfo);
1194 struct bio_dgram_sctp_prinfo *pinfo = &(data->prinfo);
1195 struct bio_dgram_sctp_sndinfo handshake_sinfo;
1196 struct iovec iov[1];
1197 struct msghdr msg;
1198 struct cmsghdr *cmsg;
1199#if defined(SCTP_SNDINFO) && defined(SCTP_PRINFO)
1200 char cmsgbuf[CMSG_SPACE(sizeof(struct sctp_sndinfo)) + CMSG_SPACE(sizeof(struct sctp_prinfo))];
1201 struct sctp_sndinfo *sndinfo;
1202 struct sctp_prinfo *prinfo;
1203#else
1204 char cmsgbuf[CMSG_SPACE(sizeof(struct sctp_sndrcvinfo))];
1205 struct sctp_sndrcvinfo *sndrcvinfo;
1206#endif
1207
1208 clear_socket_error();
1209
1210 /* If we're send anything else than application data,
1211 * disable all user parameters and flags.
1212 */
1213 if (in[0] != 23) {
1214 memset(&handshake_sinfo, 0x00, sizeof(struct bio_dgram_sctp_sndinfo));
1215#ifdef SCTP_SACK_IMMEDIATELY
1216 handshake_sinfo.snd_flags = SCTP_SACK_IMMEDIATELY;
1217#endif
1218 sinfo = &handshake_sinfo;
1219 }
1220
1221 /* If we have to send a shutdown alert message and the
1222 * socket is not dry yet, we have to save it and send it
1223 * as soon as the socket gets dry.
1224 */
1225 if (data->save_shutdown && !BIO_dgram_sctp_wait_for_dry(b))
1226 {
1227 data->saved_message.bio = b;
1228 data->saved_message.length = inl;
1229 data->saved_message.data = OPENSSL_malloc(inl);
1230 memcpy(data->saved_message.data, in, inl);
1231 return inl;
1232 }
1233
1234 iov[0].iov_base = (char *)in;
1235 iov[0].iov_len = inl;
1236 msg.msg_name = NULL;
1237 msg.msg_namelen = 0;
1238 msg.msg_iov = iov;
1239 msg.msg_iovlen = 1;
1240 msg.msg_control = (caddr_t)cmsgbuf;
1241 msg.msg_controllen = 0;
1242 msg.msg_flags = 0;
1243#if defined(SCTP_SNDINFO) && defined(SCTP_PRINFO)
1244 cmsg = (struct cmsghdr *)cmsgbuf;
1245 cmsg->cmsg_level = IPPROTO_SCTP;
1246 cmsg->cmsg_type = SCTP_SNDINFO;
1247 cmsg->cmsg_len = CMSG_LEN(sizeof(struct sctp_sndinfo));
1248 sndinfo = (struct sctp_sndinfo *)CMSG_DATA(cmsg);
1249 memset(sndinfo, 0, sizeof(struct sctp_sndinfo));
1250 sndinfo->snd_sid = sinfo->snd_sid;
1251 sndinfo->snd_flags = sinfo->snd_flags;
1252 sndinfo->snd_ppid = sinfo->snd_ppid;
1253 sndinfo->snd_context = sinfo->snd_context;
1254 msg.msg_controllen += CMSG_SPACE(sizeof(struct sctp_sndinfo));
1255
1256 cmsg = (struct cmsghdr *)&cmsgbuf[CMSG_SPACE(sizeof(struct sctp_sndinfo))];
1257 cmsg->cmsg_level = IPPROTO_SCTP;
1258 cmsg->cmsg_type = SCTP_PRINFO;
1259 cmsg->cmsg_len = CMSG_LEN(sizeof(struct sctp_prinfo));
1260 prinfo = (struct sctp_prinfo *)CMSG_DATA(cmsg);
1261 memset(prinfo, 0, sizeof(struct sctp_prinfo));
1262 prinfo->pr_policy = pinfo->pr_policy;
1263 prinfo->pr_value = pinfo->pr_value;
1264 msg.msg_controllen += CMSG_SPACE(sizeof(struct sctp_prinfo));
1265#else
1266 cmsg = (struct cmsghdr *)cmsgbuf;
1267 cmsg->cmsg_level = IPPROTO_SCTP;
1268 cmsg->cmsg_type = SCTP_SNDRCV;
1269 cmsg->cmsg_len = CMSG_LEN(sizeof(struct sctp_sndrcvinfo));
1270 sndrcvinfo = (struct sctp_sndrcvinfo *)CMSG_DATA(cmsg);
1271 memset(sndrcvinfo, 0, sizeof(struct sctp_sndrcvinfo));
1272 sndrcvinfo->sinfo_stream = sinfo->snd_sid;
1273 sndrcvinfo->sinfo_flags = sinfo->snd_flags;
1274#ifdef __FreeBSD__
1275 sndrcvinfo->sinfo_flags |= pinfo->pr_policy;
1276#endif
1277 sndrcvinfo->sinfo_ppid = sinfo->snd_ppid;
1278 sndrcvinfo->sinfo_context = sinfo->snd_context;
1279 sndrcvinfo->sinfo_timetolive = pinfo->pr_value;
1280 msg.msg_controllen += CMSG_SPACE(sizeof(struct sctp_sndrcvinfo));
1281#endif
1282
1283 ret = sendmsg(b->num, &msg, 0);
1284
1285 BIO_clear_retry_flags(b);
1286 if (ret <= 0)
1287 {
1288 if (BIO_dgram_should_retry(ret))
1289 {
1290 BIO_set_retry_write(b);
1291 data->_errno = get_last_socket_error();
1292 }
1293 }
1294 return(ret);
1295 }
1296
1297static long dgram_sctp_ctrl(BIO *b, int cmd, long num, void *ptr)
1298 {
1299 long ret=1;
1300 bio_dgram_sctp_data *data = NULL;
1301 unsigned int sockopt_len = 0;
1302 struct sctp_authkeyid authkeyid;
1303 struct sctp_authkey *authkey;
1304
1305 data = (bio_dgram_sctp_data *)b->ptr;
1306
1307 switch (cmd)
1308 {
1309 case BIO_CTRL_DGRAM_QUERY_MTU:
1310 /* Set to maximum (2^14)
1311 * and ignore user input to enable transport
1312 * protocol fragmentation.
1313 * Returns always 2^14.
1314 */
1315 data->mtu = 16384;
1316 ret = data->mtu;
1317 break;
1318 case BIO_CTRL_DGRAM_SET_MTU:
1319 /* Set to maximum (2^14)
1320 * and ignore input to enable transport
1321 * protocol fragmentation.
1322 * Returns always 2^14.
1323 */
1324 data->mtu = 16384;
1325 ret = data->mtu;
1326 break;
1327 case BIO_CTRL_DGRAM_SET_CONNECTED:
1328 case BIO_CTRL_DGRAM_CONNECT:
1329 /* Returns always -1. */
1330 ret = -1;
1331 break;
1332 case BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT:
1333 /* SCTP doesn't need the DTLS timer
1334 * Returns always 1.
1335 */
1336 break;
1337 case BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE:
1338 if (num > 0)
1339 data->in_handshake = 1;
1340 else
1341 data->in_handshake = 0;
1342
1343 ret = setsockopt(b->num, IPPROTO_SCTP, SCTP_NODELAY, &data->in_handshake, sizeof(int));
1344 break;
1345 case BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY:
1346 /* New shared key for SCTP AUTH.
1347 * Returns 0 on success, -1 otherwise.
1348 */
1349
1350 /* Get active key */
1351 sockopt_len = sizeof(struct sctp_authkeyid);
1352 ret = getsockopt(b->num, IPPROTO_SCTP, SCTP_AUTH_ACTIVE_KEY, &authkeyid, &sockopt_len);
1353 if (ret < 0) break;
1354
1355 /* Add new key */
1356 sockopt_len = sizeof(struct sctp_authkey) + 64 * sizeof(uint8_t);
1357 authkey = OPENSSL_malloc(sockopt_len);
1358 memset(authkey, 0x00, sockopt_len);
1359 authkey->sca_keynumber = authkeyid.scact_keynumber + 1;
1360#ifndef __FreeBSD__
1361 /* This field is missing in FreeBSD 8.2 and earlier,
1362 * and FreeBSD 8.3 and higher work without it.
1363 */
1364 authkey->sca_keylength = 64;
1365#endif
1366 memcpy(&authkey->sca_key[0], ptr, 64 * sizeof(uint8_t));
1367
1368 ret = setsockopt(b->num, IPPROTO_SCTP, SCTP_AUTH_KEY, authkey, sockopt_len);
1369 if (ret < 0) break;
1370
1371 /* Reset active key */
1372 ret = setsockopt(b->num, IPPROTO_SCTP, SCTP_AUTH_ACTIVE_KEY,
1373 &authkeyid, sizeof(struct sctp_authkeyid));
1374 if (ret < 0) break;
1375
1376 break;
1377 case BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY:
1378 /* Returns 0 on success, -1 otherwise. */
1379
1380 /* Get active key */
1381 sockopt_len = sizeof(struct sctp_authkeyid);
1382 ret = getsockopt(b->num, IPPROTO_SCTP, SCTP_AUTH_ACTIVE_KEY, &authkeyid, &sockopt_len);
1383 if (ret < 0) break;
1384
1385 /* Set active key */
1386 authkeyid.scact_keynumber = authkeyid.scact_keynumber + 1;
1387 ret = setsockopt(b->num, IPPROTO_SCTP, SCTP_AUTH_ACTIVE_KEY,
1388 &authkeyid, sizeof(struct sctp_authkeyid));
1389 if (ret < 0) break;
1390
1391 /* CCS has been sent, so remember that and fall through
1392 * to check if we need to deactivate an old key
1393 */
1394 data->ccs_sent = 1;
1395
1396 case BIO_CTRL_DGRAM_SCTP_AUTH_CCS_RCVD:
1397 /* Returns 0 on success, -1 otherwise. */
1398
1399 /* Has this command really been called or is this just a fall-through? */
1400 if (cmd == BIO_CTRL_DGRAM_SCTP_AUTH_CCS_RCVD)
1401 data->ccs_rcvd = 1;
1402
1403 /* CSS has been both, received and sent, so deactivate an old key */
1404 if (data->ccs_rcvd == 1 && data->ccs_sent == 1)
1405 {
1406 /* Get active key */
1407 sockopt_len = sizeof(struct sctp_authkeyid);
1408 ret = getsockopt(b->num, IPPROTO_SCTP, SCTP_AUTH_ACTIVE_KEY, &authkeyid, &sockopt_len);
1409 if (ret < 0) break;
1410
1411 /* Deactivate key or delete second last key if
1412 * SCTP_AUTHENTICATION_EVENT is not available.
1413 */
1414 authkeyid.scact_keynumber = authkeyid.scact_keynumber - 1;
1415#ifdef SCTP_AUTH_DEACTIVATE_KEY
1416 sockopt_len = sizeof(struct sctp_authkeyid);
1417 ret = setsockopt(b->num, IPPROTO_SCTP, SCTP_AUTH_DEACTIVATE_KEY,
1418 &authkeyid, sockopt_len);
1419 if (ret < 0) break;
1420#endif
1421#ifndef SCTP_AUTHENTICATION_EVENT
1422 if (authkeyid.scact_keynumber > 0)
1423 {
1424 authkeyid.scact_keynumber = authkeyid.scact_keynumber - 1;
1425 ret = setsockopt(b->num, IPPROTO_SCTP, SCTP_AUTH_DELETE_KEY,
1426 &authkeyid, sizeof(struct sctp_authkeyid));
1427 if (ret < 0) break;
1428 }
1429#endif
1430
1431 data->ccs_rcvd = 0;
1432 data->ccs_sent = 0;
1433 }
1434 break;
1435 case BIO_CTRL_DGRAM_SCTP_GET_SNDINFO:
1436 /* Returns the size of the copied struct. */
1437 if (num > (long) sizeof(struct bio_dgram_sctp_sndinfo))
1438 num = sizeof(struct bio_dgram_sctp_sndinfo);
1439
1440 memcpy(ptr, &(data->sndinfo), num);
1441 ret = num;
1442 break;
1443 case BIO_CTRL_DGRAM_SCTP_SET_SNDINFO:
1444 /* Returns the size of the copied struct. */
1445 if (num > (long) sizeof(struct bio_dgram_sctp_sndinfo))
1446 num = sizeof(struct bio_dgram_sctp_sndinfo);
1447
1448 memcpy(&(data->sndinfo), ptr, num);
1449 break;
1450 case BIO_CTRL_DGRAM_SCTP_GET_RCVINFO:
1451 /* Returns the size of the copied struct. */
1452 if (num > (long) sizeof(struct bio_dgram_sctp_rcvinfo))
1453 num = sizeof(struct bio_dgram_sctp_rcvinfo);
1454
1455 memcpy(ptr, &data->rcvinfo, num);
1456
1457 ret = num;
1458 break;
1459 case BIO_CTRL_DGRAM_SCTP_SET_RCVINFO:
1460 /* Returns the size of the copied struct. */
1461 if (num > (long) sizeof(struct bio_dgram_sctp_rcvinfo))
1462 num = sizeof(struct bio_dgram_sctp_rcvinfo);
1463
1464 memcpy(&(data->rcvinfo), ptr, num);
1465 break;
1466 case BIO_CTRL_DGRAM_SCTP_GET_PRINFO:
1467 /* Returns the size of the copied struct. */
1468 if (num > (long) sizeof(struct bio_dgram_sctp_prinfo))
1469 num = sizeof(struct bio_dgram_sctp_prinfo);
1470
1471 memcpy(ptr, &(data->prinfo), num);
1472 ret = num;
1473 break;
1474 case BIO_CTRL_DGRAM_SCTP_SET_PRINFO:
1475 /* Returns the size of the copied struct. */
1476 if (num > (long) sizeof(struct bio_dgram_sctp_prinfo))
1477 num = sizeof(struct bio_dgram_sctp_prinfo);
1478
1479 memcpy(&(data->prinfo), ptr, num);
1480 break;
1481 case BIO_CTRL_DGRAM_SCTP_SAVE_SHUTDOWN:
1482 /* Returns always 1. */
1483 if (num > 0)
1484 data->save_shutdown = 1;
1485 else
1486 data->save_shutdown = 0;
1487 break;
1488
1489 default:
1490 /* Pass to default ctrl function to
1491 * process SCTP unspecific commands
1492 */
1493 ret=dgram_ctrl(b, cmd, num, ptr);
1494 break;
1495 }
1496 return(ret);
1497 }
1498
1499int BIO_dgram_sctp_notification_cb(BIO *b,
1500 void (*handle_notifications)(BIO *bio, void *context, void *buf),
1501 void *context)
1502 {
1503 bio_dgram_sctp_data *data = (bio_dgram_sctp_data *) b->ptr;
1504
1505 if (handle_notifications != NULL)
1506 {
1507 data->handle_notifications = handle_notifications;
1508 data->notification_context = context;
1509 }
1510 else
1511 return -1;
1512
1513 return 0;
1514 }
1515
1516int BIO_dgram_sctp_wait_for_dry(BIO *b)
1517{
1518 int is_dry = 0;
1519 int n, sockflags, ret;
1520 union sctp_notification snp;
1521 struct msghdr msg;
1522 struct iovec iov;
1523#ifdef SCTP_EVENT
1524 struct sctp_event event;
1525#else
1526 struct sctp_event_subscribe event;
1527 socklen_t eventsize;
1528#endif
1529 bio_dgram_sctp_data *data = (bio_dgram_sctp_data *)b->ptr;
1530
1531 /* set sender dry event */
1532#ifdef SCTP_EVENT
1533 memset(&event, 0, sizeof(struct sctp_event));
1534 event.se_assoc_id = 0;
1535 event.se_type = SCTP_SENDER_DRY_EVENT;
1536 event.se_on = 1;
1537 ret = setsockopt(b->num, IPPROTO_SCTP, SCTP_EVENT, &event, sizeof(struct sctp_event));
1538#else
1539 eventsize = sizeof(struct sctp_event_subscribe);
1540 ret = getsockopt(b->num, IPPROTO_SCTP, SCTP_EVENTS, &event, &eventsize);
1541 if (ret < 0)
1542 return -1;
1543
1544 event.sctp_sender_dry_event = 1;
1545
1546 ret = setsockopt(b->num, IPPROTO_SCTP, SCTP_EVENTS, &event, sizeof(struct sctp_event_subscribe));
1547#endif
1548 if (ret < 0)
1549 return -1;
1550
1551 /* peek for notification */
1552 memset(&snp, 0x00, sizeof(union sctp_notification));
1553 iov.iov_base = (char *)&snp;
1554 iov.iov_len = sizeof(union sctp_notification);
1555 msg.msg_name = NULL;
1556 msg.msg_namelen = 0;
1557 msg.msg_iov = &iov;
1558 msg.msg_iovlen = 1;
1559 msg.msg_control = NULL;
1560 msg.msg_controllen = 0;
1561 msg.msg_flags = 0;
1562
1563 n = recvmsg(b->num, &msg, MSG_PEEK);
1564 if (n <= 0)
1565 {
1566 if ((n < 0) && (get_last_socket_error() != EAGAIN) && (get_last_socket_error() != EWOULDBLOCK))
1567 return -1;
1568 else
1569 return 0;
1570 }
1571
1572 /* if we find a notification, process it and try again if necessary */
1573 while (msg.msg_flags & MSG_NOTIFICATION)
1574 {
1575 memset(&snp, 0x00, sizeof(union sctp_notification));
1576 iov.iov_base = (char *)&snp;
1577 iov.iov_len = sizeof(union sctp_notification);
1578 msg.msg_name = NULL;
1579 msg.msg_namelen = 0;
1580 msg.msg_iov = &iov;
1581 msg.msg_iovlen = 1;
1582 msg.msg_control = NULL;
1583 msg.msg_controllen = 0;
1584 msg.msg_flags = 0;
1585
1586 n = recvmsg(b->num, &msg, 0);
1587 if (n <= 0)
1588 {
1589 if ((n < 0) && (get_last_socket_error() != EAGAIN) && (get_last_socket_error() != EWOULDBLOCK))
1590 return -1;
1591 else
1592 return is_dry;
1593 }
1594
1595 if (snp.sn_header.sn_type == SCTP_SENDER_DRY_EVENT)
1596 {
1597 is_dry = 1;
1598
1599 /* disable sender dry event */
1600#ifdef SCTP_EVENT
1601 memset(&event, 0, sizeof(struct sctp_event));
1602 event.se_assoc_id = 0;
1603 event.se_type = SCTP_SENDER_DRY_EVENT;
1604 event.se_on = 0;
1605 ret = setsockopt(b->num, IPPROTO_SCTP, SCTP_EVENT, &event, sizeof(struct sctp_event));
1606#else
1607 eventsize = (socklen_t) sizeof(struct sctp_event_subscribe);
1608 ret = getsockopt(b->num, IPPROTO_SCTP, SCTP_EVENTS, &event, &eventsize);
1609 if (ret < 0)
1610 return -1;
1611
1612 event.sctp_sender_dry_event = 0;
1613
1614 ret = setsockopt(b->num, IPPROTO_SCTP, SCTP_EVENTS, &event, sizeof(struct sctp_event_subscribe));
1615#endif
1616 if (ret < 0)
1617 return -1;
1618 }
1619
1620#ifdef SCTP_AUTHENTICATION_EVENT
1621 if (snp.sn_header.sn_type == SCTP_AUTHENTICATION_EVENT)
1622 dgram_sctp_handle_auth_free_key_event(b, &snp);
1623#endif
1624
1625 if (data->handle_notifications != NULL)
1626 data->handle_notifications(b, data->notification_context, (void*) &snp);
1627
1628 /* found notification, peek again */
1629 memset(&snp, 0x00, sizeof(union sctp_notification));
1630 iov.iov_base = (char *)&snp;
1631 iov.iov_len = sizeof(union sctp_notification);
1632 msg.msg_name = NULL;
1633 msg.msg_namelen = 0;
1634 msg.msg_iov = &iov;
1635 msg.msg_iovlen = 1;
1636 msg.msg_control = NULL;
1637 msg.msg_controllen = 0;
1638 msg.msg_flags = 0;
1639
1640 /* if we have seen the dry already, don't wait */
1641 if (is_dry)
1642 {
1643 sockflags = fcntl(b->num, F_GETFL, 0);
1644 fcntl(b->num, F_SETFL, O_NONBLOCK);
1645 }
1646
1647 n = recvmsg(b->num, &msg, MSG_PEEK);
1648
1649 if (is_dry)
1650 {
1651 fcntl(b->num, F_SETFL, sockflags);
1652 }
1653
1654 if (n <= 0)
1655 {
1656 if ((n < 0) && (get_last_socket_error() != EAGAIN) && (get_last_socket_error() != EWOULDBLOCK))
1657 return -1;
1658 else
1659 return is_dry;
1660 }
1661 }
1662
1663 /* read anything else */
1664 return is_dry;
1665}
1666
1667int BIO_dgram_sctp_msg_waiting(BIO *b)
1668 {
1669 int n, sockflags;
1670 union sctp_notification snp;
1671 struct msghdr msg;
1672 struct iovec iov;
1673 bio_dgram_sctp_data *data = (bio_dgram_sctp_data *)b->ptr;
1674
1675 /* Check if there are any messages waiting to be read */
1676 do
1677 {
1678 memset(&snp, 0x00, sizeof(union sctp_notification));
1679 iov.iov_base = (char *)&snp;
1680 iov.iov_len = sizeof(union sctp_notification);
1681 msg.msg_name = NULL;
1682 msg.msg_namelen = 0;
1683 msg.msg_iov = &iov;
1684 msg.msg_iovlen = 1;
1685 msg.msg_control = NULL;
1686 msg.msg_controllen = 0;
1687 msg.msg_flags = 0;
1688
1689 sockflags = fcntl(b->num, F_GETFL, 0);
1690 fcntl(b->num, F_SETFL, O_NONBLOCK);
1691 n = recvmsg(b->num, &msg, MSG_PEEK);
1692 fcntl(b->num, F_SETFL, sockflags);
1693
1694 /* if notification, process and try again */
1695 if (n > 0 && (msg.msg_flags & MSG_NOTIFICATION))
1696 {
1697#ifdef SCTP_AUTHENTICATION_EVENT
1698 if (snp.sn_header.sn_type == SCTP_AUTHENTICATION_EVENT)
1699 dgram_sctp_handle_auth_free_key_event(b, &snp);
1700#endif
1701
1702 memset(&snp, 0x00, sizeof(union sctp_notification));
1703 iov.iov_base = (char *)&snp;
1704 iov.iov_len = sizeof(union sctp_notification);
1705 msg.msg_name = NULL;
1706 msg.msg_namelen = 0;
1707 msg.msg_iov = &iov;
1708 msg.msg_iovlen = 1;
1709 msg.msg_control = NULL;
1710 msg.msg_controllen = 0;
1711 msg.msg_flags = 0;
1712 n = recvmsg(b->num, &msg, 0);
1713
1714 if (data->handle_notifications != NULL)
1715 data->handle_notifications(b, data->notification_context, (void*) &snp);
1716 }
1717
1718 } while (n > 0 && (msg.msg_flags & MSG_NOTIFICATION));
1719
1720 /* Return 1 if there is a message to be read, return 0 otherwise. */
1721 if (n > 0)
1722 return 1;
1723 else
1724 return 0;
1725 }
1726
1727static int dgram_sctp_puts(BIO *bp, const char *str)
1728 {
1729 int n,ret;
1730
1731 n=strlen(str);
1732 ret=dgram_sctp_write(bp,str,n);
1733 return(ret);
1734 }
1735#endif
1736
741static int BIO_dgram_should_retry(int i) 1737static int BIO_dgram_should_retry(int i)
742 { 1738 {
743 int err; 1739 int err;
diff --git a/src/lib/libcrypto/bn/Makefile b/src/lib/libcrypto/bn/Makefile
index aabc4f56b8..672773454c 100644
--- a/src/lib/libcrypto/bn/Makefile
+++ b/src/lib/libcrypto/bn/Makefile
@@ -26,13 +26,13 @@ LIBSRC= bn_add.c bn_div.c bn_exp.c bn_lib.c bn_ctx.c bn_mul.c bn_mod.c \
26 bn_print.c bn_rand.c bn_shift.c bn_word.c bn_blind.c \ 26 bn_print.c bn_rand.c bn_shift.c bn_word.c bn_blind.c \
27 bn_kron.c bn_sqrt.c bn_gcd.c bn_prime.c bn_err.c bn_sqr.c bn_asm.c \ 27 bn_kron.c bn_sqrt.c bn_gcd.c bn_prime.c bn_err.c bn_sqr.c bn_asm.c \
28 bn_recp.c bn_mont.c bn_mpi.c bn_exp2.c bn_gf2m.c bn_nist.c \ 28 bn_recp.c bn_mont.c bn_mpi.c bn_exp2.c bn_gf2m.c bn_nist.c \
29 bn_depr.c bn_const.c 29 bn_depr.c bn_const.c bn_x931p.c
30 30
31LIBOBJ= bn_add.o bn_div.o bn_exp.o bn_lib.o bn_ctx.o bn_mul.o bn_mod.o \ 31LIBOBJ= bn_add.o bn_div.o bn_exp.o bn_lib.o bn_ctx.o bn_mul.o bn_mod.o \
32 bn_print.o bn_rand.o bn_shift.o bn_word.o bn_blind.o \ 32 bn_print.o bn_rand.o bn_shift.o bn_word.o bn_blind.o \
33 bn_kron.o bn_sqrt.o bn_gcd.o bn_prime.o bn_err.o bn_sqr.o $(BN_ASM) \ 33 bn_kron.o bn_sqrt.o bn_gcd.o bn_prime.o bn_err.o bn_sqr.o $(BN_ASM) \
34 bn_recp.o bn_mont.o bn_mpi.o bn_exp2.o bn_gf2m.o bn_nist.o \ 34 bn_recp.o bn_mont.o bn_mpi.o bn_exp2.o bn_gf2m.o bn_nist.o \
35 bn_depr.o bn_const.o 35 bn_depr.o bn_const.o bn_x931p.o
36 36
37SRC= $(LIBSRC) 37SRC= $(LIBSRC)
38 38
@@ -66,6 +66,8 @@ co-586.s: asm/co-586.pl ../perlasm/x86asm.pl
66 $(PERL) asm/co-586.pl $(PERLASM_SCHEME) $(CFLAGS) $(PROCESSOR) > $@ 66 $(PERL) asm/co-586.pl $(PERLASM_SCHEME) $(CFLAGS) $(PROCESSOR) > $@
67x86-mont.s: asm/x86-mont.pl ../perlasm/x86asm.pl 67x86-mont.s: asm/x86-mont.pl ../perlasm/x86asm.pl
68 $(PERL) asm/x86-mont.pl $(PERLASM_SCHEME) $(CFLAGS) $(PROCESSOR) > $@ 68 $(PERL) asm/x86-mont.pl $(PERLASM_SCHEME) $(CFLAGS) $(PROCESSOR) > $@
69x86-gf2m.s: asm/x86-gf2m.pl ../perlasm/x86asm.pl
70 $(PERL) asm/x86-gf2m.pl $(PERLASM_SCHEME) $(CFLAGS) $(PROCESSOR) > $@
69 71
70sparcv8.o: asm/sparcv8.S 72sparcv8.o: asm/sparcv8.S
71 $(CC) $(CFLAGS) -c asm/sparcv8.S 73 $(CC) $(CFLAGS) -c asm/sparcv8.S
@@ -82,16 +84,31 @@ bn-mips3.o: asm/mips3.s
82 as -$$ABI -O -o $@ asm/mips3.s; \ 84 as -$$ABI -O -o $@ asm/mips3.s; \
83 else $(CC) -c $(CFLAGS) -o $@ asm/mips3.s; fi 85 else $(CC) -c $(CFLAGS) -o $@ asm/mips3.s; fi
84 86
87bn-mips.s: asm/mips.pl
88 $(PERL) asm/mips.pl $(PERLASM_SCHEME) $@
89mips-mont.s: asm/mips-mont.pl
90 $(PERL) asm/mips-mont.pl $(PERLASM_SCHEME) $@
91
85bn-s390x.o: asm/s390x.S 92bn-s390x.o: asm/s390x.S
86 $(CC) $(CFLAGS) -c -o $@ asm/s390x.S 93 $(CC) $(CFLAGS) -c -o $@ asm/s390x.S
94s390x-gf2m.s: asm/s390x-gf2m.pl
95 $(PERL) asm/s390x-gf2m.pl $(PERLASM_SCHEME) $@
87 96
88x86_64-gcc.o: asm/x86_64-gcc.c 97x86_64-gcc.o: asm/x86_64-gcc.c
89 $(CC) $(CFLAGS) -c -o $@ asm/x86_64-gcc.c 98 $(CC) $(CFLAGS) -c -o $@ asm/x86_64-gcc.c
90x86_64-mont.s: asm/x86_64-mont.pl 99x86_64-mont.s: asm/x86_64-mont.pl
91 $(PERL) asm/x86_64-mont.pl $(PERLASM_SCHEME) > $@ 100 $(PERL) asm/x86_64-mont.pl $(PERLASM_SCHEME) > $@
101x86_64-mont5.s: asm/x86_64-mont5.pl
102 $(PERL) asm/x86_64-mont5.pl $(PERLASM_SCHEME) > $@
103x86_64-gf2m.s: asm/x86_64-gf2m.pl
104 $(PERL) asm/x86_64-gf2m.pl $(PERLASM_SCHEME) > $@
105modexp512-x86_64.s: asm/modexp512-x86_64.pl
106 $(PERL) asm/modexp512-x86_64.pl $(PERLASM_SCHEME) > $@
92 107
93bn-ia64.s: asm/ia64.S 108bn-ia64.s: asm/ia64.S
94 $(CC) $(CFLAGS) -E asm/ia64.S > $@ 109 $(CC) $(CFLAGS) -E asm/ia64.S > $@
110ia64-mont.s: asm/ia64-mont.pl
111 $(PERL) asm/ia64-mont.pl $@ $(CFLAGS)
95 112
96# GNU assembler fails to compile PA-RISC2 modules, insist on calling 113# GNU assembler fails to compile PA-RISC2 modules, insist on calling
97# vendor assembler... 114# vendor assembler...
@@ -99,16 +116,22 @@ pa-risc2W.o: asm/pa-risc2W.s
99 /usr/ccs/bin/as -o pa-risc2W.o asm/pa-risc2W.s 116 /usr/ccs/bin/as -o pa-risc2W.o asm/pa-risc2W.s
100pa-risc2.o: asm/pa-risc2.s 117pa-risc2.o: asm/pa-risc2.s
101 /usr/ccs/bin/as -o pa-risc2.o asm/pa-risc2.s 118 /usr/ccs/bin/as -o pa-risc2.o asm/pa-risc2.s
119parisc-mont.s: asm/parisc-mont.pl
120 $(PERL) asm/parisc-mont.pl $(PERLASM_SCHEME) $@
102 121
103# ppc - AIX, Linux, MacOS X... 122# ppc - AIX, Linux, MacOS X...
104bn-ppc.s: asm/ppc.pl; $(PERL) asm/ppc.pl $(PERLASM_SCHEME) $@ 123bn-ppc.s: asm/ppc.pl; $(PERL) asm/ppc.pl $(PERLASM_SCHEME) $@
105ppc-mont.s: asm/ppc-mont.pl;$(PERL) asm/ppc-mont.pl $(PERLASM_SCHEME) $@ 124ppc-mont.s: asm/ppc-mont.pl;$(PERL) asm/ppc-mont.pl $(PERLASM_SCHEME) $@
125ppc64-mont.s: asm/ppc64-mont.pl;$(PERL) asm/ppc64-mont.pl $(PERLASM_SCHEME) $@
106 126
107alpha-mont.s: asm/alpha-mont.pl 127alpha-mont.s: asm/alpha-mont.pl
108 $(PERL) $< | $(CC) -E - | tee $@ > /dev/null 128 $(PERL) $< | $(CC) -E - | tee $@ > /dev/null
109 129
110# GNU make "catch all" 130# GNU make "catch all"
111%-mont.s: asm/%-mont.pl; $(PERL) $< $(CFLAGS) > $@ 131%-mont.s: asm/%-mont.pl; $(PERL) $< $(PERLASM_SCHEME) $@
132%-gf2m.S: asm/%-gf2m.pl; $(PERL) $< $(PERLASM_SCHEME) $@
133
134armv4-gf2m.o: armv4-gf2m.S
112 135
113files: 136files:
114 $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO 137 $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
@@ -345,3 +368,8 @@ bn_word.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
345bn_word.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h 368bn_word.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
346bn_word.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h 369bn_word.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
347bn_word.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h bn_word.c 370bn_word.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h bn_word.c
371bn_x931p.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
372bn_x931p.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
373bn_x931p.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
374bn_x931p.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
375bn_x931p.o: ../../include/openssl/symhacks.h bn_x931p.c
diff --git a/src/lib/libcrypto/bn/bn.h b/src/lib/libcrypto/bn/bn.h
index a0bc47837d..f34248ec4f 100644
--- a/src/lib/libcrypto/bn/bn.h
+++ b/src/lib/libcrypto/bn/bn.h
@@ -558,6 +558,17 @@ int BN_is_prime_ex(const BIGNUM *p,int nchecks, BN_CTX *ctx, BN_GENCB *cb);
558int BN_is_prime_fasttest_ex(const BIGNUM *p,int nchecks, BN_CTX *ctx, 558int BN_is_prime_fasttest_ex(const BIGNUM *p,int nchecks, BN_CTX *ctx,
559 int do_trial_division, BN_GENCB *cb); 559 int do_trial_division, BN_GENCB *cb);
560 560
561int BN_X931_generate_Xpq(BIGNUM *Xp, BIGNUM *Xq, int nbits, BN_CTX *ctx);
562
563int BN_X931_derive_prime_ex(BIGNUM *p, BIGNUM *p1, BIGNUM *p2,
564 const BIGNUM *Xp, const BIGNUM *Xp1, const BIGNUM *Xp2,
565 const BIGNUM *e, BN_CTX *ctx, BN_GENCB *cb);
566int BN_X931_generate_prime_ex(BIGNUM *p, BIGNUM *p1, BIGNUM *p2,
567 BIGNUM *Xp1, BIGNUM *Xp2,
568 const BIGNUM *Xp,
569 const BIGNUM *e, BN_CTX *ctx,
570 BN_GENCB *cb);
571
561BN_MONT_CTX *BN_MONT_CTX_new(void ); 572BN_MONT_CTX *BN_MONT_CTX_new(void );
562void BN_MONT_CTX_init(BN_MONT_CTX *ctx); 573void BN_MONT_CTX_init(BN_MONT_CTX *ctx);
563int BN_mod_mul_montgomery(BIGNUM *r,const BIGNUM *a,const BIGNUM *b, 574int BN_mod_mul_montgomery(BIGNUM *r,const BIGNUM *a,const BIGNUM *b,
@@ -612,6 +623,8 @@ int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
612int BN_div_recp(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, 623int BN_div_recp(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m,
613 BN_RECP_CTX *recp, BN_CTX *ctx); 624 BN_RECP_CTX *recp, BN_CTX *ctx);
614 625
626#ifndef OPENSSL_NO_EC2M
627
615/* Functions for arithmetic over binary polynomials represented by BIGNUMs. 628/* Functions for arithmetic over binary polynomials represented by BIGNUMs.
616 * 629 *
617 * The BIGNUM::neg property of BIGNUMs representing binary polynomials is 630 * The BIGNUM::neg property of BIGNUMs representing binary polynomials is
@@ -663,6 +676,8 @@ int BN_GF2m_mod_solve_quad_arr(BIGNUM *r, const BIGNUM *a,
663int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max); 676int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max);
664int BN_GF2m_arr2poly(const int p[], BIGNUM *a); 677int BN_GF2m_arr2poly(const int p[], BIGNUM *a);
665 678
679#endif
680
666/* faster mod functions for the 'NIST primes' 681/* faster mod functions for the 'NIST primes'
667 * 0 <= a < p^2 */ 682 * 0 <= a < p^2 */
668int BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx); 683int BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
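Review bot: The new BN_X931_generate_Xpq, BN_X931_derive_prime_ex and BN_X931_generate_prime_ex prototypes in the first hunk carry no comment, so a reader of this header cannot tell which BIGNUM arguments are inputs, which are outputs, or what the int return means, while the GF2m group just below shows the file's convention of a block comment ahead of a set of related declarations. I would add a short comment above the first of them naming the standard (ANSI X9.31 prime generation), stating that p, p1 and p2 are outputs derived from the Xp/Xp1/Xp2 seeds and the public exponent e, and giving the return convention — presumably 1 on success and 0 on error like the surrounding BN_* functions, to be confirmed against bn_x931p.c. In the later hunks, the closing `#endif` of the new `#ifndef OPENSSL_NO_EC2M` block is some fifty lines from its opener; `#endif /* OPENSSL_NO_EC2M */` would match the `#endif /* OPENSSL_NO_ASM */` form used in bn_div.c in this same commit.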
diff --git a/src/lib/libcrypto/bn/bn_div.c b/src/lib/libcrypto/bn/bn_div.c
index 802a43d642..52b3304293 100644
--- a/src/lib/libcrypto/bn/bn_div.c
+++ b/src/lib/libcrypto/bn/bn_div.c
@@ -169,15 +169,13 @@ int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
169#endif /* OPENSSL_NO_ASM */ 169#endif /* OPENSSL_NO_ASM */
170 170
171 171
172/* BN_div[_no_branch] computes dv := num / divisor, rounding towards 172/* BN_div computes dv := num / divisor, rounding towards
173 * zero, and sets up rm such that dv*divisor + rm = num holds. 173 * zero, and sets up rm such that dv*divisor + rm = num holds.
174 * Thus: 174 * Thus:
175 * dv->neg == num->neg ^ divisor->neg (unless the result is zero) 175 * dv->neg == num->neg ^ divisor->neg (unless the result is zero)
176 * rm->neg == num->neg (unless the remainder is zero) 176 * rm->neg == num->neg (unless the remainder is zero)
177 * If 'dv' or 'rm' is NULL, the respective value is not returned. 177 * If 'dv' or 'rm' is NULL, the respective value is not returned.
178 */ 178 */
179static int BN_div_no_branch(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num,
180 const BIGNUM *divisor, BN_CTX *ctx);
181int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor, 179int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
182 BN_CTX *ctx) 180 BN_CTX *ctx)
183 { 181 {
@@ -186,6 +184,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
186 BN_ULONG *resp,*wnump; 184 BN_ULONG *resp,*wnump;
187 BN_ULONG d0,d1; 185 BN_ULONG d0,d1;
188 int num_n,div_n; 186 int num_n,div_n;
187 int no_branch=0;
189 188
190 /* Invalid zero-padding would have particularly bad consequences 189 /* Invalid zero-padding would have particularly bad consequences
191 * in the case of 'num', so don't just rely on bn_check_top() for this one 190 * in the case of 'num', so don't just rely on bn_check_top() for this one
@@ -200,7 +199,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
200 199
201 if ((BN_get_flags(num, BN_FLG_CONSTTIME) != 0) || (BN_get_flags(divisor, BN_FLG_CONSTTIME) != 0)) 200 if ((BN_get_flags(num, BN_FLG_CONSTTIME) != 0) || (BN_get_flags(divisor, BN_FLG_CONSTTIME) != 0))
202 { 201 {
203 return BN_div_no_branch(dv, rm, num, divisor, ctx); 202 no_branch=1;
204 } 203 }
205 204
206 bn_check_top(dv); 205 bn_check_top(dv);
@@ -214,7 +213,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
214 return(0); 213 return(0);
215 } 214 }
216 215
217 if (BN_ucmp(num,divisor) < 0) 216 if (!no_branch && BN_ucmp(num,divisor) < 0)
218 { 217 {
219 if (rm != NULL) 218 if (rm != NULL)
220 { if (BN_copy(rm,num) == NULL) return(0); } 219 { if (BN_copy(rm,num) == NULL) return(0); }
@@ -239,242 +238,25 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
239 norm_shift+=BN_BITS2; 238 norm_shift+=BN_BITS2;
240 if (!(BN_lshift(snum,num,norm_shift))) goto err; 239 if (!(BN_lshift(snum,num,norm_shift))) goto err;
241 snum->neg=0; 240 snum->neg=0;
242 div_n=sdiv->top;
243 num_n=snum->top;
244 loop=num_n-div_n;
245 /* Lets setup a 'window' into snum
246 * This is the part that corresponds to the current
247 * 'area' being divided */
248 wnum.neg = 0;
249 wnum.d = &(snum->d[loop]);
250 wnum.top = div_n;
251 /* only needed when BN_ucmp messes up the values between top and max */
252 wnum.dmax = snum->dmax - loop; /* so we don't step out of bounds */
253
254 /* Get the top 2 words of sdiv */
255 /* div_n=sdiv->top; */
256 d0=sdiv->d[div_n-1];
257 d1=(div_n == 1)?0:sdiv->d[div_n-2];
258
259 /* pointer to the 'top' of snum */
260 wnump= &(snum->d[num_n-1]);
261
262 /* Setup to 'res' */
263 res->neg= (num->neg^divisor->neg);
264 if (!bn_wexpand(res,(loop+1))) goto err;
265 res->top=loop;
266 resp= &(res->d[loop-1]);
267
268 /* space for temp */
269 if (!bn_wexpand(tmp,(div_n+1))) goto err;
270 241
271 if (BN_ucmp(&wnum,sdiv) >= 0) 242 if (no_branch)
272 { 243 {
273 /* If BN_DEBUG_RAND is defined BN_ucmp changes (via 244 /* Since we don't know whether snum is larger than sdiv,
274 * bn_pollute) the const bignum arguments => 245 * we pad snum with enough zeroes without changing its
275 * clean the values between top and max again */ 246 * value.
276 bn_clear_top2max(&wnum); 247 */
277 bn_sub_words(wnum.d, wnum.d, sdiv->d, div_n); 248 if (snum->top <= sdiv->top+1)
278 *resp=1;
279 }
280 else
281 res->top--;
282 /* if res->top == 0 then clear the neg value otherwise decrease
283 * the resp pointer */
284 if (res->top == 0)
285 res->neg = 0;
286 else
287 resp--;
288
289 for (i=0; i<loop-1; i++, wnump--, resp--)
290 {
291 BN_ULONG q,l0;
292 /* the first part of the loop uses the top two words of
293 * snum and sdiv to calculate a BN_ULONG q such that
294 * | wnum - sdiv * q | < sdiv */
295#if defined(BN_DIV3W) && !defined(OPENSSL_NO_ASM)
296 BN_ULONG bn_div_3_words(BN_ULONG*,BN_ULONG,BN_ULONG);
297 q=bn_div_3_words(wnump,d1,d0);
298#else
299 BN_ULONG n0,n1,rem=0;
300
301 n0=wnump[0];
302 n1=wnump[-1];
303 if (n0 == d0)
304 q=BN_MASK2;
305 else /* n0 < d0 */
306 {
307#ifdef BN_LLONG
308 BN_ULLONG t2;
309
310#if defined(BN_LLONG) && defined(BN_DIV2W) && !defined(bn_div_words)
311 q=(BN_ULONG)(((((BN_ULLONG)n0)<<BN_BITS2)|n1)/d0);
312#else
313 q=bn_div_words(n0,n1,d0);
314#ifdef BN_DEBUG_LEVITTE
315 fprintf(stderr,"DEBUG: bn_div_words(0x%08X,0x%08X,0x%08\
316X) -> 0x%08X\n",
317 n0, n1, d0, q);
318#endif
319#endif
320
321#ifndef REMAINDER_IS_ALREADY_CALCULATED
322 /*
323 * rem doesn't have to be BN_ULLONG. The least we
324 * know it's less that d0, isn't it?
325 */
326 rem=(n1-q*d0)&BN_MASK2;
327#endif
328 t2=(BN_ULLONG)d1*q;
329
330 for (;;)
331 {
332 if (t2 <= ((((BN_ULLONG)rem)<<BN_BITS2)|wnump[-2]))
333 break;
334 q--;
335 rem += d0;
336 if (rem < d0) break; /* don't let rem overflow */
337 t2 -= d1;
338 }
339#else /* !BN_LLONG */
340 BN_ULONG t2l,t2h;
341
342 q=bn_div_words(n0,n1,d0);
343#ifdef BN_DEBUG_LEVITTE
344 fprintf(stderr,"DEBUG: bn_div_words(0x%08X,0x%08X,0x%08\
345X) -> 0x%08X\n",
346 n0, n1, d0, q);
347#endif
348#ifndef REMAINDER_IS_ALREADY_CALCULATED
349 rem=(n1-q*d0)&BN_MASK2;
350#endif
351
352#if defined(BN_UMULT_LOHI)
353 BN_UMULT_LOHI(t2l,t2h,d1,q);
354#elif defined(BN_UMULT_HIGH)
355 t2l = d1 * q;
356 t2h = BN_UMULT_HIGH(d1,q);
357#else
358 { 249 {
359 BN_ULONG ql, qh; 250 if (bn_wexpand(snum, sdiv->top + 2) == NULL) goto err;
360 t2l=LBITS(d1); t2h=HBITS(d1); 251 for (i = snum->top; i < sdiv->top + 2; i++) snum->d[i] = 0;
361 ql =LBITS(q); qh =HBITS(q); 252 snum->top = sdiv->top + 2;
362 mul64(t2l,t2h,ql,qh); /* t2=(BN_ULLONG)d1*q; */
363 } 253 }
364#endif 254 else
365
366 for (;;)
367 {
368 if ((t2h < rem) ||
369 ((t2h == rem) && (t2l <= wnump[-2])))
370 break;
371 q--;
372 rem += d0;
373 if (rem < d0) break; /* don't let rem overflow */
374 if (t2l < d1) t2h--; t2l -= d1;
375 }
376#endif /* !BN_LLONG */
377 }
378#endif /* !BN_DIV3W */
379
380 l0=bn_mul_words(tmp->d,sdiv->d,div_n,q);
381 tmp->d[div_n]=l0;
382 wnum.d--;
383 /* ingore top values of the bignums just sub the two
384 * BN_ULONG arrays with bn_sub_words */
385 if (bn_sub_words(wnum.d, wnum.d, tmp->d, div_n+1))
386 { 255 {
387 /* Note: As we have considered only the leading 256 if (bn_wexpand(snum, snum->top + 1) == NULL) goto err;
388 * two BN_ULONGs in the calculation of q, sdiv * q 257 snum->d[snum->top] = 0;
389 * might be greater than wnum (but then (q-1) * sdiv 258 snum->top ++;
390 * is less or equal than wnum)
391 */
392 q--;
393 if (bn_add_words(wnum.d, wnum.d, sdiv->d, div_n))
394 /* we can't have an overflow here (assuming
395 * that q != 0, but if q == 0 then tmp is
396 * zero anyway) */
397 (*wnump)++;
398 } 259 }
399 /* store part of the result */
400 *resp = q;
401 }
402 bn_correct_top(snum);
403 if (rm != NULL)
404 {
405 /* Keep a copy of the neg flag in num because if rm==num
406 * BN_rshift() will overwrite it.
407 */
408 int neg = num->neg;
409 BN_rshift(rm,snum,norm_shift);
410 if (!BN_is_zero(rm))
411 rm->neg = neg;
412 bn_check_top(rm);
413 }
414 BN_CTX_end(ctx);
415 return(1);
416err:
417 bn_check_top(rm);
418 BN_CTX_end(ctx);
419 return(0);
420 }
421
422
423/* BN_div_no_branch is a special version of BN_div. It does not contain
424 * branches that may leak sensitive information.
425 */
426static int BN_div_no_branch(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num,
427 const BIGNUM *divisor, BN_CTX *ctx)
428 {
429 int norm_shift,i,loop;
430 BIGNUM *tmp,wnum,*snum,*sdiv,*res;
431 BN_ULONG *resp,*wnump;
432 BN_ULONG d0,d1;
433 int num_n,div_n;
434
435 bn_check_top(dv);
436 bn_check_top(rm);
437 /* bn_check_top(num); */ /* 'num' has been checked in BN_div() */
438 bn_check_top(divisor);
439
440 if (BN_is_zero(divisor))
441 {
442 BNerr(BN_F_BN_DIV_NO_BRANCH,BN_R_DIV_BY_ZERO);
443 return(0);
444 }
445
446 BN_CTX_start(ctx);
447 tmp=BN_CTX_get(ctx);
448 snum=BN_CTX_get(ctx);
449 sdiv=BN_CTX_get(ctx);
450 if (dv == NULL)
451 res=BN_CTX_get(ctx);
452 else res=dv;
453 if (sdiv == NULL || res == NULL) goto err;
454
455 /* First we normalise the numbers */
456 norm_shift=BN_BITS2-((BN_num_bits(divisor))%BN_BITS2);
457 if (!(BN_lshift(sdiv,divisor,norm_shift))) goto err;
458 sdiv->neg=0;
459 norm_shift+=BN_BITS2;
460 if (!(BN_lshift(snum,num,norm_shift))) goto err;
461 snum->neg=0;
462
463 /* Since we don't know whether snum is larger than sdiv,
464 * we pad snum with enough zeroes without changing its
465 * value.
466 */
467 if (snum->top <= sdiv->top+1)
468 {
469 if (bn_wexpand(snum, sdiv->top + 2) == NULL) goto err;
470 for (i = snum->top; i < sdiv->top + 2; i++) snum->d[i] = 0;
471 snum->top = sdiv->top + 2;
472 }
473 else
474 {
475 if (bn_wexpand(snum, snum->top + 1) == NULL) goto err;
476 snum->d[snum->top] = 0;
477 snum->top ++;
478 } 260 }
479 261
480 div_n=sdiv->top; 262 div_n=sdiv->top;
@@ -500,12 +282,27 @@ static int BN_div_no_branch(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num,
500 /* Setup to 'res' */ 282 /* Setup to 'res' */
501 res->neg= (num->neg^divisor->neg); 283 res->neg= (num->neg^divisor->neg);
502 if (!bn_wexpand(res,(loop+1))) goto err; 284 if (!bn_wexpand(res,(loop+1))) goto err;
503 res->top=loop-1; 285 res->top=loop-no_branch;
504 resp= &(res->d[loop-1]); 286 resp= &(res->d[loop-1]);
505 287
506 /* space for temp */ 288 /* space for temp */
507 if (!bn_wexpand(tmp,(div_n+1))) goto err; 289 if (!bn_wexpand(tmp,(div_n+1))) goto err;
508 290
291 if (!no_branch)
292 {
293 if (BN_ucmp(&wnum,sdiv) >= 0)
294 {
295 /* If BN_DEBUG_RAND is defined BN_ucmp changes (via
296 * bn_pollute) the const bignum arguments =>
297 * clean the values between top and max again */
298 bn_clear_top2max(&wnum);
299 bn_sub_words(wnum.d, wnum.d, sdiv->d, div_n);
300 *resp=1;
301 }
302 else
303 res->top--;
304 }
305
509 /* if res->top == 0 then clear the neg value otherwise decrease 306 /* if res->top == 0 then clear the neg value otherwise decrease
510 * the resp pointer */ 307 * the resp pointer */
511 if (res->top == 0) 308 if (res->top == 0)
@@ -638,7 +435,7 @@ X) -> 0x%08X\n",
638 rm->neg = neg; 435 rm->neg = neg;
639 bn_check_top(rm); 436 bn_check_top(rm);
640 } 437 }
641 bn_correct_top(res); 438 if (no_branch) bn_correct_top(res);
642 BN_CTX_end(ctx); 439 BN_CTX_end(ctx);
643 return(1); 440 return(1);
644err: 441err:
@@ -646,5 +443,4 @@ err:
646 BN_CTX_end(ctx); 443 BN_CTX_end(ctx);
647 return(0); 444 return(0);
648 } 445 }
649
650#endif 446#endif
diff --git a/src/lib/libcrypto/bn/bn_exp.c b/src/lib/libcrypto/bn/bn_exp.c
index d9b6c737fc..2abf6fd678 100644
--- a/src/lib/libcrypto/bn/bn_exp.c
+++ b/src/lib/libcrypto/bn/bn_exp.c
@@ -113,6 +113,18 @@
113#include "cryptlib.h" 113#include "cryptlib.h"
114#include "bn_lcl.h" 114#include "bn_lcl.h"
115 115
116#include <stdlib.h>
117#ifdef _WIN32
118# include <malloc.h>
119# ifndef alloca
120# define alloca _alloca
121# endif
122#elif defined(__GNUC__)
123# ifndef alloca
124# define alloca(s) __builtin_alloca((s))
125# endif
126#endif
127
116/* maximum precomputation table size for *variable* sliding windows */ 128/* maximum precomputation table size for *variable* sliding windows */
117#define TABLE_SIZE 32 129#define TABLE_SIZE 32
118 130
@@ -522,23 +534,17 @@ err:
522 * as cache lines are concerned. The following functions are used to transfer a BIGNUM 534 * as cache lines are concerned. The following functions are used to transfer a BIGNUM
523 * from/to that table. */ 535 * from/to that table. */
524 536
525static int MOD_EXP_CTIME_COPY_TO_PREBUF(BIGNUM *b, int top, unsigned char *buf, int idx, int width) 537static int MOD_EXP_CTIME_COPY_TO_PREBUF(const BIGNUM *b, int top, unsigned char *buf, int idx, int width)
526 { 538 {
527 size_t i, j; 539 size_t i, j;
528 540
529 if (bn_wexpand(b, top) == NULL) 541 if (top > b->top)
530 return 0; 542 top = b->top; /* this works because 'buf' is explicitly zeroed */
531 while (b->top < top)
532 {
533 b->d[b->top++] = 0;
534 }
535
536 for (i = 0, j=idx; i < top * sizeof b->d[0]; i++, j+=width) 543 for (i = 0, j=idx; i < top * sizeof b->d[0]; i++, j+=width)
537 { 544 {
538 buf[j] = ((unsigned char*)b->d)[i]; 545 buf[j] = ((unsigned char*)b->d)[i];
539 } 546 }
540 547
541 bn_correct_top(b);
542 return 1; 548 return 1;
543 } 549 }
544 550
@@ -561,7 +567,7 @@ static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top, unsigned char *buf
561 567
562/* Given a pointer value, compute the next address that is a cache line multiple. */ 568/* Given a pointer value, compute the next address that is a cache line multiple. */
563#define MOD_EXP_CTIME_ALIGN(x_) \ 569#define MOD_EXP_CTIME_ALIGN(x_) \
564 ((unsigned char*)(x_) + (MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH - (((BN_ULONG)(x_)) & (MOD_EXP_CTIME_MIN_CACHE_LINE_MASK)))) 570 ((unsigned char*)(x_) + (MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH - (((size_t)(x_)) & (MOD_EXP_CTIME_MIN_CACHE_LINE_MASK))))
565 571
566/* This variant of BN_mod_exp_mont() uses fixed windows and the special 572/* This variant of BN_mod_exp_mont() uses fixed windows and the special
567 * precomputation memory layout to limit data-dependency to a minimum 573 * precomputation memory layout to limit data-dependency to a minimum
@@ -572,17 +578,15 @@ static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top, unsigned char *buf
572int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, 578int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
573 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont) 579 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont)
574 { 580 {
575 int i,bits,ret=0,idx,window,wvalue; 581 int i,bits,ret=0,window,wvalue;
576 int top; 582 int top;
577 BIGNUM *r;
578 const BIGNUM *aa;
579 BN_MONT_CTX *mont=NULL; 583 BN_MONT_CTX *mont=NULL;
580 584
581 int numPowers; 585 int numPowers;
582 unsigned char *powerbufFree=NULL; 586 unsigned char *powerbufFree=NULL;
583 int powerbufLen = 0; 587 int powerbufLen = 0;
584 unsigned char *powerbuf=NULL; 588 unsigned char *powerbuf=NULL;
585 BIGNUM *computeTemp=NULL, *am=NULL; 589 BIGNUM tmp, am;
586 590
587 bn_check_top(a); 591 bn_check_top(a);
588 bn_check_top(p); 592 bn_check_top(p);
@@ -602,10 +606,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
602 return ret; 606 return ret;
603 } 607 }
604 608
605 /* Initialize BIGNUM context and allocate intermediate result */
606 BN_CTX_start(ctx); 609 BN_CTX_start(ctx);
607 r = BN_CTX_get(ctx);
608 if (r == NULL) goto err;
609 610
610 /* Allocate a montgomery context if it was not supplied by the caller. 611 /* Allocate a montgomery context if it was not supplied by the caller.
611 * If this is not done, things will break in the montgomery part. 612 * If this is not done, things will break in the montgomery part.
@@ -620,40 +621,154 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
620 621
621 /* Get the window size to use with size of p. */ 622 /* Get the window size to use with size of p. */
622 window = BN_window_bits_for_ctime_exponent_size(bits); 623 window = BN_window_bits_for_ctime_exponent_size(bits);
624#if defined(OPENSSL_BN_ASM_MONT5)
625 if (window==6 && bits<=1024) window=5; /* ~5% improvement of 2048-bit RSA sign */
626#endif
623 627
624 /* Allocate a buffer large enough to hold all of the pre-computed 628 /* Allocate a buffer large enough to hold all of the pre-computed
625 * powers of a. 629 * powers of am, am itself and tmp.
626 */ 630 */
627 numPowers = 1 << window; 631 numPowers = 1 << window;
628 powerbufLen = sizeof(m->d[0])*top*numPowers; 632 powerbufLen = sizeof(m->d[0])*(top*numPowers +
633 ((2*top)>numPowers?(2*top):numPowers));
634#ifdef alloca
635 if (powerbufLen < 3072)
636 powerbufFree = alloca(powerbufLen+MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH);
637 else
638#endif
629 if ((powerbufFree=(unsigned char*)OPENSSL_malloc(powerbufLen+MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH)) == NULL) 639 if ((powerbufFree=(unsigned char*)OPENSSL_malloc(powerbufLen+MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH)) == NULL)
630 goto err; 640 goto err;
631 641
632 powerbuf = MOD_EXP_CTIME_ALIGN(powerbufFree); 642 powerbuf = MOD_EXP_CTIME_ALIGN(powerbufFree);
633 memset(powerbuf, 0, powerbufLen); 643 memset(powerbuf, 0, powerbufLen);
634 644
635 /* Initialize the intermediate result. Do this early to save double conversion, 645#ifdef alloca
636 * once each for a^0 and intermediate result. 646 if (powerbufLen < 3072)
637 */ 647 powerbufFree = NULL;
638 if (!BN_to_montgomery(r,BN_value_one(),mont,ctx)) goto err; 648#endif
639 if (!MOD_EXP_CTIME_COPY_TO_PREBUF(r, top, powerbuf, 0, numPowers)) goto err;
640 649
641 /* Initialize computeTemp as a^1 with montgomery precalcs */ 650 /* lay down tmp and am right after powers table */
642 computeTemp = BN_CTX_get(ctx); 651 tmp.d = (BN_ULONG *)(powerbuf + sizeof(m->d[0])*top*numPowers);
643 am = BN_CTX_get(ctx); 652 am.d = tmp.d + top;
644 if (computeTemp==NULL || am==NULL) goto err; 653 tmp.top = am.top = 0;
654 tmp.dmax = am.dmax = top;
655 tmp.neg = am.neg = 0;
656 tmp.flags = am.flags = BN_FLG_STATIC_DATA;
657
658 /* prepare a^0 in Montgomery domain */
659#if 1
660 if (!BN_to_montgomery(&tmp,BN_value_one(),mont,ctx)) goto err;
661#else
662 tmp.d[0] = (0-m->d[0])&BN_MASK2; /* 2^(top*BN_BITS2) - m */
663 for (i=1;i<top;i++)
664 tmp.d[i] = (~m->d[i])&BN_MASK2;
665 tmp.top = top;
666#endif
645 667
668 /* prepare a^1 in Montgomery domain */
646 if (a->neg || BN_ucmp(a,m) >= 0) 669 if (a->neg || BN_ucmp(a,m) >= 0)
647 { 670 {
648 if (!BN_mod(am,a,m,ctx)) 671 if (!BN_mod(&am,a,m,ctx)) goto err;
649 goto err; 672 if (!BN_to_montgomery(&am,&am,mont,ctx)) goto err;
650 aa= am;
651 } 673 }
652 else 674 else if (!BN_to_montgomery(&am,a,mont,ctx)) goto err;
653 aa=a; 675
654 if (!BN_to_montgomery(am,aa,mont,ctx)) goto err; 676#if defined(OPENSSL_BN_ASM_MONT5)
655 if (!BN_copy(computeTemp, am)) goto err; 677 /* This optimization uses ideas from http://eprint.iacr.org/2011/239,
656 if (!MOD_EXP_CTIME_COPY_TO_PREBUF(am, top, powerbuf, 1, numPowers)) goto err; 678 * specifically optimization of cache-timing attack countermeasures
679 * and pre-computation optimization. */
680
681 /* Dedicated window==4 case improves 512-bit RSA sign by ~15%, but as
682 * 512-bit RSA is hardly relevant, we omit it to spare size... */
683 if (window==5)
684 {
685 void bn_mul_mont_gather5(BN_ULONG *rp,const BN_ULONG *ap,
686 const void *table,const BN_ULONG *np,
687 const BN_ULONG *n0,int num,int power);
688 void bn_scatter5(const BN_ULONG *inp,size_t num,
689 void *table,size_t power);
690 void bn_gather5(BN_ULONG *out,size_t num,
691 void *table,size_t power);
692
693 BN_ULONG *np=mont->N.d, *n0=mont->n0;
694
695 /* BN_to_montgomery can contaminate words above .top
696 * [in BN_DEBUG[_DEBUG] build]... */
697 for (i=am.top; i<top; i++) am.d[i]=0;
698 for (i=tmp.top; i<top; i++) tmp.d[i]=0;
699
700 bn_scatter5(tmp.d,top,powerbuf,0);
701 bn_scatter5(am.d,am.top,powerbuf,1);
702 bn_mul_mont(tmp.d,am.d,am.d,np,n0,top);
703 bn_scatter5(tmp.d,top,powerbuf,2);
704
705#if 0
706 for (i=3; i<32; i++)
707 {
708 /* Calculate a^i = a^(i-1) * a */
709 bn_mul_mont_gather5(tmp.d,am.d,powerbuf,np,n0,top,i-1);
710 bn_scatter5(tmp.d,top,powerbuf,i);
711 }
712#else
713 /* same as above, but uses squaring for 1/2 of operations */
714 for (i=4; i<32; i*=2)
715 {
716 bn_mul_mont(tmp.d,tmp.d,tmp.d,np,n0,top);
717 bn_scatter5(tmp.d,top,powerbuf,i);
718 }
719 for (i=3; i<8; i+=2)
720 {
721 int j;
722 bn_mul_mont_gather5(tmp.d,am.d,powerbuf,np,n0,top,i-1);
723 bn_scatter5(tmp.d,top,powerbuf,i);
724 for (j=2*i; j<32; j*=2)
725 {
726 bn_mul_mont(tmp.d,tmp.d,tmp.d,np,n0,top);
727 bn_scatter5(tmp.d,top,powerbuf,j);
728 }
729 }
730 for (; i<16; i+=2)
731 {
732 bn_mul_mont_gather5(tmp.d,am.d,powerbuf,np,n0,top,i-1);
733 bn_scatter5(tmp.d,top,powerbuf,i);
734 bn_mul_mont(tmp.d,tmp.d,tmp.d,np,n0,top);
735 bn_scatter5(tmp.d,top,powerbuf,2*i);
736 }
737 for (; i<32; i+=2)
738 {
739 bn_mul_mont_gather5(tmp.d,am.d,powerbuf,np,n0,top,i-1);
740 bn_scatter5(tmp.d,top,powerbuf,i);
741 }
742#endif
743 bits--;
744 for (wvalue=0, i=bits%5; i>=0; i--,bits--)
745 wvalue = (wvalue<<1)+BN_is_bit_set(p,bits);
746 bn_gather5(tmp.d,top,powerbuf,wvalue);
747
748 /* Scan the exponent one window at a time starting from the most
749 * significant bits.
750 */
751 while (bits >= 0)
752 {
753 for (wvalue=0, i=0; i<5; i++,bits--)
754 wvalue = (wvalue<<1)+BN_is_bit_set(p,bits);
755
756 bn_mul_mont(tmp.d,tmp.d,tmp.d,np,n0,top);
757 bn_mul_mont(tmp.d,tmp.d,tmp.d,np,n0,top);
758 bn_mul_mont(tmp.d,tmp.d,tmp.d,np,n0,top);
759 bn_mul_mont(tmp.d,tmp.d,tmp.d,np,n0,top);
760 bn_mul_mont(tmp.d,tmp.d,tmp.d,np,n0,top);
761 bn_mul_mont_gather5(tmp.d,tmp.d,powerbuf,np,n0,top,wvalue);
762 }
763
764 tmp.top=top;
765 bn_correct_top(&tmp);
766 }
767 else
768#endif
769 {
770 if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, powerbuf, 0, numPowers)) goto err;
771 if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&am, top, powerbuf, 1, numPowers)) goto err;
657 772
658 /* If the window size is greater than 1, then calculate 773 /* If the window size is greater than 1, then calculate
659 * val[i=2..2^winsize-1]. Powers are computed as a*a^(i-1) 774 * val[i=2..2^winsize-1]. Powers are computed as a*a^(i-1)
@@ -662,62 +777,54 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
662 */ 777 */
663 if (window > 1) 778 if (window > 1)
664 { 779 {
665 for (i=2; i<numPowers; i++) 780 if (!BN_mod_mul_montgomery(&tmp,&am,&am,mont,ctx)) goto err;
781 if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, powerbuf, 2, numPowers)) goto err;
782 for (i=3; i<numPowers; i++)
666 { 783 {
667 /* Calculate a^i = a^(i-1) * a */ 784 /* Calculate a^i = a^(i-1) * a */
668 if (!BN_mod_mul_montgomery(computeTemp,am,computeTemp,mont,ctx)) 785 if (!BN_mod_mul_montgomery(&tmp,&am,&tmp,mont,ctx))
669 goto err; 786 goto err;
670 if (!MOD_EXP_CTIME_COPY_TO_PREBUF(computeTemp, top, powerbuf, i, numPowers)) goto err; 787 if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, powerbuf, i, numPowers)) goto err;
671 } 788 }
672 } 789 }
673 790
674 /* Adjust the number of bits up to a multiple of the window size. 791 bits--;
675 * If the exponent length is not a multiple of the window size, then 792 for (wvalue=0, i=bits%window; i>=0; i--,bits--)
676 * this pads the most significant bits with zeros to normalize the 793 wvalue = (wvalue<<1)+BN_is_bit_set(p,bits);
677 * scanning loop to there's no special cases. 794 if (!MOD_EXP_CTIME_COPY_FROM_PREBUF(&tmp,top,powerbuf,wvalue,numPowers)) goto err;
678 * 795
679 * * NOTE: Making the window size a power of two less than the native 796 /* Scan the exponent one window at a time starting from the most
680 * * word size ensures that the padded bits won't go past the last 797 * significant bits.
681 * * word in the internal BIGNUM structure. Going past the end will 798 */
682 * * still produce the correct result, but causes a different branch 799 while (bits >= 0)
683 * * to be taken in the BN_is_bit_set function.
684 */
685 bits = ((bits+window-1)/window)*window;
686 idx=bits-1; /* The top bit of the window */
687
688 /* Scan the exponent one window at a time starting from the most
689 * significant bits.
690 */
691 while (idx >= 0)
692 { 800 {
693 wvalue=0; /* The 'value' of the window */ 801 wvalue=0; /* The 'value' of the window */
694 802
695 /* Scan the window, squaring the result as we go */ 803 /* Scan the window, squaring the result as we go */
696 for (i=0; i<window; i++,idx--) 804 for (i=0; i<window; i++,bits--)
697 { 805 {
698 if (!BN_mod_mul_montgomery(r,r,r,mont,ctx)) goto err; 806 if (!BN_mod_mul_montgomery(&tmp,&tmp,&tmp,mont,ctx)) goto err;
699 wvalue = (wvalue<<1)+BN_is_bit_set(p,idx); 807 wvalue = (wvalue<<1)+BN_is_bit_set(p,bits);
700 } 808 }
701 809
702 /* Fetch the appropriate pre-computed value from the pre-buf */ 810 /* Fetch the appropriate pre-computed value from the pre-buf */
703 if (!MOD_EXP_CTIME_COPY_FROM_PREBUF(computeTemp, top, powerbuf, wvalue, numPowers)) goto err; 811 if (!MOD_EXP_CTIME_COPY_FROM_PREBUF(&am, top, powerbuf, wvalue, numPowers)) goto err;
704 812
705 /* Multiply the result into the intermediate result */ 813 /* Multiply the result into the intermediate result */
706 if (!BN_mod_mul_montgomery(r,r,computeTemp,mont,ctx)) goto err; 814 if (!BN_mod_mul_montgomery(&tmp,&tmp,&am,mont,ctx)) goto err;
707 } 815 }
816 }
708 817
709 /* Convert the final result from montgomery to standard format */ 818 /* Convert the final result from montgomery to standard format */
710 if (!BN_from_montgomery(rr,r,mont,ctx)) goto err; 819 if (!BN_from_montgomery(rr,&tmp,mont,ctx)) goto err;
711 ret=1; 820 ret=1;
712err: 821err:
713 if ((in_mont == NULL) && (mont != NULL)) BN_MONT_CTX_free(mont); 822 if ((in_mont == NULL) && (mont != NULL)) BN_MONT_CTX_free(mont);
714 if (powerbuf!=NULL) 823 if (powerbuf!=NULL)
715 { 824 {
716 OPENSSL_cleanse(powerbuf,powerbufLen); 825 OPENSSL_cleanse(powerbuf,powerbufLen);
717 OPENSSL_free(powerbufFree); 826 if (powerbufFree) OPENSSL_free(powerbufFree);
718 } 827 }
719 if (am!=NULL) BN_clear(am);
720 if (computeTemp!=NULL) BN_clear(computeTemp);
721 BN_CTX_end(ctx); 828 BN_CTX_end(ctx);
722 return(ret); 829 return(ret);
723 } 830 }
@@ -988,4 +1095,3 @@ err:
988 bn_check_top(r); 1095 bn_check_top(r);
989 return(ret); 1096 return(ret);
990 } 1097 }
991
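Review bot: In the `alloca` path of the @@ -620,40 +621,154 @@ hunk, `powerbufFree` holds a stack pointer from line 636 until line 647 resets it to NULL, while the `err:` label at line 826 frees whatever `powerbufFree` holds; no `goto err` sits between those two lines today, but splitting the reset into a second `#ifdef alloca` block far from the allocation means any failure check later inserted in that window would hand stack memory to `OPENSSL_free()`. Keeping the whole alloca case in one branch that derives `powerbuf` and leaves `powerbufFree` NULL closes that window, and the bare `3072` threshold at lines 635 and 646 deserves a named constant with a comment on why that size is safe on the stack. Note that `MOD_EXP_CTIME_ALIGN` (line 570) evaluates its argument twice, so `alloca()` must not be passed to it directly. `BN_mod_exp_mont_consttime`'s body starts in an earlier hunk of this section.
```c
	/* … unchanged: window selection and powerbufLen computation … */
#ifdef alloca
	if (powerbufLen < 3072)
		{
		powerbufFree = alloca(powerbufLen+MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH);
		powerbuf = MOD_EXP_CTIME_ALIGN(powerbufFree);
		powerbufFree = NULL;	/* stack memory: must never reach OPENSSL_free() */
		}
	else
#endif
		{
		if ((powerbufFree=(unsigned char*)OPENSSL_malloc(powerbufLen+MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH)) == NULL)
			goto err;
		powerbuf = MOD_EXP_CTIME_ALIGN(powerbufFree);
		}
	memset(powerbuf, 0, powerbufLen);
	/* … unchanged: tmp/am layout over powerbuf and the rest of the function … */
```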
diff --git a/src/lib/libcrypto/bn/bn_gf2m.c b/src/lib/libcrypto/bn/bn_gf2m.c
index 432a3aa338..8a4dc20ad9 100644
--- a/src/lib/libcrypto/bn/bn_gf2m.c
+++ b/src/lib/libcrypto/bn/bn_gf2m.c
@@ -94,6 +94,8 @@
94#include "cryptlib.h" 94#include "cryptlib.h"
95#include "bn_lcl.h" 95#include "bn_lcl.h"
96 96
97#ifndef OPENSSL_NO_EC2M
98
97/* Maximum number of iterations before BN_GF2m_mod_solve_quad_arr should fail. */ 99/* Maximum number of iterations before BN_GF2m_mod_solve_quad_arr should fail. */
98#define MAX_ITERATIONS 50 100#define MAX_ITERATIONS 50
99 101
@@ -122,6 +124,7 @@ static const BN_ULONG SQR_tb[16] =
122 SQR_tb[(w) >> 4 & 0xF] << 8 | SQR_tb[(w) & 0xF] 124 SQR_tb[(w) >> 4 & 0xF] << 8 | SQR_tb[(w) & 0xF]
123#endif 125#endif
124 126
127#if !defined(OPENSSL_BN_ASM_GF2m)
125/* Product of two polynomials a, b each with degree < BN_BITS2 - 1, 128/* Product of two polynomials a, b each with degree < BN_BITS2 - 1,
126 * result is a polynomial r with degree < 2 * BN_BITS - 1 129 * result is a polynomial r with degree < 2 * BN_BITS - 1
127 * The caller MUST ensure that the variables have the right amount 130 * The caller MUST ensure that the variables have the right amount
@@ -216,7 +219,9 @@ static void bn_GF2m_mul_2x2(BN_ULONG *r, const BN_ULONG a1, const BN_ULONG a0, c
216 r[2] ^= m1 ^ r[1] ^ r[3]; /* h0 ^= m1 ^ l1 ^ h1; */ 219 r[2] ^= m1 ^ r[1] ^ r[3]; /* h0 ^= m1 ^ l1 ^ h1; */
217 r[1] = r[3] ^ r[2] ^ r[0] ^ m1 ^ m0; /* l1 ^= l0 ^ h0 ^ m0; */ 220 r[1] = r[3] ^ r[2] ^ r[0] ^ m1 ^ m0; /* l1 ^= l0 ^ h0 ^ m0; */
218 } 221 }
219 222#else
223void bn_GF2m_mul_2x2(BN_ULONG *r, BN_ULONG a1, BN_ULONG a0, BN_ULONG b1, BN_ULONG b0);
224#endif
220 225
221/* Add polynomials a and b and store result in r; r could be a or b, a and b 226/* Add polynomials a and b and store result in r; r could be a or b, a and b
222 * could be equal; r is the bitwise XOR of a and b. 227 * could be equal; r is the bitwise XOR of a and b.
@@ -360,21 +365,17 @@ int BN_GF2m_mod_arr(BIGNUM *r, const BIGNUM *a, const int p[])
360int BN_GF2m_mod(BIGNUM *r, const BIGNUM *a, const BIGNUM *p) 365int BN_GF2m_mod(BIGNUM *r, const BIGNUM *a, const BIGNUM *p)
361 { 366 {
362 int ret = 0; 367 int ret = 0;
363 const int max = BN_num_bits(p) + 1; 368 int arr[6];
364 int *arr=NULL;
365 bn_check_top(a); 369 bn_check_top(a);
366 bn_check_top(p); 370 bn_check_top(p);
367 if ((arr = (int *)OPENSSL_malloc(sizeof(int) * max)) == NULL) goto err; 371 ret = BN_GF2m_poly2arr(p, arr, sizeof(arr)/sizeof(arr[0]));
368 ret = BN_GF2m_poly2arr(p, arr, max); 372 if (!ret || ret > (int)(sizeof(arr)/sizeof(arr[0])))
369 if (!ret || ret > max)
370 { 373 {
371 BNerr(BN_F_BN_GF2M_MOD,BN_R_INVALID_LENGTH); 374 BNerr(BN_F_BN_GF2M_MOD,BN_R_INVALID_LENGTH);
372 goto err; 375 return 0;
373 } 376 }
374 ret = BN_GF2m_mod_arr(r, a, arr); 377 ret = BN_GF2m_mod_arr(r, a, arr);
375 bn_check_top(r); 378 bn_check_top(r);
376err:
377 if (arr) OPENSSL_free(arr);
378 return ret; 379 return ret;
379 } 380 }
380 381
@@ -521,7 +522,7 @@ err:
521 */ 522 */
522int BN_GF2m_mod_inv(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) 523int BN_GF2m_mod_inv(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
523 { 524 {
524 BIGNUM *b, *c, *u, *v, *tmp; 525 BIGNUM *b, *c = NULL, *u = NULL, *v = NULL, *tmp;
525 int ret = 0; 526 int ret = 0;
526 527
527 bn_check_top(a); 528 bn_check_top(a);
@@ -529,18 +530,18 @@ int BN_GF2m_mod_inv(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
529 530
530 BN_CTX_start(ctx); 531 BN_CTX_start(ctx);
531 532
532 b = BN_CTX_get(ctx); 533 if ((b = BN_CTX_get(ctx))==NULL) goto err;
533 c = BN_CTX_get(ctx); 534 if ((c = BN_CTX_get(ctx))==NULL) goto err;
534 u = BN_CTX_get(ctx); 535 if ((u = BN_CTX_get(ctx))==NULL) goto err;
535 v = BN_CTX_get(ctx); 536 if ((v = BN_CTX_get(ctx))==NULL) goto err;
536 if (v == NULL) goto err;
537 537
538 if (!BN_one(b)) goto err;
539 if (!BN_GF2m_mod(u, a, p)) goto err; 538 if (!BN_GF2m_mod(u, a, p)) goto err;
540 if (!BN_copy(v, p)) goto err;
541
542 if (BN_is_zero(u)) goto err; 539 if (BN_is_zero(u)) goto err;
543 540
541 if (!BN_copy(v, p)) goto err;
542#if 0
543 if (!BN_one(b)) goto err;
544
544 while (1) 545 while (1)
545 { 546 {
546 while (!BN_is_odd(u)) 547 while (!BN_is_odd(u))
@@ -565,13 +566,89 @@ int BN_GF2m_mod_inv(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
565 if (!BN_GF2m_add(u, u, v)) goto err; 566 if (!BN_GF2m_add(u, u, v)) goto err;
566 if (!BN_GF2m_add(b, b, c)) goto err; 567 if (!BN_GF2m_add(b, b, c)) goto err;
567 } 568 }
569#else
570 {
571 int i, ubits = BN_num_bits(u),
572 vbits = BN_num_bits(v), /* v is copy of p */
573 top = p->top;
574 BN_ULONG *udp,*bdp,*vdp,*cdp;
575
576 bn_wexpand(u,top); udp = u->d;
577 for (i=u->top;i<top;i++) udp[i] = 0;
578 u->top = top;
579 bn_wexpand(b,top); bdp = b->d;
580 bdp[0] = 1;
581 for (i=1;i<top;i++) bdp[i] = 0;
582 b->top = top;
583 bn_wexpand(c,top); cdp = c->d;
584 for (i=0;i<top;i++) cdp[i] = 0;
585 c->top = top;
586 vdp = v->d; /* It pays off to "cache" *->d pointers, because
587 * it allows optimizer to be more aggressive.
588 * But we don't have to "cache" p->d, because *p
589 * is declared 'const'... */
590 while (1)
591 {
592 while (ubits && !(udp[0]&1))
593 {
594 BN_ULONG u0,u1,b0,b1,mask;
595
596 u0 = udp[0];
597 b0 = bdp[0];
598 mask = (BN_ULONG)0-(b0&1);
599 b0 ^= p->d[0]&mask;
600 for (i=0;i<top-1;i++)
601 {
602 u1 = udp[i+1];
603 udp[i] = ((u0>>1)|(u1<<(BN_BITS2-1)))&BN_MASK2;
604 u0 = u1;
605 b1 = bdp[i+1]^(p->d[i+1]&mask);
606 bdp[i] = ((b0>>1)|(b1<<(BN_BITS2-1)))&BN_MASK2;
607 b0 = b1;
608 }
609 udp[i] = u0>>1;
610 bdp[i] = b0>>1;
611 ubits--;
612 }
568 613
614 if (ubits<=BN_BITS2 && udp[0]==1) break;
615
616 if (ubits<vbits)
617 {
618 i = ubits; ubits = vbits; vbits = i;
619 tmp = u; u = v; v = tmp;
620 tmp = b; b = c; c = tmp;
621 udp = vdp; vdp = v->d;
622 bdp = cdp; cdp = c->d;
623 }
624 for(i=0;i<top;i++)
625 {
626 udp[i] ^= vdp[i];
627 bdp[i] ^= cdp[i];
628 }
629 if (ubits==vbits)
630 {
631 BN_ULONG ul;
632 int utop = (ubits-1)/BN_BITS2;
633
634 while ((ul=udp[utop])==0 && utop) utop--;
635 ubits = utop*BN_BITS2 + BN_num_bits_word(ul);
636 }
637 }
638 bn_correct_top(b);
639 }
640#endif
569 641
570 if (!BN_copy(r, b)) goto err; 642 if (!BN_copy(r, b)) goto err;
571 bn_check_top(r); 643 bn_check_top(r);
572 ret = 1; 644 ret = 1;
573 645
574err: 646err:
647#ifdef BN_DEBUG /* BN_CTX_end would complain about the expanded form */
648 bn_correct_top(c);
649 bn_correct_top(u);
650 bn_correct_top(v);
651#endif
575 BN_CTX_end(ctx); 652 BN_CTX_end(ctx);
576 return ret; 653 return ret;
577 } 654 }
@@ -1033,3 +1110,4 @@ int BN_GF2m_arr2poly(const int p[], BIGNUM *a)
1033 return 1; 1110 return 1;
1034 } 1111 }
1035 1112
1113#endif
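Review bot: The three `bn_wexpand()` calls at lines 576, 579 and 583 of the @@ -565,13 +566,89 @@ hunk discard their return value, and the loops right after them write `top` words through `udp`, `bdp` and `cdp`, so an allocation failure becomes an out-of-bounds write; each should read `if (bn_wexpand(u,top) == NULL) goto err; udp = u->d;` (and likewise for `b` and `c`). In `BN_DEBUG` builds the `err:` label (lines 647–651) now calls `bn_correct_top()` on `c`, `u` and `v`, which line 525 initialises to NULL and which stay NULL when an earlier `BN_CTX_get()` at lines 533–536 fails, so that failure path dereferences a null pointer; guard each call with `if (c)` or move them above the failure checks. The `#if 0` block that keeps the previous loop (lines 542–568) is dead code in the new function and is better removed than carried along. `BN_GF2m_mod_inv`'s opening hunk precedes this one within the section.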
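--- a/src/lib/libcrypto/bn/bn_lcl.h
+++ b/src/lib/libcrypto/bn/bn_lcl.h
@@ -238,7 +238,7 @@ extern "C" {
 # if defined(__DECC)
 # include <c_asm.h>
 # define BN_UMULT_HIGH(a,b) (BN_ULONG)asm("umulh %a0,%a1,%v0",(a),(b))
-# elif defined(__GNUC__)
+# elif defined(__GNUC__) && __GNUC__>=2
 # define BN_UMULT_HIGH(a,b) ({ \
  register BN_ULONG ret; \
  asm ("umulh %1,%2,%0" \
@@ -247,7 +247,7 @@ extern "C" {
  ret; })
 # endif /* compiler */
 # elif defined(_ARCH_PPC) && defined(__64BIT__) && defined(SIXTY_FOUR_BIT_LONG)
-# if defined(__GNUC__)
+# if defined(__GNUC__) && __GNUC__>=2
 # define BN_UMULT_HIGH(a,b) ({ \
  register BN_ULONG ret; \
  asm ("mulhdu %0,%1,%2" \
@@ -257,7 +257,7 @@ extern "C" {
 # endif /* compiler */
 # elif (defined(__x86_64) || defined(__x86_64__)) && \
  (defined(SIXTY_FOUR_BIT_LONG) || defined(SIXTY_FOUR_BIT))
-# if defined(__GNUC__)
+# if defined(__GNUC__) && __GNUC__>=2
 # define BN_UMULT_HIGH(a,b) ({ \
  register BN_ULONG ret,discard; \
  asm ("mulq %3" \
@@ -280,6 +280,19 @@ extern "C" {
 # define BN_UMULT_HIGH(a,b) __umulh((a),(b))
 # define BN_UMULT_LOHI(low,high,a,b) ((low)=_umul128((a),(b),&(high)))
 # endif
+# elif defined(__mips) && (defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG))
+# if defined(__GNUC__) && __GNUC__>=2
+# define BN_UMULT_HIGH(a,b) ({ \
+ register BN_ULONG ret; \
+ asm ("dmultu %1,%2" \
+ : "=h"(ret) \
+ : "r"(a), "r"(b) : "l"); \
+ ret; })
+# define BN_UMULT_LOHI(low,high,a,b) \
+ asm ("dmultu %2,%3" \
+ : "=l"(low),"=h"(high) \
+ : "r"(a), "r"(b));
+# endif
 # endif /* cpu */
 #endif /* OPENSSL_NO_ASM */
 
@@ -459,6 +472,10 @@ extern "C" {
  }
 #endif /* !BN_LLONG */
 
+#if defined(OPENSSL_DOING_MAKEDEPEND) && defined(OPENSSL_FIPS)
+#undef bn_div_words
+#endif
+
 void bn_mul_normal(BN_ULONG *r,BN_ULONG *a,int na,BN_ULONG *b,int nb);
 void bn_mul_comba8(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b);
 void bn_mul_comba4(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b);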
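Review bot: The MIPS `BN_UMULT_LOHI` macro at lines 291–294 of the @@ -280,6 +280,19 @@ hunk carries a trailing `;` inside its definition, so unlike the `_umul128` form at line 281 it cannot be used where an expression is expected and every call site ends with an empty statement; dropping the semicolon after `"r"(b))` avoids that. The `"=h"`/`"=l"` constraints and the `"l"` clobber bind the `dmultu` result to the hi/lo registers, and newer GCC releases (4.4 onward, if memory serves) no longer accept the `h` constraint on MIPS, so this branch may fail to build there; a comment naming the GCC range it was verified against, or a tighter version guard than `__GNUC__>=2`, would save the next porter a surprise. The matching `__GNUC__>=2` guards added at lines 241, 250 and 260 are consistent with the new branch.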
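--- a/src/lib/libcrypto/bn/bn_lib.c
+++ b/src/lib/libcrypto/bn/bn_lib.c
@@ -139,25 +139,6 @@ const BIGNUM *BN_value_one(void)
  return(&const_one);
  }
 
-char *BN_options(void)
- {
- static int init=0;
- static char data[16];
-
- if (!init)
- {
- init++;
-#ifdef BN_LLONG
- BIO_snprintf(data,sizeof data,"bn(%d,%d)",
- (int)sizeof(BN_ULLONG)*8,(int)sizeof(BN_ULONG)*8);
-#else
- BIO_snprintf(data,sizeof data,"bn(%d,%d)",
- (int)sizeof(BN_ULONG)*8,(int)sizeof(BN_ULONG)*8);
-#endif
- }
- return(data);
- }
-
 int BN_num_bits_word(BN_ULONG l)
  {
  static const unsigned char bits[256]={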
diff --git a/src/lib/libcrypto/bn/bn_mont.c b/src/lib/libcrypto/bn/bn_mont.c
index 1a866880f5..427b5cf4df 100644
--- a/src/lib/libcrypto/bn/bn_mont.c
+++ b/src/lib/libcrypto/bn/bn_mont.c
@@ -177,31 +177,26 @@ err:
177static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont) 177static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont)
178 { 178 {
179 BIGNUM *n; 179 BIGNUM *n;
180 BN_ULONG *ap,*np,*rp,n0,v,*nrp; 180 BN_ULONG *ap,*np,*rp,n0,v,carry;
181 int al,nl,max,i,x,ri; 181 int nl,max,i;
182 182
183 n= &(mont->N); 183 n= &(mont->N);
184 /* mont->ri is the size of mont->N in bits (rounded up
185 to the word size) */
186 al=ri=mont->ri/BN_BITS2;
187
188 nl=n->top; 184 nl=n->top;
189 if ((al == 0) || (nl == 0)) { ret->top=0; return(1); } 185 if (nl == 0) { ret->top=0; return(1); }
190 186
191 max=(nl+al+1); /* allow for overflow (no?) XXX */ 187 max=(2*nl); /* carry is stored separately */
192 if (bn_wexpand(r,max) == NULL) return(0); 188 if (bn_wexpand(r,max) == NULL) return(0);
193 189
194 r->neg^=n->neg; 190 r->neg^=n->neg;
195 np=n->d; 191 np=n->d;
196 rp=r->d; 192 rp=r->d;
197 nrp= &(r->d[nl]);
198 193
199 /* clear the top words of T */ 194 /* clear the top words of T */
200#if 1 195#if 1
201 for (i=r->top; i<max; i++) /* memset? XXX */ 196 for (i=r->top; i<max; i++) /* memset? XXX */
202 r->d[i]=0; 197 rp[i]=0;
203#else 198#else
204 memset(&(r->d[r->top]),0,(max-r->top)*sizeof(BN_ULONG)); 199 memset(&(rp[r->top]),0,(max-r->top)*sizeof(BN_ULONG));
205#endif 200#endif
206 201
207 r->top=max; 202 r->top=max;
@@ -210,7 +205,7 @@ static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont)
210#ifdef BN_COUNT 205#ifdef BN_COUNT
211 fprintf(stderr,"word BN_from_montgomery_word %d * %d\n",nl,nl); 206 fprintf(stderr,"word BN_from_montgomery_word %d * %d\n",nl,nl);
212#endif 207#endif
213 for (i=0; i<nl; i++) 208 for (carry=0, i=0; i<nl; i++, rp++)
214 { 209 {
215#ifdef __TANDEM 210#ifdef __TANDEM
216 { 211 {
@@ -228,61 +223,33 @@ static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont)
228#else 223#else
229 v=bn_mul_add_words(rp,np,nl,(rp[0]*n0)&BN_MASK2); 224 v=bn_mul_add_words(rp,np,nl,(rp[0]*n0)&BN_MASK2);
230#endif 225#endif
231 nrp++; 226 v = (v+carry+rp[nl])&BN_MASK2;
232 rp++; 227 carry |= (v != rp[nl]);
233 if (((nrp[-1]+=v)&BN_MASK2) >= v) 228 carry &= (v <= rp[nl]);
234 continue; 229 rp[nl]=v;
235 else
236 {
237 if (((++nrp[0])&BN_MASK2) != 0) continue;
238 if (((++nrp[1])&BN_MASK2) != 0) continue;
239 for (x=2; (((++nrp[x])&BN_MASK2) == 0); x++) ;
240 }
241 }
242 bn_correct_top(r);
243
244 /* mont->ri will be a multiple of the word size and below code
245 * is kind of BN_rshift(ret,r,mont->ri) equivalent */
246 if (r->top <= ri)
247 {
248 ret->top=0;
249 return(1);
250 } 230 }
251 al=r->top-ri;
252 231
253#define BRANCH_FREE 1 232 if (bn_wexpand(ret,nl) == NULL) return(0);
254#if BRANCH_FREE 233 ret->top=nl;
255 if (bn_wexpand(ret,ri) == NULL) return(0);
256 x=0-(((al-ri)>>(sizeof(al)*8-1))&1);
257 ret->top=x=(ri&~x)|(al&x); /* min(ri,al) */
258 ret->neg=r->neg; 234 ret->neg=r->neg;
259 235
260 rp=ret->d; 236 rp=ret->d;
261 ap=&(r->d[ri]); 237 ap=&(r->d[nl]);
262 238
239#define BRANCH_FREE 1
240#if BRANCH_FREE
263 { 241 {
264 size_t m1,m2; 242 BN_ULONG *nrp;
265 243 size_t m;
266 v=bn_sub_words(rp,ap,np,ri);
267 /* this ----------------^^ works even in al<ri case
268 * thanks to zealous zeroing of top of the vector in the
269 * beginning. */
270 244
271 /* if (al==ri && !v) || al>ri) nrp=rp; else nrp=ap; */ 245 v=bn_sub_words(rp,ap,np,nl)-carry;
272 /* in other words if subtraction result is real, then 246 /* if subtraction result is real, then
273 * trick unconditional memcpy below to perform in-place 247 * trick unconditional memcpy below to perform in-place
274 * "refresh" instead of actual copy. */ 248 * "refresh" instead of actual copy. */
275 m1=0-(size_t)(((al-ri)>>(sizeof(al)*8-1))&1); /* al<ri */ 249 m=(0-(size_t)v);
276 m2=0-(size_t)(((ri-al)>>(sizeof(al)*8-1))&1); /* al>ri */ 250 nrp=(BN_ULONG *)(((PTR_SIZE_INT)rp&~m)|((PTR_SIZE_INT)ap&m));
277 m1|=m2; /* (al!=ri) */
278 m1|=(0-(size_t)v); /* (al!=ri || v) */
279 m1&=~m2; /* (al!=ri || v) && !al>ri */
280 nrp=(BN_ULONG *)(((PTR_SIZE_INT)rp&~m1)|((PTR_SIZE_INT)ap&m1));
281 }
282 251
283 /* 'i<ri' is chosen to eliminate dependency on input data, even 252 for (i=0,nl-=4; i<nl; i+=4)
284 * though it results in redundant copy in al<ri case. */
285 for (i=0,ri-=4; i<ri; i+=4)
286 { 253 {
287 BN_ULONG t1,t2,t3,t4; 254 BN_ULONG t1,t2,t3,t4;
288 255
@@ -295,40 +262,15 @@ static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont)
295 rp[i+2]=t3; 262 rp[i+2]=t3;
296 rp[i+3]=t4; 263 rp[i+3]=t4;
297 } 264 }
298 for (ri+=4; i<ri; i++) 265 for (nl+=4; i<nl; i++)
299 rp[i]=nrp[i], ap[i]=0; 266 rp[i]=nrp[i], ap[i]=0;
300 bn_correct_top(r); 267 }
301 bn_correct_top(ret);
302#else 268#else
303 if (bn_wexpand(ret,al) == NULL) return(0); 269 if (bn_sub_words (rp,ap,np,nl)-carry)
304 ret->top=al; 270 memcpy(rp,ap,nl*sizeof(BN_ULONG));
305 ret->neg=r->neg;
306
307 rp=ret->d;
308 ap=&(r->d[ri]);
309 al-=4;
310 for (i=0; i<al; i+=4)
311 {
312 BN_ULONG t1,t2,t3,t4;
313
314 t1=ap[i+0];
315 t2=ap[i+1];
316 t3=ap[i+2];
317 t4=ap[i+3];
318 rp[i+0]=t1;
319 rp[i+1]=t2;
320 rp[i+2]=t3;
321 rp[i+3]=t4;
322 }
323 al+=4;
324 for (; i<al; i++)
325 rp[i]=ap[i];
326
327 if (BN_ucmp(ret, &(mont->N)) >= 0)
328 {
329 if (!BN_usub(ret,ret,&(mont->N))) return(0);
330 }
331#endif 271#endif
272 bn_correct_top(r);
273 bn_correct_top(ret);
332 bn_check_top(ret); 274 bn_check_top(ret);
333 275
334 return(1); 276 return(1);
diff --git a/src/lib/libcrypto/bn/bn_nist.c b/src/lib/libcrypto/bn/bn_nist.c
index c6de032696..43caee4770 100644
--- a/src/lib/libcrypto/bn/bn_nist.c
+++ b/src/lib/libcrypto/bn/bn_nist.c
@@ -319,6 +319,13 @@ static void nist_cp_bn(BN_ULONG *buf, BN_ULONG *a, int top)
319 :(to[(n)/2] =((m)&1)?(from[(m)/2]>>32):(from[(m)/2]&BN_MASK2l))) 319 :(to[(n)/2] =((m)&1)?(from[(m)/2]>>32):(from[(m)/2]&BN_MASK2l)))
320#define bn_32_set_0(to, n) (((n)&1)?(to[(n)/2]&=BN_MASK2l):(to[(n)/2]=0)); 320#define bn_32_set_0(to, n) (((n)&1)?(to[(n)/2]&=BN_MASK2l):(to[(n)/2]=0));
321#define bn_cp_32(to,n,from,m) ((m)>=0)?bn_cp_32_naked(to,n,from,m):bn_32_set_0(to,n) 321#define bn_cp_32(to,n,from,m) ((m)>=0)?bn_cp_32_naked(to,n,from,m):bn_32_set_0(to,n)
322# if defined(L_ENDIAN)
323# if defined(__arch64__)
324# define NIST_INT64 long
325# else
326# define NIST_INT64 long long
327# endif
328# endif
322#else 329#else
323#define bn_cp_64(to, n, from, m) \ 330#define bn_cp_64(to, n, from, m) \
324 { \ 331 { \
@@ -330,13 +337,15 @@ static void nist_cp_bn(BN_ULONG *buf, BN_ULONG *a, int top)
330 bn_32_set_0(to, (n)*2); \ 337 bn_32_set_0(to, (n)*2); \
331 bn_32_set_0(to, (n)*2+1); \ 338 bn_32_set_0(to, (n)*2+1); \
332 } 339 }
333#if BN_BITS2 == 32
334#define bn_cp_32(to, n, from, m) (to)[n] = (m>=0)?((from)[m]):0; 340#define bn_cp_32(to, n, from, m) (to)[n] = (m>=0)?((from)[m]):0;
335#define bn_32_set_0(to, n) (to)[n] = (BN_ULONG)0; 341#define bn_32_set_0(to, n) (to)[n] = (BN_ULONG)0;
336#endif 342# if defined(_WIN32) && !defined(__GNUC__)
343# define NIST_INT64 __int64
344# elif defined(BN_LLONG)
345# define NIST_INT64 long long
346# endif
337#endif /* BN_BITS2 != 64 */ 347#endif /* BN_BITS2 != 64 */
338 348
339
340#define nist_set_192(to, from, a1, a2, a3) \ 349#define nist_set_192(to, from, a1, a2, a3) \
341 { \ 350 { \
342 bn_cp_64(to, 0, from, (a3) - 3) \ 351 bn_cp_64(to, 0, from, (a3) - 3) \
@@ -350,9 +359,11 @@ int BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
350 int top = a->top, i; 359 int top = a->top, i;
351 int carry; 360 int carry;
352 register BN_ULONG *r_d, *a_d = a->d; 361 register BN_ULONG *r_d, *a_d = a->d;
353 BN_ULONG t_d[BN_NIST_192_TOP], 362 union {
354 buf[BN_NIST_192_TOP], 363 BN_ULONG bn[BN_NIST_192_TOP];
355 c_d[BN_NIST_192_TOP], 364 unsigned int ui[BN_NIST_192_TOP*sizeof(BN_ULONG)/sizeof(unsigned int)];
365 } buf;
366 BN_ULONG c_d[BN_NIST_192_TOP],
356 *res; 367 *res;
357 PTR_SIZE_INT mask; 368 PTR_SIZE_INT mask;
358 static const BIGNUM _bignum_nist_p_192_sqr = { 369 static const BIGNUM _bignum_nist_p_192_sqr = {
@@ -385,15 +396,48 @@ int BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
385 else 396 else
386 r_d = a_d; 397 r_d = a_d;
387 398
388 nist_cp_bn_0(buf, a_d + BN_NIST_192_TOP, top - BN_NIST_192_TOP, BN_NIST_192_TOP); 399 nist_cp_bn_0(buf.bn, a_d + BN_NIST_192_TOP, top - BN_NIST_192_TOP, BN_NIST_192_TOP);
400
401#if defined(NIST_INT64)
402 {
403 NIST_INT64 acc; /* accumulator */
404 unsigned int *rp=(unsigned int *)r_d;
405 const unsigned int *bp=(const unsigned int *)buf.ui;
406
407 acc = rp[0]; acc += bp[3*2-6];
408 acc += bp[5*2-6]; rp[0] = (unsigned int)acc; acc >>= 32;
409
410 acc += rp[1]; acc += bp[3*2-5];
411 acc += bp[5*2-5]; rp[1] = (unsigned int)acc; acc >>= 32;
389 412
390 nist_set_192(t_d, buf, 0, 3, 3); 413 acc += rp[2]; acc += bp[3*2-6];
414 acc += bp[4*2-6];
415 acc += bp[5*2-6]; rp[2] = (unsigned int)acc; acc >>= 32;
416
417 acc += rp[3]; acc += bp[3*2-5];
418 acc += bp[4*2-5];
419 acc += bp[5*2-5]; rp[3] = (unsigned int)acc; acc >>= 32;
420
421 acc += rp[4]; acc += bp[4*2-6];
422 acc += bp[5*2-6]; rp[4] = (unsigned int)acc; acc >>= 32;
423
424 acc += rp[5]; acc += bp[4*2-5];
425 acc += bp[5*2-5]; rp[5] = (unsigned int)acc;
426
427 carry = (int)(acc>>32);
428 }
429#else
430 {
431 BN_ULONG t_d[BN_NIST_192_TOP];
432
433 nist_set_192(t_d, buf.bn, 0, 3, 3);
391 carry = (int)bn_add_words(r_d, r_d, t_d, BN_NIST_192_TOP); 434 carry = (int)bn_add_words(r_d, r_d, t_d, BN_NIST_192_TOP);
392 nist_set_192(t_d, buf, 4, 4, 0); 435 nist_set_192(t_d, buf.bn, 4, 4, 0);
393 carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_192_TOP); 436 carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_192_TOP);
394 nist_set_192(t_d, buf, 5, 5, 5) 437 nist_set_192(t_d, buf.bn, 5, 5, 5)
395 carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_192_TOP); 438 carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_192_TOP);
396 439 }
440#endif
397 if (carry > 0) 441 if (carry > 0)
398 carry = (int)bn_sub_words(r_d,r_d,_nist_p_192[carry-1],BN_NIST_192_TOP); 442 carry = (int)bn_sub_words(r_d,r_d,_nist_p_192[carry-1],BN_NIST_192_TOP);
399 else 443 else
@@ -435,8 +479,7 @@ int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
435 int top = a->top, i; 479 int top = a->top, i;
436 int carry; 480 int carry;
437 BN_ULONG *r_d, *a_d = a->d; 481 BN_ULONG *r_d, *a_d = a->d;
438 BN_ULONG t_d[BN_NIST_224_TOP], 482 BN_ULONG buf[BN_NIST_224_TOP],
439 buf[BN_NIST_224_TOP],
440 c_d[BN_NIST_224_TOP], 483 c_d[BN_NIST_224_TOP],
441 *res; 484 *res;
442 PTR_SIZE_INT mask; 485 PTR_SIZE_INT mask;
@@ -474,14 +517,54 @@ int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
474 517
475#if BN_BITS2==64 518#if BN_BITS2==64
476 /* copy upper 256 bits of 448 bit number ... */ 519 /* copy upper 256 bits of 448 bit number ... */
477 nist_cp_bn_0(t_d, a_d + (BN_NIST_224_TOP-1), top - (BN_NIST_224_TOP-1), BN_NIST_224_TOP); 520 nist_cp_bn_0(c_d, a_d + (BN_NIST_224_TOP-1), top - (BN_NIST_224_TOP-1), BN_NIST_224_TOP);
478 /* ... and right shift by 32 to obtain upper 224 bits */ 521 /* ... and right shift by 32 to obtain upper 224 bits */
479 nist_set_224(buf, t_d, 14, 13, 12, 11, 10, 9, 8); 522 nist_set_224(buf, c_d, 14, 13, 12, 11, 10, 9, 8);
480 /* truncate lower part to 224 bits too */ 523 /* truncate lower part to 224 bits too */
481 r_d[BN_NIST_224_TOP-1] &= BN_MASK2l; 524 r_d[BN_NIST_224_TOP-1] &= BN_MASK2l;
482#else 525#else
483 nist_cp_bn_0(buf, a_d + BN_NIST_224_TOP, top - BN_NIST_224_TOP, BN_NIST_224_TOP); 526 nist_cp_bn_0(buf, a_d + BN_NIST_224_TOP, top - BN_NIST_224_TOP, BN_NIST_224_TOP);
484#endif 527#endif
528
529#if defined(NIST_INT64) && BN_BITS2!=64
530 {
531 NIST_INT64 acc; /* accumulator */
532 unsigned int *rp=(unsigned int *)r_d;
533 const unsigned int *bp=(const unsigned int *)buf;
534
535 acc = rp[0]; acc -= bp[7-7];
536 acc -= bp[11-7]; rp[0] = (unsigned int)acc; acc >>= 32;
537
538 acc += rp[1]; acc -= bp[8-7];
539 acc -= bp[12-7]; rp[1] = (unsigned int)acc; acc >>= 32;
540
541 acc += rp[2]; acc -= bp[9-7];
542 acc -= bp[13-7]; rp[2] = (unsigned int)acc; acc >>= 32;
543
544 acc += rp[3]; acc += bp[7-7];
545 acc += bp[11-7];
546 acc -= bp[10-7]; rp[3] = (unsigned int)acc; acc>>= 32;
547
548 acc += rp[4]; acc += bp[8-7];
549 acc += bp[12-7];
550 acc -= bp[11-7]; rp[4] = (unsigned int)acc; acc >>= 32;
551
552 acc += rp[5]; acc += bp[9-7];
553 acc += bp[13-7];
554 acc -= bp[12-7]; rp[5] = (unsigned int)acc; acc >>= 32;
555
556 acc += rp[6]; acc += bp[10-7];
557 acc -= bp[13-7]; rp[6] = (unsigned int)acc;
558
559 carry = (int)(acc>>32);
560# if BN_BITS2==64
561 rp[7] = carry;
562# endif
563 }
564#else
565 {
566 BN_ULONG t_d[BN_NIST_224_TOP];
567
485 nist_set_224(t_d, buf, 10, 9, 8, 7, 0, 0, 0); 568 nist_set_224(t_d, buf, 10, 9, 8, 7, 0, 0, 0);
486 carry = (int)bn_add_words(r_d, r_d, t_d, BN_NIST_224_TOP); 569 carry = (int)bn_add_words(r_d, r_d, t_d, BN_NIST_224_TOP);
487 nist_set_224(t_d, buf, 0, 13, 12, 11, 0, 0, 0); 570 nist_set_224(t_d, buf, 0, 13, 12, 11, 0, 0, 0);
@@ -494,6 +577,8 @@ int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
494#if BN_BITS2==64 577#if BN_BITS2==64
495 carry = (int)(r_d[BN_NIST_224_TOP-1]>>32); 578 carry = (int)(r_d[BN_NIST_224_TOP-1]>>32);
496#endif 579#endif
580 }
581#endif
497 u.f = bn_sub_words; 582 u.f = bn_sub_words;
498 if (carry > 0) 583 if (carry > 0)
499 { 584 {
@@ -548,9 +633,11 @@ int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
548 int i, top = a->top; 633 int i, top = a->top;
549 int carry = 0; 634 int carry = 0;
550 register BN_ULONG *a_d = a->d, *r_d; 635 register BN_ULONG *a_d = a->d, *r_d;
551 BN_ULONG t_d[BN_NIST_256_TOP], 636 union {
552 buf[BN_NIST_256_TOP], 637 BN_ULONG bn[BN_NIST_256_TOP];
553 c_d[BN_NIST_256_TOP], 638 unsigned int ui[BN_NIST_256_TOP*sizeof(BN_ULONG)/sizeof(unsigned int)];
639 } buf;
640 BN_ULONG c_d[BN_NIST_256_TOP],
554 *res; 641 *res;
555 PTR_SIZE_INT mask; 642 PTR_SIZE_INT mask;
556 union { bn_addsub_f f; PTR_SIZE_INT p; } u; 643 union { bn_addsub_f f; PTR_SIZE_INT p; } u;
@@ -584,12 +671,87 @@ int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
584 else 671 else
585 r_d = a_d; 672 r_d = a_d;
586 673
587 nist_cp_bn_0(buf, a_d + BN_NIST_256_TOP, top - BN_NIST_256_TOP, BN_NIST_256_TOP); 674 nist_cp_bn_0(buf.bn, a_d + BN_NIST_256_TOP, top - BN_NIST_256_TOP, BN_NIST_256_TOP);
675
676#if defined(NIST_INT64)
677 {
678 NIST_INT64 acc; /* accumulator */
679 unsigned int *rp=(unsigned int *)r_d;
680 const unsigned int *bp=(const unsigned int *)buf.ui;
681
682 acc = rp[0]; acc += bp[8-8];
683 acc += bp[9-8];
684 acc -= bp[11-8];
685 acc -= bp[12-8];
686 acc -= bp[13-8];
687 acc -= bp[14-8]; rp[0] = (unsigned int)acc; acc >>= 32;
688
689 acc += rp[1]; acc += bp[9-8];
690 acc += bp[10-8];
691 acc -= bp[12-8];
692 acc -= bp[13-8];
693 acc -= bp[14-8];
694 acc -= bp[15-8]; rp[1] = (unsigned int)acc; acc >>= 32;
695
696 acc += rp[2]; acc += bp[10-8];
697 acc += bp[11-8];
698 acc -= bp[13-8];
699 acc -= bp[14-8];
700 acc -= bp[15-8]; rp[2] = (unsigned int)acc; acc >>= 32;
701
702 acc += rp[3]; acc += bp[11-8];
703 acc += bp[11-8];
704 acc += bp[12-8];
705 acc += bp[12-8];
706 acc += bp[13-8];
707 acc -= bp[15-8];
708 acc -= bp[8-8];
709 acc -= bp[9-8]; rp[3] = (unsigned int)acc; acc >>= 32;
710
711 acc += rp[4]; acc += bp[12-8];
712 acc += bp[12-8];
713 acc += bp[13-8];
714 acc += bp[13-8];
715 acc += bp[14-8];
716 acc -= bp[9-8];
717 acc -= bp[10-8]; rp[4] = (unsigned int)acc; acc >>= 32;
718
719 acc += rp[5]; acc += bp[13-8];
720 acc += bp[13-8];
721 acc += bp[14-8];
722 acc += bp[14-8];
723 acc += bp[15-8];
724 acc -= bp[10-8];
725 acc -= bp[11-8]; rp[5] = (unsigned int)acc; acc >>= 32;
726
727 acc += rp[6]; acc += bp[14-8];
728 acc += bp[14-8];
729 acc += bp[15-8];
730 acc += bp[15-8];
731 acc += bp[14-8];
732 acc += bp[13-8];
733 acc -= bp[8-8];
734 acc -= bp[9-8]; rp[6] = (unsigned int)acc; acc >>= 32;
735
736 acc += rp[7]; acc += bp[15-8];
737 acc += bp[15-8];
738 acc += bp[15-8];
739 acc += bp[8 -8];
740 acc -= bp[10-8];
741 acc -= bp[11-8];
742 acc -= bp[12-8];
743 acc -= bp[13-8]; rp[7] = (unsigned int)acc;
744
745 carry = (int)(acc>>32);
746 }
747#else
748 {
749 BN_ULONG t_d[BN_NIST_256_TOP];
588 750
589 /*S1*/ 751 /*S1*/
590 nist_set_256(t_d, buf, 15, 14, 13, 12, 11, 0, 0, 0); 752 nist_set_256(t_d, buf.bn, 15, 14, 13, 12, 11, 0, 0, 0);
591 /*S2*/ 753 /*S2*/
592 nist_set_256(c_d, buf, 0, 15, 14, 13, 12, 0, 0, 0); 754 nist_set_256(c_d, buf.bn, 0, 15, 14, 13, 12, 0, 0, 0);
593 carry = (int)bn_add_words(t_d, t_d, c_d, BN_NIST_256_TOP); 755 carry = (int)bn_add_words(t_d, t_d, c_d, BN_NIST_256_TOP);
594 /* left shift */ 756 /* left shift */
595 { 757 {
@@ -607,24 +769,26 @@ int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
607 } 769 }
608 carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_256_TOP); 770 carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_256_TOP);
609 /*S3*/ 771 /*S3*/
610 nist_set_256(t_d, buf, 15, 14, 0, 0, 0, 10, 9, 8); 772 nist_set_256(t_d, buf.bn, 15, 14, 0, 0, 0, 10, 9, 8);
611 carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_256_TOP); 773 carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_256_TOP);
612 /*S4*/ 774 /*S4*/
613 nist_set_256(t_d, buf, 8, 13, 15, 14, 13, 11, 10, 9); 775 nist_set_256(t_d, buf.bn, 8, 13, 15, 14, 13, 11, 10, 9);
614 carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_256_TOP); 776 carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_256_TOP);
615 /*D1*/ 777 /*D1*/
616 nist_set_256(t_d, buf, 10, 8, 0, 0, 0, 13, 12, 11); 778 nist_set_256(t_d, buf.bn, 10, 8, 0, 0, 0, 13, 12, 11);
617 carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_256_TOP); 779 carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_256_TOP);
618 /*D2*/ 780 /*D2*/
619 nist_set_256(t_d, buf, 11, 9, 0, 0, 15, 14, 13, 12); 781 nist_set_256(t_d, buf.bn, 11, 9, 0, 0, 15, 14, 13, 12);
620 carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_256_TOP); 782 carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_256_TOP);
621 /*D3*/ 783 /*D3*/
622 nist_set_256(t_d, buf, 12, 0, 10, 9, 8, 15, 14, 13); 784 nist_set_256(t_d, buf.bn, 12, 0, 10, 9, 8, 15, 14, 13);
623 carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_256_TOP); 785 carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_256_TOP);
624 /*D4*/ 786 /*D4*/
625 nist_set_256(t_d, buf, 13, 0, 11, 10, 9, 0, 15, 14); 787 nist_set_256(t_d, buf.bn, 13, 0, 11, 10, 9, 0, 15, 14);
626 carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_256_TOP); 788 carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_256_TOP);
627 789
790 }
791#endif
628 /* see BN_nist_mod_224 for explanation */ 792 /* see BN_nist_mod_224 for explanation */
629 u.f = bn_sub_words; 793 u.f = bn_sub_words;
630 if (carry > 0) 794 if (carry > 0)
@@ -672,9 +836,11 @@ int BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
672 int i, top = a->top; 836 int i, top = a->top;
673 int carry = 0; 837 int carry = 0;
674 register BN_ULONG *r_d, *a_d = a->d; 838 register BN_ULONG *r_d, *a_d = a->d;
675 BN_ULONG t_d[BN_NIST_384_TOP], 839 union {
676 buf[BN_NIST_384_TOP], 840 BN_ULONG bn[BN_NIST_384_TOP];
677 c_d[BN_NIST_384_TOP], 841 unsigned int ui[BN_NIST_384_TOP*sizeof(BN_ULONG)/sizeof(unsigned int)];
842 } buf;
843 BN_ULONG c_d[BN_NIST_384_TOP],
678 *res; 844 *res;
679 PTR_SIZE_INT mask; 845 PTR_SIZE_INT mask;
680 union { bn_addsub_f f; PTR_SIZE_INT p; } u; 846 union { bn_addsub_f f; PTR_SIZE_INT p; } u;
@@ -709,10 +875,100 @@ int BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
709 else 875 else
710 r_d = a_d; 876 r_d = a_d;
711 877
712 nist_cp_bn_0(buf, a_d + BN_NIST_384_TOP, top - BN_NIST_384_TOP, BN_NIST_384_TOP); 878 nist_cp_bn_0(buf.bn, a_d + BN_NIST_384_TOP, top - BN_NIST_384_TOP, BN_NIST_384_TOP);
879
880#if defined(NIST_INT64)
881 {
882 NIST_INT64 acc; /* accumulator */
883 unsigned int *rp=(unsigned int *)r_d;
884 const unsigned int *bp=(const unsigned int *)buf.ui;
885
886 acc = rp[0]; acc += bp[12-12];
887 acc += bp[21-12];
888 acc += bp[20-12];
889 acc -= bp[23-12]; rp[0] = (unsigned int)acc; acc >>= 32;
890
891 acc += rp[1]; acc += bp[13-12];
892 acc += bp[22-12];
893 acc += bp[23-12];
894 acc -= bp[12-12];
895 acc -= bp[20-12]; rp[1] = (unsigned int)acc; acc >>= 32;
896
897 acc += rp[2]; acc += bp[14-12];
898 acc += bp[23-12];
899 acc -= bp[13-12];
900 acc -= bp[21-12]; rp[2] = (unsigned int)acc; acc >>= 32;
901
902 acc += rp[3]; acc += bp[15-12];
903 acc += bp[12-12];
904 acc += bp[20-12];
905 acc += bp[21-12];
906 acc -= bp[14-12];
907 acc -= bp[22-12];
908 acc -= bp[23-12]; rp[3] = (unsigned int)acc; acc >>= 32;
909
910 acc += rp[4]; acc += bp[21-12];
911 acc += bp[21-12];
912 acc += bp[16-12];
913 acc += bp[13-12];
914 acc += bp[12-12];
915 acc += bp[20-12];
916 acc += bp[22-12];
917 acc -= bp[15-12];
918 acc -= bp[23-12];
919 acc -= bp[23-12]; rp[4] = (unsigned int)acc; acc >>= 32;
920
921 acc += rp[5]; acc += bp[22-12];
922 acc += bp[22-12];
923 acc += bp[17-12];
924 acc += bp[14-12];
925 acc += bp[13-12];
926 acc += bp[21-12];
927 acc += bp[23-12];
928 acc -= bp[16-12]; rp[5] = (unsigned int)acc; acc >>= 32;
929
930 acc += rp[6]; acc += bp[23-12];
931 acc += bp[23-12];
932 acc += bp[18-12];
933 acc += bp[15-12];
934 acc += bp[14-12];
935 acc += bp[22-12];
936 acc -= bp[17-12]; rp[6] = (unsigned int)acc; acc >>= 32;
937
938 acc += rp[7]; acc += bp[19-12];
939 acc += bp[16-12];
940 acc += bp[15-12];
941 acc += bp[23-12];
942 acc -= bp[18-12]; rp[7] = (unsigned int)acc; acc >>= 32;
943
944 acc += rp[8]; acc += bp[20-12];
945 acc += bp[17-12];
946 acc += bp[16-12];
947 acc -= bp[19-12]; rp[8] = (unsigned int)acc; acc >>= 32;
948
949 acc += rp[9]; acc += bp[21-12];
950 acc += bp[18-12];
951 acc += bp[17-12];
952 acc -= bp[20-12]; rp[9] = (unsigned int)acc; acc >>= 32;
953
954 acc += rp[10]; acc += bp[22-12];
955 acc += bp[19-12];
956 acc += bp[18-12];
957 acc -= bp[21-12]; rp[10] = (unsigned int)acc; acc >>= 32;
958
959 acc += rp[11]; acc += bp[23-12];
960 acc += bp[20-12];
961 acc += bp[19-12];
962 acc -= bp[22-12]; rp[11] = (unsigned int)acc;
963
964 carry = (int)(acc>>32);
965 }
966#else
967 {
968 BN_ULONG t_d[BN_NIST_384_TOP];
713 969
714 /*S1*/ 970 /*S1*/
715 nist_set_256(t_d, buf, 0, 0, 0, 0, 0, 23-4, 22-4, 21-4); 971 nist_set_256(t_d, buf.bn, 0, 0, 0, 0, 0, 23-4, 22-4, 21-4);
716 /* left shift */ 972 /* left shift */
717 { 973 {
718 register BN_ULONG *ap,t,c; 974 register BN_ULONG *ap,t,c;
@@ -729,29 +985,31 @@ int BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
729 carry = (int)bn_add_words(r_d+(128/BN_BITS2), r_d+(128/BN_BITS2), 985 carry = (int)bn_add_words(r_d+(128/BN_BITS2), r_d+(128/BN_BITS2),
730 t_d, BN_NIST_256_TOP); 986 t_d, BN_NIST_256_TOP);
731 /*S2 */ 987 /*S2 */
732 carry += (int)bn_add_words(r_d, r_d, buf, BN_NIST_384_TOP); 988 carry += (int)bn_add_words(r_d, r_d, buf.bn, BN_NIST_384_TOP);
733 /*S3*/ 989 /*S3*/
734 nist_set_384(t_d,buf,20,19,18,17,16,15,14,13,12,23,22,21); 990 nist_set_384(t_d,buf.bn,20,19,18,17,16,15,14,13,12,23,22,21);
735 carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_384_TOP); 991 carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_384_TOP);
736 /*S4*/ 992 /*S4*/
737 nist_set_384(t_d,buf,19,18,17,16,15,14,13,12,20,0,23,0); 993 nist_set_384(t_d,buf.bn,19,18,17,16,15,14,13,12,20,0,23,0);
738 carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_384_TOP); 994 carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_384_TOP);
739 /*S5*/ 995 /*S5*/
740 nist_set_384(t_d, buf,0,0,0,0,23,22,21,20,0,0,0,0); 996 nist_set_384(t_d, buf.bn,0,0,0,0,23,22,21,20,0,0,0,0);
741 carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_384_TOP); 997 carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_384_TOP);
742 /*S6*/ 998 /*S6*/
743 nist_set_384(t_d,buf,0,0,0,0,0,0,23,22,21,0,0,20); 999 nist_set_384(t_d,buf.bn,0,0,0,0,0,0,23,22,21,0,0,20);
744 carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_384_TOP); 1000 carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_384_TOP);
745 /*D1*/ 1001 /*D1*/
746 nist_set_384(t_d,buf,22,21,20,19,18,17,16,15,14,13,12,23); 1002 nist_set_384(t_d,buf.bn,22,21,20,19,18,17,16,15,14,13,12,23);
747 carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_384_TOP); 1003 carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_384_TOP);
748 /*D2*/ 1004 /*D2*/
749 nist_set_384(t_d,buf,0,0,0,0,0,0,0,23,22,21,20,0); 1005 nist_set_384(t_d,buf.bn,0,0,0,0,0,0,0,23,22,21,20,0);
750 carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_384_TOP); 1006 carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_384_TOP);
751 /*D3*/ 1007 /*D3*/
752 nist_set_384(t_d,buf,0,0,0,0,0,0,0,23,23,0,0,0); 1008 nist_set_384(t_d,buf.bn,0,0,0,0,0,0,0,23,23,0,0,0);
753 carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_384_TOP); 1009 carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_384_TOP);
754 1010
1011 }
1012#endif
755 /* see BN_nist_mod_224 for explanation */ 1013 /* see BN_nist_mod_224 for explanation */
756 u.f = bn_sub_words; 1014 u.f = bn_sub_words;
757 if (carry > 0) 1015 if (carry > 0)
diff --git a/src/lib/libcrypto/bn/bn_print.c b/src/lib/libcrypto/bn/bn_print.c
index bebb466d08..1743b6a7e2 100644
--- a/src/lib/libcrypto/bn/bn_print.c
+++ b/src/lib/libcrypto/bn/bn_print.c
@@ -357,3 +357,22 @@ end:
357 return(ret); 357 return(ret);
358 } 358 }
359#endif 359#endif
360
361char *BN_options(void)
362 {
363 static int init=0;
364 static char data[16];
365
366 if (!init)
367 {
368 init++;
369#ifdef BN_LLONG
370 BIO_snprintf(data,sizeof data,"bn(%d,%d)",
371 (int)sizeof(BN_ULLONG)*8,(int)sizeof(BN_ULONG)*8);
372#else
373 BIO_snprintf(data,sizeof data,"bn(%d,%d)",
374 (int)sizeof(BN_ULONG)*8,(int)sizeof(BN_ULONG)*8);
375#endif
376 }
377 return(data);
378 }
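Review bot: BN_options at new lines 363–376 lazily fills the file-static `data` buffer under a non-atomic `static int init`, so two threads making the first call concurrently both run BIO_snprintf on the same buffer; both write identical bytes, but it is still a data race and `init++` rather than `init = 1` suggests a counter that it is not. Either format the string under the library's lock on first use, or keep the racy form and say why it is tolerated with `/* Idempotent lazy init: concurrent first calls write identical bytes */` above line 366. The 16-byte buffer is enough for the longest possible `bn(%d,%d)` output (`bn(128,64)`), but stating that next to `static char data[16];` would stop the next reader from re-deriving it.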
diff --git a/src/lib/libcrypto/bn/bn_shift.c b/src/lib/libcrypto/bn/bn_shift.c
index c4d301afc4..a6fca2c424 100644
--- a/src/lib/libcrypto/bn/bn_shift.c
+++ b/src/lib/libcrypto/bn/bn_shift.c
@@ -99,7 +99,7 @@ int BN_lshift1(BIGNUM *r, const BIGNUM *a)
99int BN_rshift1(BIGNUM *r, const BIGNUM *a) 99int BN_rshift1(BIGNUM *r, const BIGNUM *a)
100 { 100 {
101 BN_ULONG *ap,*rp,t,c; 101 BN_ULONG *ap,*rp,t,c;
102 int i; 102 int i,j;
103 103
104 bn_check_top(r); 104 bn_check_top(r);
105 bn_check_top(a); 105 bn_check_top(a);
@@ -109,22 +109,25 @@ int BN_rshift1(BIGNUM *r, const BIGNUM *a)
109 BN_zero(r); 109 BN_zero(r);
110 return(1); 110 return(1);
111 } 111 }
112 i = a->top;
113 ap= a->d;
114 j = i-(ap[i-1]==1);
112 if (a != r) 115 if (a != r)
113 { 116 {
114 if (bn_wexpand(r,a->top) == NULL) return(0); 117 if (bn_wexpand(r,j) == NULL) return(0);
115 r->top=a->top;
116 r->neg=a->neg; 118 r->neg=a->neg;
117 } 119 }
118 ap=a->d;
119 rp=r->d; 120 rp=r->d;
120 c=0; 121 t=ap[--i];
121 for (i=a->top-1; i>=0; i--) 122 c=(t&1)?BN_TBIT:0;
123 if (t>>=1) rp[i]=t;
124 while (i>0)
122 { 125 {
123 t=ap[i]; 126 t=ap[--i];
124 rp[i]=((t>>1)&BN_MASK2)|c; 127 rp[i]=((t>>1)&BN_MASK2)|c;
125 c=(t&1)?BN_TBIT:0; 128 c=(t&1)?BN_TBIT:0;
126 } 129 }
127 bn_correct_top(r); 130 r->top=j;
128 bn_check_top(r); 131 bn_check_top(r);
129 return(1); 132 return(1);
130 } 133 }
@@ -182,10 +185,11 @@ int BN_rshift(BIGNUM *r, const BIGNUM *a, int n)
182 BN_zero(r); 185 BN_zero(r);
183 return(1); 186 return(1);
184 } 187 }
188 i = (BN_num_bits(a)-n+(BN_BITS2-1))/BN_BITS2;
185 if (r != a) 189 if (r != a)
186 { 190 {
187 r->neg=a->neg; 191 r->neg=a->neg;
188 if (bn_wexpand(r,a->top-nw+1) == NULL) return(0); 192 if (bn_wexpand(r,i) == NULL) return(0);
189 } 193 }
190 else 194 else
191 { 195 {
@@ -196,7 +200,7 @@ int BN_rshift(BIGNUM *r, const BIGNUM *a, int n)
196 f= &(a->d[nw]); 200 f= &(a->d[nw]);
197 t=r->d; 201 t=r->d;
198 j=a->top-nw; 202 j=a->top-nw;
199 r->top=j; 203 r->top=i;
200 204
201 if (rb == 0) 205 if (rb == 0)
202 { 206 {
@@ -212,9 +216,8 @@ int BN_rshift(BIGNUM *r, const BIGNUM *a, int n)
212 l= *(f++); 216 l= *(f++);
213 *(t++) =(tmp|(l<<lb))&BN_MASK2; 217 *(t++) =(tmp|(l<<lb))&BN_MASK2;
214 } 218 }
215 *(t++) =(l>>rb)&BN_MASK2; 219 if ((l = (l>>rb)&BN_MASK2)) *(t) = l;
216 } 220 }
217 bn_correct_top(r);
218 bn_check_top(r); 221 bn_check_top(r);
219 return(1); 222 return(1);
220 } 223 }
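Review bot: BN_rshift1 now sets `r->top=j` at new line 130 from `j = i-(ap[i-1]==1)` on line 114 instead of calling bn_correct_top, so the result's top is only right if `a` is normalised (non-zero top word); `bn_check_top(a)` on line 105 enforces that only in debug builds, and a comment on line 114 such as `/* top shrinks only when a's top word is exactly 1; requires a to be normalised */` would document the invariant the shortcut depends on. BN_rshift does the same at new lines 188 and 203, deriving the top from BN_num_bits, and its non-negativity presumably rests on the `nw >= a->top` guard that sits just before that hunk; the enclosing functions both start outside their hunks. When the result is zero (`j==0` at line 130), `r->neg` still carries `a->neg` from line 118, which the removed bn_correct_top in this version does not appear to have cleared either, so it is not a regression but a negative-zero result of `-1 >> 1` deserves a case in bntest.c.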
diff --git a/src/lib/libcrypto/bn/bntest.c b/src/lib/libcrypto/bn/bntest.c
index 0cd99c5b4b..06f5954acc 100644
--- a/src/lib/libcrypto/bn/bntest.c
+++ b/src/lib/libcrypto/bn/bntest.c
@@ -262,7 +262,7 @@ int main(int argc, char *argv[])
262 message(out,"BN_mod_sqrt"); 262 message(out,"BN_mod_sqrt");
263 if (!test_sqrt(out,ctx)) goto err; 263 if (!test_sqrt(out,ctx)) goto err;
264 (void)BIO_flush(out); 264 (void)BIO_flush(out);
265 265#ifndef OPENSSL_NO_EC2M
266 message(out,"BN_GF2m_add"); 266 message(out,"BN_GF2m_add");
267 if (!test_gf2m_add(out)) goto err; 267 if (!test_gf2m_add(out)) goto err;
268 (void)BIO_flush(out); 268 (void)BIO_flush(out);
@@ -298,7 +298,7 @@ int main(int argc, char *argv[])
298 message(out,"BN_GF2m_mod_solve_quad"); 298 message(out,"BN_GF2m_mod_solve_quad");
299 if (!test_gf2m_mod_solve_quad(out,ctx)) goto err; 299 if (!test_gf2m_mod_solve_quad(out,ctx)) goto err;
300 (void)BIO_flush(out); 300 (void)BIO_flush(out);
301 301#endif
302 BN_CTX_free(ctx); 302 BN_CTX_free(ctx);
303 BIO_free(out); 303 BIO_free(out);
304 304
@@ -1061,7 +1061,7 @@ int test_exp(BIO *bp, BN_CTX *ctx)
1061 BN_free(one); 1061 BN_free(one);
1062 return(1); 1062 return(1);
1063 } 1063 }
1064 1064#ifndef OPENSSL_NO_EC2M
1065int test_gf2m_add(BIO *bp) 1065int test_gf2m_add(BIO *bp)
1066 { 1066 {
1067 BIGNUM a,b,c; 1067 BIGNUM a,b,c;
@@ -1636,7 +1636,7 @@ int test_gf2m_mod_solve_quad(BIO *bp,BN_CTX *ctx)
1636 BN_free(e); 1636 BN_free(e);
1637 return ret; 1637 return ret;
1638 } 1638 }
1639 1639#endif
1640static int genprime_cb(int p, int n, BN_GENCB *arg) 1640static int genprime_cb(int p, int n, BN_GENCB *arg)
1641 { 1641 {
1642 char c='*'; 1642 char c='*';
diff --git a/src/lib/libcrypto/buffer/buffer.c b/src/lib/libcrypto/buffer/buffer.c
index bc803ab6c8..d7aa79ad7f 100644
--- a/src/lib/libcrypto/buffer/buffer.c
+++ b/src/lib/libcrypto/buffer/buffer.c
@@ -156,7 +156,7 @@ int BUF_MEM_grow_clean(BUF_MEM *str, size_t len)
156 /* This limit is sufficient to ensure (len+3)/3*4 < 2**31 */ 156 /* This limit is sufficient to ensure (len+3)/3*4 < 2**31 */
157 if (len > LIMIT_BEFORE_EXPANSION) 157 if (len > LIMIT_BEFORE_EXPANSION)
158 { 158 {
159 BUFerr(BUF_F_BUF_MEM_GROW,ERR_R_MALLOC_FAILURE); 159 BUFerr(BUF_F_BUF_MEM_GROW_CLEAN,ERR_R_MALLOC_FAILURE);
160 return 0; 160 return 0;
161 } 161 }
162 n=(len+3)/3*4; 162 n=(len+3)/3*4;
@@ -179,64 +179,6 @@ int BUF_MEM_grow_clean(BUF_MEM *str, size_t len)
179 return(len); 179 return(len);
180 } 180 }
181 181
182char *BUF_strdup(const char *str)
183 {
184 if (str == NULL) return(NULL);
185 return BUF_strndup(str, strlen(str));
186 }
187
188char *BUF_strndup(const char *str, size_t siz)
189 {
190 char *ret;
191
192 if (str == NULL) return(NULL);
193
194 ret=OPENSSL_malloc(siz+1);
195 if (ret == NULL)
196 {
197 BUFerr(BUF_F_BUF_STRNDUP,ERR_R_MALLOC_FAILURE);
198 return(NULL);
199 }
200 BUF_strlcpy(ret,str,siz+1);
201 return(ret);
202 }
203
204void *BUF_memdup(const void *data, size_t siz)
205 {
206 void *ret;
207
208 if (data == NULL) return(NULL);
209
210 ret=OPENSSL_malloc(siz);
211 if (ret == NULL)
212 {
213 BUFerr(BUF_F_BUF_MEMDUP,ERR_R_MALLOC_FAILURE);
214 return(NULL);
215 }
216 return memcpy(ret, data, siz);
217 }
218
219size_t BUF_strlcpy(char *dst, const char *src, size_t size)
220 {
221 size_t l = 0;
222 for(; size > 1 && *src; size--)
223 {
224 *dst++ = *src++;
225 l++;
226 }
227 if (size)
228 *dst = '\0';
229 return l + strlen(src);
230 }
231
232size_t BUF_strlcat(char *dst, const char *src, size_t size)
233 {
234 size_t l = 0;
235 for(; size > 0 && *dst; size--, dst++)
236 l++;
237 return l + BUF_strlcpy(dst, src, size);
238 }
239
240void BUF_reverse(unsigned char *out, unsigned char *in, size_t size) 182void BUF_reverse(unsigned char *out, unsigned char *in, size_t size)
241 { 183 {
242 size_t i; 184 size_t i;
diff --git a/src/lib/libcrypto/cast/c_skey.c b/src/lib/libcrypto/cast/c_skey.c
index 76e40005c9..cb6bf9fee3 100644
--- a/src/lib/libcrypto/cast/c_skey.c
+++ b/src/lib/libcrypto/cast/c_skey.c
@@ -56,6 +56,7 @@
56 * [including the GNU Public Licence.] 56 * [including the GNU Public Licence.]
57 */ 57 */
58 58
59#include <openssl/crypto.h>
59#include <openssl/cast.h> 60#include <openssl/cast.h>
60#include "cast_lcl.h" 61#include "cast_lcl.h"
61#include "cast_s.h" 62#include "cast_s.h"
@@ -71,8 +72,14 @@
71#define S5 CAST_S_table5 72#define S5 CAST_S_table5
72#define S6 CAST_S_table6 73#define S6 CAST_S_table6
73#define S7 CAST_S_table7 74#define S7 CAST_S_table7
74
75void CAST_set_key(CAST_KEY *key, int len, const unsigned char *data) 75void CAST_set_key(CAST_KEY *key, int len, const unsigned char *data)
76#ifdef OPENSSL_FIPS
77 {
78 fips_cipher_abort(CAST);
79 private_CAST_set_key(key, len, data);
80 }
81void private_CAST_set_key(CAST_KEY *key, int len, const unsigned char *data)
82#endif
76 { 83 {
77 CAST_LONG x[16]; 84 CAST_LONG x[16];
78 CAST_LONG z[16]; 85 CAST_LONG z[16];
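Review bot: The FIPS variant at new lines 76–82 is assembled by splicing a preprocessor block between the CAST_set_key signature on line 75 and the shared body starting on line 83, so under OPENSSL_FIPS the body that follows belongs to private_CAST_set_key while otherwise the same body belongs to CAST_set_key; this reads as one function and is easy to break on the next edit. A comment above line 76, `/* OPENSSL_FIPS: CAST_set_key becomes an aborting wrapper; the body below then defines private_CAST_set_key */`, would make the splice visible. The matching declaration added to cast.h at its line 87 is likewise conditional on OPENSSL_FIPS, which is consistent, and the new `#include <openssl/crypto.h>` on line 59 is presumably what declares fips_cipher_abort.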
diff --git a/src/lib/libcrypto/cast/cast.h b/src/lib/libcrypto/cast/cast.h
index 1a264f8143..203922ea2b 100644
--- a/src/lib/libcrypto/cast/cast.h
+++ b/src/lib/libcrypto/cast/cast.h
@@ -83,7 +83,9 @@ typedef struct cast_key_st
83 int short_key; /* Use reduced rounds for short key */ 83 int short_key; /* Use reduced rounds for short key */
84 } CAST_KEY; 84 } CAST_KEY;
85 85
86 86#ifdef OPENSSL_FIPS
87void private_CAST_set_key(CAST_KEY *key, int len, const unsigned char *data);
88#endif
87void CAST_set_key(CAST_KEY *key, int len, const unsigned char *data); 89void CAST_set_key(CAST_KEY *key, int len, const unsigned char *data);
88void CAST_ecb_encrypt(const unsigned char *in, unsigned char *out, const CAST_KEY *key, 90void CAST_ecb_encrypt(const unsigned char *in, unsigned char *out, const CAST_KEY *key,
89 int enc); 91 int enc);
diff --git a/src/lib/libcrypto/cms/cms_smime.c b/src/lib/libcrypto/cms/cms_smime.c
index 4a799eb897..8c56e3a852 100644
--- a/src/lib/libcrypto/cms/cms_smime.c
+++ b/src/lib/libcrypto/cms/cms_smime.c
@@ -611,7 +611,10 @@ int CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert)
611 STACK_OF(CMS_RecipientInfo) *ris; 611 STACK_OF(CMS_RecipientInfo) *ris;
612 CMS_RecipientInfo *ri; 612 CMS_RecipientInfo *ri;
613 int i, r; 613 int i, r;
614 int debug = 0;
614 ris = CMS_get0_RecipientInfos(cms); 615 ris = CMS_get0_RecipientInfos(cms);
616 if (ris)
617 debug = cms->d.envelopedData->encryptedContentInfo->debug;
615 for (i = 0; i < sk_CMS_RecipientInfo_num(ris); i++) 618 for (i = 0; i < sk_CMS_RecipientInfo_num(ris); i++)
616 { 619 {
617 ri = sk_CMS_RecipientInfo_value(ris, i); 620 ri = sk_CMS_RecipientInfo_value(ris, i);
@@ -625,17 +628,38 @@ int CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert)
625 CMS_RecipientInfo_set0_pkey(ri, pk); 628 CMS_RecipientInfo_set0_pkey(ri, pk);
626 r = CMS_RecipientInfo_decrypt(cms, ri); 629 r = CMS_RecipientInfo_decrypt(cms, ri);
627 CMS_RecipientInfo_set0_pkey(ri, NULL); 630 CMS_RecipientInfo_set0_pkey(ri, NULL);
628 if (r > 0)
629 return 1;
630 if (cert) 631 if (cert)
631 { 632 {
633 /* If not debugging clear any error and
634 * return success to avoid leaking of
635 * information useful to MMA
636 */
637 if (!debug)
638 {
639 ERR_clear_error();
640 return 1;
641 }
642 if (r > 0)
643 return 1;
632 CMSerr(CMS_F_CMS_DECRYPT_SET1_PKEY, 644 CMSerr(CMS_F_CMS_DECRYPT_SET1_PKEY,
633 CMS_R_DECRYPT_ERROR); 645 CMS_R_DECRYPT_ERROR);
634 return 0; 646 return 0;
635 } 647 }
636 ERR_clear_error(); 648 /* If no cert and not debugging don't leave loop
649 * after first successful decrypt. Always attempt
650 * to decrypt all recipients to avoid leaking timing
651 * of a successful decrypt.
652 */
653 else if (r > 0 && debug)
654 return 1;
637 } 655 }
638 } 656 }
657 /* If no cert and not debugging always return success */
658 if (!cert && !debug)
659 {
660 ERR_clear_error();
661 return 1;
662 }
639 663
640 CMSerr(CMS_F_CMS_DECRYPT_SET1_PKEY, CMS_R_NO_MATCHING_RECIPIENT); 664 CMSerr(CMS_F_CMS_DECRYPT_SET1_PKEY, CMS_R_NO_MATCHING_RECIPIENT);
641 return 0; 665 return 0;
@@ -680,6 +704,30 @@ int CMS_decrypt_set1_key(CMS_ContentInfo *cms,
680 return 0; 704 return 0;
681 705
682 } 706 }
707
708int CMS_decrypt_set1_password(CMS_ContentInfo *cms,
709 unsigned char *pass, ossl_ssize_t passlen)
710 {
711 STACK_OF(CMS_RecipientInfo) *ris;
712 CMS_RecipientInfo *ri;
713 int i, r;
714 ris = CMS_get0_RecipientInfos(cms);
715 for (i = 0; i < sk_CMS_RecipientInfo_num(ris); i++)
716 {
717 ri = sk_CMS_RecipientInfo_value(ris, i);
718 if (CMS_RecipientInfo_type(ri) != CMS_RECIPINFO_PASS)
719 continue;
720 CMS_RecipientInfo_set0_password(ri, pass, passlen);
721 r = CMS_RecipientInfo_decrypt(cms, ri);
722 CMS_RecipientInfo_set0_password(ri, NULL, 0);
723 if (r > 0)
724 return 1;
725 }
726
727 CMSerr(CMS_F_CMS_DECRYPT_SET1_PASSWORD, CMS_R_NO_MATCHING_RECIPIENT);
728 return 0;
729
730 }
683 731
684int CMS_decrypt(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert, 732int CMS_decrypt(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert,
685 BIO *dcont, BIO *out, 733 BIO *dcont, BIO *out,
@@ -694,9 +742,14 @@ int CMS_decrypt(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert,
694 } 742 }
695 if (!dcont && !check_content(cms)) 743 if (!dcont && !check_content(cms))
696 return 0; 744 return 0;
745 if (flags & CMS_DEBUG_DECRYPT)
746 cms->d.envelopedData->encryptedContentInfo->debug = 1;
747 else
748 cms->d.envelopedData->encryptedContentInfo->debug = 0;
749 if (!pk && !cert && !dcont && !out)
750 return 1;
697 if (pk && !CMS_decrypt_set1_pkey(cms, pk, cert)) 751 if (pk && !CMS_decrypt_set1_pkey(cms, pk, cert))
698 return 0; 752 return 0;
699
700 cont = CMS_dataInit(cms, dcont); 753 cont = CMS_dataInit(cms, dcont);
701 if (!cont) 754 if (!cont)
702 return 0; 755 return 0;
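--- a/src/lib/libcrypto/comp/c_rle.c
+++ b/src/lib/libcrypto/comp/c_rle.c
@@ -30,7 +30,7 @@ static int rle_compress_block(COMP_CTX *ctx, unsigned char *out,
 {
 /* int i; */
 
-if (olen < (ilen+1))
+if (ilen == 0 || olen < (ilen-1))
 {
 /* ZZZZZZZZZZZZZZZZZZZZZZ */
 return(-1);
@@ -46,7 +46,7 @@ static int rle_expand_block(COMP_CTX *ctx, unsigned char *out,
 {
 int i;
 
-if (ilen == 0 || olen < (ilen-1))
+if (olen < (ilen-1))
 {
 /* ZZZZZZZZZZZZZZZZZZZZZZ */
 return(-1);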
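Review bot: The two guards look transposed: rle_compress_block's check goes from `olen < (ilen+1)` to `olen < (ilen-1)`, yet a compressor that emits a flag byte followed by the input needs ilen+1 bytes of output, so the new check admits an output buffer that is up to two bytes short, while rle_expand_block, which consumes the flag byte, loses its `ilen == 0` guard and now only stays safe if ilen is an unsigned type that wraps. The bodies that write and read the buffers lie outside both hunks, so this is inferred from the old guards rather than from visible writes. I would keep `if (ilen == 0 || olen < (ilen+1))` in the compressor and `if (ilen == 0 || olen < (ilen-1))` in the expander, each with a comment like `/* output is one flag byte plus ilen input bytes */` stating the size relation the check enforces.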
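--- a/src/lib/libcrypto/cpt_err.c
+++ b/src/lib/libcrypto/cpt_err.c
@@ -1,6 +1,6 @@
 /* crypto/cpt_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2006 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -76,6 +76,7 @@ static ERR_STRING_DATA CRYPTO_str_functs[]=
 {ERR_FUNC(CRYPTO_F_CRYPTO_SET_EX_DATA), "CRYPTO_set_ex_data"},
 {ERR_FUNC(CRYPTO_F_DEF_ADD_INDEX), "DEF_ADD_INDEX"},
 {ERR_FUNC(CRYPTO_F_DEF_GET_CLASS), "DEF_GET_CLASS"},
+{ERR_FUNC(CRYPTO_F_FIPS_MODE_SET), "FIPS_mode_set"},
 {ERR_FUNC(CRYPTO_F_INT_DUP_EX_DATA), "INT_DUP_EX_DATA"},
 {ERR_FUNC(CRYPTO_F_INT_FREE_EX_DATA), "INT_FREE_EX_DATA"},
 {ERR_FUNC(CRYPTO_F_INT_NEW_EX_DATA), "INT_NEW_EX_DATA"},
@@ -84,6 +85,7 @@ static ERR_STRING_DATA CRYPTO_str_functs[]=
 
 static ERR_STRING_DATA CRYPTO_str_reasons[]=
 {
+{ERR_REASON(CRYPTO_R_FIPS_MODE_NOT_SUPPORTED),"fips mode not supported"},
 {ERR_REASON(CRYPTO_R_NO_DYNLOCK_CREATE_CALLBACK),"no dynlock create callback"},
 {0,NULL}
 };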
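--- a/src/lib/libcrypto/cryptlib.c
+++ b/src/lib/libcrypto/cryptlib.c
@@ -409,6 +409,10 @@ int (*CRYPTO_get_add_lock_callback(void))(int *num,int mount,int type,
 void CRYPTO_set_locking_callback(void (*func)(int mode,int type,
 const char *file,int line))
 {
+/* Calling this here ensures initialisation before any threads
+ * are started.
+ */
+OPENSSL_init();
 locking_callback=func;
 }
 
@@ -661,28 +665,52 @@ const char *CRYPTO_get_lock_name(int type)
 defined(__INTEL__) || \
 defined(__x86_64) || defined(__x86_64__) || defined(_M_AMD64) || defined(_M_X64)
 
-unsigned long OPENSSL_ia32cap_P=0;
-unsigned long *OPENSSL_ia32cap_loc(void) { return &OPENSSL_ia32cap_P; }
+unsigned int OPENSSL_ia32cap_P[2];
+unsigned long *OPENSSL_ia32cap_loc(void)
+{ if (sizeof(long)==4)
+/*
+ * If 32-bit application pulls address of OPENSSL_ia32cap_P[0]
+ * clear second element to maintain the illusion that vector
+ * is 32-bit.
+ */
+OPENSSL_ia32cap_P[1]=0;
+return (unsigned long *)OPENSSL_ia32cap_P;
+}
 
 #if defined(OPENSSL_CPUID_OBJ) && !defined(OPENSSL_NO_ASM) && !defined(I386_ONLY)
 #define OPENSSL_CPUID_SETUP
+#if defined(_WIN32)
+typedef unsigned __int64 IA32CAP;
+#else
+typedef unsigned long long IA32CAP;
+#endif
 void OPENSSL_cpuid_setup(void)
 { static int trigger=0;
-unsigned long OPENSSL_ia32_cpuid(void);
+IA32CAP OPENSSL_ia32_cpuid(void);
+IA32CAP vec;
 char *env;
 
 if (trigger) return;
 
 trigger=1;
-if ((env=getenv("OPENSSL_ia32cap")))
-OPENSSL_ia32cap_P = strtoul(env,NULL,0)|(1<<10);
+if ((env=getenv("OPENSSL_ia32cap"))) {
+int off = (env[0]=='~')?1:0;
+#if defined(_WIN32)
+if (!sscanf(env+off,"%I64i",&vec)) vec = strtoul(env+off,NULL,0);
+#else
+if (!sscanf(env+off,"%lli",(long long *)&vec)) vec = strtoul(env+off,NULL,0);
+#endif
+if (off) vec = OPENSSL_ia32_cpuid()&~vec;
+}
 else
-OPENSSL_ia32cap_P = OPENSSL_ia32_cpuid()|(1<<10);
+vec = OPENSSL_ia32_cpuid();
 /*
 * |(1<<10) sets a reserved bit to signal that variable
 * was initialized already... This is to avoid interference
 * with cpuid snippets in ELF .init segment.
 */
+OPENSSL_ia32cap_P[0] = (unsigned int)vec|(1<<10);
+OPENSSL_ia32cap_P[1] = (unsigned int)(vec>>32);
 }
 #endif
 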
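Review bot: `vec` at new line 690 has no initialiser and the fallback at lines 699/701 only runs when sscanf returns 0; for an empty or whitespace-only OPENSSL_ia32cap value sscanf returns EOF, `!EOF` is false, and `vec` is then read uninitialised at line 703 or 712, so the capability vector the whole library dispatches on becomes garbage. Test for a successful conversion instead: `if (sscanf(env+off,"%lli",(long long *)&vec) != 1) vec = strtoul(env+off,NULL,0);` (and the same for the `%I64i` twin), or declare `IA32CAP vec = 0;`. OPENSSL_ia32cap_loc also now hands out an `unsigned int[2]` through an `unsigned long *`; the two-element layout makes that work, but the function deserves a comment saying that 64-bit callers read both elements through one long. The remainder of OPENSSL_cpuid_setup's file lies outside these hunks.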
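--- a/src/lib/libcrypto/cryptlib.h
+++ b/src/lib/libcrypto/cryptlib.h
@@ -99,7 +99,7 @@ extern "C" {
 #define HEX_SIZE(type) (sizeof(type)*2)
 
 void OPENSSL_cpuid_setup(void);
-extern unsigned long OPENSSL_ia32cap_P;
+extern unsigned int OPENSSL_ia32cap_P[];
 void OPENSSL_showfatal(const char *,...);
 void *OPENSSL_stderr(void);
 extern int OPENSSL_NONPIC_relocated;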
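--- a/src/lib/libcrypto/crypto-lib.com
+++ b/src/lib/libcrypto/crypto-lib.com
@@ -117,7 +117,7 @@ $ ENCRYPT_TYPES = "Basic,"+ -
 "BUFFER,BIO,STACK,LHASH,RAND,ERR,"+ -
 "EVP,EVP_2,EVP_3,ASN1,ASN1_2,PEM,X509,X509V3,"+ -
 "CONF,TXT_DB,PKCS7,PKCS12,COMP,OCSP,UI,KRB5,"+ -
-"STORE,CMS,PQUEUE,TS,JPAKE"
+"CMS,PQUEUE,TS,JPAKE,SRP,STORE,CMAC"
 $!
 $! Check To Make Sure We Have Valid Command Line Parameters.
 $!
@@ -207,7 +207,8 @@ $!
 $ APPS_DES = "DES/DES,CBC3_ENC"
 $ APPS_PKCS7 = "ENC/ENC;DEC/DEC;SIGN/SIGN;VERIFY/VERIFY,EXAMPLE"
 $
-$ LIB_ = "cryptlib,mem,mem_clr,mem_dbg,cversion,ex_data,cpt_err,ebcdic,uid,o_time,o_str,o_dir"
+$ LIB_ = "cryptlib,mem,mem_clr,mem_dbg,cversion,ex_data,cpt_err,"+ -
+"ebcdic,uid,o_time,o_str,o_dir,o_fips.c,o_init,fips_ers"
 $ LIB_MD2 = "md2_dgst,md2_one"
 $ LIB_MD4 = "md4_dgst,md4_one"
 $ LIB_MD5 = "md5_dgst,md5_one"
@@ -224,15 +225,16 @@ $ LIB_DES = "set_key,ecb_enc,cbc_enc,"+ -
 "fcrypt,xcbc_enc,rpc_enc,cbc_cksm,"+ -
 "ede_cbcm_enc,des_old,des_old2,read2pwd"
 $ LIB_RC2 = "rc2_ecb,rc2_skey,rc2_cbc,rc2cfb64,rc2ofb64"
-$ LIB_RC4 = "rc4_skey,rc4_enc"
+$ LIB_RC4 = "rc4_skey,rc4_enc,rc4_utl"
 $ LIB_RC5 = "rc5_skey,rc5_ecb,rc5_enc,rc5cfb64,rc5ofb64"
 $ LIB_IDEA = "i_cbc,i_cfb64,i_ofb64,i_ecb,i_skey"
 $ LIB_BF = "bf_skey,bf_ecb,bf_enc,bf_cfb64,bf_ofb64"
 $ LIB_CAST = "c_skey,c_ecb,c_enc,c_cfb64,c_ofb64"
 $ LIB_CAMELLIA = "camellia,cmll_misc,cmll_ecb,cmll_cbc,cmll_ofb,"+ -
-"cmll_cfb,cmll_ctr"
+"cmll_cfb,cmll_ctr,cmll_utl"
 $ LIB_SEED = "seed,seed_ecb,seed_cbc,seed_cfb,seed_ofb"
-$ LIB_MODES = "cbc128,ctr128,cts128,cfb128,ofb128"
+$ LIB_MODES = "cbc128,ctr128,cts128,cfb128,ofb128,gcm128,"+ -
+"ccm128,xts128"
 $ LIB_BN_ASM = "[.asm]vms.mar,vms-helper"
 $ IF F$TRNLNM("OPENSSL_NO_ASM") .OR. ARCH .NES. "VAX" THEN -
 LIB_BN_ASM = "bn_asm"
@@ -240,14 +242,16 @@ $ LIB_BN = "bn_add,bn_div,bn_exp,bn_lib,bn_ctx,bn_mul,bn_mod,"+ -
 "bn_print,bn_rand,bn_shift,bn_word,bn_blind,"+ -
 "bn_kron,bn_sqrt,bn_gcd,bn_prime,bn_err,bn_sqr,"+LIB_BN_ASM+","+ -
 "bn_recp,bn_mont,bn_mpi,bn_exp2,bn_gf2m,bn_nist,"+ -
-"bn_depr,bn_const"
+"bn_depr,bn_const,bn_x931p"
 $ LIB_EC = "ec_lib,ecp_smpl,ecp_mont,ecp_nist,ec_cvt,ec_mult,"+ -
 "ec_err,ec_curve,ec_check,ec_print,ec_asn1,ec_key,"+ -
-"ec2_smpl,ec2_mult,ec_ameth,ec_pmeth,eck_prn"
+"ec2_smpl,ec2_mult,ec_ameth,ec_pmeth,eck_prn,"+ -
+"ecp_nistp224,ecp_nistp256,ecp_nistp521,ecp_nistputil,"+ -
+"ecp_oct,ec2_oct,ec_oct"
 $ LIB_RSA = "rsa_eay,rsa_gen,rsa_lib,rsa_sign,rsa_saos,rsa_err,"+ -
 "rsa_pk1,rsa_ssl,rsa_none,rsa_oaep,rsa_chk,rsa_null,"+ -
 "rsa_pss,rsa_x931,rsa_asn1,rsa_depr,rsa_ameth,rsa_prn,"+ -
-"rsa_pmeth"
+"rsa_pmeth,rsa_crpt"
 $ LIB_DSA = "dsa_gen,dsa_key,dsa_lib,dsa_asn1,dsa_vrf,dsa_sign,"+ -
 "dsa_err,dsa_ossl,dsa_depr,dsa_ameth,dsa_pmeth,dsa_prn"
 $ LIB_ECDSA = "ecs_lib,ecs_asn1,ecs_ossl,ecs_sign,ecs_vrf,ecs_err"
@@ -260,10 +264,11 @@ $ LIB_ENGINE = "eng_err,eng_lib,eng_list,eng_init,eng_ctrl,"+ -
 "eng_table,eng_pkey,eng_fat,eng_all,"+ -
 "tb_rsa,tb_dsa,tb_ecdsa,tb_dh,tb_ecdh,tb_rand,tb_store,"+ -
 "tb_cipher,tb_digest,tb_pkmeth,tb_asnmth,"+ -
-"eng_openssl,eng_dyn,eng_cnf,eng_cryptodev"
+"eng_openssl,eng_dyn,eng_cnf,eng_cryptodev,"+ -
+"eng_rsax,eng_rdrand"
 $ LIB_AES = "aes_core,aes_misc,aes_ecb,aes_cbc,aes_cfb,aes_ofb,aes_ctr,"+ -
 "aes_ige,aes_wrap"
-$ LIB_BUFFER = "buffer,buf_err"
+$ LIB_BUFFER = "buffer,buf_str,buf_err"
 $ LIB_BIO = "bio_lib,bio_cb,bio_err,"+ -
 "bss_mem,bss_null,bss_fd,"+ -
 "bss_file,bss_sock,bss_conn,"+ -
@@ -287,7 +292,8 @@ $ LIB_EVP_2 = "m_null,m_md2,m_md4,m_md5,m_sha,m_sha1,m_wp," + -
 "bio_md,bio_b64,bio_enc,evp_err,e_null,"+ -
 "c_all,c_allc,c_alld,evp_lib,bio_ok,"+-
 "evp_pkey,evp_pbe,p5_crpt,p5_crpt2"
-$ LIB_EVP_3 = "e_old,pmeth_lib,pmeth_fn,pmeth_gn,m_sigver"
+$ LIB_EVP_3 = "e_old,pmeth_lib,pmeth_fn,pmeth_gn,m_sigver,evp_fips,"+ -
+"e_aes_cbc_hmac_sha1,e_rc4_hmac_md5"
 $ LIB_ASN1 = "a_object,a_bitstr,a_utctm,a_gentm,a_time,a_int,a_octet,"+ -
 "a_print,a_type,a_set,a_dup,a_d2i_fp,a_i2d_fp,"+ -
 "a_enum,a_utf8,a_sign,a_digest,a_verify,a_mbstr,a_strex,"+ -
@@ -329,14 +335,17 @@ $ LIB_OCSP = "ocsp_asn,ocsp_ext,ocsp_ht,ocsp_lib,ocsp_cl,"+ -
 $ LIB_UI_COMPAT = ",ui_compat"
 $ LIB_UI = "ui_err,ui_lib,ui_openssl,ui_util"+LIB_UI_COMPAT
 $ LIB_KRB5 = "krb5_asn"
-$ LIB_STORE = "str_err,str_lib,str_meth,str_mem"
 $ LIB_CMS = "cms_lib,cms_asn1,cms_att,cms_io,cms_smime,cms_err,"+ -
-"cms_sd,cms_dd,cms_cd,cms_env,cms_enc,cms_ess"
+"cms_sd,cms_dd,cms_cd,cms_env,cms_enc,cms_ess,"+ -
+"cms_pwri"
 $ LIB_PQUEUE = "pqueue"
 $ LIB_TS = "ts_err,ts_req_utils,ts_req_print,ts_rsp_utils,ts_rsp_print,"+ -
 "ts_rsp_sign,ts_rsp_verify,ts_verify_ctx,ts_lib,ts_conf,"+ -
 "ts_asn1"
 $ LIB_JPAKE = "jpake,jpake_err"
+$ LIB_SRP = "srp_lib,srp_vfy"
+$ LIB_STORE = "str_err,str_lib,str_meth,str_mem"
+$ LIB_CMAC = "cmac,cm_ameth.c,cm_pmeth"
 $!
 $! Setup exceptional compilations
 $!
@@ -1021,7 +1030,7 @@ $!
 $! Set basic C compiler /INCLUDE directories.
 $!
 $ CC_INCLUDES = "SYS$DISK:[.''ARCHD'],SYS$DISK:[],SYS$DISK:[-],"+ -
-"SYS$DISK:[.ENGINE.VENDOR_DEFNS],SYS$DISK:[.EVP],SYS$DISK:[.ASN1]"
+"SYS$DISK:[.ENGINE.VENDOR_DEFNS],SYS$DISK:[.MODES],SYS$DISK:[.ASN1],SYS$DISK:[.EVP]"
 $!
 $! Check To See If P3 Is Blank.
 $!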
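--- a/src/lib/libcrypto/crypto.h
+++ b/src/lib/libcrypto/crypto.h
@@ -547,6 +547,33 @@ unsigned long *OPENSSL_ia32cap_loc(void);
 #define OPENSSL_ia32cap (*(OPENSSL_ia32cap_loc()))
 int OPENSSL_isservice(void);
 
+int FIPS_mode(void);
+int FIPS_mode_set(int r);
+
+void OPENSSL_init(void);
+
+#define fips_md_init(alg) fips_md_init_ctx(alg, alg)
+
+#ifdef OPENSSL_FIPS
+#define fips_md_init_ctx(alg, cx) \
+int alg##_Init(cx##_CTX *c) \
+{ \
+if (FIPS_mode()) OpenSSLDie(__FILE__, __LINE__, \
+"Low level API call to digest " #alg " forbidden in FIPS mode!"); \
+return private_##alg##_Init(c); \
+} \
+int private_##alg##_Init(cx##_CTX *c)
+
+#define fips_cipher_abort(alg) \
+if (FIPS_mode()) OpenSSLDie(__FILE__, __LINE__, \
+"Low level API call to cipher " #alg " forbidden in FIPS mode!")
+
+#else
+#define fips_md_init_ctx(alg, cx) \
+int alg##_Init(cx##_CTX *c)
+#define fips_cipher_abort(alg) while(0)
+#endif
+
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
 * made after this point may be overwritten when the script is next run.
@@ -562,11 +589,13 @@ void ERR_load_CRYPTO_strings(void);
 #define CRYPTO_F_CRYPTO_SET_EX_DATA 102
 #define CRYPTO_F_DEF_ADD_INDEX 104
 #define CRYPTO_F_DEF_GET_CLASS 105
+#define CRYPTO_F_FIPS_MODE_SET 109
 #define CRYPTO_F_INT_DUP_EX_DATA 106
 #define CRYPTO_F_INT_FREE_EX_DATA 107
 #define CRYPTO_F_INT_NEW_EX_DATA 108
 
 /* Reason codes. */
+#define CRYPTO_R_FIPS_MODE_NOT_SUPPORTED 101
 #define CRYPTO_R_NO_DYNLOCK_CREATE_CALLBACK 100
 
 #ifdef __cplusplus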
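Review bot: In the OPENSSL_FIPS branch `fips_cipher_abort(alg)` (new lines 567-569) expands to a bare `if (FIPS_mode()) OpenSSLDie(...)`, so a call site written as `if (cond) fips_cipher_abort(DES); else ...` binds the `else` to the macro's own `if`, and the two build variants do not even expand to the same statement shape (the non-FIPS form is `while(0)`). Wrap both as a single statement: `#define fips_cipher_abort(alg) do { if (FIPS_mode()) OpenSSLDie(__FILE__, __LINE__, "Low level API call to cipher " #alg " forbidden in FIPS mode!"); } while(0)` and `#define fips_cipher_abort(alg) do {} while(0)`. `fips_md_init_ctx` likewise defines `alg##_Init` with a call to `private_##alg##_Init` before that function's own prototype in the expansion, so each digest header has to declare the `private_` variant ahead of the first use (des.h in this commit does that for the cipher case); a comment above the macro stating that requirement would save the next maintainer a compile error.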
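--- a/src/lib/libcrypto/des/des.h
+++ b/src/lib/libcrypto/des/des.h
@@ -226,6 +226,9 @@ int DES_set_key(const_DES_cblock *key,DES_key_schedule *schedule);
 int DES_key_sched(const_DES_cblock *key,DES_key_schedule *schedule);
 int DES_set_key_checked(const_DES_cblock *key,DES_key_schedule *schedule);
 void DES_set_key_unchecked(const_DES_cblock *key,DES_key_schedule *schedule);
+#ifdef OPENSSL_FIPS
+void private_DES_set_key_unchecked(const_DES_cblock *key,DES_key_schedule *schedule);
+#endif
 void DES_string_to_key(const char *str,DES_cblock *key);
 void DES_string_to_2keys(const char *str,DES_cblock *key1,DES_cblock *key2);
 void DES_cfb64_encrypt(const unsigned char *in,unsigned char *out,long length,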
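--- a/src/lib/libcrypto/des/set_key.c
+++ b/src/lib/libcrypto/des/set_key.c
@@ -65,6 +65,8 @@
 */
 #include "des_locl.h"
 
+#include <openssl/crypto.h>
+
 OPENSSL_IMPLEMENT_GLOBAL(int,DES_check_key,0) /* defaults to false */
 
 static const unsigned char odd_parity[256]={
@@ -335,6 +337,13 @@ int DES_set_key_checked(const_DES_cblock *key, DES_key_schedule *schedule)
 }
 
 void DES_set_key_unchecked(const_DES_cblock *key, DES_key_schedule *schedule)
+#ifdef OPENSSL_FIPS
+{
+fips_cipher_abort(DES);
+private_DES_set_key_unchecked(key, schedule);
+}
+void private_DES_set_key_unchecked(const_DES_cblock *key, DES_key_schedule *schedule)
+#endif
 {
 static const int shifts2[16]={0,0,1,1,1,1,1,1,0,1,1,1,1,1,1,0};
 register DES_LONG c,d,t,s,t2;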
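Review bot: The `#ifdef OPENSSL_FIPS` block at new lines 340-346 is spliced between DES_set_key_unchecked's signature and the opening brace of the key-schedule body, so which function that body belongs to depends on the build and the reader has to re-pair signature and body by hand; the same trick is presumably applied to the other low-level ciphers this commit gates, where it will read just as badly. A complete wrapper under the ifdef plus an unconditional definition of the worker reads straight through and keeps the wrapper's purpose visible at its definition. The key-schedule body that follows continues well past the hunk. Sketch (the `DES_SET_KEY_IMPL` macro name is illustrative):

```c
#ifdef OPENSSL_FIPS
/* FIPS build: public entry point aborts in FIPS mode, then defers to the worker. */
void DES_set_key_unchecked(const_DES_cblock *key, DES_key_schedule *schedule)
	{
	fips_cipher_abort(DES);
	private_DES_set_key_unchecked(key, schedule);
	}
#define DES_SET_KEY_IMPL private_DES_set_key_unchecked
#else
#define DES_SET_KEY_IMPL DES_set_key_unchecked
#endif

void DES_SET_KEY_IMPL(const_DES_cblock *key, DES_key_schedule *schedule)
	{
	/* … unchanged: shifts2 table and key-schedule body … */
```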
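--- a/src/lib/libcrypto/dh/dh.h
+++ b/src/lib/libcrypto/dh/dh.h
@@ -86,6 +86,21 @@
 * be used for all exponents.
 */
 
+/* If this flag is set the DH method is FIPS compliant and can be used
+ * in FIPS mode. This is set in the validated module method. If an
+ * application sets this flag in its own methods it is its reposibility
+ * to ensure the result is compliant.
+ */
+
+#define DH_FLAG_FIPS_METHOD 0x0400
+
+/* If this flag is set the operations normally disabled in FIPS mode are
+ * permitted it is then the applications responsibility to ensure that the
+ * usage is compliant.
+ */
+
+#define DH_FLAG_NON_FIPS_ALLOW 0x0400
+
 #ifdef __cplusplus
 extern "C" {
 #endif
@@ -230,6 +245,9 @@ void ERR_load_DH_strings(void);
 #define DH_F_COMPUTE_KEY 102
 #define DH_F_DHPARAMS_PRINT_FP 101
 #define DH_F_DH_BUILTIN_GENPARAMS 106
+#define DH_F_DH_COMPUTE_KEY 114
+#define DH_F_DH_GENERATE_KEY 115
+#define DH_F_DH_GENERATE_PARAMETERS_EX 116
 #define DH_F_DH_NEW_METHOD 105
 #define DH_F_DH_PARAM_DECODE 107
 #define DH_F_DH_PRIV_DECODE 110
@@ -249,7 +267,9 @@ void ERR_load_DH_strings(void);
 #define DH_R_DECODE_ERROR 104
 #define DH_R_INVALID_PUBKEY 102
 #define DH_R_KEYS_NOT_SET 108
+#define DH_R_KEY_SIZE_TOO_SMALL 110
 #define DH_R_MODULUS_TOO_LARGE 103
+#define DH_R_NON_FIPS_METHOD 111
 #define DH_R_NO_PARAMETERS_SET 107
 #define DH_R_NO_PRIVATE_VALUE 100
 #define DH_R_PARAMETER_ENCODING_ERROR 105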
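Review bot: `DH_FLAG_FIPS_METHOD` and `DH_FLAG_NON_FIPS_ALLOW` (new lines 95 and 102) are both defined as 0x0400, although the comments describe two different permissions set by two different parties. The callers this commit adds test the first on `meth->flags` and the second on `dh->flags`, and dh_lib.c initialises a key with `ret->meth->flags & ~DH_FLAG_NON_FIPS_ALLOW`, which with a shared bit also strips the FIPS-method bit from the per-key copy and lets an application that sets DH_FLAG_NON_FIPS_ALLOW on a method of its own be read as having a FIPS-validated method; if the overlap is intended, the comments should say so, otherwise give the second flag its own bit, e.g. `#define DH_FLAG_NON_FIPS_ALLOW 0x0800` (value illustrative; confirm it is unused in this header). While touching the comments, `reposibility` should be `responsibility` and `permitted it is then` reads better as `permitted; it is then`.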
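--- a/src/lib/libcrypto/dh/dh_err.c
+++ b/src/lib/libcrypto/dh/dh_err.c
@@ -1,6 +1,6 @@
 /* crypto/dh/dh_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2006 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -73,6 +73,9 @@ static ERR_STRING_DATA DH_str_functs[]=
 {ERR_FUNC(DH_F_COMPUTE_KEY), "COMPUTE_KEY"},
 {ERR_FUNC(DH_F_DHPARAMS_PRINT_FP), "DHparams_print_fp"},
 {ERR_FUNC(DH_F_DH_BUILTIN_GENPARAMS), "DH_BUILTIN_GENPARAMS"},
+{ERR_FUNC(DH_F_DH_COMPUTE_KEY), "DH_compute_key"},
+{ERR_FUNC(DH_F_DH_GENERATE_KEY), "DH_generate_key"},
+{ERR_FUNC(DH_F_DH_GENERATE_PARAMETERS_EX), "DH_generate_parameters_ex"},
 {ERR_FUNC(DH_F_DH_NEW_METHOD), "DH_new_method"},
 {ERR_FUNC(DH_F_DH_PARAM_DECODE), "DH_PARAM_DECODE"},
 {ERR_FUNC(DH_F_DH_PRIV_DECODE), "DH_PRIV_DECODE"},
@@ -95,7 +98,9 @@ static ERR_STRING_DATA DH_str_reasons[]=
 {ERR_REASON(DH_R_DECODE_ERROR) ,"decode error"},
 {ERR_REASON(DH_R_INVALID_PUBKEY) ,"invalid public key"},
 {ERR_REASON(DH_R_KEYS_NOT_SET) ,"keys not set"},
+{ERR_REASON(DH_R_KEY_SIZE_TOO_SMALL) ,"key size too small"},
 {ERR_REASON(DH_R_MODULUS_TOO_LARGE) ,"modulus too large"},
+{ERR_REASON(DH_R_NON_FIPS_METHOD) ,"non fips method"},
 {ERR_REASON(DH_R_NO_PARAMETERS_SET) ,"no parameters set"},
 {ERR_REASON(DH_R_NO_PRIVATE_VALUE) ,"no private value"},
 {ERR_REASON(DH_R_PARAMETER_ENCODING_ERROR),"parameter encoding error"},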
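--- a/src/lib/libcrypto/dh/dh_gen.c
+++ b/src/lib/libcrypto/dh/dh_gen.c
@@ -66,12 +66,29 @@
 #include <openssl/bn.h>
 #include <openssl/dh.h>
 
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
+
 static int dh_builtin_genparams(DH *ret, int prime_len, int generator, BN_GENCB *cb);
 
 int DH_generate_parameters_ex(DH *ret, int prime_len, int generator, BN_GENCB *cb)
 {
+#ifdef OPENSSL_FIPS
+if (FIPS_mode() && !(ret->meth->flags & DH_FLAG_FIPS_METHOD)
+&& !(ret->flags & DH_FLAG_NON_FIPS_ALLOW))
+{
+DHerr(DH_F_DH_GENERATE_PARAMETERS_EX, DH_R_NON_FIPS_METHOD);
+return 0;
+}
+#endif
 if(ret->meth->generate_params)
 return ret->meth->generate_params(ret, prime_len, generator, cb);
+#ifdef OPENSSL_FIPS
+if (FIPS_mode())
+return FIPS_dh_generate_parameters_ex(ret, prime_len,
+generator, cb);
+#endif
 return dh_builtin_genparams(ret, prime_len, generator, cb);
 }
 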
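Review bot: The FIPS gate at new lines 77-84 is the same five-line `#ifdef` block that DH_generate_key and DH_compute_key in dh_key.c also receive, differing only in the function code passed to DHerr, so the policy "a non-FIPS method is refused in FIPS mode unless the key carries DH_FLAG_NON_FIPS_ALLOW" now lives in three places and any later refinement has to be applied three times. Factoring it into one helper in a private header shared by dh_gen.c and dh_key.c keeps the rule in one spot and documents it once; the per-function `DHerr` code stays a parameter. Sketch:

```c
#ifdef OPENSSL_FIPS
/* Refuse a non-validated DH method in FIPS mode unless the key opts out
 * via DH_FLAG_NON_FIPS_ALLOW. Returns 1 when the operation may proceed. */
static int dh_fips_method_allowed(const DH *dh, int func)
	{
	if (FIPS_mode() && !(dh->meth->flags & DH_FLAG_FIPS_METHOD)
	    && !(dh->flags & DH_FLAG_NON_FIPS_ALLOW))
		{
		DHerr(func, DH_R_NON_FIPS_METHOD);
		return 0;
		}
	return 1;
	}
#endif

int DH_generate_parameters_ex(DH *ret, int prime_len, int generator, BN_GENCB *cb)
	{
#ifdef OPENSSL_FIPS
	if (!dh_fips_method_allowed(ret, DH_F_DH_GENERATE_PARAMETERS_EX))
		return 0;
#endif
	/* … unchanged: method dispatch and builtin fallback … */
```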
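--- a/src/lib/libcrypto/dh/dh_key.c
+++ b/src/lib/libcrypto/dh/dh_key.c
@@ -73,11 +73,27 @@ static int dh_finish(DH *dh);
 
 int DH_generate_key(DH *dh)
 {
+#ifdef OPENSSL_FIPS
+if (FIPS_mode() && !(dh->meth->flags & DH_FLAG_FIPS_METHOD)
+&& !(dh->flags & DH_FLAG_NON_FIPS_ALLOW))
+{
+DHerr(DH_F_DH_GENERATE_KEY, DH_R_NON_FIPS_METHOD);
+return 0;
+}
+#endif
 return dh->meth->generate_key(dh);
 }
 
 int DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
 {
+#ifdef OPENSSL_FIPS
+if (FIPS_mode() && !(dh->meth->flags & DH_FLAG_FIPS_METHOD)
+&& !(dh->flags & DH_FLAG_NON_FIPS_ALLOW))
+{
+DHerr(DH_F_DH_COMPUTE_KEY, DH_R_NON_FIPS_METHOD);
+return 0;
+}
+#endif
 return dh->meth->compute_key(key, pub_key, dh);
 }
 
@@ -138,8 +154,21 @@ static int generate_key(DH *dh)
 
 if (generate_new_key)
 {
-l = dh->length ? dh->length : BN_num_bits(dh->p)-1; /* secret exponent length */
-if (!BN_rand(priv_key, l, 0, 0)) goto err;
+if (dh->q)
+{
+do
+{
+if (!BN_rand_range(priv_key, dh->q))
+goto err;
+}
+while (BN_is_zero(priv_key) || BN_is_one(priv_key));
+}
+else
+{
+/* secret exponent length */
+l = dh->length ? dh->length : BN_num_bits(dh->p)-1;
+if (!BN_rand(priv_key, l, 0, 0)) goto err;
+}
 }
 
 {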
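Review bot: When `dh->q` is present the new branch at lines 157-165 draws the private exponent from [2, q-1] and never consults `dh->length`, while the else branch still honours it; that asymmetry is invisible to a caller who set `length` and deserves a comment on the `if (dh->q)` line, e.g. `/* subgroup order known: x uniform in [2, q-1]; dh->length is ignored here */`. The rejection loop has no iteration bound, which is harmless for any realistic q but spins forever for q <= 2, so stating that q is assumed to be a large prime would make the reasoning explicit. generate_key begins and ends outside this hunk.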
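--- a/src/lib/libcrypto/dh/dh_lib.c
+++ b/src/lib/libcrypto/dh/dh_lib.c
@@ -64,6 +64,10 @@
 #include <openssl/engine.h>
 #endif
 
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
+
 const char DH_version[]="Diffie-Hellman" OPENSSL_VERSION_PTEXT;
 
 static const DH_METHOD *default_DH_method = NULL;
@@ -76,7 +80,16 @@ void DH_set_default_method(const DH_METHOD *meth)
 const DH_METHOD *DH_get_default_method(void)
 {
 if(!default_DH_method)
+{
+#ifdef OPENSSL_FIPS
+if (FIPS_mode())
+return FIPS_dh_openssl();
+else
+return DH_OpenSSL();
+#else
 default_DH_method = DH_OpenSSL();
+#endif
+}
 return default_DH_method;
 }
 
@@ -156,7 +169,7 @@ DH *DH_new_method(ENGINE *engine)
 ret->counter = NULL;
 ret->method_mont_p=NULL;
 ret->references = 1;
-ret->flags=ret->meth->flags;
+ret->flags=ret->meth->flags & ~DH_FLAG_NON_FIPS_ALLOW;
 CRYPTO_new_ex_data(CRYPTO_EX_INDEX_DH, ret, &ret->ex_data);
 if ((ret->meth->init != NULL) && !ret->meth->init(ret))
 {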
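Review bot: In the OPENSSL_FIPS branch of DH_get_default_method (new lines 85-88) the selected method is returned without being stored in `default_DH_method`, so unlike the non-FIPS branch the choice is re-evaluated on every call and FIPS_mode() is consulted each time; if that is deliberate, so that a later FIPS_mode_set() takes effect, say so with `/* not cached: the default must track FIPS_mode() */`, otherwise assign before returning as the non-FIPS path does. Line 172 masks DH_FLAG_NON_FIPS_ALLOW out of the copied method flags; with dh.h in this commit giving that flag the same value as DH_FLAG_FIPS_METHOD, the copy loses the FIPS-method bit as well, so a one-line comment on what the per-key flags are meant to inherit from the method would help a reader judge whether that is intended.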
diff --git a/src/lib/libcrypto/doc/EVP_DigestInit.pod b/src/lib/libcrypto/doc/EVP_DigestInit.pod
index 37a751b1c5..1aa15acb61 100644
--- a/src/lib/libcrypto/doc/EVP_DigestInit.pod
+++ b/src/lib/libcrypto/doc/EVP_DigestInit.pod
@@ -6,7 +6,8 @@ EVP_MD_CTX_init, EVP_MD_CTX_create, EVP_DigestInit_ex, EVP_DigestUpdate,
6EVP_DigestFinal_ex, EVP_MD_CTX_cleanup, EVP_MD_CTX_destroy, EVP_MAX_MD_SIZE, 6EVP_DigestFinal_ex, EVP_MD_CTX_cleanup, EVP_MD_CTX_destroy, EVP_MAX_MD_SIZE,
7EVP_MD_CTX_copy_ex, EVP_MD_CTX_copy, EVP_MD_type, EVP_MD_pkey_type, EVP_MD_size, 7EVP_MD_CTX_copy_ex, EVP_MD_CTX_copy, EVP_MD_type, EVP_MD_pkey_type, EVP_MD_size,
8EVP_MD_block_size, EVP_MD_CTX_md, EVP_MD_CTX_size, EVP_MD_CTX_block_size, EVP_MD_CTX_type, 8EVP_MD_block_size, EVP_MD_CTX_md, EVP_MD_CTX_size, EVP_MD_CTX_block_size, EVP_MD_CTX_type,
9EVP_md_null, EVP_md2, EVP_md5, EVP_sha, EVP_sha1, EVP_dss, EVP_dss1, EVP_mdc2, 9EVP_md_null, EVP_md2, EVP_md5, EVP_sha, EVP_sha1, EVP_sha224, EVP_sha256,
10EVP_sha384, EVP_sha512, EVP_dss, EVP_dss1, EVP_mdc2,
10EVP_ripemd160, EVP_get_digestbyname, EVP_get_digestbynid, EVP_get_digestbyobj - 11EVP_ripemd160, EVP_get_digestbyname, EVP_get_digestbynid, EVP_get_digestbyobj -
11EVP digest routines 12EVP digest routines
12 13
@@ -33,16 +34,15 @@ EVP digest routines
33 34
34 int EVP_MD_CTX_copy(EVP_MD_CTX *out,EVP_MD_CTX *in); 35 int EVP_MD_CTX_copy(EVP_MD_CTX *out,EVP_MD_CTX *in);
35 36
36 #define EVP_MAX_MD_SIZE (16+20) /* The SSLv3 md5+sha1 type */ 37 #define EVP_MAX_MD_SIZE 64 /* SHA512 */
37 38
39 int EVP_MD_type(const EVP_MD *md);
40 int EVP_MD_pkey_type(const EVP_MD *md);
41 int EVP_MD_size(const EVP_MD *md);
42 int EVP_MD_block_size(const EVP_MD *md);
38 43
39 #define EVP_MD_type(e) ((e)->type) 44 const EVP_MD *EVP_MD_CTX_md(const EVP_MD_CTX *ctx);
40 #define EVP_MD_pkey_type(e) ((e)->pkey_type) 45 #define EVP_MD_CTX_size(e) EVP_MD_size(EVP_MD_CTX_md(e))
41 #define EVP_MD_size(e) ((e)->md_size)
42 #define EVP_MD_block_size(e) ((e)->block_size)
43
44 #define EVP_MD_CTX_md(e) (e)->digest)
45 #define EVP_MD_CTX_size(e) EVP_MD_size((e)->digest)
46 #define EVP_MD_CTX_block_size(e) EVP_MD_block_size((e)->digest) 46 #define EVP_MD_CTX_block_size(e) EVP_MD_block_size((e)->digest)
47 #define EVP_MD_CTX_type(e) EVP_MD_type((e)->digest) 47 #define EVP_MD_CTX_type(e) EVP_MD_type((e)->digest)
48 48
@@ -56,6 +56,11 @@ EVP digest routines
56 const EVP_MD *EVP_mdc2(void); 56 const EVP_MD *EVP_mdc2(void);
57 const EVP_MD *EVP_ripemd160(void); 57 const EVP_MD *EVP_ripemd160(void);
58 58
59 const EVP_MD *EVP_sha224(void);
60 const EVP_MD *EVP_sha256(void);
61 const EVP_MD *EVP_sha384(void);
62 const EVP_MD *EVP_sha512(void);
63
59 const EVP_MD *EVP_get_digestbyname(const char *name); 64 const EVP_MD *EVP_get_digestbyname(const char *name);
60 #define EVP_get_digestbynid(a) EVP_get_digestbyname(OBJ_nid2sn(a)) 65 #define EVP_get_digestbynid(a) EVP_get_digestbyname(OBJ_nid2sn(a))
61 #define EVP_get_digestbyobj(a) EVP_get_digestbynid(OBJ_obj2nid(a)) 66 #define EVP_get_digestbyobj(a) EVP_get_digestbynid(OBJ_obj2nid(a))
@@ -124,12 +129,14 @@ B<EVP_MD_CTX>.
124 129
125EVP_MD_pkey_type() returns the NID of the public key signing algorithm associated 130EVP_MD_pkey_type() returns the NID of the public key signing algorithm associated
126with this digest. For example EVP_sha1() is associated with RSA so this will 131with this digest. For example EVP_sha1() is associated with RSA so this will
127return B<NID_sha1WithRSAEncryption>. This "link" between digests and signature 132return B<NID_sha1WithRSAEncryption>. Since digests and signature algorithms
128algorithms may not be retained in future versions of OpenSSL. 133are no longer linked this function is only retained for compatibility
134reasons.
129 135
130EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), EVP_mdc2() and EVP_ripemd160() 136EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), EVP_sha224(), EVP_sha256(),
131return B<EVP_MD> structures for the MD2, MD5, SHA, SHA1, MDC2 and RIPEMD160 digest 137EVP_sha384(), EVP_sha512(), EVP_mdc2() and EVP_ripemd160() return B<EVP_MD>
132algorithms respectively. The associated signature algorithm is RSA in each case. 138structures for the MD2, MD5, SHA, SHA1, SHA224, SHA256, SHA384, SHA512, MDC2
139and RIPEMD160 digest algorithms respectively.
133 140
134EVP_dss() and EVP_dss1() return B<EVP_MD> structures for SHA and SHA1 digest 141EVP_dss() and EVP_dss1() return B<EVP_MD> structures for SHA and SHA1 digest
135algorithms but using DSS (DSA) for the signature algorithm. Note: there is 142algorithms but using DSS (DSA) for the signature algorithm. Note: there is
@@ -171,8 +178,8 @@ The B<EVP> interface to message digests should almost always be used in
171preference to the low level interfaces. This is because the code then becomes 178preference to the low level interfaces. This is because the code then becomes
172transparent to the digest used and much more flexible. 179transparent to the digest used and much more flexible.
173 180
174SHA1 is the digest of choice for new applications. The other digest algorithms 181New applications should use the SHA2 digest algorithms such as SHA256.
175are still in common use. 182The other digest algorithms are still in common use.
176 183
177For most applications the B<impl> parameter to EVP_DigestInit_ex() will be 184For most applications the B<impl> parameter to EVP_DigestInit_ex() will be
178set to NULL to use the default digest implementation. 185set to NULL to use the default digest implementation.
@@ -187,6 +194,19 @@ implementations of digests to be specified.
187In OpenSSL 0.9.7 and later if digest contexts are not cleaned up after use 194In OpenSSL 0.9.7 and later if digest contexts are not cleaned up after use
188memory leaks will occur. 195memory leaks will occur.
189 196
197Stack allocation of EVP_MD_CTX structures is common, for example:
198
199 EVP_MD_CTX mctx;
200 EVP_MD_CTX_init(&mctx);
201
202This will cause binary compatibility issues if the size of EVP_MD_CTX
203structure changes (this will only happen with a major release of OpenSSL).
204Applications wishing to avoid this should use EVP_MD_CTX_create() instead:
205
206 EVP_MD_CTX *mctx;
207 mctx = EVP_MD_CTX_create();
208
209
190=head1 EXAMPLE 210=head1 EXAMPLE
191 211
192This example digests the data "Test Message\n" and "Hello World\n", using the 212This example digests the data "Test Message\n" and "Hello World\n", using the
@@ -197,7 +217,7 @@ digest name passed on the command line.
197 217
198 main(int argc, char *argv[]) 218 main(int argc, char *argv[])
199 { 219 {
200 EVP_MD_CTX mdctx; 220 EVP_MD_CTX *mdctx;
201 const EVP_MD *md; 221 const EVP_MD *md;
202 char mess1[] = "Test Message\n"; 222 char mess1[] = "Test Message\n";
203 char mess2[] = "Hello World\n"; 223 char mess2[] = "Hello World\n";
@@ -218,12 +238,12 @@ digest name passed on the command line.
218 exit(1); 238 exit(1);
219 } 239 }
220 240
221 EVP_MD_CTX_init(&mdctx); 241 mdctx = EVP_MD_CTX_create();
222 EVP_DigestInit_ex(&mdctx, md, NULL); 242 EVP_DigestInit_ex(mdctx, md, NULL);
223 EVP_DigestUpdate(&mdctx, mess1, strlen(mess1)); 243 EVP_DigestUpdate(mdctx, mess1, strlen(mess1));
224 EVP_DigestUpdate(&mdctx, mess2, strlen(mess2)); 244 EVP_DigestUpdate(mdctx, mess2, strlen(mess2));
225 EVP_DigestFinal_ex(&mdctx, md_value, &md_len); 245 EVP_DigestFinal_ex(mdctx, md_value, &md_len);
226 EVP_MD_CTX_cleanup(&mdctx); 246 EVP_MD_CTX_destroy(mdctx);
227 247
228 printf("Digest is: "); 248 printf("Digest is: ");
229 for(i = 0; i < md_len; i++) printf("%02x", md_value[i]); 249 for(i = 0; i < md_len; i++) printf("%02x", md_value[i]);
diff --git a/src/lib/libcrypto/dsa/Makefile b/src/lib/libcrypto/dsa/Makefile
index 8073c4ecfe..5fef4ca5ad 100644
--- a/src/lib/libcrypto/dsa/Makefile
+++ b/src/lib/libcrypto/dsa/Makefile
@@ -99,8 +99,9 @@ dsa_asn1.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
99dsa_asn1.o: ../../include/openssl/err.h ../../include/openssl/lhash.h 99dsa_asn1.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
100dsa_asn1.o: ../../include/openssl/opensslconf.h 100dsa_asn1.o: ../../include/openssl/opensslconf.h
101dsa_asn1.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h 101dsa_asn1.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
102dsa_asn1.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h 102dsa_asn1.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
103dsa_asn1.o: ../../include/openssl/symhacks.h ../cryptlib.h dsa_asn1.c 103dsa_asn1.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
104dsa_asn1.o: ../cryptlib.h dsa_asn1.c
104dsa_depr.o: ../../e_os.h ../../include/openssl/asn1.h 105dsa_depr.o: ../../e_os.h ../../include/openssl/asn1.h
105dsa_depr.o: ../../include/openssl/bio.h ../../include/openssl/bn.h 106dsa_depr.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
106dsa_depr.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h 107dsa_depr.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
@@ -189,7 +190,7 @@ dsa_prn.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
189dsa_prn.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h 190dsa_prn.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
190dsa_prn.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h 191dsa_prn.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
191dsa_prn.o: ../cryptlib.h dsa_prn.c 192dsa_prn.o: ../cryptlib.h dsa_prn.c
192dsa_sign.o: ../../e_os.h ../../include/openssl/bio.h 193dsa_sign.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
193dsa_sign.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h 194dsa_sign.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
194dsa_sign.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h 195dsa_sign.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
195dsa_sign.o: ../../include/openssl/err.h ../../include/openssl/lhash.h 196dsa_sign.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
diff --git a/src/lib/libcrypto/dsa/dsa.h b/src/lib/libcrypto/dsa/dsa.h
index ac50a5c846..a6f6d0b0b2 100644
--- a/src/lib/libcrypto/dsa/dsa.h
+++ b/src/lib/libcrypto/dsa/dsa.h
@@ -97,6 +97,21 @@
97 * be used for all exponents. 97 * be used for all exponents.
98 */ 98 */
99 99
100/* If this flag is set the DSA method is FIPS compliant and can be used
101 * in FIPS mode. This is set in the validated module method. If an
102 * application sets this flag in its own methods it is its reposibility
103 * to ensure the result is compliant.
104 */
105
106#define DSA_FLAG_FIPS_METHOD 0x0400
107
108/* If this flag is set the operations normally disabled in FIPS mode are
109 * permitted it is then the applications responsibility to ensure that the
110 * usage is compliant.
111 */
112
113#define DSA_FLAG_NON_FIPS_ALLOW 0x0400
114
100#ifdef __cplusplus 115#ifdef __cplusplus
101extern "C" { 116extern "C" {
102#endif 117#endif
@@ -272,6 +287,8 @@ void ERR_load_DSA_strings(void);
272#define DSA_F_DSAPARAMS_PRINT_FP 101 287#define DSA_F_DSAPARAMS_PRINT_FP 101
273#define DSA_F_DSA_DO_SIGN 112 288#define DSA_F_DSA_DO_SIGN 112
274#define DSA_F_DSA_DO_VERIFY 113 289#define DSA_F_DSA_DO_VERIFY 113
290#define DSA_F_DSA_GENERATE_KEY 124
291#define DSA_F_DSA_GENERATE_PARAMETERS_EX 123
275#define DSA_F_DSA_NEW_METHOD 103 292#define DSA_F_DSA_NEW_METHOD 103
276#define DSA_F_DSA_PARAM_DECODE 119 293#define DSA_F_DSA_PARAM_DECODE 119
277#define DSA_F_DSA_PRINT_FP 105 294#define DSA_F_DSA_PRINT_FP 105
@@ -282,6 +299,7 @@ void ERR_load_DSA_strings(void);
282#define DSA_F_DSA_SIGN 106 299#define DSA_F_DSA_SIGN 106
283#define DSA_F_DSA_SIGN_SETUP 107 300#define DSA_F_DSA_SIGN_SETUP 107
284#define DSA_F_DSA_SIG_NEW 109 301#define DSA_F_DSA_SIG_NEW 109
302#define DSA_F_DSA_SIG_PRINT 125
285#define DSA_F_DSA_VERIFY 108 303#define DSA_F_DSA_VERIFY 108
286#define DSA_F_I2D_DSA_SIG 111 304#define DSA_F_I2D_DSA_SIG 111
287#define DSA_F_OLD_DSA_PRIV_DECODE 122 305#define DSA_F_OLD_DSA_PRIV_DECODE 122
@@ -298,6 +316,8 @@ void ERR_load_DSA_strings(void);
298#define DSA_R_INVALID_DIGEST_TYPE 106 316#define DSA_R_INVALID_DIGEST_TYPE 106
299#define DSA_R_MISSING_PARAMETERS 101 317#define DSA_R_MISSING_PARAMETERS 101
300#define DSA_R_MODULUS_TOO_LARGE 103 318#define DSA_R_MODULUS_TOO_LARGE 103
319#define DSA_R_NEED_NEW_SETUP_VALUES 110
320#define DSA_R_NON_FIPS_DSA_METHOD 111
301#define DSA_R_NO_PARAMETERS_SET 107 321#define DSA_R_NO_PARAMETERS_SET 107
302#define DSA_R_PARAMETER_ENCODING_ERROR 105 322#define DSA_R_PARAMETER_ENCODING_ERROR 105
303 323
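Review bot: DSA_FLAG_FIPS_METHOD and DSA_FLAG_NON_FIPS_ALLOW are both defined as 0x0400, so the two new flags cannot be told apart in a flags word. The checks this commit adds happen to read FIPS_METHOD from `meth->flags` and NON_FIPS_ALLOW from `dsa->flags`, so they do not collide today, but DSA_new_method's `ret->meth->flags & ~DSA_FLAG_NON_FIPS_ALLOW` also clears the FIPS-method bit from the per-object copy, and any future `dsa->flags & DSA_FLAG_FIPS_METHOD` test would be silently wrong. Give DSA_FLAG_NON_FIPS_ALLOW a bit not used by any other DSA_FLAG_* value and state in the comment which word (`meth->flags` or `flags`) each flag is meant to live in. The new comment also misspells "responsibility" as `reposibility`.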
diff --git a/src/lib/libcrypto/dsa/dsa_asn1.c b/src/lib/libcrypto/dsa/dsa_asn1.c
index c37460b2d6..6058534374 100644
--- a/src/lib/libcrypto/dsa/dsa_asn1.c
+++ b/src/lib/libcrypto/dsa/dsa_asn1.c
@@ -61,6 +61,7 @@
61#include <openssl/dsa.h> 61#include <openssl/dsa.h>
62#include <openssl/asn1.h> 62#include <openssl/asn1.h>
63#include <openssl/asn1t.h> 63#include <openssl/asn1t.h>
64#include <openssl/rand.h>
64 65
65/* Override the default new methods */ 66/* Override the default new methods */
66static int sig_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, 67static int sig_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
@@ -87,7 +88,7 @@ ASN1_SEQUENCE_cb(DSA_SIG, sig_cb) = {
87 ASN1_SIMPLE(DSA_SIG, s, CBIGNUM) 88 ASN1_SIMPLE(DSA_SIG, s, CBIGNUM)
88} ASN1_SEQUENCE_END_cb(DSA_SIG, DSA_SIG) 89} ASN1_SEQUENCE_END_cb(DSA_SIG, DSA_SIG)
89 90
90IMPLEMENT_ASN1_FUNCTIONS_const(DSA_SIG) 91IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(DSA_SIG, DSA_SIG, DSA_SIG)
91 92
92/* Override the default free and new methods */ 93/* Override the default free and new methods */
93static int dsa_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, 94static int dsa_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
@@ -148,3 +149,40 @@ DSA *DSAparams_dup(DSA *dsa)
148 { 149 {
149 return ASN1_item_dup(ASN1_ITEM_rptr(DSAparams), dsa); 150 return ASN1_item_dup(ASN1_ITEM_rptr(DSAparams), dsa);
150 } 151 }
152
153int DSA_sign(int type, const unsigned char *dgst, int dlen, unsigned char *sig,
154 unsigned int *siglen, DSA *dsa)
155 {
156 DSA_SIG *s;
157 RAND_seed(dgst, dlen);
158 s=DSA_do_sign(dgst,dlen,dsa);
159 if (s == NULL)
160 {
161 *siglen=0;
162 return(0);
163 }
164 *siglen=i2d_DSA_SIG(s,&sig);
165 DSA_SIG_free(s);
166 return(1);
167 }
168
169/* data has already been hashed (probably with SHA or SHA-1). */
170/* returns
171 * 1: correct signature
172 * 0: incorrect signature
173 * -1: error
174 */
175int DSA_verify(int type, const unsigned char *dgst, int dgst_len,
176 const unsigned char *sigbuf, int siglen, DSA *dsa)
177 {
178 DSA_SIG *s;
179 int ret=-1;
180
181 s = DSA_SIG_new();
182 if (s == NULL) return(ret);
183 if (d2i_DSA_SIG(&s,&sigbuf,siglen) == NULL) goto err;
184 ret=DSA_do_verify(dgst,dgst_len,s,dsa);
185err:
186 DSA_SIG_free(s);
187 return(ret);
188 }
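Review bot: DSA_verify never checks that d2i_DSA_SIG consumed the whole buffer: `sigbuf` is advanced by the call but is not compared against the original pointer plus `siglen`, so a well-formed DER SEQUENCE followed by arbitrary trailing bytes still verifies and one signature is accepted under many byte encodings. Save the start pointer and add `if (sigbuf != start + siglen) goto err;` before the DSA_do_verify call (the function was moved from dsa_vrf.c, so this is pre-existing, but the move is the natural place to fix it). In DSA_sign, `*siglen=i2d_DSA_SIG(s,&sig);` stores i2d's negative error return into an `unsigned int` and then returns 1; check it first: `int len = i2d_DSA_SIG(s, &sig); DSA_SIG_free(s); if (len < 0) { *siglen = 0; return 0; }`. Both functions ignore their `type` parameter, which a one-line comment should say.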
diff --git a/src/lib/libcrypto/dsa/dsa_err.c b/src/lib/libcrypto/dsa/dsa_err.c
index bba984e92e..00545b7b9f 100644
--- a/src/lib/libcrypto/dsa/dsa_err.c
+++ b/src/lib/libcrypto/dsa/dsa_err.c
@@ -1,6 +1,6 @@
1/* crypto/dsa/dsa_err.c */ 1/* crypto/dsa/dsa_err.c */
2/* ==================================================================== 2/* ====================================================================
3 * Copyright (c) 1999-2006 The OpenSSL Project. All rights reserved. 3 * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved.
4 * 4 *
5 * Redistribution and use in source and binary forms, with or without 5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions 6 * modification, are permitted provided that the following conditions
@@ -76,6 +76,8 @@ static ERR_STRING_DATA DSA_str_functs[]=
76{ERR_FUNC(DSA_F_DSAPARAMS_PRINT_FP), "DSAparams_print_fp"}, 76{ERR_FUNC(DSA_F_DSAPARAMS_PRINT_FP), "DSAparams_print_fp"},
77{ERR_FUNC(DSA_F_DSA_DO_SIGN), "DSA_do_sign"}, 77{ERR_FUNC(DSA_F_DSA_DO_SIGN), "DSA_do_sign"},
78{ERR_FUNC(DSA_F_DSA_DO_VERIFY), "DSA_do_verify"}, 78{ERR_FUNC(DSA_F_DSA_DO_VERIFY), "DSA_do_verify"},
79{ERR_FUNC(DSA_F_DSA_GENERATE_KEY), "DSA_generate_key"},
80{ERR_FUNC(DSA_F_DSA_GENERATE_PARAMETERS_EX), "DSA_generate_parameters_ex"},
79{ERR_FUNC(DSA_F_DSA_NEW_METHOD), "DSA_new_method"}, 81{ERR_FUNC(DSA_F_DSA_NEW_METHOD), "DSA_new_method"},
80{ERR_FUNC(DSA_F_DSA_PARAM_DECODE), "DSA_PARAM_DECODE"}, 82{ERR_FUNC(DSA_F_DSA_PARAM_DECODE), "DSA_PARAM_DECODE"},
81{ERR_FUNC(DSA_F_DSA_PRINT_FP), "DSA_print_fp"}, 83{ERR_FUNC(DSA_F_DSA_PRINT_FP), "DSA_print_fp"},
@@ -86,6 +88,7 @@ static ERR_STRING_DATA DSA_str_functs[]=
86{ERR_FUNC(DSA_F_DSA_SIGN), "DSA_sign"}, 88{ERR_FUNC(DSA_F_DSA_SIGN), "DSA_sign"},
87{ERR_FUNC(DSA_F_DSA_SIGN_SETUP), "DSA_sign_setup"}, 89{ERR_FUNC(DSA_F_DSA_SIGN_SETUP), "DSA_sign_setup"},
88{ERR_FUNC(DSA_F_DSA_SIG_NEW), "DSA_SIG_new"}, 90{ERR_FUNC(DSA_F_DSA_SIG_NEW), "DSA_SIG_new"},
91{ERR_FUNC(DSA_F_DSA_SIG_PRINT), "DSA_SIG_PRINT"},
89{ERR_FUNC(DSA_F_DSA_VERIFY), "DSA_verify"}, 92{ERR_FUNC(DSA_F_DSA_VERIFY), "DSA_verify"},
90{ERR_FUNC(DSA_F_I2D_DSA_SIG), "i2d_DSA_SIG"}, 93{ERR_FUNC(DSA_F_I2D_DSA_SIG), "i2d_DSA_SIG"},
91{ERR_FUNC(DSA_F_OLD_DSA_PRIV_DECODE), "OLD_DSA_PRIV_DECODE"}, 94{ERR_FUNC(DSA_F_OLD_DSA_PRIV_DECODE), "OLD_DSA_PRIV_DECODE"},
@@ -105,6 +108,8 @@ static ERR_STRING_DATA DSA_str_reasons[]=
105{ERR_REASON(DSA_R_INVALID_DIGEST_TYPE) ,"invalid digest type"}, 108{ERR_REASON(DSA_R_INVALID_DIGEST_TYPE) ,"invalid digest type"},
106{ERR_REASON(DSA_R_MISSING_PARAMETERS) ,"missing parameters"}, 109{ERR_REASON(DSA_R_MISSING_PARAMETERS) ,"missing parameters"},
107{ERR_REASON(DSA_R_MODULUS_TOO_LARGE) ,"modulus too large"}, 110{ERR_REASON(DSA_R_MODULUS_TOO_LARGE) ,"modulus too large"},
111{ERR_REASON(DSA_R_NEED_NEW_SETUP_VALUES) ,"need new setup values"},
112{ERR_REASON(DSA_R_NON_FIPS_DSA_METHOD) ,"non fips dsa method"},
108{ERR_REASON(DSA_R_NO_PARAMETERS_SET) ,"no parameters set"}, 113{ERR_REASON(DSA_R_NO_PARAMETERS_SET) ,"no parameters set"},
109{ERR_REASON(DSA_R_PARAMETER_ENCODING_ERROR),"parameter encoding error"}, 114{ERR_REASON(DSA_R_PARAMETER_ENCODING_ERROR),"parameter encoding error"},
110{0,NULL} 115{0,NULL}
diff --git a/src/lib/libcrypto/dsa/dsa_gen.c b/src/lib/libcrypto/dsa/dsa_gen.c
index cb0b4538a4..c398761d0d 100644
--- a/src/lib/libcrypto/dsa/dsa_gen.c
+++ b/src/lib/libcrypto/dsa/dsa_gen.c
@@ -81,13 +81,33 @@
81#include <openssl/sha.h> 81#include <openssl/sha.h>
82#include "dsa_locl.h" 82#include "dsa_locl.h"
83 83
84#ifdef OPENSSL_FIPS
85#include <openssl/fips.h>
86#endif
87
84int DSA_generate_parameters_ex(DSA *ret, int bits, 88int DSA_generate_parameters_ex(DSA *ret, int bits,
85 const unsigned char *seed_in, int seed_len, 89 const unsigned char *seed_in, int seed_len,
86 int *counter_ret, unsigned long *h_ret, BN_GENCB *cb) 90 int *counter_ret, unsigned long *h_ret, BN_GENCB *cb)
87 { 91 {
92#ifdef OPENSSL_FIPS
93 if (FIPS_mode() && !(ret->meth->flags & DSA_FLAG_FIPS_METHOD)
94 && !(ret->flags & DSA_FLAG_NON_FIPS_ALLOW))
95 {
96 DSAerr(DSA_F_DSA_GENERATE_PARAMETERS_EX, DSA_R_NON_FIPS_DSA_METHOD);
97 return 0;
98 }
99#endif
88 if(ret->meth->dsa_paramgen) 100 if(ret->meth->dsa_paramgen)
89 return ret->meth->dsa_paramgen(ret, bits, seed_in, seed_len, 101 return ret->meth->dsa_paramgen(ret, bits, seed_in, seed_len,
90 counter_ret, h_ret, cb); 102 counter_ret, h_ret, cb);
103#ifdef OPENSSL_FIPS
104 else if (FIPS_mode())
105 {
106 return FIPS_dsa_generate_parameters_ex(ret, bits,
107 seed_in, seed_len,
108 counter_ret, h_ret, cb);
109 }
110#endif
91 else 111 else
92 { 112 {
93 const EVP_MD *evpmd; 113 const EVP_MD *evpmd;
@@ -105,12 +125,13 @@ int DSA_generate_parameters_ex(DSA *ret, int bits,
105 } 125 }
106 126
107 return dsa_builtin_paramgen(ret, bits, qbits, evpmd, 127 return dsa_builtin_paramgen(ret, bits, qbits, evpmd,
108 seed_in, seed_len, counter_ret, h_ret, cb); 128 seed_in, seed_len, NULL, counter_ret, h_ret, cb);
109 } 129 }
110 } 130 }
111 131
112int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, 132int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
113 const EVP_MD *evpmd, const unsigned char *seed_in, size_t seed_len, 133 const EVP_MD *evpmd, const unsigned char *seed_in, size_t seed_len,
134 unsigned char *seed_out,
114 int *counter_ret, unsigned long *h_ret, BN_GENCB *cb) 135 int *counter_ret, unsigned long *h_ret, BN_GENCB *cb)
115 { 136 {
116 int ok=0; 137 int ok=0;
@@ -201,8 +222,10 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
201 } 222 }
202 223
203 /* step 2 */ 224 /* step 2 */
204 EVP_Digest(seed, qsize, md, NULL, evpmd, NULL); 225 if (!EVP_Digest(seed, qsize, md, NULL, evpmd, NULL))
205 EVP_Digest(buf, qsize, buf2, NULL, evpmd, NULL); 226 goto err;
227 if (!EVP_Digest(buf, qsize, buf2, NULL, evpmd, NULL))
228 goto err;
206 for (i = 0; i < qsize; i++) 229 for (i = 0; i < qsize; i++)
207 md[i]^=buf2[i]; 230 md[i]^=buf2[i];
208 231
@@ -251,7 +274,9 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
251 break; 274 break;
252 } 275 }
253 276
254 EVP_Digest(buf, qsize, md ,NULL, evpmd, NULL); 277 if (!EVP_Digest(buf, qsize, md ,NULL, evpmd,
278 NULL))
279 goto err;
255 280
256 /* step 8 */ 281 /* step 8 */
257 if (!BN_bin2bn(md, qsize, r0)) 282 if (!BN_bin2bn(md, qsize, r0))
@@ -332,6 +357,8 @@ err:
332 } 357 }
333 if (counter_ret != NULL) *counter_ret=counter; 358 if (counter_ret != NULL) *counter_ret=counter;
334 if (h_ret != NULL) *h_ret=h; 359 if (h_ret != NULL) *h_ret=h;
360 if (seed_out)
361 memcpy(seed_out, seed, qsize);
335 } 362 }
336 if(ctx) 363 if(ctx)
337 { 364 {
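Review bot: The new `seed_out` parameter of dsa_builtin_paramgen has no size contract: the added `memcpy(seed_out, seed, qsize)` writes `qsize` bytes, and nothing in the hunks derives that length from anything the caller supplies, so a caller passing a buffer shorter than q is a silent overflow. Either document it on the definition, e.g. `/* seed_out: if non-NULL, must hold at least qsize bytes (the byte length of q) */`, or add a `seed_out_len` argument and skip the copy when it is too small. The only caller shown, DSA_generate_parameters_ex, passes NULL. The body of dsa_builtin_paramgen, including where qsize is computed and the `err:` block around the copy, lies outside the hunks.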
diff --git a/src/lib/libcrypto/dsa/dsa_key.c b/src/lib/libcrypto/dsa/dsa_key.c
index c4aa86bc6d..9cf669b921 100644
--- a/src/lib/libcrypto/dsa/dsa_key.c
+++ b/src/lib/libcrypto/dsa/dsa_key.c
@@ -64,12 +64,28 @@
64#include <openssl/dsa.h> 64#include <openssl/dsa.h>
65#include <openssl/rand.h> 65#include <openssl/rand.h>
66 66
67#ifdef OPENSSL_FIPS
68#include <openssl/fips.h>
69#endif
70
67static int dsa_builtin_keygen(DSA *dsa); 71static int dsa_builtin_keygen(DSA *dsa);
68 72
69int DSA_generate_key(DSA *dsa) 73int DSA_generate_key(DSA *dsa)
70 { 74 {
75#ifdef OPENSSL_FIPS
76 if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD)
77 && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW))
78 {
79 DSAerr(DSA_F_DSA_GENERATE_KEY, DSA_R_NON_FIPS_DSA_METHOD);
80 return 0;
81 }
82#endif
71 if(dsa->meth->dsa_keygen) 83 if(dsa->meth->dsa_keygen)
72 return dsa->meth->dsa_keygen(dsa); 84 return dsa->meth->dsa_keygen(dsa);
85#ifdef OPENSSL_FIPS
86 if (FIPS_mode())
87 return FIPS_dsa_generate_key(dsa);
88#endif
73 return dsa_builtin_keygen(dsa); 89 return dsa_builtin_keygen(dsa);
74 } 90 }
75 91
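Review bot: The FIPS gate added to DSA_generate_key — `FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD) && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)` followed by DSAerr and a return — is the same block pasted into DSA_generate_parameters_ex (dsa_gen.c), DSA_do_sign and DSA_sign_setup (dsa_sign.c) and DSA_do_verify (dsa_vrf.c), differing only in the function code and the failure value. A single predicate in dsa_locl.h, e.g. `static int dsa_fips_method_ok(const DSA *dsa)`, would leave each site with `if (!dsa_fips_method_ok(dsa)) { DSAerr(DSA_F_DSA_GENERATE_KEY, DSA_R_NON_FIPS_DSA_METHOD); return 0; }` and keep the five copies from drifting. The fallback to FIPS_dsa_generate_key is reached only when the method has no dsa_keygen, which is fine but worth a one-line comment since the earlier gate already decided whether the method may run in FIPS mode.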
diff --git a/src/lib/libcrypto/dsa/dsa_lib.c b/src/lib/libcrypto/dsa/dsa_lib.c
index e9b75902db..96d8d0c4b4 100644
--- a/src/lib/libcrypto/dsa/dsa_lib.c
+++ b/src/lib/libcrypto/dsa/dsa_lib.c
@@ -70,6 +70,10 @@
70#include <openssl/dh.h> 70#include <openssl/dh.h>
71#endif 71#endif
72 72
73#ifdef OPENSSL_FIPS
74#include <openssl/fips.h>
75#endif
76
73const char DSA_version[]="DSA" OPENSSL_VERSION_PTEXT; 77const char DSA_version[]="DSA" OPENSSL_VERSION_PTEXT;
74 78
75static const DSA_METHOD *default_DSA_method = NULL; 79static const DSA_METHOD *default_DSA_method = NULL;
@@ -82,7 +86,16 @@ void DSA_set_default_method(const DSA_METHOD *meth)
82const DSA_METHOD *DSA_get_default_method(void) 86const DSA_METHOD *DSA_get_default_method(void)
83 { 87 {
84 if(!default_DSA_method) 88 if(!default_DSA_method)
89 {
90#ifdef OPENSSL_FIPS
91 if (FIPS_mode())
92 return FIPS_dsa_openssl();
93 else
94 return DSA_OpenSSL();
95#else
85 default_DSA_method = DSA_OpenSSL(); 96 default_DSA_method = DSA_OpenSSL();
97#endif
98 }
86 return default_DSA_method; 99 return default_DSA_method;
87 } 100 }
88 101
@@ -163,7 +176,7 @@ DSA *DSA_new_method(ENGINE *engine)
163 ret->method_mont_p=NULL; 176 ret->method_mont_p=NULL;
164 177
165 ret->references=1; 178 ret->references=1;
166 ret->flags=ret->meth->flags; 179 ret->flags=ret->meth->flags & ~DSA_FLAG_NON_FIPS_ALLOW;
167 CRYPTO_new_ex_data(CRYPTO_EX_INDEX_DSA, ret, &ret->ex_data); 180 CRYPTO_new_ex_data(CRYPTO_EX_INDEX_DSA, ret, &ret->ex_data);
168 if ((ret->meth->init != NULL) && !ret->meth->init(ret)) 181 if ((ret->meth->init != NULL) && !ret->meth->init(ret))
169 { 182 {
@@ -276,7 +289,8 @@ void *DSA_get_ex_data(DSA *d, int idx)
276DH *DSA_dup_DH(const DSA *r) 289DH *DSA_dup_DH(const DSA *r)
277 { 290 {
278 /* DSA has p, q, g, optional pub_key, optional priv_key. 291 /* DSA has p, q, g, optional pub_key, optional priv_key.
279 * DH has p, optional length, g, optional pub_key, optional priv_key. 292 * DH has p, optional length, g, optional pub_key, optional priv_key,
293 * optional q.
280 */ 294 */
281 295
282 DH *ret = NULL; 296 DH *ret = NULL;
@@ -290,7 +304,11 @@ DH *DSA_dup_DH(const DSA *r)
290 if ((ret->p = BN_dup(r->p)) == NULL) 304 if ((ret->p = BN_dup(r->p)) == NULL)
291 goto err; 305 goto err;
292 if (r->q != NULL) 306 if (r->q != NULL)
307 {
293 ret->length = BN_num_bits(r->q); 308 ret->length = BN_num_bits(r->q);
309 if ((ret->q = BN_dup(r->q)) == NULL)
310 goto err;
311 }
294 if (r->g != NULL) 312 if (r->g != NULL)
295 if ((ret->g = BN_dup(r->g)) == NULL) 313 if ((ret->g = BN_dup(r->g)) == NULL)
296 goto err; 314 goto err;
diff --git a/src/lib/libcrypto/dsa/dsa_ossl.c b/src/lib/libcrypto/dsa/dsa_ossl.c
index a3ddd7d281..b3d78e524c 100644
--- a/src/lib/libcrypto/dsa/dsa_ossl.c
+++ b/src/lib/libcrypto/dsa/dsa_ossl.c
@@ -136,6 +136,7 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
136 BN_CTX *ctx=NULL; 136 BN_CTX *ctx=NULL;
137 int reason=ERR_R_BN_LIB; 137 int reason=ERR_R_BN_LIB;
138 DSA_SIG *ret=NULL; 138 DSA_SIG *ret=NULL;
139 int noredo = 0;
139 140
140 BN_init(&m); 141 BN_init(&m);
141 BN_init(&xr); 142 BN_init(&xr);
@@ -150,7 +151,7 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
150 if (s == NULL) goto err; 151 if (s == NULL) goto err;
151 ctx=BN_CTX_new(); 152 ctx=BN_CTX_new();
152 if (ctx == NULL) goto err; 153 if (ctx == NULL) goto err;
153 154redo:
154 if ((dsa->kinv == NULL) || (dsa->r == NULL)) 155 if ((dsa->kinv == NULL) || (dsa->r == NULL))
155 { 156 {
156 if (!DSA_sign_setup(dsa,ctx,&kinv,&r)) goto err; 157 if (!DSA_sign_setup(dsa,ctx,&kinv,&r)) goto err;
@@ -161,6 +162,7 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
161 dsa->kinv=NULL; 162 dsa->kinv=NULL;
162 r=dsa->r; 163 r=dsa->r;
163 dsa->r=NULL; 164 dsa->r=NULL;
165 noredo = 1;
164 } 166 }
165 167
166 168
@@ -181,6 +183,18 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
181 183
182 ret=DSA_SIG_new(); 184 ret=DSA_SIG_new();
183 if (ret == NULL) goto err; 185 if (ret == NULL) goto err;
186 /* Redo if r or s is zero as required by FIPS 186-3: this is
187 * very unlikely.
188 */
189 if (BN_is_zero(r) || BN_is_zero(s))
190 {
191 if (noredo)
192 {
193 reason = DSA_R_NEED_NEW_SETUP_VALUES;
194 goto err;
195 }
196 goto redo;
197 }
184 ret->r = r; 198 ret->r = r;
185 ret->s = s; 199 ret->s = s;
186 200
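Review bot: The `goto redo` at the end of the new zero check leaks the DSA_SIG allocated two lines earlier: `ret=DSA_SIG_new()` runs before the check, and the retry allocates a second one without freeing the first. Either move the `BN_is_zero(r) || BN_is_zero(s)` block above `ret=DSA_SIG_new();`, or free before retrying: `DSA_SIG_free(ret); ret = NULL; goto redo;` (safe because DSA_SIG_new leaves r and s NULL). The noredo failure also jumps to `err` with ret non-NULL but ret->r and ret->s still NULL; the err block is outside the hunk, so if its DSAerr reporting and cleanup are keyed on ret being NULL, as the `reason` variable suggests, that path would hand back a half-initialised signature instead of NULL — moving the check before the allocation fixes both.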
diff --git a/src/lib/libcrypto/dsa/dsa_sign.c b/src/lib/libcrypto/dsa/dsa_sign.c
index 17555e5892..c3cc3642ce 100644
--- a/src/lib/libcrypto/dsa/dsa_sign.c
+++ b/src/lib/libcrypto/dsa/dsa_sign.c
@@ -61,30 +61,54 @@
61#include "cryptlib.h" 61#include "cryptlib.h"
62#include <openssl/dsa.h> 62#include <openssl/dsa.h>
63#include <openssl/rand.h> 63#include <openssl/rand.h>
64#include <openssl/bn.h>
64 65
65DSA_SIG * DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) 66DSA_SIG * DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
66 { 67 {
68#ifdef OPENSSL_FIPS
69 if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD)
70 && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW))
71 {
72 DSAerr(DSA_F_DSA_DO_SIGN, DSA_R_NON_FIPS_DSA_METHOD);
73 return NULL;
74 }
75#endif
67 return dsa->meth->dsa_do_sign(dgst, dlen, dsa); 76 return dsa->meth->dsa_do_sign(dgst, dlen, dsa);
68 } 77 }
69 78
70int DSA_sign(int type, const unsigned char *dgst, int dlen, unsigned char *sig, 79int DSA_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
71 unsigned int *siglen, DSA *dsa)
72 { 80 {
73 DSA_SIG *s; 81#ifdef OPENSSL_FIPS
74 RAND_seed(dgst, dlen); 82 if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD)
75 s=DSA_do_sign(dgst,dlen,dsa); 83 && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW))
76 if (s == NULL)
77 { 84 {
78 *siglen=0; 85 DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_NON_FIPS_DSA_METHOD);
79 return(0); 86 return 0;
80 } 87 }
81 *siglen=i2d_DSA_SIG(s,&sig); 88#endif
82 DSA_SIG_free(s); 89 return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp);
83 return(1);
84 } 90 }
85 91
86int DSA_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) 92DSA_SIG *DSA_SIG_new(void)
87 { 93 {
88 return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp); 94 DSA_SIG *sig;
95 sig = OPENSSL_malloc(sizeof(DSA_SIG));
96 if (!sig)
97 return NULL;
98 sig->r = NULL;
99 sig->s = NULL;
100 return sig;
101 }
102
103void DSA_SIG_free(DSA_SIG *sig)
104 {
105 if (sig)
106 {
107 if (sig->r)
108 BN_free(sig->r);
109 if (sig->s)
110 BN_free(sig->s);
111 OPENSSL_free(sig);
112 }
89 } 113 }
90 114
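Review bot: DSA_SIG_new returns NULL on allocation failure without queueing an error, even though the function code DSA_F_DSA_SIG_NEW already exists in dsa.h for it; add `DSAerr(DSA_F_DSA_SIG_NEW, ERR_R_MALLOC_FAILURE);` before `return NULL;` so callers such as DSA_verify, which maps a NULL here to -1, leave something on the error queue. DSA_SIG_free uses BN_free rather than BN_clear_free, which is appropriate since r and s are public values, but a short comment saying so would stop a later reader "fixing" it.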
diff --git a/src/lib/libcrypto/dsa/dsa_vrf.c b/src/lib/libcrypto/dsa/dsa_vrf.c
index 226a75ff3f..674cb5fa5f 100644
--- a/src/lib/libcrypto/dsa/dsa_vrf.c
+++ b/src/lib/libcrypto/dsa/dsa_vrf.c
@@ -64,26 +64,13 @@
64int DSA_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, 64int DSA_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
65 DSA *dsa) 65 DSA *dsa)
66 { 66 {
67#ifdef OPENSSL_FIPS
68 if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD)
69 && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW))
70 {
71 DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_NON_FIPS_DSA_METHOD);
72 return -1;
73 }
74#endif
67 return dsa->meth->dsa_do_verify(dgst, dgst_len, sig, dsa); 75 return dsa->meth->dsa_do_verify(dgst, dgst_len, sig, dsa);
68 } 76 }
69
70/* data has already been hashed (probably with SHA or SHA-1). */
71/* returns
72 * 1: correct signature
73 * 0: incorrect signature
74 * -1: error
75 */
76int DSA_verify(int type, const unsigned char *dgst, int dgst_len,
77 const unsigned char *sigbuf, int siglen, DSA *dsa)
78 {
79 DSA_SIG *s;
80 int ret=-1;
81
82 s = DSA_SIG_new();
83 if (s == NULL) return(ret);
84 if (d2i_DSA_SIG(&s,&sigbuf,siglen) == NULL) goto err;
85 ret=DSA_do_verify(dgst,dgst_len,s,dsa);
86err:
87 DSA_SIG_free(s);
88 return(ret);
89 }
diff --git a/src/lib/libcrypto/dso/dso_dlfcn.c b/src/lib/libcrypto/dso/dso_dlfcn.c
index e78004903c..5f351b318d 100644
--- a/src/lib/libcrypto/dso/dso_dlfcn.c
+++ b/src/lib/libcrypto/dso/dso_dlfcn.c
@@ -86,7 +86,8 @@ DSO_METHOD *DSO_METHOD_dlfcn(void)
86# if defined(_AIX) || defined(__CYGWIN__) || \ 86# if defined(_AIX) || defined(__CYGWIN__) || \
87 defined(__SCO_VERSION__) || defined(_SCO_ELF) || \ 87 defined(__SCO_VERSION__) || defined(_SCO_ELF) || \
88 (defined(__osf__) && !defined(RTLD_NEXT)) || \ 88 (defined(__osf__) && !defined(RTLD_NEXT)) || \
89 (defined(__OpenBSD__) && (!defined(__ELF__) || !defined(RTLD_SELF))) 89 (defined(__OpenBSD__) && !defined(RTLD_SELF)) || \
90 defined(__ANDROID__)
90# undef HAVE_DLINFO 91# undef HAVE_DLINFO
91# endif 92# endif
92#endif 93#endif
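--- a/src/lib/libcrypto/ec/ec.h
+++ b/src/lib/libcrypto/ec/ec.h
@@ -151,7 +151,24 @@ const EC_METHOD *EC_GFp_mont_method(void);
  */
 const EC_METHOD *EC_GFp_nist_method(void);
 
+#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
+/** Returns 64-bit optimized methods for nistp224
+ * \return EC_METHOD object
+ */
+const EC_METHOD *EC_GFp_nistp224_method(void);
+
+/** Returns 64-bit optimized methods for nistp256
+ * \return EC_METHOD object
+ */
+const EC_METHOD *EC_GFp_nistp256_method(void);
+
+/** Returns 64-bit optimized methods for nistp521
+ * \return EC_METHOD object
+ */
+const EC_METHOD *EC_GFp_nistp521_method(void);
+#endif
 
+#ifndef OPENSSL_NO_EC2M
 /********************************************************************/
 /* EC_METHOD for curves over GF(2^m) */
 /********************************************************************/
@@ -161,6 +178,8 @@ const EC_METHOD *EC_GFp_nist_method(void);
  */
 const EC_METHOD *EC_GF2m_simple_method(void);
 
+#endif
+
 
 /********************************************************************/
 /* EC_GROUP functions */
@@ -282,6 +301,7 @@ int EC_GROUP_set_curve_GFp(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, co
  */
 int EC_GROUP_get_curve_GFp(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *ctx);
 
+#ifndef OPENSSL_NO_EC2M
 /** Sets the parameter of a ec over GF2m defined by y^2 + x*y = x^3 + a*x^2 + b
  * \param group EC_GROUP object
  * \param p BIGNUM with the polynomial defining the underlying field
@@ -301,7 +321,7 @@ int EC_GROUP_set_curve_GF2m(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, c
  * \return 1 on success and 0 if an error occured
  */
 int EC_GROUP_get_curve_GF2m(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *ctx);
-
+#endif
 /** Returns the number of bits needed to represent a field element
  * \param group EC_GROUP object
  * \return number of bits needed to represent a field element
@@ -342,7 +362,7 @@ int EC_GROUP_cmp(const EC_GROUP *a, const EC_GROUP *b, BN_CTX *ctx);
  * \return newly created EC_GROUP object with the specified parameters
  */
 EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
-
+#ifndef OPENSSL_NO_EC2M
 /** Creates a new EC_GROUP object with the specified parameters defined
  * over GF2m (defined by the equation y^2 + x*y = x^3 + a*x^2 + b)
  * \param p BIGNUM with the polynomial defining the underlying field
@@ -352,7 +372,7 @@ EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, const BIGNUM
  * \return newly created EC_GROUP object with the specified parameters
  */
 EC_GROUP *EC_GROUP_new_curve_GF2m(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
-
+#endif
 /** Creates a EC_GROUP object with a curve specified by a NID
  * \param nid NID of the OID of the curve name
  * \return newly created EC_GROUP object with specified curve or NULL
@@ -481,7 +501,7 @@ int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group,
  */
 int EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP *group, EC_POINT *p,
  const BIGNUM *x, int y_bit, BN_CTX *ctx);
-
+#ifndef OPENSSL_NO_EC2M
 /** Sets the affine coordinates of a EC_POINT over GF2m
  * \param group underlying EC_GROUP object
  * \param p EC_POINT object
@@ -514,7 +534,7 @@ int EC_POINT_get_affine_coordinates_GF2m(const EC_GROUP *group,
  */
 int EC_POINT_set_compressed_coordinates_GF2m(const EC_GROUP *group, EC_POINT *p,
  const BIGNUM *x, int y_bit, BN_CTX *ctx);
-
+#endif
 /** Encodes a EC_POINT object to a octet string
  * \param group underlying EC_GROUP object
  * \param p EC_POINT object
@@ -653,9 +673,11 @@ int EC_GROUP_have_precompute_mult(const EC_GROUP *group);
 /* EC_GROUP_get_basis_type() returns the NID of the basis type
  * used to represent the field elements */
 int EC_GROUP_get_basis_type(const EC_GROUP *);
+#ifndef OPENSSL_NO_EC2M
 int EC_GROUP_get_trinomial_basis(const EC_GROUP *, unsigned int *k);
 int EC_GROUP_get_pentanomial_basis(const EC_GROUP *, unsigned int *k1,
  unsigned int *k2, unsigned int *k3);
+#endif
 
 #define OPENSSL_EC_NAMED_CURVE 0x001
 
@@ -689,11 +711,21 @@ typedef struct ec_key_st EC_KEY;
 #define EC_PKEY_NO_PARAMETERS 0x001
 #define EC_PKEY_NO_PUBKEY 0x002
 
+/* some values for the flags field */
+#define EC_FLAG_NON_FIPS_ALLOW 0x1
+#define EC_FLAG_FIPS_CHECKED 0x2
+
 /** Creates a new EC_KEY object.
  * \return EC_KEY object or NULL if an error occurred.
  */
 EC_KEY *EC_KEY_new(void);
 
+int EC_KEY_get_flags(const EC_KEY *key);
+
+void EC_KEY_set_flags(EC_KEY *key, int flags);
+
+void EC_KEY_clear_flags(EC_KEY *key, int flags);
+
 /** Creates a new EC_KEY object using a named curve as underlying
  * EC_GROUP object.
  * \param nid NID of the named curve.
@@ -799,6 +831,15 @@ int EC_KEY_generate_key(EC_KEY *key);
  */
 int EC_KEY_check_key(const EC_KEY *key);
 
+/** Sets a public key from affine coordindates performing
+ * neccessary NIST PKV tests.
+ * \param key the EC_KEY object
+ * \param x public key x coordinate
+ * \param y public key y coordinate
+ * \return 1 on success and 0 otherwise.
+ */
+int EC_KEY_set_public_key_affine_coordinates(EC_KEY *key, BIGNUM *x, BIGNUM *y);
+
 
 /********************************************************************/
 /* de- and encoding functions for SEC1 ECPrivateKey */
@@ -926,6 +967,7 @@ void ERR_load_EC_strings(void);
 /* Error codes for the EC functions. */
 
 /* Function codes. */
+#define EC_F_BN_TO_FELEM 224
 #define EC_F_COMPUTE_WNAF 143
 #define EC_F_D2I_ECPARAMETERS 144
 #define EC_F_D2I_ECPKPARAMETERS 145
@@ -968,6 +1010,15 @@ void ERR_load_EC_strings(void);
 #define EC_F_EC_GFP_MONT_FIELD_SQR 132
 #define EC_F_EC_GFP_MONT_GROUP_SET_CURVE 189
 #define EC_F_EC_GFP_MONT_GROUP_SET_CURVE_GFP 135
+#define EC_F_EC_GFP_NISTP224_GROUP_SET_CURVE 225
+#define EC_F_EC_GFP_NISTP224_POINTS_MUL 228
+#define EC_F_EC_GFP_NISTP224_POINT_GET_AFFINE_COORDINATES 226
+#define EC_F_EC_GFP_NISTP256_GROUP_SET_CURVE 230
+#define EC_F_EC_GFP_NISTP256_POINTS_MUL 231
+#define EC_F_EC_GFP_NISTP256_POINT_GET_AFFINE_COORDINATES 232
+#define EC_F_EC_GFP_NISTP521_GROUP_SET_CURVE 233
+#define EC_F_EC_GFP_NISTP521_POINTS_MUL 234
+#define EC_F_EC_GFP_NISTP521_POINT_GET_AFFINE_COORDINATES 235
 #define EC_F_EC_GFP_NIST_FIELD_MUL 200
 #define EC_F_EC_GFP_NIST_FIELD_SQR 201
 #define EC_F_EC_GFP_NIST_GROUP_SET_CURVE 202
@@ -1010,6 +1061,7 @@ void ERR_load_EC_strings(void);
 #define EC_F_EC_KEY_NEW 182
 #define EC_F_EC_KEY_PRINT 180
 #define EC_F_EC_KEY_PRINT_FP 181
+#define EC_F_EC_KEY_SET_PUBLIC_KEY_AFFINE_COORDINATES 229
 #define EC_F_EC_POINTS_MAKE_AFFINE 136
 #define EC_F_EC_POINT_ADD 112
 #define EC_F_EC_POINT_CMP 113
@@ -1040,6 +1092,9 @@ void ERR_load_EC_strings(void);
 #define EC_F_I2D_ECPKPARAMETERS 191
 #define EC_F_I2D_ECPRIVATEKEY 192
 #define EC_F_I2O_ECPUBLICKEY 151
+#define EC_F_NISTP224_PRE_COMP_NEW 227
+#define EC_F_NISTP256_PRE_COMP_NEW 236
+#define EC_F_NISTP521_PRE_COMP_NEW 237
 #define EC_F_O2I_ECPUBLICKEY 152
 #define EC_F_OLD_EC_PRIV_DECODE 222
 #define EC_F_PKEY_EC_CTRL 197
@@ -1052,12 +1107,15 @@ void ERR_load_EC_strings(void);
 /* Reason codes. */
 #define EC_R_ASN1_ERROR 115
 #define EC_R_ASN1_UNKNOWN_FIELD 116
+#define EC_R_BIGNUM_OUT_OF_RANGE 144
 #define EC_R_BUFFER_TOO_SMALL 100
+#define EC_R_COORDINATES_OUT_OF_RANGE 146
 #define EC_R_D2I_ECPKPARAMETERS_FAILURE 117
 #define EC_R_DECODE_ERROR 142
 #define EC_R_DISCRIMINANT_IS_ZERO 118
 #define EC_R_EC_GROUP_NEW_BY_NAME_FAILURE 119
 #define EC_R_FIELD_TOO_LARGE 143
+#define EC_R_GF2M_NOT_SUPPORTED 147
 #define EC_R_GROUP2PKPARAMETERS_FAILURE 120
 #define EC_R_I2D_ECPKPARAMETERS_FAILURE 121
 #define EC_R_INCOMPATIBLE_OBJECTS 101
@@ -1092,6 +1150,7 @@ void ERR_load_EC_strings(void);
 #define EC_R_UNKNOWN_GROUP 129
 #define EC_R_UNKNOWN_ORDER 114
 #define EC_R_UNSUPPORTED_FIELD 131
+#define EC_R_WRONG_CURVE_PARAMETERS 145
 #define EC_R_WRONG_ORDER 130
 
 #ifdef __cplusplus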
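Review bot: `EC_KEY_get_flags`, `EC_KEY_set_flags` and `EC_KEY_clear_flags` (new lines 723–727) are the only prototypes in this header block without a doxygen comment, and the `EC_FLAG_*` constants they operate on are introduced with nothing more than "some values for the flags field". I would add `/** Returns the EC_FLAG_* bitmask of an EC_KEY. */` above the getter, and one-line comments stating that `set` ORs `flags` in and `clear` masks them out — to be confirmed against the implementation, which is not in this diff. The comment on `EC_KEY_set_public_key_affine_coordinates` (new lines 834–841) has two typos, "coordindates" and "neccessary", and declares `x`/`y` as non-const `BIGNUM *` while describing them as inputs; if the implementation only reads them, `const BIGNUM *x, const BIGNUM *y` would state that contract.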
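--- a/src/lib/libcrypto/ec/ec2_smpl.c
+++ b/src/lib/libcrypto/ec/ec2_smpl.c
@@ -71,10 +71,20 @@
 
 #include "ec_lcl.h"
 
+#ifndef OPENSSL_NO_EC2M
+
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
+
 
 const EC_METHOD *EC_GF2m_simple_method(void)
  {
+#ifdef OPENSSL_FIPS
+ return fips_ec_gf2m_simple_method();
+#else
  static const EC_METHOD ret = {
+ EC_FLAGS_DEFAULT_OCT,
  NID_X9_62_characteristic_two_field,
  ec_GF2m_simple_group_init,
  ec_GF2m_simple_group_finish,
@@ -93,9 +103,7 @@ const EC_METHOD *EC_GF2m_simple_method(void)
  0 /* get_Jprojective_coordinates_GFp */,
  ec_GF2m_simple_point_set_affine_coordinates,
  ec_GF2m_simple_point_get_affine_coordinates,
- ec_GF2m_simple_set_compressed_coordinates,
- ec_GF2m_simple_point2oct,
- ec_GF2m_simple_oct2point,
+ 0,0,0,
  ec_GF2m_simple_add,
  ec_GF2m_simple_dbl,
  ec_GF2m_simple_invert,
@@ -118,6 +126,7 @@ const EC_METHOD *EC_GF2m_simple_method(void)
  0 /* field_set_to_one */ };
 
  return &ret;
+#endif
  }
 
 
@@ -405,340 +414,6 @@ int ec_GF2m_simple_point_get_affine_coordinates(const EC_GROUP *group, const EC_
  return ret;
  }
 
-
-/* Calculates and sets the affine coordinates of an EC_POINT from the given
- * compressed coordinates. Uses algorithm 2.3.4 of SEC 1.
- * Note that the simple implementation only uses affine coordinates.
- *
- * The method is from the following publication:
- *
- * Harper, Menezes, Vanstone:
- * "Public-Key Cryptosystems with Very Small Key Lengths",
- * EUROCRYPT '92, Springer-Verlag LNCS 658,
- * published February 1993
- *
- * US Patents 6,141,420 and 6,618,483 (Vanstone, Mullin, Agnew) describe
- * the same method, but claim no priority date earlier than July 29, 1994
- * (and additionally fail to cite the EUROCRYPT '92 publication as prior art).
- */
-int ec_GF2m_simple_set_compressed_coordinates(const EC_GROUP *group, EC_POINT *point,
- const BIGNUM *x_, int y_bit, BN_CTX *ctx)
- {
- BN_CTX *new_ctx = NULL;
- BIGNUM *tmp, *x, *y, *z;
- int ret = 0, z0;
-
- /* clear error queue */
- ERR_clear_error();
-
- if (ctx == NULL)
- {
- ctx = new_ctx = BN_CTX_new();
- if (ctx == NULL)
- return 0;
- }
-
- y_bit = (y_bit != 0) ? 1 : 0;
-
- BN_CTX_start(ctx);
- tmp = BN_CTX_get(ctx);
- x = BN_CTX_get(ctx);
- y = BN_CTX_get(ctx);
- z = BN_CTX_get(ctx);
- if (z == NULL) goto err;
-
- if (!BN_GF2m_mod_arr(x, x_, group->poly)) goto err;
- if (BN_is_zero(x))
- {
- if (!BN_GF2m_mod_sqrt_arr(y, &group->b, group->poly, ctx)) goto err;
- }
- else
- {
- if (!group->meth->field_sqr(group, tmp, x, ctx)) goto err;
- if (!group->meth->field_div(group, tmp, &group->b, tmp, ctx)) goto err;
- if (!BN_GF2m_add(tmp, &group->a, tmp)) goto err;
- if (!BN_GF2m_add(tmp, x, tmp)) goto err;
- if (!BN_GF2m_mod_solve_quad_arr(z, tmp, group->poly, ctx))
- {
- unsigned long err = ERR_peek_last_error();
-
- if (ERR_GET_LIB(err) == ERR_LIB_BN && ERR_GET_REASON(err) == BN_R_NO_SOLUTION)
- {
- ERR_clear_error();
- ECerr(EC_F_EC_GF2M_SIMPLE_SET_COMPRESSED_COORDINATES, EC_R_INVALID_COMPRESSED_POINT);
- }
- else
- ECerr(EC_F_EC_GF2M_SIMPLE_SET_COMPRESSED_COORDINATES, ERR_R_BN_LIB);
- goto err;
- }
- z0 = (BN_is_odd(z)) ? 1 : 0;
- if (!group->meth->field_mul(group, y, x, z, ctx)) goto err;
- if (z0 != y_bit)
- {
- if (!BN_GF2m_add(y, y, x)) goto err;
- }
- }
-
- if (!EC_POINT_set_affine_coordinates_GF2m(group, point, x, y, ctx)) goto err;
-
- ret = 1;
-
- err:
- BN_CTX_end(ctx);
- if (new_ctx != NULL)
- BN_CTX_free(new_ctx);
- return ret;
- }
-
-
-/* Converts an EC_POINT to an octet string.
- * If buf is NULL, the encoded length will be returned.
- * If the length len of buf is smaller than required an error will be returned.
- */
-size_t ec_GF2m_simple_point2oct(const EC_GROUP *group, const EC_POINT *point, point_conversion_form_t form,
- unsigned char *buf, size_t len, BN_CTX *ctx)
- {
- size_t ret;
- BN_CTX *new_ctx = NULL;
- int used_ctx = 0;
- BIGNUM *x, *y, *yxi;
- size_t field_len, i, skip;
-
- if ((form != POINT_CONVERSION_COMPRESSED)
- && (form != POINT_CONVERSION_UNCOMPRESSED)
- && (form != POINT_CONVERSION_HYBRID))
- {
- ECerr(EC_F_EC_GF2M_SIMPLE_POINT2OCT, EC_R_INVALID_FORM);
- goto err;
- }
-
- if (EC_POINT_is_at_infinity(group, point))
- {
- /* encodes to a single 0 octet */
- if (buf != NULL)
- {
- if (len < 1)
- {
- ECerr(EC_F_EC_GF2M_SIMPLE_POINT2OCT, EC_R_BUFFER_TOO_SMALL);
- return 0;
- }
- buf[0] = 0;
- }
- return 1;
- }
-
-
- /* ret := required output buffer length */
- field_len = (EC_GROUP_get_degree(group) + 7) / 8;
- ret = (form == POINT_CONVERSION_COMPRESSED) ? 1 + field_len : 1 + 2*field_len;
-
- /* if 'buf' is NULL, just return required length */
- if (buf != NULL)
- {
- if (len < ret)
- {
- ECerr(EC_F_EC_GF2M_SIMPLE_POINT2OCT, EC_R_BUFFER_TOO_SMALL);
- goto err;
- }
-
- if (ctx == NULL)
- {
- ctx = new_ctx = BN_CTX_new();
- if (ctx == NULL)
- return 0;
- }
-
- BN_CTX_start(ctx);
- used_ctx = 1;
- x = BN_CTX_get(ctx);
- y = BN_CTX_get(ctx);
- yxi = BN_CTX_get(ctx);
- if (yxi == NULL) goto err;
-
- if (!EC_POINT_get_affine_coordinates_GF2m(group, point, x, y, ctx)) goto err;
-
- buf[0] = form;
- if ((form != POINT_CONVERSION_UNCOMPRESSED) && !BN_is_zero(x))
- {
- if (!group->meth->field_div(group, yxi, y, x, ctx)) goto err;
- if (BN_is_odd(yxi)) buf[0]++;
- }
-
- i = 1;
-
- skip = field_len - BN_num_bytes(x);
- if (skip > field_len)
- {
- ECerr(EC_F_EC_GF2M_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
- goto err;
- }
- while (skip > 0)
- {
- buf[i++] = 0;
- skip--;
- }
- skip = BN_bn2bin(x, buf + i);
- i += skip;
- if (i != 1 + field_len)
- {
- ECerr(EC_F_EC_GF2M_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
- goto err;
- }
-
- if (form == POINT_CONVERSION_UNCOMPRESSED || form == POINT_CONVERSION_HYBRID)
- {
- skip = field_len - BN_num_bytes(y);
- if (skip > field_len)
- {
- ECerr(EC_F_EC_GF2M_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
- goto err;
- }
- while (skip > 0)
- {
- buf[i++] = 0;
- skip--;
- }
- skip = BN_bn2bin(y, buf + i);
- i += skip;
- }
-
- if (i != ret)
- {
- ECerr(EC_F_EC_GF2M_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
- goto err;
- }
- }
-
- if (used_ctx)
- BN_CTX_end(ctx);
- if (new_ctx != NULL)
- BN_CTX_free(new_ctx);
- return ret;
-
- err:
- if (used_ctx)
- BN_CTX_end(ctx);
- if (new_ctx != NULL)
- BN_CTX_free(new_ctx);
- return 0;
- }
-
-
-/* Converts an octet string representation to an EC_POINT.
- * Note that the simple implementation only uses affine coordinates.
- */
-int ec_GF2m_simple_oct2point(const EC_GROUP *group, EC_POINT *point,
- const unsigned char *buf, size_t len, BN_CTX *ctx)
- {
- point_conversion_form_t form;
- int y_bit;
- BN_CTX *new_ctx = NULL;
- BIGNUM *x, *y, *yxi;
- size_t field_len, enc_len;
- int ret = 0;
-
- if (len == 0)
- {
- ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_BUFFER_TOO_SMALL);
- return 0;
- }
- form = buf[0];
- y_bit = form & 1;
- form = form & ~1U;
- if ((form != 0) && (form != POINT_CONVERSION_COMPRESSED)
- && (form != POINT_CONVERSION_UNCOMPRESSED)
- && (form != POINT_CONVERSION_HYBRID))
- {
- ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
- return 0;
- }
- if ((form == 0 || form == POINT_CONVERSION_UNCOMPRESSED) && y_bit)
- {
- ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
- return 0;
- }
-
- if (form == 0)
- {
- if (len != 1)
- {
- ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
- return 0;
- }
-
- return EC_POINT_set_to_infinity(group, point);
- }
-
- field_len = (EC_GROUP_get_degree(group) + 7) / 8;
- enc_len = (form == POINT_CONVERSION_COMPRESSED) ? 1 + field_len : 1 + 2*field_len;
-
- if (len != enc_len)
- {
- ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
- return 0;
- }
-
- if (ctx == NULL)
- {
- ctx = new_ctx = BN_CTX_new();
- if (ctx == NULL)
- return 0;
- }
-
- BN_CTX_start(ctx);
- x = BN_CTX_get(ctx);
- y = BN_CTX_get(ctx);
- yxi = BN_CTX_get(ctx);
- if (yxi == NULL) goto err;
-
- if (!BN_bin2bn(buf + 1, field_len, x)) goto err;
- if (BN_ucmp(x, &group->field) >= 0)
- {
- ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
- goto err;
- }
-
- if (form == POINT_CONVERSION_COMPRESSED)
- {
- if (!EC_POINT_set_compressed_coordinates_GF2m(group, point, x, y_bit, ctx)) goto err;
- }
- else
- {
- if (!BN_bin2bn(buf + 1 + field_len, field_len, y)) goto err;
- if (BN_ucmp(y, &group->field) >= 0)
- {
- ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
- goto err;
- }
- if (form == POINT_CONVERSION_HYBRID)
- {
- if (!group->meth->field_div(group, yxi, y, x, ctx)) goto err;
- if (y_bit != BN_is_odd(yxi))
- {
- ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
- goto err;
- }
- }
-
- if (!EC_POINT_set_affine_coordinates_GF2m(group, point, x, y, ctx)) goto err;
- }
-
- if (!EC_POINT_is_on_curve(group, point, ctx)) /* test required by X9.62 */
- {
- ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_POINT_IS_NOT_ON_CURVE);
- goto err;
- }
-
- ret = 1;
-
- err:
- BN_CTX_end(ctx);
- if (new_ctx != NULL)
- BN_CTX_free(new_ctx);
- return ret;
- }
-
-
 /* Computes a + b and stores the result in r. r could be a or b, a could be b.
  * Uses algorithm A.10.2 of IEEE P1363.
  */
@@ -1040,3 +715,5 @@ int ec_GF2m_simple_field_div(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
  {
  return BN_GF2m_mod_div(r, a, b, &group->field, ctx);
  }
+
+#endif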
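Review bot: The `0,0,0,` entry that replaces the three GF(2^m) octet-string handlers in `EC_GF2m_simple_method` (new line 106) drops the per-slot naming the rest of this table uses (`0 /* get_Jprojective_coordinates_GFp */`), so a reader can no longer tell which callbacks are now delegated via `EC_FLAGS_DEFAULT_OCT`; I would write `0 /* set_compressed_coordinates */, 0 /* point2oct */, 0 /* oct2point */,` one per line. The removed `ec_GF2m_simple_oct2point` rejected `x` and `y` not below `group->field`, verified the hybrid parity bit against `y/x`, and ran the `EC_POINT_is_on_curve` check annotated "test required by X9.62"; the generic handlers the new flag selects are not in this diff, so it is worth confirming they keep each of those validations for GF(2^m) input. The `#ifdef OPENSSL_FIPS` return added at the top of the function leaves the whole `static const EC_METHOD ret` table on the `#else` side, which a one-line comment on that `#else` (`/* non-FIPS: local method table */`) would make explicit.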
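--- a/src/lib/libcrypto/ec/ec_cvt.c
+++ b/src/lib/libcrypto/ec/ec_cvt.c
@@ -78,7 +78,32 @@ EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, const BIGNUM
  const EC_METHOD *meth;
  EC_GROUP *ret;
 
+#if defined(OPENSSL_BN_ASM_MONT)
+ /*
+ * This might appear controversial, but the fact is that generic
+ * prime method was observed to deliver better performance even
+ * for NIST primes on a range of platforms, e.g.: 60%-15%
+ * improvement on IA-64, ~25% on ARM, 30%-90% on P4, 20%-25%
+ * in 32-bit build and 35%--12% in 64-bit build on Core2...
+ * Coefficients are relative to optimized bn_nist.c for most
+ * intensive ECDSA verify and ECDH operations for 192- and 521-
+ * bit keys respectively. Choice of these boundary values is
+ * arguable, because the dependency of improvement coefficient
+ * from key length is not a "monotone" curve. For example while
+ * 571-bit result is 23% on ARM, 384-bit one is -1%. But it's
+ * generally faster, sometimes "respectfully" faster, sometimes
+ * "tolerably" slower... What effectively happens is that loop
+ * with bn_mul_add_words is put against bn_mul_mont, and the
+ * latter "wins" on short vectors. Correct solution should be
+ * implementing dedicated NxN multiplication subroutines for
+ * small N. But till it materializes, let's stick to generic
+ * prime method...
+ * <appro>
+ */
+ meth = EC_GFp_mont_method();
+#else
  meth = EC_GFp_nist_method();
+#endif
 
  ret = EC_GROUP_new(meth);
  if (ret == NULL)
@@ -122,7 +147,7 @@ EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, const BIGNUM
  return ret;
  }
 
-
+#ifndef OPENSSL_NO_EC2M
 EC_GROUP *EC_GROUP_new_curve_GF2m(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
  {
  const EC_METHOD *meth;
@@ -142,3 +167,4 @@ EC_GROUP *EC_GROUP_new_curve_GF2m(const BIGNUM *p, const BIGNUM *a, const BIGNUM
 
  return ret;
  }
+#endif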
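Review bot: The rationale comment added to `EC_GROUP_new_curve_GFp` (new lines 82–102) is twenty lines of benchmark narrative ahead of the one-line decision `meth = EC_GFp_mont_method();`, with no summary a reader can stop at; I would open it with a single sentence such as `/* With assembler bn_mul_mont the generic Montgomery method measured faster than bn_nist.c for ECDSA/ECDH on the platforms listed below, so prefer it. */` and keep the figures after that. In the same comment, "respectfully" faster should read "respectably". The function's opening brace and parameter list are outside the hunk.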
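--- a/src/lib/libcrypto/ec/ec_err.c
+++ b/src/lib/libcrypto/ec/ec_err.c
@@ -1,6 +1,6 @@
 /* crypto/ec/ec_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -70,6 +70,7 @@
 
 static ERR_STRING_DATA EC_str_functs[]=
  {
+{ERR_FUNC(EC_F_BN_TO_FELEM), "BN_TO_FELEM"},
 {ERR_FUNC(EC_F_COMPUTE_WNAF), "COMPUTE_WNAF"},
 {ERR_FUNC(EC_F_D2I_ECPARAMETERS), "d2i_ECParameters"},
 {ERR_FUNC(EC_F_D2I_ECPKPARAMETERS), "d2i_ECPKParameters"},
@@ -112,6 +113,15 @@ static ERR_STRING_DATA EC_str_functs[]=
 {ERR_FUNC(EC_F_EC_GFP_MONT_FIELD_SQR), "ec_GFp_mont_field_sqr"},
 {ERR_FUNC(EC_F_EC_GFP_MONT_GROUP_SET_CURVE), "ec_GFp_mont_group_set_curve"},
 {ERR_FUNC(EC_F_EC_GFP_MONT_GROUP_SET_CURVE_GFP), "EC_GFP_MONT_GROUP_SET_CURVE_GFP"},
+{ERR_FUNC(EC_F_EC_GFP_NISTP224_GROUP_SET_CURVE), "ec_GFp_nistp224_group_set_curve"},
+{ERR_FUNC(EC_F_EC_GFP_NISTP224_POINTS_MUL), "ec_GFp_nistp224_points_mul"},
+{ERR_FUNC(EC_F_EC_GFP_NISTP224_POINT_GET_AFFINE_COORDINATES), "ec_GFp_nistp224_point_get_affine_coordinates"},
+{ERR_FUNC(EC_F_EC_GFP_NISTP256_GROUP_SET_CURVE), "ec_GFp_nistp256_group_set_curve"},
+{ERR_FUNC(EC_F_EC_GFP_NISTP256_POINTS_MUL), "ec_GFp_nistp256_points_mul"},
+{ERR_FUNC(EC_F_EC_GFP_NISTP256_POINT_GET_AFFINE_COORDINATES), "ec_GFp_nistp256_point_get_affine_coordinates"},
+{ERR_FUNC(EC_F_EC_GFP_NISTP521_GROUP_SET_CURVE), "ec_GFp_nistp521_group_set_curve"},
+{ERR_FUNC(EC_F_EC_GFP_NISTP521_POINTS_MUL), "ec_GFp_nistp521_points_mul"},
+{ERR_FUNC(EC_F_EC_GFP_NISTP521_POINT_GET_AFFINE_COORDINATES), "ec_GFp_nistp521_point_get_affine_coordinates"},
 {ERR_FUNC(EC_F_EC_GFP_NIST_FIELD_MUL), "ec_GFp_nist_field_mul"},
 {ERR_FUNC(EC_F_EC_GFP_NIST_FIELD_SQR), "ec_GFp_nist_field_sqr"},
 {ERR_FUNC(EC_F_EC_GFP_NIST_GROUP_SET_CURVE), "ec_GFp_nist_group_set_curve"},
@@ -154,6 +164,7 @@ static ERR_STRING_DATA EC_str_functs[]=
 {ERR_FUNC(EC_F_EC_KEY_NEW), "EC_KEY_new"},
 {ERR_FUNC(EC_F_EC_KEY_PRINT), "EC_KEY_print"},
 {ERR_FUNC(EC_F_EC_KEY_PRINT_FP), "EC_KEY_print_fp"},
+{ERR_FUNC(EC_F_EC_KEY_SET_PUBLIC_KEY_AFFINE_COORDINATES), "EC_KEY_set_public_key_affine_coordinates"},
 {ERR_FUNC(EC_F_EC_POINTS_MAKE_AFFINE), "EC_POINTs_make_affine"},
 {ERR_FUNC(EC_F_EC_POINT_ADD), "EC_POINT_add"},
 {ERR_FUNC(EC_F_EC_POINT_CMP), "EC_POINT_cmp"},
@@ -184,6 +195,9 @@ static ERR_STRING_DATA EC_str_functs[]=
 {ERR_FUNC(EC_F_I2D_ECPKPARAMETERS), "i2d_ECPKParameters"},
 {ERR_FUNC(EC_F_I2D_ECPRIVATEKEY), "i2d_ECPrivateKey"},
 {ERR_FUNC(EC_F_I2O_ECPUBLICKEY), "i2o_ECPublicKey"},
+{ERR_FUNC(EC_F_NISTP224_PRE_COMP_NEW), "NISTP224_PRE_COMP_NEW"},
+{ERR_FUNC(EC_F_NISTP256_PRE_COMP_NEW), "NISTP256_PRE_COMP_NEW"},
+{ERR_FUNC(EC_F_NISTP521_PRE_COMP_NEW), "NISTP521_PRE_COMP_NEW"},
 {ERR_FUNC(EC_F_O2I_ECPUBLICKEY), "o2i_ECPublicKey"},
 {ERR_FUNC(EC_F_OLD_EC_PRIV_DECODE), "OLD_EC_PRIV_DECODE"},
 {ERR_FUNC(EC_F_PKEY_EC_CTRL), "PKEY_EC_CTRL"},
@@ -199,12 +213,15 @@ static ERR_STRING_DATA EC_str_reasons[]=
  {
 {ERR_REASON(EC_R_ASN1_ERROR) ,"asn1 error"},
 {ERR_REASON(EC_R_ASN1_UNKNOWN_FIELD) ,"asn1 unknown field"},
+{ERR_REASON(EC_R_BIGNUM_OUT_OF_RANGE) ,"bignum out of range"},
 {ERR_REASON(EC_R_BUFFER_TOO_SMALL) ,"buffer too small"},
+{ERR_REASON(EC_R_COORDINATES_OUT_OF_RANGE),"coordinates out of range"},
 {ERR_REASON(EC_R_D2I_ECPKPARAMETERS_FAILURE),"d2i ecpkparameters failure"},
 {ERR_REASON(EC_R_DECODE_ERROR) ,"decode error"},
 {ERR_REASON(EC_R_DISCRIMINANT_IS_ZERO) ,"discriminant is zero"},
 {ERR_REASON(EC_R_EC_GROUP_NEW_BY_NAME_FAILURE),"ec group new by name failure"},
 {ERR_REASON(EC_R_FIELD_TOO_LARGE) ,"field too large"},
+{ERR_REASON(EC_R_GF2M_NOT_SUPPORTED) ,"gf2m not supported"},
 {ERR_REASON(EC_R_GROUP2PKPARAMETERS_FAILURE),"group2pkparameters failure"},
 {ERR_REASON(EC_R_I2D_ECPKPARAMETERS_FAILURE),"i2d ecpkparameters failure"},
 {ERR_REASON(EC_R_INCOMPATIBLE_OBJECTS) ,"incompatible objects"},
@@ -239,6 +256,7 @@ static ERR_STRING_DATA EC_str_reasons[]=
 {ERR_REASON(EC_R_UNKNOWN_GROUP) ,"unknown group"},
 {ERR_REASON(EC_R_UNKNOWN_ORDER) ,"unknown order"},
 {ERR_REASON(EC_R_UNSUPPORTED_FIELD) ,"unsupported field"},
+{ERR_REASON(EC_R_WRONG_CURVE_PARAMETERS) ,"wrong curve parameters"},
 {ERR_REASON(EC_R_WRONG_ORDER) ,"wrong order"},
 {0,NULL}
  };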
diff --git a/src/lib/libcrypto/ec/ec_lcl.h b/src/lib/libcrypto/ec/ec_lcl.h
index 3e2c34b0bc..da7967df38 100644
--- a/src/lib/libcrypto/ec/ec_lcl.h
+++ b/src/lib/libcrypto/ec/ec_lcl.h
@@ -3,7 +3,7 @@
3 * Originally written by Bodo Moeller for the OpenSSL project. 3 * Originally written by Bodo Moeller for the OpenSSL project.
4 */ 4 */
5/* ==================================================================== 5/* ====================================================================
6 * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved. 6 * Copyright (c) 1998-2010 The OpenSSL Project. All rights reserved.
7 * 7 *
8 * Redistribution and use in source and binary forms, with or without 8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions 9 * modification, are permitted provided that the following conditions
@@ -82,10 +82,15 @@
82# endif 82# endif
83#endif 83#endif
84 84
85/* Use default functions for poin2oct, oct2point and compressed coordinates */
86#define EC_FLAGS_DEFAULT_OCT 0x1
87
85/* Structure details are not part of the exported interface, 88/* Structure details are not part of the exported interface,
86 * so all this may change in future versions. */ 89 * so all this may change in future versions. */
87 90
88struct ec_method_st { 91struct ec_method_st {
92 /* Various method flags */
93 int flags;
89 /* used by EC_METHOD_get_field_type: */ 94 /* used by EC_METHOD_get_field_type: */
90 int field_type; /* a NID */ 95 int field_type; /* a NID */
91 96
@@ -244,6 +249,7 @@ struct ec_key_st {
244 point_conversion_form_t conv_form; 249 point_conversion_form_t conv_form;
245 250
246 int references; 251 int references;
252 int flags;
247 253
248 EC_EXTRA_DATA *method_data; 254 EC_EXTRA_DATA *method_data;
249} /* EC_KEY */; 255} /* EC_KEY */;
@@ -391,3 +397,50 @@ int ec_GF2m_simple_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
391 size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *); 397 size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *);
392int ec_GF2m_precompute_mult(EC_GROUP *group, BN_CTX *ctx); 398int ec_GF2m_precompute_mult(EC_GROUP *group, BN_CTX *ctx);
393int ec_GF2m_have_precompute_mult(const EC_GROUP *group); 399int ec_GF2m_have_precompute_mult(const EC_GROUP *group);
400
401/* method functions in ec2_mult.c */
402int ec_GF2m_simple_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
403 size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *);
404int ec_GF2m_precompute_mult(EC_GROUP *group, BN_CTX *ctx);
405int ec_GF2m_have_precompute_mult(const EC_GROUP *group);
406
407#ifndef OPENSSL_EC_NISTP_64_GCC_128
408/* method functions in ecp_nistp224.c */
409int ec_GFp_nistp224_group_init(EC_GROUP *group);
410int ec_GFp_nistp224_group_set_curve(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *n, BN_CTX *);
411int ec_GFp_nistp224_point_get_affine_coordinates(const EC_GROUP *group, const EC_POINT *point, BIGNUM *x, BIGNUM *y, BN_CTX *ctx);
412int ec_GFp_nistp224_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *);
413int ec_GFp_nistp224_points_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *ctx);
414int ec_GFp_nistp224_precompute_mult(EC_GROUP *group, BN_CTX *ctx);
415int ec_GFp_nistp224_have_precompute_mult(const EC_GROUP *group);
416
417/* method functions in ecp_nistp256.c */
418int ec_GFp_nistp256_group_init(EC_GROUP *group);
419int ec_GFp_nistp256_group_set_curve(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *n, BN_CTX *);
420int ec_GFp_nistp256_point_get_affine_coordinates(const EC_GROUP *group, const EC_POINT *point, BIGNUM *x, BIGNUM *y, BN_CTX *ctx);
421int ec_GFp_nistp256_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *);
422int ec_GFp_nistp256_points_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *ctx);
423int ec_GFp_nistp256_precompute_mult(EC_GROUP *group, BN_CTX *ctx);
424int ec_GFp_nistp256_have_precompute_mult(const EC_GROUP *group);
425
426/* method functions in ecp_nistp521.c */
427int ec_GFp_nistp521_group_init(EC_GROUP *group);
428int ec_GFp_nistp521_group_set_curve(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *n, BN_CTX *);
429int ec_GFp_nistp521_point_get_affine_coordinates(const EC_GROUP *group, const EC_POINT *point, BIGNUM *x, BIGNUM *y, BN_CTX *ctx);
430int ec_GFp_nistp521_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *);
431int ec_GFp_nistp521_points_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *ctx);
432int ec_GFp_nistp521_precompute_mult(EC_GROUP *group, BN_CTX *ctx);
433int ec_GFp_nistp521_have_precompute_mult(const EC_GROUP *group);
434
435/* utility functions in ecp_nistputil.c */
436void ec_GFp_nistp_points_make_affine_internal(size_t num, void *point_array,
437 size_t felem_size, void *tmp_felems,
438 void (*felem_one)(void *out),
439 int (*felem_is_zero)(const void *in),
440 void (*felem_assign)(void *out, const void *in),
441 void (*felem_square)(void *out, const void *in),
442 void (*felem_mul)(void *out, const void *in1, const void *in2),
443 void (*felem_inv)(void *out, const void *in),
444 void (*felem_contract)(void *out, const void *in));
445void ec_GFp_nistp_recode_scalar_bits(unsigned char *sign, unsigned char *digit, unsigned char in);
446#endif
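Review bot: The prototypes added at new lines 402–405 (`ec_GF2m_simple_mul`, `ec_GF2m_precompute_mult`, `ec_GF2m_have_precompute_mult`) duplicate the identical declarations that survive at new lines 397–399 just above them; they are compatible redeclarations so they compile, but the block under the second `/* method functions in ec2_mult.c */` comment should be dropped. The guard `#ifndef OPENSSL_EC_NISTP_64_GCC_128` on new line 407 also looks inverted: it hides the `ec_GFp_nistp224/256/521_*` and `ec_GFp_nistp_*` prototypes precisely when a macro of that name would normally enable that implementation, so unless the macro is an opt-out (ec_curve.c and ecp_nistp*.c are not visible here) this wants `#ifdef`, and the bare `#endif` at line 446 should say `#endif /* OPENSSL_EC_NISTP_64_GCC_128 */`. The `int flags;` inserted as the first member of `struct ec_method_st` (new line 93) shifts every positional `EC_METHOD` initializer in the library, which deserves a one-line warning there, e.g. `/* must stay first: positional EC_METHOD initializers in ecp_*.c and ec2_*.c depend on the member order */`.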
diff --git a/src/lib/libcrypto/ec/ec_lib.c b/src/lib/libcrypto/ec/ec_lib.c
index dd7da0fcf9..25247b5803 100644
--- a/src/lib/libcrypto/ec/ec_lib.c
+++ b/src/lib/libcrypto/ec/ec_lib.c
@@ -425,7 +425,7 @@ int EC_GROUP_get_curve_GFp(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *
425 return group->meth->group_get_curve(group, p, a, b, ctx); 425 return group->meth->group_get_curve(group, p, a, b, ctx);
426 } 426 }
427 427
428 428#ifndef OPENSSL_NO_EC2M
429int EC_GROUP_set_curve_GF2m(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) 429int EC_GROUP_set_curve_GF2m(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
430 { 430 {
431 if (group->meth->group_set_curve == 0) 431 if (group->meth->group_set_curve == 0)
@@ -446,7 +446,7 @@ int EC_GROUP_get_curve_GF2m(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM
446 } 446 }
447 return group->meth->group_get_curve(group, p, a, b, ctx); 447 return group->meth->group_get_curve(group, p, a, b, ctx);
448 } 448 }
449 449#endif
450 450
451int EC_GROUP_get_degree(const EC_GROUP *group) 451int EC_GROUP_get_degree(const EC_GROUP *group)
452 { 452 {
@@ -856,7 +856,7 @@ int EC_POINT_set_affine_coordinates_GFp(const EC_GROUP *group, EC_POINT *point,
856 return group->meth->point_set_affine_coordinates(group, point, x, y, ctx); 856 return group->meth->point_set_affine_coordinates(group, point, x, y, ctx);
857 } 857 }
858 858
859 859#ifndef OPENSSL_NO_EC2M
860int EC_POINT_set_affine_coordinates_GF2m(const EC_GROUP *group, EC_POINT *point, 860int EC_POINT_set_affine_coordinates_GF2m(const EC_GROUP *group, EC_POINT *point,
861 const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx) 861 const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx)
862 { 862 {
@@ -872,7 +872,7 @@ int EC_POINT_set_affine_coordinates_GF2m(const EC_GROUP *group, EC_POINT *point,
872 } 872 }
873 return group->meth->point_set_affine_coordinates(group, point, x, y, ctx); 873 return group->meth->point_set_affine_coordinates(group, point, x, y, ctx);
874 } 874 }
875 875#endif
876 876
877int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group, const EC_POINT *point, 877int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group, const EC_POINT *point,
878 BIGNUM *x, BIGNUM *y, BN_CTX *ctx) 878 BIGNUM *x, BIGNUM *y, BN_CTX *ctx)
@@ -890,7 +890,7 @@ int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group, const EC_POINT *p
890 return group->meth->point_get_affine_coordinates(group, point, x, y, ctx); 890 return group->meth->point_get_affine_coordinates(group, point, x, y, ctx);
891 } 891 }
892 892
893 893#ifndef OPENSSL_NO_EC2M
894int EC_POINT_get_affine_coordinates_GF2m(const EC_GROUP *group, const EC_POINT *point, 894int EC_POINT_get_affine_coordinates_GF2m(const EC_GROUP *group, const EC_POINT *point,
895 BIGNUM *x, BIGNUM *y, BN_CTX *ctx) 895 BIGNUM *x, BIGNUM *y, BN_CTX *ctx)
896 { 896 {
@@ -906,75 +906,7 @@ int EC_POINT_get_affine_coordinates_GF2m(const EC_GROUP *group, const EC_POINT *
906 } 906 }
907 return group->meth->point_get_affine_coordinates(group, point, x, y, ctx); 907 return group->meth->point_get_affine_coordinates(group, point, x, y, ctx);
908 } 908 }
909 909#endif
910
911int EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP *group, EC_POINT *point,
912 const BIGNUM *x, int y_bit, BN_CTX *ctx)
913 {
914 if (group->meth->point_set_compressed_coordinates == 0)
915 {
916 ECerr(EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GFP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
917 return 0;
918 }
919 if (group->meth != point->meth)
920 {
921 ECerr(EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GFP, EC_R_INCOMPATIBLE_OBJECTS);
922 return 0;
923 }
924 return group->meth->point_set_compressed_coordinates(group, point, x, y_bit, ctx);
925 }
926
927
928int EC_POINT_set_compressed_coordinates_GF2m(const EC_GROUP *group, EC_POINT *point,
929 const BIGNUM *x, int y_bit, BN_CTX *ctx)
930 {
931 if (group->meth->point_set_compressed_coordinates == 0)
932 {
933 ECerr(EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GF2M, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
934 return 0;
935 }
936 if (group->meth != point->meth)
937 {
938 ECerr(EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GF2M, EC_R_INCOMPATIBLE_OBJECTS);
939 return 0;
940 }
941 return group->meth->point_set_compressed_coordinates(group, point, x, y_bit, ctx);
942 }
943
944
945size_t EC_POINT_point2oct(const EC_GROUP *group, const EC_POINT *point, point_conversion_form_t form,
946 unsigned char *buf, size_t len, BN_CTX *ctx)
947 {
948 if (group->meth->point2oct == 0)
949 {
950 ECerr(EC_F_EC_POINT_POINT2OCT, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
951 return 0;
952 }
953 if (group->meth != point->meth)
954 {
955 ECerr(EC_F_EC_POINT_POINT2OCT, EC_R_INCOMPATIBLE_OBJECTS);
956 return 0;
957 }
958 return group->meth->point2oct(group, point, form, buf, len, ctx);
959 }
960
961
962int EC_POINT_oct2point(const EC_GROUP *group, EC_POINT *point,
963 const unsigned char *buf, size_t len, BN_CTX *ctx)
964 {
965 if (group->meth->oct2point == 0)
966 {
967 ECerr(EC_F_EC_POINT_OCT2POINT, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
968 return 0;
969 }
970 if (group->meth != point->meth)
971 {
972 ECerr(EC_F_EC_POINT_OCT2POINT, EC_R_INCOMPATIBLE_OBJECTS);
973 return 0;
974 }
975 return group->meth->oct2point(group, point, buf, len, ctx);
976 }
977
978 910
979int EC_POINT_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx) 911int EC_POINT_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx)
980 { 912 {
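Review bot: The wrappers deleted at old lines 911–977 held the only `group->meth->X == 0` guards and `group->meth != point->meth` compatibility checks for `EC_POINT_set_compressed_coordinates_GFp/GF2m`, `EC_POINT_point2oct` and `EC_POINT_oct2point`, and their replacement is not in this section; since the GFp method tables in this same commit now leave those three slots NULL and rely on `EC_FLAGS_DEFAULT_OCT`, the dispatcher that takes over must still test the slot for NULL when the flag is not set, otherwise a method that neither sets the flag nor fills the slot dereferences a null function pointer. The new `#ifndef OPENSSL_NO_EC2M` / `#endif` pairs (new lines 428/449, 859/875, 893/909) are unlabeled and each spans a whole function; `#endif /* OPENSSL_NO_EC2M */` would make them scannable. The matching prototypes in ec.h presumably need the same guard so a no-EC2M build fails at compile time rather than at link time, but that header is not visible here.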
diff --git a/src/lib/libcrypto/ec/ecp_mont.c b/src/lib/libcrypto/ec/ecp_mont.c
index 9fc4a466a5..079e47431b 100644
--- a/src/lib/libcrypto/ec/ecp_mont.c
+++ b/src/lib/libcrypto/ec/ecp_mont.c
@@ -63,12 +63,20 @@
63 63
64#include <openssl/err.h> 64#include <openssl/err.h>
65 65
66#ifdef OPENSSL_FIPS
67#include <openssl/fips.h>
68#endif
69
66#include "ec_lcl.h" 70#include "ec_lcl.h"
67 71
68 72
69const EC_METHOD *EC_GFp_mont_method(void) 73const EC_METHOD *EC_GFp_mont_method(void)
70 { 74 {
75#ifdef OPENSSL_FIPS
76 return fips_ec_gfp_mont_method();
77#else
71 static const EC_METHOD ret = { 78 static const EC_METHOD ret = {
79 EC_FLAGS_DEFAULT_OCT,
72 NID_X9_62_prime_field, 80 NID_X9_62_prime_field,
73 ec_GFp_mont_group_init, 81 ec_GFp_mont_group_init,
74 ec_GFp_mont_group_finish, 82 ec_GFp_mont_group_finish,
@@ -87,9 +95,7 @@ const EC_METHOD *EC_GFp_mont_method(void)
87 ec_GFp_simple_get_Jprojective_coordinates_GFp, 95 ec_GFp_simple_get_Jprojective_coordinates_GFp,
88 ec_GFp_simple_point_set_affine_coordinates, 96 ec_GFp_simple_point_set_affine_coordinates,
89 ec_GFp_simple_point_get_affine_coordinates, 97 ec_GFp_simple_point_get_affine_coordinates,
90 ec_GFp_simple_set_compressed_coordinates, 98 0,0,0,
91 ec_GFp_simple_point2oct,
92 ec_GFp_simple_oct2point,
93 ec_GFp_simple_add, 99 ec_GFp_simple_add,
94 ec_GFp_simple_dbl, 100 ec_GFp_simple_dbl,
95 ec_GFp_simple_invert, 101 ec_GFp_simple_invert,
@@ -108,7 +114,9 @@ const EC_METHOD *EC_GFp_mont_method(void)
108 ec_GFp_mont_field_decode, 114 ec_GFp_mont_field_decode,
109 ec_GFp_mont_field_set_to_one }; 115 ec_GFp_mont_field_set_to_one };
110 116
117
111 return &ret; 118 return &ret;
119#endif
112 } 120 }
113 121
114 122
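Review bot: The positional `0,0,0,` at new line 98 replaces three named function pointers with nothing that says which slots they are, and because `struct ec_method_st` also gains a leading `flags` member in this commit, a reader of this table cannot confirm its alignment without the header open; suggest `0, 0, 0, /* point_set_compressed_coordinates, point2oct, oct2point: defaults via EC_FLAGS_DEFAULT_OCT */`. Under `OPENSSL_FIPS` the function now returns `fips_ec_gfp_mont_method()` at line 76 before the static table is reached, so the entire `ret` initializer is dead code in that configuration, which is fine but worth a comment next to the `#else`. The extra blank line introduced at new line 117 should be dropped.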
diff --git a/src/lib/libcrypto/ec/ecp_nist.c b/src/lib/libcrypto/ec/ecp_nist.c
index 2a5682ea41..aad2d5f443 100644
--- a/src/lib/libcrypto/ec/ecp_nist.c
+++ b/src/lib/libcrypto/ec/ecp_nist.c
@@ -67,9 +67,17 @@
67#include <openssl/obj_mac.h> 67#include <openssl/obj_mac.h>
68#include "ec_lcl.h" 68#include "ec_lcl.h"
69 69
70#ifdef OPENSSL_FIPS
71#include <openssl/fips.h>
72#endif
73
70const EC_METHOD *EC_GFp_nist_method(void) 74const EC_METHOD *EC_GFp_nist_method(void)
71 { 75 {
76#ifdef OPENSSL_FIPS
77 return fips_ec_gfp_nist_method();
78#else
72 static const EC_METHOD ret = { 79 static const EC_METHOD ret = {
80 EC_FLAGS_DEFAULT_OCT,
73 NID_X9_62_prime_field, 81 NID_X9_62_prime_field,
74 ec_GFp_simple_group_init, 82 ec_GFp_simple_group_init,
75 ec_GFp_simple_group_finish, 83 ec_GFp_simple_group_finish,
@@ -88,9 +96,7 @@ const EC_METHOD *EC_GFp_nist_method(void)
88 ec_GFp_simple_get_Jprojective_coordinates_GFp, 96 ec_GFp_simple_get_Jprojective_coordinates_GFp,
89 ec_GFp_simple_point_set_affine_coordinates, 97 ec_GFp_simple_point_set_affine_coordinates,
90 ec_GFp_simple_point_get_affine_coordinates, 98 ec_GFp_simple_point_get_affine_coordinates,
91 ec_GFp_simple_set_compressed_coordinates, 99 0,0,0,
92 ec_GFp_simple_point2oct,
93 ec_GFp_simple_oct2point,
94 ec_GFp_simple_add, 100 ec_GFp_simple_add,
95 ec_GFp_simple_dbl, 101 ec_GFp_simple_dbl,
96 ec_GFp_simple_invert, 102 ec_GFp_simple_invert,
@@ -110,6 +116,7 @@ const EC_METHOD *EC_GFp_nist_method(void)
110 0 /* field_set_to_one */ }; 116 0 /* field_set_to_one */ };
111 117
112 return &ret; 118 return &ret;
119#endif
113 } 120 }
114 121
115int ec_GFp_nist_group_copy(EC_GROUP *dest, const EC_GROUP *src) 122int ec_GFp_nist_group_copy(EC_GROUP *dest, const EC_GROUP *src)
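Review bot: The three NULL slots written as `0,0,0,` at new line 99 do not follow the file's own convention, visible at line 116 where the last slot is annotated `0 /* field_set_to_one */`; with a new `flags` member now at the head of `struct ec_method_st`, unannotated positional zeros make the table hard to audit, so write `0, 0, 0, /* point_set_compressed_coordinates, point2oct, oct2point (EC_FLAGS_DEFAULT_OCT) */`. The `#ifdef OPENSSL_FIPS` early return at line 77 makes the static table below unreachable in FIPS builds; a short comment at the `#else` saying the non-FIPS table follows would save the next reader a double take.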
diff --git a/src/lib/libcrypto/ec/ecp_smpl.c b/src/lib/libcrypto/ec/ecp_smpl.c
index 66a92e2a90..7cbb321f9a 100644
--- a/src/lib/libcrypto/ec/ecp_smpl.c
+++ b/src/lib/libcrypto/ec/ecp_smpl.c
@@ -65,11 +65,19 @@
65#include <openssl/err.h> 65#include <openssl/err.h>
66#include <openssl/symhacks.h> 66#include <openssl/symhacks.h>
67 67
68#ifdef OPENSSL_FIPS
69#include <openssl/fips.h>
70#endif
71
68#include "ec_lcl.h" 72#include "ec_lcl.h"
69 73
70const EC_METHOD *EC_GFp_simple_method(void) 74const EC_METHOD *EC_GFp_simple_method(void)
71 { 75 {
76#ifdef OPENSSL_FIPS
77 return fips_ec_gfp_simple_method();
78#else
72 static const EC_METHOD ret = { 79 static const EC_METHOD ret = {
80 EC_FLAGS_DEFAULT_OCT,
73 NID_X9_62_prime_field, 81 NID_X9_62_prime_field,
74 ec_GFp_simple_group_init, 82 ec_GFp_simple_group_init,
75 ec_GFp_simple_group_finish, 83 ec_GFp_simple_group_finish,
@@ -88,9 +96,7 @@ const EC_METHOD *EC_GFp_simple_method(void)
88 ec_GFp_simple_get_Jprojective_coordinates_GFp, 96 ec_GFp_simple_get_Jprojective_coordinates_GFp,
89 ec_GFp_simple_point_set_affine_coordinates, 97 ec_GFp_simple_point_set_affine_coordinates,
90 ec_GFp_simple_point_get_affine_coordinates, 98 ec_GFp_simple_point_get_affine_coordinates,
91 ec_GFp_simple_set_compressed_coordinates, 99 0,0,0,
92 ec_GFp_simple_point2oct,
93 ec_GFp_simple_oct2point,
94 ec_GFp_simple_add, 100 ec_GFp_simple_add,
95 ec_GFp_simple_dbl, 101 ec_GFp_simple_dbl,
96 ec_GFp_simple_invert, 102 ec_GFp_simple_invert,
@@ -110,6 +116,7 @@ const EC_METHOD *EC_GFp_simple_method(void)
110 0 /* field_set_to_one */ }; 116 0 /* field_set_to_one */ };
111 117
112 return &ret; 118 return &ret;
119#endif
113 } 120 }
114 121
115 122
@@ -633,372 +640,6 @@ int ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP *group, const EC_P
633 return ret; 640 return ret;
634 } 641 }
635 642
636
637int ec_GFp_simple_set_compressed_coordinates(const EC_GROUP *group, EC_POINT *point,
638 const BIGNUM *x_, int y_bit, BN_CTX *ctx)
639 {
640 BN_CTX *new_ctx = NULL;
641 BIGNUM *tmp1, *tmp2, *x, *y;
642 int ret = 0;
643
644 /* clear error queue*/
645 ERR_clear_error();
646
647 if (ctx == NULL)
648 {
649 ctx = new_ctx = BN_CTX_new();
650 if (ctx == NULL)
651 return 0;
652 }
653
654 y_bit = (y_bit != 0);
655
656 BN_CTX_start(ctx);
657 tmp1 = BN_CTX_get(ctx);
658 tmp2 = BN_CTX_get(ctx);
659 x = BN_CTX_get(ctx);
660 y = BN_CTX_get(ctx);
661 if (y == NULL) goto err;
662
663 /* Recover y. We have a Weierstrass equation
664 * y^2 = x^3 + a*x + b,
665 * so y is one of the square roots of x^3 + a*x + b.
666 */
667
668 /* tmp1 := x^3 */
669 if (!BN_nnmod(x, x_, &group->field,ctx)) goto err;
670 if (group->meth->field_decode == 0)
671 {
672 /* field_{sqr,mul} work on standard representation */
673 if (!group->meth->field_sqr(group, tmp2, x_, ctx)) goto err;
674 if (!group->meth->field_mul(group, tmp1, tmp2, x_, ctx)) goto err;
675 }
676 else
677 {
678 if (!BN_mod_sqr(tmp2, x_, &group->field, ctx)) goto err;
679 if (!BN_mod_mul(tmp1, tmp2, x_, &group->field, ctx)) goto err;
680 }
681
682 /* tmp1 := tmp1 + a*x */
683 if (group->a_is_minus3)
684 {
685 if (!BN_mod_lshift1_quick(tmp2, x, &group->field)) goto err;
686 if (!BN_mod_add_quick(tmp2, tmp2, x, &group->field)) goto err;
687 if (!BN_mod_sub_quick(tmp1, tmp1, tmp2, &group->field)) goto err;
688 }
689 else
690 {
691 if (group->meth->field_decode)
692 {
693 if (!group->meth->field_decode(group, tmp2, &group->a, ctx)) goto err;
694 if (!BN_mod_mul(tmp2, tmp2, x, &group->field, ctx)) goto err;
695 }
696 else
697 {
698 /* field_mul works on standard representation */
699 if (!group->meth->field_mul(group, tmp2, &group->a, x, ctx)) goto err;
700 }
701
702 if (!BN_mod_add_quick(tmp1, tmp1, tmp2, &group->field)) goto err;
703 }
704
705 /* tmp1 := tmp1 + b */
706 if (group->meth->field_decode)
707 {
708 if (!group->meth->field_decode(group, tmp2, &group->b, ctx)) goto err;
709 if (!BN_mod_add_quick(tmp1, tmp1, tmp2, &group->field)) goto err;
710 }
711 else
712 {
713 if (!BN_mod_add_quick(tmp1, tmp1, &group->b, &group->field)) goto err;
714 }
715
716 if (!BN_mod_sqrt(y, tmp1, &group->field, ctx))
717 {
718 unsigned long err = ERR_peek_last_error();
719
720 if (ERR_GET_LIB(err) == ERR_LIB_BN && ERR_GET_REASON(err) == BN_R_NOT_A_SQUARE)
721 {
722 ERR_clear_error();
723 ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES, EC_R_INVALID_COMPRESSED_POINT);
724 }
725 else
726 ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES, ERR_R_BN_LIB);
727 goto err;
728 }
729
730 if (y_bit != BN_is_odd(y))
731 {
732 if (BN_is_zero(y))
733 {
734 int kron;
735
736 kron = BN_kronecker(x, &group->field, ctx);
737 if (kron == -2) goto err;
738
739 if (kron == 1)
740 ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES, EC_R_INVALID_COMPRESSION_BIT);
741 else
742 /* BN_mod_sqrt() should have cought this error (not a square) */
743 ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES, EC_R_INVALID_COMPRESSED_POINT);
744 goto err;
745 }
746 if (!BN_usub(y, &group->field, y)) goto err;
747 }
748 if (y_bit != BN_is_odd(y))
749 {
750 ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES, ERR_R_INTERNAL_ERROR);
751 goto err;
752 }
753
754 if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx)) goto err;
755
756 ret = 1;
757
758 err:
759 BN_CTX_end(ctx);
760 if (new_ctx != NULL)
761 BN_CTX_free(new_ctx);
762 return ret;
763 }
764
765
766size_t ec_GFp_simple_point2oct(const EC_GROUP *group, const EC_POINT *point, point_conversion_form_t form,
767 unsigned char *buf, size_t len, BN_CTX *ctx)
768 {
769 size_t ret;
770 BN_CTX *new_ctx = NULL;
771 int used_ctx = 0;
772 BIGNUM *x, *y;
773 size_t field_len, i, skip;
774
775 if ((form != POINT_CONVERSION_COMPRESSED)
776 && (form != POINT_CONVERSION_UNCOMPRESSED)
777 && (form != POINT_CONVERSION_HYBRID))
778 {
779 ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, EC_R_INVALID_FORM);
780 goto err;
781 }
782
783 if (EC_POINT_is_at_infinity(group, point))
784 {
785 /* encodes to a single 0 octet */
786 if (buf != NULL)
787 {
788 if (len < 1)
789 {
790 ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, EC_R_BUFFER_TOO_SMALL);
791 return 0;
792 }
793 buf[0] = 0;
794 }
795 return 1;
796 }
797
798
799 /* ret := required output buffer length */
800 field_len = BN_num_bytes(&group->field);
801 ret = (form == POINT_CONVERSION_COMPRESSED) ? 1 + field_len : 1 + 2*field_len;
802
803 /* if 'buf' is NULL, just return required length */
804 if (buf != NULL)
805 {
806 if (len < ret)
807 {
808 ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, EC_R_BUFFER_TOO_SMALL);
809 goto err;
810 }
811
812 if (ctx == NULL)
813 {
814 ctx = new_ctx = BN_CTX_new();
815 if (ctx == NULL)
816 return 0;
817 }
818
819 BN_CTX_start(ctx);
820 used_ctx = 1;
821 x = BN_CTX_get(ctx);
822 y = BN_CTX_get(ctx);
823 if (y == NULL) goto err;
824
825 if (!EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx)) goto err;
826
827 if ((form == POINT_CONVERSION_COMPRESSED || form == POINT_CONVERSION_HYBRID) && BN_is_odd(y))
828 buf[0] = form + 1;
829 else
830 buf[0] = form;
831
832 i = 1;
833
834 skip = field_len - BN_num_bytes(x);
835 if (skip > field_len)
836 {
837 ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
838 goto err;
839 }
840 while (skip > 0)
841 {
842 buf[i++] = 0;
843 skip--;
844 }
845 skip = BN_bn2bin(x, buf + i);
846 i += skip;
847 if (i != 1 + field_len)
848 {
849 ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
850 goto err;
851 }
852
853 if (form == POINT_CONVERSION_UNCOMPRESSED || form == POINT_CONVERSION_HYBRID)
854 {
855 skip = field_len - BN_num_bytes(y);
856 if (skip > field_len)
857 {
858 ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
859 goto err;
860 }
861 while (skip > 0)
862 {
863 buf[i++] = 0;
864 skip--;
865 }
866 skip = BN_bn2bin(y, buf + i);
867 i += skip;
868 }
869
870 if (i != ret)
871 {
872 ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
873 goto err;
874 }
875 }
876
877 if (used_ctx)
878 BN_CTX_end(ctx);
879 if (new_ctx != NULL)
880 BN_CTX_free(new_ctx);
881 return ret;
882
883 err:
884 if (used_ctx)
885 BN_CTX_end(ctx);
886 if (new_ctx != NULL)
887 BN_CTX_free(new_ctx);
888 return 0;
889 }
890
891
892int ec_GFp_simple_oct2point(const EC_GROUP *group, EC_POINT *point,
893 const unsigned char *buf, size_t len, BN_CTX *ctx)
894 {
895 point_conversion_form_t form;
896 int y_bit;
897 BN_CTX *new_ctx = NULL;
898 BIGNUM *x, *y;
899 size_t field_len, enc_len;
900 int ret = 0;
901
902 if (len == 0)
903 {
904 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_BUFFER_TOO_SMALL);
905 return 0;
906 }
907 form = buf[0];
908 y_bit = form & 1;
909 form = form & ~1U;
910 if ((form != 0) && (form != POINT_CONVERSION_COMPRESSED)
911 && (form != POINT_CONVERSION_UNCOMPRESSED)
912 && (form != POINT_CONVERSION_HYBRID))
913 {
914 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
915 return 0;
916 }
917 if ((form == 0 || form == POINT_CONVERSION_UNCOMPRESSED) && y_bit)
918 {
919 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
920 return 0;
921 }
922
923 if (form == 0)
924 {
925 if (len != 1)
926 {
927 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
928 return 0;
929 }
930
931 return EC_POINT_set_to_infinity(group, point);
932 }
933
934 field_len = BN_num_bytes(&group->field);
935 enc_len = (form == POINT_CONVERSION_COMPRESSED) ? 1 + field_len : 1 + 2*field_len;
936
937 if (len != enc_len)
938 {
939 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
940 return 0;
941 }
942
943 if (ctx == NULL)
944 {
945 ctx = new_ctx = BN_CTX_new();
946 if (ctx == NULL)
947 return 0;
948 }
949
950 BN_CTX_start(ctx);
951 x = BN_CTX_get(ctx);
952 y = BN_CTX_get(ctx);
953 if (y == NULL) goto err;
954
955 if (!BN_bin2bn(buf + 1, field_len, x)) goto err;
956 if (BN_ucmp(x, &group->field) >= 0)
957 {
958 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
959 goto err;
960 }
961
962 if (form == POINT_CONVERSION_COMPRESSED)
963 {
964 if (!EC_POINT_set_compressed_coordinates_GFp(group, point, x, y_bit, ctx)) goto err;
965 }
966 else
967 {
968 if (!BN_bin2bn(buf + 1 + field_len, field_len, y)) goto err;
969 if (BN_ucmp(y, &group->field) >= 0)
970 {
971 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
972 goto err;
973 }
974 if (form == POINT_CONVERSION_HYBRID)
975 {
976 if (y_bit != BN_is_odd(y))
977 {
978 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
979 goto err;
980 }
981 }
982
983 if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx)) goto err;
984 }
985
986 if (!EC_POINT_is_on_curve(group, point, ctx)) /* test required by X9.62 */
987 {
988 ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_POINT_IS_NOT_ON_CURVE);
989 goto err;
990 }
991
992 ret = 1;
993
994 err:
995 BN_CTX_end(ctx);
996 if (new_ctx != NULL)
997 BN_CTX_free(new_ctx);
998 return ret;
999 }
1000
1001
1002int ec_GFp_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx) 643int ec_GFp_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx)
1003 { 644 {
1004 int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *); 645 int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
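Review bot: The X9.62 on-curve check that `ec_GFp_simple_oct2point` performed (old line 986, `EC_POINT_is_on_curve` → `EC_R_POINT_IS_NOT_ON_CURVE`) and the `BN_ucmp(x, &group->field) >= 0` / `BN_ucmp(y, &group->field) >= 0` range checks on decoded coordinates (old lines 956 and 969) leave this file with the removed block, and their new home is not in this section; since `oct2point` is the entry point for attacker-supplied public keys, please confirm the relocated decoder keeps both checks and the `form`/`y_bit` validation at old lines 907–921. If the body was moved verbatim, note that the removed `ec_GFp_simple_set_compressed_coordinates` reduced `x = x_ mod p` at old line 669 but then squared and multiplied the unreduced `x_` at old lines 673–679 rather than `x`; the moved copy should use `x` consistently so an out-of-range input cannot reach `field_sqr`/`field_mul`. In the new method table, the `0,0,0,` at new line 99 should be annotated like the existing `0 /* field_set_to_one */` at line 116, e.g. `0, 0, 0, /* point_set_compressed_coordinates, point2oct, oct2point: defaults via EC_FLAGS_DEFAULT_OCT */`.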
diff --git a/src/lib/libcrypto/ec/ectest.c b/src/lib/libcrypto/ec/ectest.c
index 7509cb9c7c..f107782de0 100644
--- a/src/lib/libcrypto/ec/ectest.c
+++ b/src/lib/libcrypto/ec/ectest.c
@@ -94,6 +94,7 @@ int main(int argc, char * argv[]) { puts("Elliptic curves are disabled."); retur
94#include <openssl/objects.h> 94#include <openssl/objects.h>
95#include <openssl/rand.h> 95#include <openssl/rand.h>
96#include <openssl/bn.h> 96#include <openssl/bn.h>
97#include <openssl/opensslconf.h>
97 98
98#if defined(_MSC_VER) && defined(_MIPS_) && (_MSC_VER/100==12) 99#if defined(_MSC_VER) && defined(_MIPS_) && (_MSC_VER/100==12)
99/* suppress "too big too optimize" warning */ 100/* suppress "too big too optimize" warning */
@@ -107,10 +108,6 @@ int main(int argc, char * argv[]) { puts("Elliptic curves are disabled."); retur
107 EXIT(1); \ 108 EXIT(1); \
108} while (0) 109} while (0)
109 110
110void prime_field_tests(void);
111void char2_field_tests(void);
112void internal_curve_test(void);
113
114#define TIMING_BASE_PT 0 111#define TIMING_BASE_PT 0
115#define TIMING_RAND_PT 1 112#define TIMING_RAND_PT 1
116#define TIMING_SIMUL 2 113#define TIMING_SIMUL 2
@@ -195,7 +192,50 @@ static void timings(EC_GROUP *group, int type, BN_CTX *ctx)
195 } 192 }
196#endif 193#endif
197 194
198void prime_field_tests() 195/* test multiplication with group order, long and negative scalars */
196static void group_order_tests(EC_GROUP *group)
197 {
198 BIGNUM *n1, *n2, *order;
199 EC_POINT *P = EC_POINT_new(group);
200 EC_POINT *Q = EC_POINT_new(group);
201 BN_CTX *ctx = BN_CTX_new();
202
203 n1 = BN_new(); n2 = BN_new(); order = BN_new();
204 fprintf(stdout, "verify group order ...");
205 fflush(stdout);
206 if (!EC_GROUP_get_order(group, order, ctx)) ABORT;
207 if (!EC_POINT_mul(group, Q, order, NULL, NULL, ctx)) ABORT;
208 if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
209 fprintf(stdout, ".");
210 fflush(stdout);
211 if (!EC_GROUP_precompute_mult(group, ctx)) ABORT;
212 if (!EC_POINT_mul(group, Q, order, NULL, NULL, ctx)) ABORT;
213 if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
214 fprintf(stdout, " ok\n");
215 fprintf(stdout, "long/negative scalar tests ... ");
216 if (!BN_one(n1)) ABORT;
217 /* n1 = 1 - order */
218 if (!BN_sub(n1, n1, order)) ABORT;
219 if(!EC_POINT_mul(group, Q, NULL, P, n1, ctx)) ABORT;
220 if (0 != EC_POINT_cmp(group, Q, P, ctx)) ABORT;
221 /* n2 = 1 + order */
222 if (!BN_add(n2, order, BN_value_one())) ABORT;
223 if(!EC_POINT_mul(group, Q, NULL, P, n2, ctx)) ABORT;
224 if (0 != EC_POINT_cmp(group, Q, P, ctx)) ABORT;
225 /* n2 = (1 - order) * (1 + order) */
226 if (!BN_mul(n2, n1, n2, ctx)) ABORT;
227 if(!EC_POINT_mul(group, Q, NULL, P, n2, ctx)) ABORT;
228 if (0 != EC_POINT_cmp(group, Q, P, ctx)) ABORT;
229 fprintf(stdout, "ok\n");
230 EC_POINT_free(P);
231 EC_POINT_free(Q);
232 BN_free(n1);
233 BN_free(n2);
234 BN_free(order);
235 BN_CTX_free(ctx);
236 }
237
238static void prime_field_tests(void)
199 { 239 {
200 BN_CTX *ctx = NULL; 240 BN_CTX *ctx = NULL;
201 BIGNUM *p, *a, *b; 241 BIGNUM *p, *a, *b;
@@ -321,21 +361,21 @@ void prime_field_tests()
321 if (len == 0) ABORT; 361 if (len == 0) ABORT;
322 if (!EC_POINT_oct2point(group, P, buf, len, ctx)) ABORT; 362 if (!EC_POINT_oct2point(group, P, buf, len, ctx)) ABORT;
323 if (0 != EC_POINT_cmp(group, P, Q, ctx)) ABORT; 363 if (0 != EC_POINT_cmp(group, P, Q, ctx)) ABORT;
324 fprintf(stdout, "Generator as octect string, compressed form:\n "); 364 fprintf(stdout, "Generator as octet string, compressed form:\n ");
325 for (i = 0; i < len; i++) fprintf(stdout, "%02X", buf[i]); 365 for (i = 0; i < len; i++) fprintf(stdout, "%02X", buf[i]);
326 366
327 len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_UNCOMPRESSED, buf, sizeof buf, ctx); 367 len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_UNCOMPRESSED, buf, sizeof buf, ctx);
328 if (len == 0) ABORT; 368 if (len == 0) ABORT;
329 if (!EC_POINT_oct2point(group, P, buf, len, ctx)) ABORT; 369 if (!EC_POINT_oct2point(group, P, buf, len, ctx)) ABORT;
330 if (0 != EC_POINT_cmp(group, P, Q, ctx)) ABORT; 370 if (0 != EC_POINT_cmp(group, P, Q, ctx)) ABORT;
331 fprintf(stdout, "\nGenerator as octect string, uncompressed form:\n "); 371 fprintf(stdout, "\nGenerator as octet string, uncompressed form:\n ");
332 for (i = 0; i < len; i++) fprintf(stdout, "%02X", buf[i]); 372 for (i = 0; i < len; i++) fprintf(stdout, "%02X", buf[i]);
333 373
334 len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_HYBRID, buf, sizeof buf, ctx); 374 len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_HYBRID, buf, sizeof buf, ctx);
335 if (len == 0) ABORT; 375 if (len == 0) ABORT;
336 if (!EC_POINT_oct2point(group, P, buf, len, ctx)) ABORT; 376 if (!EC_POINT_oct2point(group, P, buf, len, ctx)) ABORT;
337 if (0 != EC_POINT_cmp(group, P, Q, ctx)) ABORT; 377 if (0 != EC_POINT_cmp(group, P, Q, ctx)) ABORT;
338 fprintf(stdout, "\nGenerator as octect string, hybrid form:\n "); 378 fprintf(stdout, "\nGenerator as octet string, hybrid form:\n ");
339 for (i = 0; i < len; i++) fprintf(stdout, "%02X", buf[i]); 379 for (i = 0; i < len; i++) fprintf(stdout, "%02X", buf[i]);
340 380
341 if (!EC_POINT_get_Jprojective_coordinates_GFp(group, R, x, y, z, ctx)) ABORT; 381 if (!EC_POINT_get_Jprojective_coordinates_GFp(group, R, x, y, z, ctx)) ABORT;
@@ -381,17 +421,7 @@ void prime_field_tests()
381 if (EC_GROUP_get_degree(group) != 160) ABORT; 421 if (EC_GROUP_get_degree(group) != 160) ABORT;
382 fprintf(stdout, " ok\n"); 422 fprintf(stdout, " ok\n");
383 423
384 fprintf(stdout, "verify group order ..."); 424 group_order_tests(group);
385 fflush(stdout);
386 if (!EC_GROUP_get_order(group, z, ctx)) ABORT;
387 if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
388 if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
389 fprintf(stdout, ".");
390 fflush(stdout);
391 if (!EC_GROUP_precompute_mult(group, ctx)) ABORT;
392 if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
393 if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
394 fprintf(stdout, " ok\n");
395 425
396 if (!(P_160 = EC_GROUP_new(EC_GROUP_method_of(group)))) ABORT; 426 if (!(P_160 = EC_GROUP_new(EC_GROUP_method_of(group)))) ABORT;
397 if (!EC_GROUP_copy(P_160, group)) ABORT; 427 if (!EC_GROUP_copy(P_160, group)) ABORT;
@@ -425,17 +455,7 @@ void prime_field_tests()
425 if (EC_GROUP_get_degree(group) != 192) ABORT; 455 if (EC_GROUP_get_degree(group) != 192) ABORT;
426 fprintf(stdout, " ok\n"); 456 fprintf(stdout, " ok\n");
427 457
428 fprintf(stdout, "verify group order ..."); 458 group_order_tests(group);
429 fflush(stdout);
430 if (!EC_GROUP_get_order(group, z, ctx)) ABORT;
431 if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
432 if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
433 fprintf(stdout, ".");
434 fflush(stdout);
435 if (!EC_GROUP_precompute_mult(group, ctx)) ABORT;
436 if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
437 if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
438 fprintf(stdout, " ok\n");
439 459
440 if (!(P_192 = EC_GROUP_new(EC_GROUP_method_of(group)))) ABORT; 460 if (!(P_192 = EC_GROUP_new(EC_GROUP_method_of(group)))) ABORT;
441 if (!EC_GROUP_copy(P_192, group)) ABORT; 461 if (!EC_GROUP_copy(P_192, group)) ABORT;
@@ -469,17 +489,7 @@ void prime_field_tests()
469 if (EC_GROUP_get_degree(group) != 224) ABORT; 489 if (EC_GROUP_get_degree(group) != 224) ABORT;
470 fprintf(stdout, " ok\n"); 490 fprintf(stdout, " ok\n");
471 491
472 fprintf(stdout, "verify group order ..."); 492 group_order_tests(group);
473 fflush(stdout);
474 if (!EC_GROUP_get_order(group, z, ctx)) ABORT;
475 if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
476 if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
477 fprintf(stdout, ".");
478 fflush(stdout);
479 if (!EC_GROUP_precompute_mult(group, ctx)) ABORT;
480 if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
481 if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
482 fprintf(stdout, " ok\n");
483 493
484 if (!(P_224 = EC_GROUP_new(EC_GROUP_method_of(group)))) ABORT; 494 if (!(P_224 = EC_GROUP_new(EC_GROUP_method_of(group)))) ABORT;
485 if (!EC_GROUP_copy(P_224, group)) ABORT; 495 if (!EC_GROUP_copy(P_224, group)) ABORT;
@@ -514,17 +524,7 @@ void prime_field_tests()
514 if (EC_GROUP_get_degree(group) != 256) ABORT; 524 if (EC_GROUP_get_degree(group) != 256) ABORT;
515 fprintf(stdout, " ok\n"); 525 fprintf(stdout, " ok\n");
516 526
517 fprintf(stdout, "verify group order ..."); 527 group_order_tests(group);
518 fflush(stdout);
519 if (!EC_GROUP_get_order(group, z, ctx)) ABORT;
520 if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
521 if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
522 fprintf(stdout, ".");
523 fflush(stdout);
524 if (!EC_GROUP_precompute_mult(group, ctx)) ABORT;
525 if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
526 if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
527 fprintf(stdout, " ok\n");
528 528
529 if (!(P_256 = EC_GROUP_new(EC_GROUP_method_of(group)))) ABORT; 529 if (!(P_256 = EC_GROUP_new(EC_GROUP_method_of(group)))) ABORT;
530 if (!EC_GROUP_copy(P_256, group)) ABORT; 530 if (!EC_GROUP_copy(P_256, group)) ABORT;
@@ -563,18 +563,8 @@ void prime_field_tests()
563 fprintf(stdout, "verify degree ..."); 563 fprintf(stdout, "verify degree ...");
564 if (EC_GROUP_get_degree(group) != 384) ABORT; 564 if (EC_GROUP_get_degree(group) != 384) ABORT;
565 fprintf(stdout, " ok\n"); 565 fprintf(stdout, " ok\n");
566 566
567 fprintf(stdout, "verify group order ..."); 567 group_order_tests(group);
568 fflush(stdout);
569 if (!EC_GROUP_get_order(group, z, ctx)) ABORT;
570 if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
571 if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
572 fprintf(stdout, ".");
573 fflush(stdout);
574 if (!EC_GROUP_precompute_mult(group, ctx)) ABORT;
575 if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
576 if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
577 fprintf(stdout, " ok\n");
578 568
579 if (!(P_384 = EC_GROUP_new(EC_GROUP_method_of(group)))) ABORT; 569 if (!(P_384 = EC_GROUP_new(EC_GROUP_method_of(group)))) ABORT;
580 if (!EC_GROUP_copy(P_384, group)) ABORT; 570 if (!EC_GROUP_copy(P_384, group)) ABORT;
@@ -619,18 +609,8 @@ void prime_field_tests()
619 fprintf(stdout, "verify degree ..."); 609 fprintf(stdout, "verify degree ...");
620 if (EC_GROUP_get_degree(group) != 521) ABORT; 610 if (EC_GROUP_get_degree(group) != 521) ABORT;
621 fprintf(stdout, " ok\n"); 611 fprintf(stdout, " ok\n");
622 612
623 fprintf(stdout, "verify group order ..."); 613 group_order_tests(group);
624 fflush(stdout);
625 if (!EC_GROUP_get_order(group, z, ctx)) ABORT;
626 if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
627 if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
628 fprintf(stdout, ".");
629 fflush(stdout);
630 if (!EC_GROUP_precompute_mult(group, ctx)) ABORT;
631 if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
632 if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
633 fprintf(stdout, " ok\n");
634 614
635 if (!(P_521 = EC_GROUP_new(EC_GROUP_method_of(group)))) ABORT; 615 if (!(P_521 = EC_GROUP_new(EC_GROUP_method_of(group)))) ABORT;
636 if (!EC_GROUP_copy(P_521, group)) ABORT; 616 if (!EC_GROUP_copy(P_521, group)) ABORT;
@@ -659,6 +639,7 @@ void prime_field_tests()
659 points[2] = Q; 639 points[2] = Q;
660 points[3] = Q; 640 points[3] = Q;
661 641
642 if (!EC_GROUP_get_order(group, z, ctx)) ABORT;
662 if (!BN_add(y, z, BN_value_one())) ABORT; 643 if (!BN_add(y, z, BN_value_one())) ABORT;
663 if (BN_is_odd(y)) ABORT; 644 if (BN_is_odd(y)) ABORT;
664 if (!BN_rshift1(y, y)) ABORT; 645 if (!BN_rshift1(y, y)) ABORT;
@@ -792,22 +773,14 @@ void prime_field_tests()
792 fprintf(stdout, "verify degree ..."); \ 773 fprintf(stdout, "verify degree ..."); \
793 if (EC_GROUP_get_degree(group) != _degree) ABORT; \ 774 if (EC_GROUP_get_degree(group) != _degree) ABORT; \
794 fprintf(stdout, " ok\n"); \ 775 fprintf(stdout, " ok\n"); \
795 fprintf(stdout, "verify group order ..."); \ 776 group_order_tests(group); \
796 fflush(stdout); \
797 if (!EC_GROUP_get_order(group, z, ctx)) ABORT; \
798 if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT; \
799 if (!EC_POINT_is_at_infinity(group, Q)) ABORT; \
800 fprintf(stdout, "."); \
801 fflush(stdout); \
802 if (!EC_GROUP_precompute_mult(group, ctx)) ABORT; \
803 if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT; \
804 if (!EC_POINT_is_at_infinity(group, Q)) ABORT; \
805 fprintf(stdout, " ok\n"); \
806 if (!(_variable = EC_GROUP_new(EC_GROUP_method_of(group)))) ABORT; \ 777 if (!(_variable = EC_GROUP_new(EC_GROUP_method_of(group)))) ABORT; \
807 if (!EC_GROUP_copy(_variable, group)) ABORT; 778 if (!EC_GROUP_copy(_variable, group)) ABORT; \
808 779
809void char2_field_tests() 780#ifndef OPENSSL_NO_EC2M
810 { 781
782static void char2_field_tests(void)
783 {
811 BN_CTX *ctx = NULL; 784 BN_CTX *ctx = NULL;
812 BIGNUM *p, *a, *b; 785 BIGNUM *p, *a, *b;
813 EC_GROUP *group; 786 EC_GROUP *group;
@@ -1239,8 +1212,9 @@ void char2_field_tests()
1239 if (C2_B571) EC_GROUP_free(C2_B571); 1212 if (C2_B571) EC_GROUP_free(C2_B571);
1240 1213
1241 } 1214 }
1215#endif
1242 1216
1243void internal_curve_test(void) 1217static void internal_curve_test(void)
1244 { 1218 {
1245 EC_builtin_curve *curves = NULL; 1219 EC_builtin_curve *curves = NULL;
1246 size_t crv_len = 0, n = 0; 1220 size_t crv_len = 0, n = 0;
@@ -1287,13 +1261,189 @@ void internal_curve_test(void)
1287 EC_GROUP_free(group); 1261 EC_GROUP_free(group);
1288 } 1262 }
1289 if (ok) 1263 if (ok)
1290 fprintf(stdout, " ok\n"); 1264 fprintf(stdout, " ok\n\n");
1291 else 1265 else
1292 fprintf(stdout, " failed\n"); 1266 {
1267 fprintf(stdout, " failed\n\n");
1268 ABORT;
1269 }
1293 OPENSSL_free(curves); 1270 OPENSSL_free(curves);
1294 return; 1271 return;
1295 } 1272 }
1296 1273
1274#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
1275/* nistp_test_params contains magic numbers for testing our optimized
1276 * implementations of several NIST curves with characteristic > 3. */
1277struct nistp_test_params
1278 {
1279 const EC_METHOD* (*meth) ();
1280 int degree;
1281 /* Qx, Qy and D are taken from
1282 * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/ECDSA_Prime.pdf
1283 * Otherwise, values are standard curve parameters from FIPS 180-3 */
1284 const char *p, *a, *b, *Qx, *Qy, *Gx, *Gy, *order, *d;
1285 };
1286
1287static const struct nistp_test_params nistp_tests_params[] =
1288 {
1289 {
1290 /* P-224 */
1291 EC_GFp_nistp224_method,
1292 224,
1293 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001", /* p */
1294 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE", /* a */
1295 "B4050A850C04B3ABF54132565044B0B7D7BFD8BA270B39432355FFB4", /* b */
1296 "E84FB0B8E7000CB657D7973CF6B42ED78B301674276DF744AF130B3E", /* Qx */
1297 "4376675C6FC5612C21A0FF2D2A89D2987DF7A2BC52183B5982298555", /* Qy */
1298 "B70E0CBD6BB4BF7F321390B94A03C1D356C21122343280D6115C1D21", /* Gx */
1299 "BD376388B5F723FB4C22DFE6CD4375A05A07476444D5819985007E34", /* Gy */
1300 "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D", /* order */
1301 "3F0C488E987C80BE0FEE521F8D90BE6034EC69AE11CA72AA777481E8", /* d */
1302 },
1303 {
1304 /* P-256 */
1305 EC_GFp_nistp256_method,
1306 256,
1307 "ffffffff00000001000000000000000000000000ffffffffffffffffffffffff", /* p */
1308 "ffffffff00000001000000000000000000000000fffffffffffffffffffffffc", /* a */
1309 "5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b", /* b */
1310 "b7e08afdfe94bad3f1dc8c734798ba1c62b3a0ad1e9ea2a38201cd0889bc7a19", /* Qx */
1311 "3603f747959dbf7a4bb226e41928729063adc7ae43529e61b563bbc606cc5e09", /* Qy */
1312 "6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296", /* Gx */
1313 "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5", /* Gy */
1314 "ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551", /* order */
1315 "c477f9f65c22cce20657faa5b2d1d8122336f851a508a1ed04e479c34985bf96", /* d */
1316 },
1317 {
1318 /* P-521 */
1319 EC_GFp_nistp521_method,
1320 521,
1321 "1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", /* p */
1322 "1fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc", /* a */
1323 "051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00", /* b */
1324 "0098e91eef9a68452822309c52fab453f5f117c1da8ed796b255e9ab8f6410cca16e59df403a6bdc6ca467a37056b1e54b3005d8ac030decfeb68df18b171885d5c4", /* Qx */
1325 "0164350c321aecfc1cca1ba4364c9b15656150b4b78d6a48d7d28e7f31985ef17be8554376b72900712c4b83ad668327231526e313f5f092999a4632fd50d946bc2e", /* Qy */
1326 "c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66", /* Gx */
1327 "11839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650", /* Gy */
1328 "1fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409", /* order */
1329 "0100085f47b8e1b8b11b7eb33028c0b2888e304bfc98501955b45bba1478dc184eeedf09b86a5f7c21994406072787205e69a63709fe35aa93ba333514b24f961722", /* d */
1330 },
1331 };
1332
1333void nistp_single_test(const struct nistp_test_params *test)
1334 {
1335 BN_CTX *ctx;
1336 BIGNUM *p, *a, *b, *x, *y, *n, *m, *order;
1337 EC_GROUP *NISTP;
1338 EC_POINT *G, *P, *Q, *Q_CHECK;
1339
1340 fprintf(stdout, "\nNIST curve P-%d (optimised implementation):\n", test->degree);
1341 ctx = BN_CTX_new();
1342 p = BN_new();
1343 a = BN_new();
1344 b = BN_new();
1345 x = BN_new(); y = BN_new();
1346 m = BN_new(); n = BN_new(); order = BN_new();
1347
1348 NISTP = EC_GROUP_new(test->meth());
1349 if(!NISTP) ABORT;
1350 if (!BN_hex2bn(&p, test->p)) ABORT;
1351 if (1 != BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) ABORT;
1352 if (!BN_hex2bn(&a, test->a)) ABORT;
1353 if (!BN_hex2bn(&b, test->b)) ABORT;
1354 if (!EC_GROUP_set_curve_GFp(NISTP, p, a, b, ctx)) ABORT;
1355 G = EC_POINT_new(NISTP);
1356 P = EC_POINT_new(NISTP);
1357 Q = EC_POINT_new(NISTP);
1358 Q_CHECK = EC_POINT_new(NISTP);
1359 if(!BN_hex2bn(&x, test->Qx)) ABORT;
1360 if(!BN_hex2bn(&y, test->Qy)) ABORT;
1361 if(!EC_POINT_set_affine_coordinates_GFp(NISTP, Q_CHECK, x, y, ctx)) ABORT;
1362 if (!BN_hex2bn(&x, test->Gx)) ABORT;
1363 if (!BN_hex2bn(&y, test->Gy)) ABORT;
1364 if (!EC_POINT_set_affine_coordinates_GFp(NISTP, G, x, y, ctx)) ABORT;
1365 if (!BN_hex2bn(&order, test->order)) ABORT;
1366 if (!EC_GROUP_set_generator(NISTP, G, order, BN_value_one())) ABORT;
1367
1368 fprintf(stdout, "verify degree ... ");
1369 if (EC_GROUP_get_degree(NISTP) != test->degree) ABORT;
1370 fprintf(stdout, "ok\n");
1371
1372 fprintf(stdout, "NIST test vectors ... ");
1373 if (!BN_hex2bn(&n, test->d)) ABORT;
1374 /* fixed point multiplication */
1375 EC_POINT_mul(NISTP, Q, n, NULL, NULL, ctx);
1376 if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) ABORT;
1377 /* random point multiplication */
1378 EC_POINT_mul(NISTP, Q, NULL, G, n, ctx);
1379 if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) ABORT;
1380
1381 /* set generator to P = 2*G, where G is the standard generator */
1382 if (!EC_POINT_dbl(NISTP, P, G, ctx)) ABORT;
1383 if (!EC_GROUP_set_generator(NISTP, P, order, BN_value_one())) ABORT;
1384 /* set the scalar to m=n/2, where n is the NIST test scalar */
1385 if (!BN_rshift(m, n, 1)) ABORT;
1386
1387 /* test the non-standard generator */
1388 /* fixed point multiplication */
1389 EC_POINT_mul(NISTP, Q, m, NULL, NULL, ctx);
1390 if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) ABORT;
1391 /* random point multiplication */
1392 EC_POINT_mul(NISTP, Q, NULL, P, m, ctx);
1393 if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) ABORT;
1394
1395 /* now repeat all tests with precomputation */
1396 if (!EC_GROUP_precompute_mult(NISTP, ctx)) ABORT;
1397
1398 /* fixed point multiplication */
1399 EC_POINT_mul(NISTP, Q, m, NULL, NULL, ctx);
1400 if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) ABORT;
1401 /* random point multiplication */
1402 EC_POINT_mul(NISTP, Q, NULL, P, m, ctx);
1403 if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) ABORT;
1404
1405 /* reset generator */
1406 if (!EC_GROUP_set_generator(NISTP, G, order, BN_value_one())) ABORT;
1407 /* fixed point multiplication */
1408 EC_POINT_mul(NISTP, Q, n, NULL, NULL, ctx);
1409 if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) ABORT;
1410 /* random point multiplication */
1411 EC_POINT_mul(NISTP, Q, NULL, G, n, ctx);
1412 if (0 != EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) ABORT;
1413
1414 fprintf(stdout, "ok\n");
1415 group_order_tests(NISTP);
1416#if 0
1417 timings(NISTP, TIMING_BASE_PT, ctx);
1418 timings(NISTP, TIMING_RAND_PT, ctx);
1419#endif
1420 EC_GROUP_free(NISTP);
1421 EC_POINT_free(G);
1422 EC_POINT_free(P);
1423 EC_POINT_free(Q);
1424 EC_POINT_free(Q_CHECK);
1425 BN_free(n);
1426 BN_free(m);
1427 BN_free(p);
1428 BN_free(a);
1429 BN_free(b);
1430 BN_free(x);
1431 BN_free(y);
1432 BN_free(order);
1433 BN_CTX_free(ctx);
1434 }
1435
1436void nistp_tests()
1437 {
1438 unsigned i;
1439
1440 for (i = 0; i < sizeof(nistp_tests_params) / sizeof(struct nistp_test_params); i++)
1441 {
1442 nistp_single_test(&nistp_tests_params[i]);
1443 }
1444 }
1445#endif
1446
1297static const char rnd_seed[] = "string to make the random number generator think it has entropy"; 1447static const char rnd_seed[] = "string to make the random number generator think it has entropy";
1298 1448
1299int main(int argc, char *argv[]) 1449int main(int argc, char *argv[])
@@ -1317,7 +1467,12 @@ int main(int argc, char *argv[])
1317 1467
1318 prime_field_tests(); 1468 prime_field_tests();
1319 puts(""); 1469 puts("");
1470#ifndef OPENSSL_NO_EC2M
1320 char2_field_tests(); 1471 char2_field_tests();
1472#endif
1473#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
1474 nistp_tests();
1475#endif
1321 /* test the internal curves */ 1476 /* test the internal curves */
1322 internal_curve_test(); 1477 internal_curve_test();
1323 1478
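--- a/src/lib/libcrypto/engine/Makefile
+++ b/src/lib/libcrypto/engine/Makefile
@@ -21,12 +21,14 @@ LIBSRC= eng_err.c eng_lib.c eng_list.c eng_init.c eng_ctrl.c \
 eng_table.c eng_pkey.c eng_fat.c eng_all.c \
 tb_rsa.c tb_dsa.c tb_ecdsa.c tb_dh.c tb_ecdh.c tb_rand.c tb_store.c \
 tb_cipher.c tb_digest.c tb_pkmeth.c tb_asnmth.c \
-eng_openssl.c eng_cnf.c eng_dyn.c eng_cryptodev.c
+eng_openssl.c eng_cnf.c eng_dyn.c eng_cryptodev.c \
+eng_rsax.c eng_rdrand.c
 LIBOBJ= eng_err.o eng_lib.o eng_list.o eng_init.o eng_ctrl.o \
 eng_table.o eng_pkey.o eng_fat.o eng_all.o \
 tb_rsa.o tb_dsa.o tb_ecdsa.o tb_dh.o tb_ecdh.o tb_rand.o tb_store.o \
 tb_cipher.o tb_digest.o tb_pkmeth.o tb_asnmth.o \
-eng_openssl.o eng_cnf.o eng_dyn.o eng_cryptodev.o
+eng_openssl.o eng_cnf.o eng_dyn.o eng_cryptodev.o \
+eng_rsax.o eng_rdrand.o
 
 SRC= $(LIBSRC)
 
@@ -249,6 +251,34 @@ eng_pkey.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
 eng_pkey.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 eng_pkey.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
 eng_pkey.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_int.h eng_pkey.c
+eng_rdrand.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+eng_rdrand.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+eng_rdrand.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+eng_rdrand.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+eng_rdrand.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+eng_rdrand.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+eng_rdrand.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+eng_rdrand.o: ../../include/openssl/opensslconf.h
+eng_rdrand.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+eng_rdrand.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
+eng_rdrand.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+eng_rdrand.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+eng_rdrand.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+eng_rdrand.o: eng_rdrand.c
+eng_rsax.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+eng_rsax.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+eng_rsax.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+eng_rsax.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+eng_rsax.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
+eng_rsax.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+eng_rsax.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+eng_rsax.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+eng_rsax.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+eng_rsax.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+eng_rsax.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+eng_rsax.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+eng_rsax.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+eng_rsax.o: eng_rsax.c
 eng_table.o: ../../e_os.h ../../include/openssl/asn1.h
 eng_table.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 eng_table.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h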
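--- a/src/lib/libcrypto/engine/eng_all.c
+++ b/src/lib/libcrypto/engine/eng_all.c
@@ -61,6 +61,8 @@
 
 void ENGINE_load_builtin_engines(void)
 {
+/* Some ENGINEs need this */
+OPENSSL_cpuid_setup();
 #if 0
 /* There's no longer any need for an "openssl" ENGINE unless, one day,
 * it is the *only* way for standard builtin implementations to be be
@@ -72,10 +74,12 @@ void ENGINE_load_builtin_engines(void)
 ENGINE_load_cryptodev();
 #endif
 
-#if !defined(OPENSSL_NO_HW) && !defined(OPENSSL_NO_HW_AESNI)
-ENGINE_load_aesni();
+#ifndef OPENSSL_NO_RSAX
+ENGINE_load_rsax();
+#endif
+#ifndef OPENSSL_NO_RDRAND
+ENGINE_load_rdrand();
 #endif
-
 ENGINE_load_dynamic();
 #ifndef OPENSSL_NO_STATIC_ENGINE
 #ifndef OPENSSL_NO_HW
@@ -117,6 +121,7 @@ void ENGINE_load_builtin_engines(void)
 ENGINE_load_capi();
 #endif
 #endif
+ENGINE_register_all_complete();
 }
 
 #if defined(__OpenBSD__) || defined(__FreeBSD__) || defined(HAVE_CRYPTODEV)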
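Review bot: `ENGINE_register_all_complete()` at the end of `ENGINE_load_builtin_engines` (third hunk) makes every engine loaded above a default method provider unless it sets `ENGINE_FLAGS_NO_REGISTER_ALL`, and that now includes the rdrand engine loaded under `#ifndef OPENSSL_NO_RDRAND`; if eng_rdrand.c (not in this view) does not set that flag, its RAND method becomes the process-wide default RNG for any application that calls this function. That is a policy decision worth stating at the call site rather than leaving implicit, e.g. `/* Registers every ENGINE loaded above as a default method provider unless it carries ENGINE_FLAGS_NO_REGISTER_ALL; check eng_rdrand.c before relying on this for RAND. */`. The `/* Some ENGINEs need this */` comment on the new `OPENSSL_cpuid_setup()` call could also say why it must come first, presumably so that engines selecting an implementation by CPU feature bits see them populated.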
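--- a/src/lib/libcrypto/engine/eng_cryptodev.c
+++ b/src/lib/libcrypto/engine/eng_cryptodev.c
@@ -79,8 +79,6 @@ struct dev_crypto_state {
 unsigned char digest_res[HASH_MAX_LEN];
 char *mac_data;
 int mac_len;
-
-int copy;
 #endif
 };
 
@@ -199,6 +197,7 @@ get_dev_crypto(void)
 
 if ((fd = open_dev_crypto()) == -1)
 return (-1);
+#ifndef CRIOGET_NOT_NEEDED
 if (ioctl(fd, CRIOGET, &retfd) == -1)
 return (-1);
 
@@ -207,9 +206,19 @@ get_dev_crypto(void)
 close(retfd);
 return (-1);
 }
+#else
+retfd = fd;
+#endif
 return (retfd);
 }
 
+static void put_dev_crypto(int fd)
+{
+#ifndef CRIOGET_NOT_NEEDED
+close(fd);
+#endif
+}
+
 /* Caching version for asym operations */
 static int
 get_asym_dev_crypto(void)
@@ -251,7 +260,7 @@ get_cryptodev_ciphers(const int **cnids)
 ioctl(fd, CIOCFSESSION, &sess.ses) != -1)
 nids[count++] = ciphers[i].nid;
 }
-close(fd);
+put_dev_crypto(fd);
 
 if (count > 0)
 *cnids = nids;
@@ -290,7 +299,7 @@ get_cryptodev_digests(const int **cnids)
 ioctl(fd, CIOCFSESSION, &sess.ses) != -1)
 nids[count++] = digests[i].nid;
 }
-close(fd);
+put_dev_crypto(fd);
 
 if (count > 0)
 *cnids = nids;
@@ -435,7 +444,7 @@ cryptodev_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
 sess->cipher = cipher;
 
 if (ioctl(state->d_fd, CIOCGSESSION, sess) == -1) {
-close(state->d_fd);
+put_dev_crypto(state->d_fd);
 state->d_fd = -1;
 return (0);
 }
@@ -472,7 +481,7 @@ cryptodev_cleanup(EVP_CIPHER_CTX *ctx)
 } else {
 ret = 1;
 }
-close(state->d_fd);
+put_dev_crypto(state->d_fd);
 state->d_fd = -1;
 
 return (ret);
@@ -685,7 +694,7 @@ static int cryptodev_digest_init(EVP_MD_CTX *ctx)
 sess->mac = digest;
 
 if (ioctl(state->d_fd, CIOCGSESSION, sess) < 0) {
-close(state->d_fd);
+put_dev_crypto(state->d_fd);
 state->d_fd = -1;
 printf("cryptodev_digest_init: Open session failed\n");
 return (0);
@@ -757,14 +766,12 @@ static int cryptodev_digest_final(EVP_MD_CTX *ctx, unsigned char *md)
 if (! (ctx->flags & EVP_MD_CTX_FLAG_ONESHOT) ) {
 /* if application doesn't support one buffer */
 memset(&cryp, 0, sizeof(cryp));
-
 cryp.ses = sess->ses;
 cryp.flags = 0;
 cryp.len = state->mac_len;
 cryp.src = state->mac_data;
 cryp.dst = NULL;
 cryp.mac = (caddr_t)md;
-
 if (ioctl(state->d_fd, CIOCCRYPT, &cryp) < 0) {
 printf("cryptodev_digest_final: digest failed\n");
 return (0);
@@ -785,6 +792,9 @@ static int cryptodev_digest_cleanup(EVP_MD_CTX *ctx)
 struct dev_crypto_state *state = ctx->md_data;
 struct session_op *sess = &state->d_sess;
 
+if (state == NULL)
+return 0;
+
 if (state->d_fd < 0) {
 printf("cryptodev_digest_cleanup: illegal input\n");
 return (0);
@@ -796,16 +806,13 @@ static int cryptodev_digest_cleanup(EVP_MD_CTX *ctx)
 state->mac_len = 0;
 }
 
-if (state->copy)
-return 1;
-
 if (ioctl(state->d_fd, CIOCFSESSION, &sess->ses) < 0) {
 printf("cryptodev_digest_cleanup: failed to close session\n");
 ret = 0;
 } else {
 ret = 1;
 }
-close(state->d_fd);
+put_dev_crypto(state->d_fd);
 state->d_fd = -1;
 
 return (ret);
@@ -815,15 +822,39 @@ static int cryptodev_digest_copy(EVP_MD_CTX *to,const EVP_MD_CTX *from)
 {
 struct dev_crypto_state *fstate = from->md_data;
 struct dev_crypto_state *dstate = to->md_data;
+struct session_op *sess;
+int digest;
 
-memcpy(dstate, fstate, sizeof(struct dev_crypto_state));
+if (dstate == NULL || fstate == NULL)
+return 1;
 
-if (fstate->mac_len != 0) {
-dstate->mac_data = OPENSSL_malloc(fstate->mac_len);
-memcpy(dstate->mac_data, fstate->mac_data, fstate->mac_len);
+memcpy(dstate, fstate, sizeof(struct dev_crypto_state));
+
+sess = &dstate->d_sess;
+
+digest = digest_nid_to_cryptodev(to->digest->type);
+
+sess->mackey = dstate->dummy_mac_key;
+sess->mackeylen = digest_key_length(to->digest->type);
+sess->mac = digest;
+
+dstate->d_fd = get_dev_crypto();
+
+if (ioctl(dstate->d_fd, CIOCGSESSION, sess) < 0) {
+put_dev_crypto(dstate->d_fd);
+dstate->d_fd = -1;
+printf("cryptodev_digest_init: Open session failed\n");
+return (0);
 }
 
-dstate->copy = 1;
+if (fstate->mac_len != 0) {
+if (fstate->mac_data != NULL)
+{
+dstate->mac_data = OPENSSL_malloc(fstate->mac_len);
+memcpy(dstate->mac_data, fstate->mac_data, fstate->mac_len);
+dstate->mac_len = fstate->mac_len;
+}
+}
 
 return 1;
 }
@@ -1346,11 +1377,11 @@ ENGINE_load_cryptodev(void)
 * find out what asymmetric crypto algorithms we support
 */
 if (ioctl(fd, CIOCASYMFEAT, &cryptodev_asymfeat) == -1) {
-close(fd);
+put_dev_crypto(fd);
 ENGINE_free(engine);
 return;
 }
-close(fd);
+put_dev_crypto(fd);
 
 if (!ENGINE_set_id(engine, "cryptodev") ||
 !ENGINE_set_name(engine, "BSD cryptodev engine") ||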
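Review bot: In the `cryptodev_digest_copy` hunk the result of `dstate->d_fd = get_dev_crypto();` goes straight into the `ioctl` on the next line with no check for -1, so an open failure surfaces only as EBADF from ioctl and the error path then calls `put_dev_crypto(-1)`; add `if (dstate->d_fd == -1) return (0);` directly after the assignment. The message on that path still reads `cryptodev_digest_init: Open session failed`, which will misattribute failures in logs; `cryptodev_digest_copy: Open session failed` names the right function. In the same hunk `OPENSSL_malloc(fstate->mac_len)` is passed to `memcpy` without a NULL check, as the removed code also did. In the `cryptodev_digest_cleanup` hunk the new `if (state == NULL) return 0;` comes after `struct session_op *sess = &state->d_sess;` has already been formed from the possibly-NULL pointer; moving the check above that declaration, or assigning `sess` after it, keeps the guard meaningful.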
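--- a/src/lib/libcrypto/engine/eng_fat.c
+++ b/src/lib/libcrypto/engine/eng_fat.c
@@ -176,6 +176,7 @@ int ENGINE_register_all_complete(void)
 ENGINE *e;
 
 for(e=ENGINE_get_first() ; e ; e=ENGINE_get_next(e))
-ENGINE_register_complete(e);
+if (!(e->flags & ENGINE_FLAGS_NO_REGISTER_ALL))
+ENGINE_register_complete(e);
 return 1;
 }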
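Review bot: The `for` body in `ENGINE_register_all_complete` is now a two-line `if` with no braces; wrapping the loop body in braces makes the scope visible and prevents a later statement from silently landing outside the loop. The function's opening brace is outside the hunk.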
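--- a/src/lib/libcrypto/engine/engine.h
+++ b/src/lib/libcrypto/engine/engine.h
@@ -141,6 +141,13 @@ extern "C" {
  * the existing ENGINE's structural reference count. */
 #define ENGINE_FLAGS_BY_ID_COPY (int)0x0004
 
+/* This flag if for an ENGINE that does not want its methods registered as
+ * part of ENGINE_register_all_complete() for example if the methods are
+ * not usable as default methods.
+ */
+
+#define ENGINE_FLAGS_NO_REGISTER_ALL (int)0x0008
+
 /* ENGINEs can support their own command types, and these flags are used in
  * ENGINE_CTRL_GET_CMD_FLAGS to indicate to the caller what kind of input each
  * command expects. Currently only numeric and string input is supported. If a
@@ -344,7 +351,8 @@ void ENGINE_load_gost(void);
 #endif
 #endif
 void ENGINE_load_cryptodev(void);
-void ENGINE_load_aesni(void);
+void ENGINE_load_rsax(void);
+void ENGINE_load_rdrand(void);
 void ENGINE_load_builtin_engines(void);
 
 /* Get and set global flags (ENGINE_TABLE_FLAG_***) for the implementation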
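Review bot: The new flag's comment has a typo, "This flag if for an ENGINE" should read "This flag is for an ENGINE", and it would help to say where the flag is honoured, e.g. `/* Checked by ENGINE_register_all_complete(); the per-method ENGINE_register_all_*() functions are not affected. */` — the per-method part is my reading of the eng_fat.c hunk and should be confirmed. The second hunk also deletes the `ENGINE_load_aesni` prototype; if any caller in the tree still references it that is a build break, and if the removal is deliberate it deserves a mention in the commit message. `ENGINE_load_rsax` and `ENGINE_load_rdrand` are declared without any OPENSSL_NO_* guard, unlike `ENGINE_load_gost` just above, so callers cannot tell from the header whether the symbols exist in a given build.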
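--- a/src/lib/libcrypto/err/err.c
+++ b/src/lib/libcrypto/err/err.c
@@ -1066,6 +1066,13 @@ void ERR_set_error_data(char *data, int flags)
 void ERR_add_error_data(int num, ...)
  {
  va_list args;
+ va_start(args, num);
+ ERR_add_error_vdata(num, args);
+ va_end(args);
+ }
+
+void ERR_add_error_vdata(int num, va_list args)
+ {
  int i,n,s;
  char *str,*p,*a;
 
@@ -1074,7 +1081,6 @@ void ERR_add_error_data(int num, ...)
  if (str == NULL) return;
  str[0]='\0';
 
- va_start(args, num);
  n=0;
  for (i=0; i<num; i++)
  {
@@ -1090,7 +1096,7 @@ void ERR_add_error_data(int num, ...)
  if (p == NULL)
  {
  OPENSSL_free(str);
- goto err;
+ return;
  }
  else
  str=p;
@@ -1099,9 +1105,6 @@ void ERR_add_error_data(int num, ...)
  }
  }
  ERR_set_error_data(str,ERR_TXT_MALLOCED|ERR_TXT_STRING);
-
-err:
- va_end(args);
  }
 
 int ERR_set_mark(void)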
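Review bot: `ERR_add_error_vdata` is a new public entry point but has no header comment stating its va_list contract; since it walks `args` with va_arg, the caller's `va_list` is indeterminate afterwards and the caller still owns `va_end`, which the wrapper above does correctly but a third-party caller would have to guess. I would add above the definition: `/* Like ERR_add_error_data() but takes a va_list. Consumes num string arguments from args; the caller remains responsible for va_end(). Silently returns on allocation failure. */`. The silent `return` on the realloc failure path (replacing the old `goto err`) preserves existing behaviour, but it now leaves no trace that the error data was dropped, which is worth saying in the comment. The body of ERR_add_error_vdata runs across all four hunks and past what each one shows.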
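--- a/src/lib/libcrypto/err/err.h
+++ b/src/lib/libcrypto/err/err.h
@@ -344,8 +344,9 @@ void ERR_print_errors_fp(FILE *fp);
 #endif
 #ifndef OPENSSL_NO_BIO
 void ERR_print_errors(BIO *bp);
-void ERR_add_error_data(int num, ...);
 #endif
+void ERR_add_error_data(int num, ...);
+void ERR_add_error_vdata(int num, va_list args);
 void ERR_load_strings(int lib,ERR_STRING_DATA str[]);
 void ERR_unload_strings(int lib,ERR_STRING_DATA str[]);
 void ERR_load_ERR_strings(void);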
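Review bot: The new `ERR_add_error_vdata(int num, va_list args)` prototype needs `va_list` in scope, and this hunk does not add `#include <stdarg.h>`; unless err.h already includes it further up (not visible here), any translation unit that includes err.h without first including stdarg.h will fail to compile. Moving `ERR_add_error_data` out of the `#ifndef OPENSSL_NO_BIO` block is a good fix, since its implementation in err.c does not depend on BIO. A one-line comment above the pair, `/* ERR_add_error_vdata consumes args; caller must va_end() */`, would make the ownership rule visible at the declaration.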
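--- a/src/lib/libcrypto/err/err_all.c
+++ b/src/lib/libcrypto/err/err_all.c
@@ -104,6 +104,10 @@
 #endif
 #include <openssl/comp.h>
 
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
+
 void ERR_load_crypto_strings(void)
  {
 #ifndef OPENSSL_NO_ERR
@@ -157,4 +161,7 @@ void ERR_load_crypto_strings(void)
 #endif
  ERR_load_COMP_strings();
 #endif
+#ifdef OPENSSL_FIPS
+ ERR_load_FIPS_strings();
+#endif
  }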
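Review bot: The new `ERR_load_FIPS_strings()` call sits after the `#endif` at new line 163, which appears to close the `#ifndef OPENSSL_NO_ERR` opened at new line 113 (the intervening lines are outside the hunk, so this is inferred), so a build with OPENSSL_NO_ERR and OPENSSL_FIPS would still load the FIPS strings while every other library's strings are skipped. If that is not intended, place the three new lines before the `#endif` on line 163 so they are inside the same guard as `ERR_load_COMP_strings()`.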
diff --git a/src/lib/libcrypto/evp/Makefile b/src/lib/libcrypto/evp/Makefile
index 82825e5299..0fe1b96bff 100644
--- a/src/lib/libcrypto/evp/Makefile
+++ b/src/lib/libcrypto/evp/Makefile
@@ -28,7 +28,8 @@ LIBSRC= encode.c digest.c evp_enc.c evp_key.c evp_acnf.c \
28 bio_md.c bio_b64.c bio_enc.c evp_err.c e_null.c \ 28 bio_md.c bio_b64.c bio_enc.c evp_err.c e_null.c \
29 c_all.c c_allc.c c_alld.c evp_lib.c bio_ok.c \ 29 c_all.c c_allc.c c_alld.c evp_lib.c bio_ok.c \
30 evp_pkey.c evp_pbe.c p5_crpt.c p5_crpt2.c \ 30 evp_pkey.c evp_pbe.c p5_crpt.c p5_crpt2.c \
31 e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c 31 e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c evp_fips.c \
32 e_aes_cbc_hmac_sha1.c e_rc4_hmac_md5.c
32 33
33LIBOBJ= encode.o digest.o evp_enc.o evp_key.o evp_acnf.o \ 34LIBOBJ= encode.o digest.o evp_enc.o evp_key.o evp_acnf.o \
34 e_des.o e_bf.o e_idea.o e_des3.o e_camellia.o\ 35 e_des.o e_bf.o e_idea.o e_des3.o e_camellia.o\
@@ -40,7 +41,8 @@ LIBOBJ= encode.o digest.o evp_enc.o evp_key.o evp_acnf.o \
40 bio_md.o bio_b64.o bio_enc.o evp_err.o e_null.o \ 41 bio_md.o bio_b64.o bio_enc.o evp_err.o e_null.o \
41 c_all.o c_allc.o c_alld.o evp_lib.o bio_ok.o \ 42 c_all.o c_allc.o c_alld.o evp_lib.o bio_ok.o \
42 evp_pkey.o evp_pbe.o p5_crpt.o p5_crpt2.o \ 43 evp_pkey.o evp_pbe.o p5_crpt.o p5_crpt2.o \
43 e_old.o pmeth_lib.o pmeth_fn.o pmeth_gn.o m_sigver.o 44 e_old.o pmeth_lib.o pmeth_fn.o pmeth_gn.o m_sigver.o evp_fips.o \
45 e_aes_cbc_hmac_sha1.o e_rc4_hmac_md5.o
44 46
45SRC= $(LIBSRC) 47SRC= $(LIBSRC)
46 48
@@ -189,11 +191,27 @@ e_aes.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
189e_aes.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h 191e_aes.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
190e_aes.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h 192e_aes.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
191e_aes.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h 193e_aes.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
192e_aes.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h 194e_aes.o: ../../include/openssl/modes.h ../../include/openssl/obj_mac.h
193e_aes.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h 195e_aes.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
194e_aes.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h 196e_aes.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
195e_aes.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h e_aes.c 197e_aes.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
196e_aes.o: evp_locl.h 198e_aes.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
199e_aes.o: ../modes/modes_lcl.h e_aes.c evp_locl.h
200e_aes_cbc_hmac_sha1.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
201e_aes_cbc_hmac_sha1.o: ../../include/openssl/bio.h
202e_aes_cbc_hmac_sha1.o: ../../include/openssl/crypto.h
203e_aes_cbc_hmac_sha1.o: ../../include/openssl/e_os2.h
204e_aes_cbc_hmac_sha1.o: ../../include/openssl/evp.h
205e_aes_cbc_hmac_sha1.o: ../../include/openssl/obj_mac.h
206e_aes_cbc_hmac_sha1.o: ../../include/openssl/objects.h
207e_aes_cbc_hmac_sha1.o: ../../include/openssl/opensslconf.h
208e_aes_cbc_hmac_sha1.o: ../../include/openssl/opensslv.h
209e_aes_cbc_hmac_sha1.o: ../../include/openssl/ossl_typ.h
210e_aes_cbc_hmac_sha1.o: ../../include/openssl/safestack.h
211e_aes_cbc_hmac_sha1.o: ../../include/openssl/sha.h
212e_aes_cbc_hmac_sha1.o: ../../include/openssl/stack.h
213e_aes_cbc_hmac_sha1.o: ../../include/openssl/symhacks.h e_aes_cbc_hmac_sha1.c
214e_aes_cbc_hmac_sha1.o: evp_locl.h
197e_bf.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h 215e_bf.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
198e_bf.o: ../../include/openssl/blowfish.h ../../include/openssl/buffer.h 216e_bf.o: ../../include/openssl/blowfish.h ../../include/openssl/buffer.h
199e_bf.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h 217e_bf.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
@@ -279,7 +297,18 @@ e_rc4.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
279e_rc4.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h 297e_rc4.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
280e_rc4.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rc4.h 298e_rc4.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rc4.h
281e_rc4.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h 299e_rc4.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
282e_rc4.o: ../../include/openssl/symhacks.h ../cryptlib.h e_rc4.c 300e_rc4.o: ../../include/openssl/symhacks.h ../cryptlib.h e_rc4.c evp_locl.h
301e_rc4_hmac_md5.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
302e_rc4_hmac_md5.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
303e_rc4_hmac_md5.o: ../../include/openssl/evp.h ../../include/openssl/md5.h
304e_rc4_hmac_md5.o: ../../include/openssl/obj_mac.h
305e_rc4_hmac_md5.o: ../../include/openssl/objects.h
306e_rc4_hmac_md5.o: ../../include/openssl/opensslconf.h
307e_rc4_hmac_md5.o: ../../include/openssl/opensslv.h
308e_rc4_hmac_md5.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rc4.h
309e_rc4_hmac_md5.o: ../../include/openssl/safestack.h
310e_rc4_hmac_md5.o: ../../include/openssl/stack.h
311e_rc4_hmac_md5.o: ../../include/openssl/symhacks.h e_rc4_hmac_md5.c
283e_rc5.o: ../../e_os.h ../../include/openssl/bio.h 312e_rc5.o: ../../e_os.h ../../include/openssl/bio.h
284e_rc5.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h 313e_rc5.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
285e_rc5.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h 314e_rc5.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
@@ -349,6 +378,13 @@ evp_err.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
349evp_err.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h 378evp_err.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
350evp_err.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h 379evp_err.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
351evp_err.o: ../../include/openssl/symhacks.h evp_err.c 380evp_err.o: ../../include/openssl/symhacks.h evp_err.c
381evp_fips.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
382evp_fips.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
383evp_fips.o: ../../include/openssl/evp.h ../../include/openssl/obj_mac.h
384evp_fips.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
385evp_fips.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
386evp_fips.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
387evp_fips.o: ../../include/openssl/symhacks.h evp_fips.c
352evp_key.o: ../../e_os.h ../../include/openssl/asn1.h 388evp_key.o: ../../e_os.h ../../include/openssl/asn1.h
353evp_key.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h 389evp_key.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
354evp_key.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h 390evp_key.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
@@ -383,7 +419,7 @@ evp_pbe.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs12.h
383evp_pbe.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h 419evp_pbe.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
384evp_pbe.o: ../../include/openssl/sha.h ../../include/openssl/stack.h 420evp_pbe.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
385evp_pbe.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h 421evp_pbe.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
386evp_pbe.o: ../../include/openssl/x509_vfy.h ../cryptlib.h evp_pbe.c 422evp_pbe.o: ../../include/openssl/x509_vfy.h ../cryptlib.h evp_locl.h evp_pbe.c
387evp_pkey.o: ../../e_os.h ../../include/openssl/asn1.h 423evp_pkey.o: ../../e_os.h ../../include/openssl/asn1.h
388evp_pkey.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h 424evp_pkey.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
389evp_pkey.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h 425evp_pkey.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
@@ -456,7 +492,7 @@ m_md4.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
456m_md4.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h 492m_md4.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
457m_md4.o: ../../include/openssl/sha.h ../../include/openssl/stack.h 493m_md4.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
458m_md4.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h 494m_md4.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
459m_md4.o: ../../include/openssl/x509_vfy.h ../cryptlib.h m_md4.c 495m_md4.o: ../../include/openssl/x509_vfy.h ../cryptlib.h evp_locl.h m_md4.c
460m_md5.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h 496m_md5.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
461m_md5.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h 497m_md5.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
462m_md5.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h 498m_md5.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
@@ -469,7 +505,7 @@ m_md5.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
469m_md5.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h 505m_md5.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
470m_md5.o: ../../include/openssl/sha.h ../../include/openssl/stack.h 506m_md5.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
471m_md5.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h 507m_md5.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
472m_md5.o: ../../include/openssl/x509_vfy.h ../cryptlib.h m_md5.c 508m_md5.o: ../../include/openssl/x509_vfy.h ../cryptlib.h evp_locl.h m_md5.c
473m_mdc2.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h 509m_mdc2.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
474m_mdc2.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h 510m_mdc2.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
475m_mdc2.o: ../../include/openssl/des.h ../../include/openssl/des_old.h 511m_mdc2.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
@@ -484,7 +520,7 @@ m_mdc2.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
484m_mdc2.o: ../../include/openssl/sha.h ../../include/openssl/stack.h 520m_mdc2.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
485m_mdc2.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h 521m_mdc2.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
486m_mdc2.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h 522m_mdc2.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
487m_mdc2.o: ../../include/openssl/x509_vfy.h ../cryptlib.h m_mdc2.c 523m_mdc2.o: ../../include/openssl/x509_vfy.h ../cryptlib.h evp_locl.h m_mdc2.c
488m_null.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h 524m_null.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
489m_null.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h 525m_null.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
490m_null.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h 526m_null.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
@@ -510,7 +546,8 @@ m_ripemd.o: ../../include/openssl/pkcs7.h ../../include/openssl/ripemd.h
510m_ripemd.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h 546m_ripemd.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
511m_ripemd.o: ../../include/openssl/sha.h ../../include/openssl/stack.h 547m_ripemd.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
512m_ripemd.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h 548m_ripemd.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
513m_ripemd.o: ../../include/openssl/x509_vfy.h ../cryptlib.h m_ripemd.c 549m_ripemd.o: ../../include/openssl/x509_vfy.h ../cryptlib.h evp_locl.h
550m_ripemd.o: m_ripemd.c
514m_sha.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h 551m_sha.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
515m_sha.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h 552m_sha.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
516m_sha.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h 553m_sha.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
@@ -523,7 +560,7 @@ m_sha.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
523m_sha.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h 560m_sha.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
524m_sha.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h 561m_sha.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
525m_sha.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h 562m_sha.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
526m_sha.o: ../cryptlib.h m_sha.c 563m_sha.o: ../cryptlib.h evp_locl.h m_sha.c
527m_sha1.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h 564m_sha1.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
528m_sha1.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h 565m_sha1.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
529m_sha1.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h 566m_sha1.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
@@ -563,7 +600,7 @@ m_wp.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
563m_wp.o: ../../include/openssl/sha.h ../../include/openssl/stack.h 600m_wp.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
564m_wp.o: ../../include/openssl/symhacks.h ../../include/openssl/whrlpool.h 601m_wp.o: ../../include/openssl/symhacks.h ../../include/openssl/whrlpool.h
565m_wp.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h 602m_wp.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
566m_wp.o: ../cryptlib.h m_wp.c 603m_wp.o: ../cryptlib.h evp_locl.h m_wp.c
567names.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h 604names.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
568names.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h 605names.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
569names.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h 606names.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
@@ -601,7 +638,8 @@ p5_crpt2.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
601p5_crpt2.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h 638p5_crpt2.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
602p5_crpt2.o: ../../include/openssl/sha.h ../../include/openssl/stack.h 639p5_crpt2.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
603p5_crpt2.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h 640p5_crpt2.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
604p5_crpt2.o: ../../include/openssl/x509_vfy.h ../cryptlib.h p5_crpt2.c 641p5_crpt2.o: ../../include/openssl/x509_vfy.h ../cryptlib.h evp_locl.h
642p5_crpt2.o: p5_crpt2.c
605p_dec.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h 643p_dec.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
606p_dec.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h 644p_dec.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
607p_dec.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h 645p_dec.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
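--- a/src/lib/libcrypto/evp/bio_md.c
+++ b/src/lib/libcrypto/evp/bio_md.c
@@ -153,8 +153,12 @@ static int md_write(BIO *b, const char *in, int inl)
  {
  if (ret > 0)
  {
- EVP_DigestUpdate(ctx,(const unsigned char *)in,
- (unsigned int)ret);
+ if (!EVP_DigestUpdate(ctx,(const unsigned char *)in,
+ (unsigned int)ret))
+ {
+ BIO_clear_retry_flags(b);
+ return 0;
+ }
  }
  }
  if(b->next_bio != NULL)
@@ -220,7 +224,8 @@ static long md_ctrl(BIO *b, int cmd, long num, void *ptr)
  case BIO_CTRL_DUP:
  dbio=ptr;
  dctx=dbio->ptr;
- EVP_MD_CTX_copy_ex(dctx,ctx);
+ if (!EVP_MD_CTX_copy_ex(dctx,ctx))
+ return 0;
  b->init=1;
  break;
  default: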
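Review bot: In `md_write` the new `return 0` fires only when `ret > 0`, i.e. after the bytes have already been handed to the next BIO (the write that produced `ret` is above the hunk, so this is inferred from the guard), so the caller is told nothing was written while downstream has consumed `ret` bytes and the digest no longer covers them. The retry flags are cleared, so a well-behaved caller will not resend, but the digest context is now silently out of sync with the stream; a comment at the failure branch should state this, e.g. `/* data already forwarded to next_bio but not digested: the digest is no longer valid for this stream */`, and the caller-facing contract of md_write should say that 0 after a partial forward is unrecoverable. In `md_ctrl`, returning 0 from BIO_CTRL_DUP before `b->init=1` leaves the duplicate un-initialised, which is the right outcome, but the failed copy may have left `dctx` partially written; a note that the caller must not use `dbio` after a 0 return would help. Both enclosing functions start outside the hunk.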
diff --git a/src/lib/libcrypto/evp/bio_ok.c b/src/lib/libcrypto/evp/bio_ok.c
index 98bc1ab409..e64335353f 100644
--- a/src/lib/libcrypto/evp/bio_ok.c
+++ b/src/lib/libcrypto/evp/bio_ok.c
@@ -133,10 +133,10 @@ static int ok_new(BIO *h);
133static int ok_free(BIO *data); 133static int ok_free(BIO *data);
134static long ok_callback_ctrl(BIO *h, int cmd, bio_info_cb *fp); 134static long ok_callback_ctrl(BIO *h, int cmd, bio_info_cb *fp);
135 135
136static void sig_out(BIO* b); 136static int sig_out(BIO* b);
137static void sig_in(BIO* b); 137static int sig_in(BIO* b);
138static void block_out(BIO* b); 138static int block_out(BIO* b);
139static void block_in(BIO* b); 139static int block_in(BIO* b);
140#define OK_BLOCK_SIZE (1024*4) 140#define OK_BLOCK_SIZE (1024*4)
141#define OK_BLOCK_BLOCK 4 141#define OK_BLOCK_BLOCK 4
142#define IOBS (OK_BLOCK_SIZE+ OK_BLOCK_BLOCK+ 3*EVP_MAX_MD_SIZE) 142#define IOBS (OK_BLOCK_SIZE+ OK_BLOCK_BLOCK+ 3*EVP_MAX_MD_SIZE)
@@ -266,10 +266,24 @@ static int ok_read(BIO *b, char *out, int outl)
266 ctx->buf_len+= i; 266 ctx->buf_len+= i;
267 267
268 /* no signature yet -- check if we got one */ 268 /* no signature yet -- check if we got one */
269 if (ctx->sigio == 1) sig_in(b); 269 if (ctx->sigio == 1)
270 {
271 if (!sig_in(b))
272 {
273 BIO_clear_retry_flags(b);
274 return 0;
275 }
276 }
270 277
271 /* signature ok -- check if we got block */ 278 /* signature ok -- check if we got block */
272 if (ctx->sigio == 0) block_in(b); 279 if (ctx->sigio == 0)
280 {
281 if (!block_in(b))
282 {
283 BIO_clear_retry_flags(b);
284 return 0;
285 }
286 }
273 287
274 /* invalid block -- cancel */ 288 /* invalid block -- cancel */
275 if (ctx->cont <= 0) break; 289 if (ctx->cont <= 0) break;
@@ -293,7 +307,8 @@ static int ok_write(BIO *b, const char *in, int inl)
293 307
294 if ((ctx == NULL) || (b->next_bio == NULL) || (b->init == 0)) return(0); 308 if ((ctx == NULL) || (b->next_bio == NULL) || (b->init == 0)) return(0);
295 309
296 if(ctx->sigio) sig_out(b); 310 if(ctx->sigio && !sig_out(b))
311 return 0;
297 312
298 do{ 313 do{
299 BIO_clear_retry_flags(b); 314 BIO_clear_retry_flags(b);
@@ -332,7 +347,11 @@ static int ok_write(BIO *b, const char *in, int inl)
332 347
333 if(ctx->buf_len >= OK_BLOCK_SIZE+ OK_BLOCK_BLOCK) 348 if(ctx->buf_len >= OK_BLOCK_SIZE+ OK_BLOCK_BLOCK)
334 { 349 {
335 block_out(b); 350 if (!block_out(b))
351 {
352 BIO_clear_retry_flags(b);
353 return 0;
354 }
336 } 355 }
337 }while(inl > 0); 356 }while(inl > 0);
338 357
@@ -379,7 +398,8 @@ static long ok_ctrl(BIO *b, int cmd, long num, void *ptr)
379 case BIO_CTRL_FLUSH: 398 case BIO_CTRL_FLUSH:
380 /* do a final write */ 399 /* do a final write */
381 if(ctx->blockout == 0) 400 if(ctx->blockout == 0)
382 block_out(b); 401 if (!block_out(b))
402 return 0;
383 403
384 while (ctx->blockout) 404 while (ctx->blockout)
385 { 405 {
@@ -408,7 +428,8 @@ static long ok_ctrl(BIO *b, int cmd, long num, void *ptr)
408 break; 428 break;
409 case BIO_C_SET_MD: 429 case BIO_C_SET_MD:
410 md=ptr; 430 md=ptr;
411 EVP_DigestInit_ex(&ctx->md, md, NULL); 431 if (!EVP_DigestInit_ex(&ctx->md, md, NULL))
432 return 0;
412 b->init=1; 433 b->init=1;
413 break; 434 break;
414 case BIO_C_GET_MD: 435 case BIO_C_GET_MD:
@@ -455,7 +476,7 @@ static void longswap(void *_ptr, size_t len)
455 } 476 }
456} 477}
457 478
458static void sig_out(BIO* b) 479static int sig_out(BIO* b)
459 { 480 {
460 BIO_OK_CTX *ctx; 481 BIO_OK_CTX *ctx;
461 EVP_MD_CTX *md; 482 EVP_MD_CTX *md;
@@ -463,9 +484,10 @@ static void sig_out(BIO* b)
463 ctx=b->ptr; 484 ctx=b->ptr;
464 md=&ctx->md; 485 md=&ctx->md;
465 486
466 if(ctx->buf_len+ 2* md->digest->md_size > OK_BLOCK_SIZE) return; 487 if(ctx->buf_len+ 2* md->digest->md_size > OK_BLOCK_SIZE) return 1;
467 488
468 EVP_DigestInit_ex(md, md->digest, NULL); 489 if (!EVP_DigestInit_ex(md, md->digest, NULL))
490 goto berr;
469 /* FIXME: there's absolutely no guarantee this makes any sense at all, 491 /* FIXME: there's absolutely no guarantee this makes any sense at all,
470 * particularly now EVP_MD_CTX has been restructured. 492 * particularly now EVP_MD_CTX has been restructured.
471 */ 493 */
@@ -474,14 +496,20 @@ static void sig_out(BIO* b)
474 longswap(&(ctx->buf[ctx->buf_len]), md->digest->md_size); 496 longswap(&(ctx->buf[ctx->buf_len]), md->digest->md_size);
475 ctx->buf_len+= md->digest->md_size; 497 ctx->buf_len+= md->digest->md_size;
476 498
477 EVP_DigestUpdate(md, WELLKNOWN, strlen(WELLKNOWN)); 499 if (!EVP_DigestUpdate(md, WELLKNOWN, strlen(WELLKNOWN)))
478 EVP_DigestFinal_ex(md, &(ctx->buf[ctx->buf_len]), NULL); 500 goto berr;
501 if (!EVP_DigestFinal_ex(md, &(ctx->buf[ctx->buf_len]), NULL))
502 goto berr;
479 ctx->buf_len+= md->digest->md_size; 503 ctx->buf_len+= md->digest->md_size;
480 ctx->blockout= 1; 504 ctx->blockout= 1;
481 ctx->sigio= 0; 505 ctx->sigio= 0;
506 return 1;
507 berr:
508 BIO_clear_retry_flags(b);
509 return 0;
482 } 510 }
483 511
484static void sig_in(BIO* b) 512static int sig_in(BIO* b)
485 { 513 {
486 BIO_OK_CTX *ctx; 514 BIO_OK_CTX *ctx;
487 EVP_MD_CTX *md; 515 EVP_MD_CTX *md;
@@ -491,15 +519,18 @@ static void sig_in(BIO* b)
491 ctx=b->ptr; 519 ctx=b->ptr;
492 md=&ctx->md; 520 md=&ctx->md;
493 521
494 if((int)(ctx->buf_len-ctx->buf_off) < 2*md->digest->md_size) return; 522 if((int)(ctx->buf_len-ctx->buf_off) < 2*md->digest->md_size) return 1;
495 523
496 EVP_DigestInit_ex(md, md->digest, NULL); 524 if (!EVP_DigestInit_ex(md, md->digest, NULL))
525 goto berr;
497 memcpy(md->md_data, &(ctx->buf[ctx->buf_off]), md->digest->md_size); 526 memcpy(md->md_data, &(ctx->buf[ctx->buf_off]), md->digest->md_size);
498 longswap(md->md_data, md->digest->md_size); 527 longswap(md->md_data, md->digest->md_size);
499 ctx->buf_off+= md->digest->md_size; 528 ctx->buf_off+= md->digest->md_size;
500 529
501 EVP_DigestUpdate(md, WELLKNOWN, strlen(WELLKNOWN)); 530 if (!EVP_DigestUpdate(md, WELLKNOWN, strlen(WELLKNOWN)))
502 EVP_DigestFinal_ex(md, tmp, NULL); 531 goto berr;
532 if (!EVP_DigestFinal_ex(md, tmp, NULL))
533 goto berr;
503 ret= memcmp(&(ctx->buf[ctx->buf_off]), tmp, md->digest->md_size) == 0; 534 ret= memcmp(&(ctx->buf[ctx->buf_off]), tmp, md->digest->md_size) == 0;
504 ctx->buf_off+= md->digest->md_size; 535 ctx->buf_off+= md->digest->md_size;
505 if(ret == 1) 536 if(ret == 1)
@@ -516,9 +547,13 @@ static void sig_in(BIO* b)
516 { 547 {
517 ctx->cont= 0; 548 ctx->cont= 0;
518 } 549 }
550 return 1;
551 berr:
552 BIO_clear_retry_flags(b);
553 return 0;
519 } 554 }
520 555
521static void block_out(BIO* b) 556static int block_out(BIO* b)
522 { 557 {
523 BIO_OK_CTX *ctx; 558 BIO_OK_CTX *ctx;
524 EVP_MD_CTX *md; 559 EVP_MD_CTX *md;
@@ -532,13 +567,20 @@ static void block_out(BIO* b)
532 ctx->buf[1]=(unsigned char)(tl>>16); 567 ctx->buf[1]=(unsigned char)(tl>>16);
533 ctx->buf[2]=(unsigned char)(tl>>8); 568 ctx->buf[2]=(unsigned char)(tl>>8);
534 ctx->buf[3]=(unsigned char)(tl); 569 ctx->buf[3]=(unsigned char)(tl);
535 EVP_DigestUpdate(md, (unsigned char*) &(ctx->buf[OK_BLOCK_BLOCK]), tl); 570 if (!EVP_DigestUpdate(md,
536 EVP_DigestFinal_ex(md, &(ctx->buf[ctx->buf_len]), NULL); 571 (unsigned char*) &(ctx->buf[OK_BLOCK_BLOCK]), tl))
572 goto berr;
573 if (!EVP_DigestFinal_ex(md, &(ctx->buf[ctx->buf_len]), NULL))
574 goto berr;
537 ctx->buf_len+= md->digest->md_size; 575 ctx->buf_len+= md->digest->md_size;
538 ctx->blockout= 1; 576 ctx->blockout= 1;
577 return 1;
578 berr:
579 BIO_clear_retry_flags(b);
580 return 0;
539 } 581 }
540 582
541static void block_in(BIO* b) 583static int block_in(BIO* b)
542 { 584 {
543 BIO_OK_CTX *ctx; 585 BIO_OK_CTX *ctx;
544 EVP_MD_CTX *md; 586 EVP_MD_CTX *md;
@@ -554,10 +596,13 @@ static void block_in(BIO* b)
554 tl|=ctx->buf[2]; tl<<=8; 596 tl|=ctx->buf[2]; tl<<=8;
555 tl|=ctx->buf[3]; 597 tl|=ctx->buf[3];
556 598
557 if (ctx->buf_len < tl+ OK_BLOCK_BLOCK+ md->digest->md_size) return; 599 if (ctx->buf_len < tl+ OK_BLOCK_BLOCK+ md->digest->md_size) return 1;
558 600
559 EVP_DigestUpdate(md, (unsigned char*) &(ctx->buf[OK_BLOCK_BLOCK]), tl); 601 if (!EVP_DigestUpdate(md,
560 EVP_DigestFinal_ex(md, tmp, NULL); 602 (unsigned char*) &(ctx->buf[OK_BLOCK_BLOCK]), tl))
603 goto berr;
604 if (!EVP_DigestFinal_ex(md, tmp, NULL))
605 goto berr;
561 if(memcmp(&(ctx->buf[tl+ OK_BLOCK_BLOCK]), tmp, md->digest->md_size) == 0) 606 if(memcmp(&(ctx->buf[tl+ OK_BLOCK_BLOCK]), tmp, md->digest->md_size) == 0)
562 { 607 {
563 /* there might be parts from next block lurking around ! */ 608 /* there might be parts from next block lurking around ! */
@@ -571,5 +616,9 @@ static void block_in(BIO* b)
571 { 616 {
572 ctx->cont= 0; 617 ctx->cont= 0;
573 } 618 }
619 return 1;
620 berr:
621 BIO_clear_retry_flags(b);
622 return 0;
574 } 623 }
575 624
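Review bot: In `ok_ctrl`, the BIO_CTRL_FLUSH case now nests an unbraced `if` inside another unbraced `if` (new lines 400-402); a later maintainer adding an `else` would bind it to the inner test, and a single condition reads better: `if (ctx->blockout == 0 && !block_out(b)) return 0;`. The four helpers `sig_out`/`sig_in`/`block_out`/`block_in` return 1 both when they completed their work and when they bailed early for lack of data (new lines 487, 522 and 599), which is correct for the callers but not obvious; a comment at each definition such as `/* Returns 1 on success or when there is not yet enough buffered data to act; 0 on digest failure (retry flags cleared). */` would pin that. The identical `berr:` epilogue is repeated four times, which is acceptable here but worth a shared macro or helper if the file grows further.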
diff --git a/src/lib/libcrypto/evp/c_allc.c b/src/lib/libcrypto/evp/c_allc.c
index c5f9268378..2a45d435e5 100644
--- a/src/lib/libcrypto/evp/c_allc.c
+++ b/src/lib/libcrypto/evp/c_allc.c
@@ -98,6 +98,9 @@ void OpenSSL_add_all_ciphers(void)
98#ifndef OPENSSL_NO_RC4 98#ifndef OPENSSL_NO_RC4
99 EVP_add_cipher(EVP_rc4()); 99 EVP_add_cipher(EVP_rc4());
100 EVP_add_cipher(EVP_rc4_40()); 100 EVP_add_cipher(EVP_rc4_40());
101#ifndef OPENSSL_NO_MD5
102 EVP_add_cipher(EVP_rc4_hmac_md5());
103#endif
101#endif 104#endif
102 105
103#ifndef OPENSSL_NO_IDEA 106#ifndef OPENSSL_NO_IDEA
@@ -166,9 +169,9 @@ void OpenSSL_add_all_ciphers(void)
166 EVP_add_cipher(EVP_aes_128_cfb1()); 169 EVP_add_cipher(EVP_aes_128_cfb1());
167 EVP_add_cipher(EVP_aes_128_cfb8()); 170 EVP_add_cipher(EVP_aes_128_cfb8());
168 EVP_add_cipher(EVP_aes_128_ofb()); 171 EVP_add_cipher(EVP_aes_128_ofb());
169#if 0
170 EVP_add_cipher(EVP_aes_128_ctr()); 172 EVP_add_cipher(EVP_aes_128_ctr());
171#endif 173 EVP_add_cipher(EVP_aes_128_gcm());
174 EVP_add_cipher(EVP_aes_128_xts());
172 EVP_add_cipher_alias(SN_aes_128_cbc,"AES128"); 175 EVP_add_cipher_alias(SN_aes_128_cbc,"AES128");
173 EVP_add_cipher_alias(SN_aes_128_cbc,"aes128"); 176 EVP_add_cipher_alias(SN_aes_128_cbc,"aes128");
174 EVP_add_cipher(EVP_aes_192_ecb()); 177 EVP_add_cipher(EVP_aes_192_ecb());
@@ -177,9 +180,8 @@ void OpenSSL_add_all_ciphers(void)
177 EVP_add_cipher(EVP_aes_192_cfb1()); 180 EVP_add_cipher(EVP_aes_192_cfb1());
178 EVP_add_cipher(EVP_aes_192_cfb8()); 181 EVP_add_cipher(EVP_aes_192_cfb8());
179 EVP_add_cipher(EVP_aes_192_ofb()); 182 EVP_add_cipher(EVP_aes_192_ofb());
180#if 0
181 EVP_add_cipher(EVP_aes_192_ctr()); 183 EVP_add_cipher(EVP_aes_192_ctr());
182#endif 184 EVP_add_cipher(EVP_aes_192_gcm());
183 EVP_add_cipher_alias(SN_aes_192_cbc,"AES192"); 185 EVP_add_cipher_alias(SN_aes_192_cbc,"AES192");
184 EVP_add_cipher_alias(SN_aes_192_cbc,"aes192"); 186 EVP_add_cipher_alias(SN_aes_192_cbc,"aes192");
185 EVP_add_cipher(EVP_aes_256_ecb()); 187 EVP_add_cipher(EVP_aes_256_ecb());
@@ -188,11 +190,15 @@ void OpenSSL_add_all_ciphers(void)
188 EVP_add_cipher(EVP_aes_256_cfb1()); 190 EVP_add_cipher(EVP_aes_256_cfb1());
189 EVP_add_cipher(EVP_aes_256_cfb8()); 191 EVP_add_cipher(EVP_aes_256_cfb8());
190 EVP_add_cipher(EVP_aes_256_ofb()); 192 EVP_add_cipher(EVP_aes_256_ofb());
191#if 0
192 EVP_add_cipher(EVP_aes_256_ctr()); 193 EVP_add_cipher(EVP_aes_256_ctr());
193#endif 194 EVP_add_cipher(EVP_aes_256_gcm());
195 EVP_add_cipher(EVP_aes_256_xts());
194 EVP_add_cipher_alias(SN_aes_256_cbc,"AES256"); 196 EVP_add_cipher_alias(SN_aes_256_cbc,"AES256");
195 EVP_add_cipher_alias(SN_aes_256_cbc,"aes256"); 197 EVP_add_cipher_alias(SN_aes_256_cbc,"aes256");
198#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
199 EVP_add_cipher(EVP_aes_128_cbc_hmac_sha1());
200 EVP_add_cipher(EVP_aes_256_cbc_hmac_sha1());
201#endif
196#endif 202#endif
197 203
198#ifndef OPENSSL_NO_CAMELLIA 204#ifndef OPENSSL_NO_CAMELLIA
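Review bot: The XTS registrations added at new lines 174 and 195 sit next to the general-purpose modes with no comment, although the matching e_aes.c change gives XTS a double-length key and no tag handling, so anyone picking a cipher by name from this table gets no hint that it is an unauthenticated disk-sector mode; I would add `/* XTS: unauthenticated, key_len is two AES keys; no 192-bit variant */` above the first registration. The 192-bit block registering GCM but not XTS is presumably deliberate (XTS-AES is only specified for 128- and 256-bit keys), and the same comment can say so. `EVP_rc4_hmac_md5()` at new line 102 is likewise exposed to EVP_get_cipherbyname() whenever RC4 and MD5 are both compiled in; if, as its name suggests, it is a stitched TLS record cipher rather than a general-purpose one, a one-line `/* TLS stitched cipher; not intended for general use */` would keep it from being chosen as an ordinary cipher.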
diff --git a/src/lib/libcrypto/evp/digest.c b/src/lib/libcrypto/evp/digest.c
index 982ba2b136..467e6b5ae9 100644
--- a/src/lib/libcrypto/evp/digest.c
+++ b/src/lib/libcrypto/evp/digest.c
@@ -117,6 +117,10 @@
117#include <openssl/engine.h> 117#include <openssl/engine.h>
118#endif 118#endif
119 119
120#ifdef OPENSSL_FIPS
121#include <openssl/fips.h>
122#endif
123
120void EVP_MD_CTX_init(EVP_MD_CTX *ctx) 124void EVP_MD_CTX_init(EVP_MD_CTX *ctx)
121 { 125 {
122 memset(ctx,'\0',sizeof *ctx); 126 memset(ctx,'\0',sizeof *ctx);
@@ -225,12 +229,26 @@ skip_to_init:
225 } 229 }
226 if (ctx->flags & EVP_MD_CTX_FLAG_NO_INIT) 230 if (ctx->flags & EVP_MD_CTX_FLAG_NO_INIT)
227 return 1; 231 return 1;
232#ifdef OPENSSL_FIPS
233 if (FIPS_mode())
234 {
235 if (FIPS_digestinit(ctx, type))
236 return 1;
237 OPENSSL_free(ctx->md_data);
238 ctx->md_data = NULL;
239 return 0;
240 }
241#endif
228 return ctx->digest->init(ctx); 242 return ctx->digest->init(ctx);
229 } 243 }
230 244
231int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count) 245int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count)
232 { 246 {
247#ifdef OPENSSL_FIPS
248 return FIPS_digestupdate(ctx, data, count);
249#else
233 return ctx->update(ctx,data,count); 250 return ctx->update(ctx,data,count);
251#endif
234 } 252 }
235 253
236/* The caller can assume that this removes any secret data from the context */ 254/* The caller can assume that this removes any secret data from the context */
@@ -245,8 +263,10 @@ int EVP_DigestFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size)
245/* The caller can assume that this removes any secret data from the context */ 263/* The caller can assume that this removes any secret data from the context */
246int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size) 264int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size)
247 { 265 {
266#ifdef OPENSSL_FIPS
267 return FIPS_digestfinal(ctx, md, size);
268#else
248 int ret; 269 int ret;
249
250 OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE); 270 OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
251 ret=ctx->digest->final(ctx,md); 271 ret=ctx->digest->final(ctx,md);
252 if (size != NULL) 272 if (size != NULL)
@@ -258,6 +278,7 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size)
258 } 278 }
259 memset(ctx->md_data,0,ctx->digest->ctx_size); 279 memset(ctx->md_data,0,ctx->digest->ctx_size);
260 return ret; 280 return ret;
281#endif
261 } 282 }
262 283
263int EVP_MD_CTX_copy(EVP_MD_CTX *out, const EVP_MD_CTX *in) 284int EVP_MD_CTX_copy(EVP_MD_CTX *out, const EVP_MD_CTX *in)
@@ -351,6 +372,7 @@ void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx)
351/* This call frees resources associated with the context */ 372/* This call frees resources associated with the context */
352int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx) 373int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
353 { 374 {
375#ifndef OPENSSL_FIPS
354 /* Don't assume ctx->md_data was cleaned in EVP_Digest_Final, 376 /* Don't assume ctx->md_data was cleaned in EVP_Digest_Final,
355 * because sometimes only copies of the context are ever finalised. 377 * because sometimes only copies of the context are ever finalised.
356 */ 378 */
@@ -363,6 +385,7 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
363 OPENSSL_cleanse(ctx->md_data,ctx->digest->ctx_size); 385 OPENSSL_cleanse(ctx->md_data,ctx->digest->ctx_size);
364 OPENSSL_free(ctx->md_data); 386 OPENSSL_free(ctx->md_data);
365 } 387 }
388#endif
366 if (ctx->pctx) 389 if (ctx->pctx)
367 EVP_PKEY_CTX_free(ctx->pctx); 390 EVP_PKEY_CTX_free(ctx->pctx);
368#ifndef OPENSSL_NO_ENGINE 391#ifndef OPENSSL_NO_ENGINE
@@ -371,6 +394,9 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
371 * functional reference we held for this reason. */ 394 * functional reference we held for this reason. */
372 ENGINE_finish(ctx->engine); 395 ENGINE_finish(ctx->engine);
373#endif 396#endif
397#ifdef OPENSSL_FIPS
398 FIPS_md_ctx_cleanup(ctx);
399#endif
374 memset(ctx,'\0',sizeof *ctx); 400 memset(ctx,'\0',sizeof *ctx);
375 401
376 return 1; 402 return 1;
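Review bot: Under OPENSSL_FIPS, EVP_MD_CTX_cleanup now compiles out the OPENSSL_cleanse()/OPENSSL_free() of ctx->md_data (new lines 375–388) and relies entirely on FIPS_md_ctx_cleanup() at line 398 to wipe the digest state, yet the surviving comment still says md_data is cleaned here; I would add `/* FIPS builds: md_data is cleansed and freed by FIPS_md_ctx_cleanup() below */` at the `#ifndef OPENSSL_FIPS` so the secret-wiping guarantee stays traceable. The same file has an asymmetry worth a comment: EVP_DigestInit_ex diverts to FIPS_digestinit() only when FIPS_mode() is set, while EVP_DigestUpdate and EVP_DigestFinal_ex call FIPS_digestupdate()/FIPS_digestfinal() unconditionally in a FIPS build, so the non-FIPS-mode path through those two depends on the FIPS wrappers falling back to ctx->update and ctx->digest->final — presumably they do, but nothing here says so. Note also that the new failure path in EVP_DigestInit_ex frees ctx->md_data without a cleanse; harmless if FIPS_digestinit() fails before writing any state, otherwise it leaves digest state in freed memory. The closing brace of EVP_MD_CTX_cleanup is outside the hunk.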
diff --git a/src/lib/libcrypto/evp/e_aes.c b/src/lib/libcrypto/evp/e_aes.c
index bd6c0a3a62..1e4af0cb75 100644
--- a/src/lib/libcrypto/evp/e_aes.c
+++ b/src/lib/libcrypto/evp/e_aes.c
@@ -1,5 +1,5 @@
1/* ==================================================================== 1/* ====================================================================
2 * Copyright (c) 2001 The OpenSSL Project. All rights reserved. 2 * Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved.
3 * 3 *
4 * Redistribution and use in source and binary forms, with or without 4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions 5 * modification, are permitted provided that the following conditions
@@ -56,57 +56,511 @@
56#include <assert.h> 56#include <assert.h>
57#include <openssl/aes.h> 57#include <openssl/aes.h>
58#include "evp_locl.h" 58#include "evp_locl.h"
59 59#ifndef OPENSSL_FIPS
60static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 60#include "modes_lcl.h"
61 const unsigned char *iv, int enc); 61#include <openssl/rand.h>
62 62
63typedef struct 63typedef struct
64 { 64 {
65 AES_KEY ks; 65 AES_KEY ks;
66 block128_f block;
67 union {
68 cbc128_f cbc;
69 ctr128_f ctr;
70 } stream;
66 } EVP_AES_KEY; 71 } EVP_AES_KEY;
67 72
68#define data(ctx) EVP_C_DATA(EVP_AES_KEY,ctx) 73typedef struct
69 74 {
70IMPLEMENT_BLOCK_CIPHER(aes_128, ks, AES, EVP_AES_KEY, 75 AES_KEY ks; /* AES key schedule to use */
71 NID_aes_128, 16, 16, 16, 128, 76 int key_set; /* Set if key initialised */
72 0, aes_init_key, NULL, 77 int iv_set; /* Set if an iv is set */
73 EVP_CIPHER_set_asn1_iv, 78 GCM128_CONTEXT gcm;
74 EVP_CIPHER_get_asn1_iv, 79 unsigned char *iv; /* Temporary IV store */
75 NULL) 80 int ivlen; /* IV length */
76IMPLEMENT_BLOCK_CIPHER(aes_192, ks, AES, EVP_AES_KEY, 81 int taglen;
77 NID_aes_192, 16, 24, 16, 128, 82 int iv_gen; /* It is OK to generate IVs */
78 0, aes_init_key, NULL, 83 int tls_aad_len; /* TLS AAD length */
79 EVP_CIPHER_set_asn1_iv, 84 ctr128_f ctr;
80 EVP_CIPHER_get_asn1_iv, 85 } EVP_AES_GCM_CTX;
81 NULL) 86
82IMPLEMENT_BLOCK_CIPHER(aes_256, ks, AES, EVP_AES_KEY, 87typedef struct
83 NID_aes_256, 16, 32, 16, 128, 88 {
84 0, aes_init_key, NULL, 89 AES_KEY ks1, ks2; /* AES key schedules to use */
85 EVP_CIPHER_set_asn1_iv, 90 XTS128_CONTEXT xts;
86 EVP_CIPHER_get_asn1_iv, 91 void (*stream)(const unsigned char *in,
87 NULL) 92 unsigned char *out, size_t length,
88 93 const AES_KEY *key1, const AES_KEY *key2,
89#define IMPLEMENT_AES_CFBR(ksize,cbits) IMPLEMENT_CFBR(aes,AES,EVP_AES_KEY,ks,ksize,cbits,16) 94 const unsigned char iv[16]);
90 95 } EVP_AES_XTS_CTX;
91IMPLEMENT_AES_CFBR(128,1) 96
92IMPLEMENT_AES_CFBR(192,1) 97typedef struct
93IMPLEMENT_AES_CFBR(256,1) 98 {
94 99 AES_KEY ks; /* AES key schedule to use */
95IMPLEMENT_AES_CFBR(128,8) 100 int key_set; /* Set if key initialised */
96IMPLEMENT_AES_CFBR(192,8) 101 int iv_set; /* Set if an iv is set */
97IMPLEMENT_AES_CFBR(256,8) 102 int tag_set; /* Set if tag is valid */
103 int len_set; /* Set if message length set */
104 int L, M; /* L and M parameters from RFC3610 */
105 CCM128_CONTEXT ccm;
106 ccm128_f str;
107 } EVP_AES_CCM_CTX;
108
109#define MAXBITCHUNK ((size_t)1<<(sizeof(size_t)*8-4))
110
111#ifdef VPAES_ASM
112int vpaes_set_encrypt_key(const unsigned char *userKey, int bits,
113 AES_KEY *key);
114int vpaes_set_decrypt_key(const unsigned char *userKey, int bits,
115 AES_KEY *key);
116
117void vpaes_encrypt(const unsigned char *in, unsigned char *out,
118 const AES_KEY *key);
119void vpaes_decrypt(const unsigned char *in, unsigned char *out,
120 const AES_KEY *key);
121
122void vpaes_cbc_encrypt(const unsigned char *in,
123 unsigned char *out,
124 size_t length,
125 const AES_KEY *key,
126 unsigned char *ivec, int enc);
127#endif
128#ifdef BSAES_ASM
129void bsaes_cbc_encrypt(const unsigned char *in, unsigned char *out,
130 size_t length, const AES_KEY *key,
131 unsigned char ivec[16], int enc);
132void bsaes_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
133 size_t len, const AES_KEY *key,
134 const unsigned char ivec[16]);
135void bsaes_xts_encrypt(const unsigned char *inp, unsigned char *out,
136 size_t len, const AES_KEY *key1,
137 const AES_KEY *key2, const unsigned char iv[16]);
138void bsaes_xts_decrypt(const unsigned char *inp, unsigned char *out,
139 size_t len, const AES_KEY *key1,
140 const AES_KEY *key2, const unsigned char iv[16]);
141#endif
142#ifdef AES_CTR_ASM
143void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out,
144 size_t blocks, const AES_KEY *key,
145 const unsigned char ivec[AES_BLOCK_SIZE]);
146#endif
147#ifdef AES_XTS_ASM
148void AES_xts_encrypt(const char *inp,char *out,size_t len,
149 const AES_KEY *key1, const AES_KEY *key2,
150 const unsigned char iv[16]);
151void AES_xts_decrypt(const char *inp,char *out,size_t len,
152 const AES_KEY *key1, const AES_KEY *key2,
153 const unsigned char iv[16]);
154#endif
155
156#if defined(AES_ASM) && !defined(I386_ONLY) && ( \
157 ((defined(__i386) || defined(__i386__) || \
158 defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \
159 defined(__x86_64) || defined(__x86_64__) || \
160 defined(_M_AMD64) || defined(_M_X64) || \
161 defined(__INTEL__) )
162
163extern unsigned int OPENSSL_ia32cap_P[2];
164
165#ifdef VPAES_ASM
166#define VPAES_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(41-32)))
167#endif
168#ifdef BSAES_ASM
169#define BSAES_CAPABLE VPAES_CAPABLE
170#endif
171/*
172 * AES-NI section
173 */
174#define AESNI_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(57-32)))
175
176int aesni_set_encrypt_key(const unsigned char *userKey, int bits,
177 AES_KEY *key);
178int aesni_set_decrypt_key(const unsigned char *userKey, int bits,
179 AES_KEY *key);
180
181void aesni_encrypt(const unsigned char *in, unsigned char *out,
182 const AES_KEY *key);
183void aesni_decrypt(const unsigned char *in, unsigned char *out,
184 const AES_KEY *key);
185
186void aesni_ecb_encrypt(const unsigned char *in,
187 unsigned char *out,
188 size_t length,
189 const AES_KEY *key,
190 int enc);
191void aesni_cbc_encrypt(const unsigned char *in,
192 unsigned char *out,
193 size_t length,
194 const AES_KEY *key,
195 unsigned char *ivec, int enc);
196
197void aesni_ctr32_encrypt_blocks(const unsigned char *in,
198 unsigned char *out,
199 size_t blocks,
200 const void *key,
201 const unsigned char *ivec);
202
203void aesni_xts_encrypt(const unsigned char *in,
204 unsigned char *out,
205 size_t length,
206 const AES_KEY *key1, const AES_KEY *key2,
207 const unsigned char iv[16]);
208
209void aesni_xts_decrypt(const unsigned char *in,
210 unsigned char *out,
211 size_t length,
212 const AES_KEY *key1, const AES_KEY *key2,
213 const unsigned char iv[16]);
214
215void aesni_ccm64_encrypt_blocks (const unsigned char *in,
216 unsigned char *out,
217 size_t blocks,
218 const void *key,
219 const unsigned char ivec[16],
220 unsigned char cmac[16]);
221
222void aesni_ccm64_decrypt_blocks (const unsigned char *in,
223 unsigned char *out,
224 size_t blocks,
225 const void *key,
226 const unsigned char ivec[16],
227 unsigned char cmac[16]);
228
229static int aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
230 const unsigned char *iv, int enc)
231 {
232 int ret, mode;
233 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
234
235 mode = ctx->cipher->flags & EVP_CIPH_MODE;
236 if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
237 && !enc)
238 {
239 ret = aesni_set_decrypt_key(key, ctx->key_len*8, ctx->cipher_data);
240 dat->block = (block128_f)aesni_decrypt;
241 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?
242 (cbc128_f)aesni_cbc_encrypt :
243 NULL;
244 }
245 else {
246 ret = aesni_set_encrypt_key(key, ctx->key_len*8, ctx->cipher_data);
247 dat->block = (block128_f)aesni_encrypt;
248 if (mode==EVP_CIPH_CBC_MODE)
249 dat->stream.cbc = (cbc128_f)aesni_cbc_encrypt;
250 else if (mode==EVP_CIPH_CTR_MODE)
251 dat->stream.ctr = (ctr128_f)aesni_ctr32_encrypt_blocks;
252 else
253 dat->stream.cbc = NULL;
254 }
255
256 if(ret < 0)
257 {
258 EVPerr(EVP_F_AESNI_INIT_KEY,EVP_R_AES_KEY_SETUP_FAILED);
259 return 0;
260 }
261
262 return 1;
263 }
264
265static int aesni_cbc_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
266 const unsigned char *in, size_t len)
267{
268 aesni_cbc_encrypt(in,out,len,ctx->cipher_data,ctx->iv,ctx->encrypt);
269
270 return 1;
271}
272
273static int aesni_ecb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
274 const unsigned char *in, size_t len)
275{
276 size_t bl = ctx->cipher->block_size;
277
278 if (len<bl) return 1;
279
280 aesni_ecb_encrypt(in,out,len,ctx->cipher_data,ctx->encrypt);
281
282 return 1;
283}
284
285#define aesni_ofb_cipher aes_ofb_cipher
286static int aesni_ofb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
287 const unsigned char *in,size_t len);
288
289#define aesni_cfb_cipher aes_cfb_cipher
290static int aesni_cfb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
291 const unsigned char *in,size_t len);
292
293#define aesni_cfb8_cipher aes_cfb8_cipher
294static int aesni_cfb8_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
295 const unsigned char *in,size_t len);
296
297#define aesni_cfb1_cipher aes_cfb1_cipher
298static int aesni_cfb1_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
299 const unsigned char *in,size_t len);
300
301#define aesni_ctr_cipher aes_ctr_cipher
302static int aesni_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
303 const unsigned char *in, size_t len);
304
305static int aesni_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
306 const unsigned char *iv, int enc)
307 {
308 EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
309 if (!iv && !key)
310 return 1;
311 if (key)
312 {
313 aesni_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks);
314 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
315 (block128_f)aesni_encrypt);
316 gctx->ctr = (ctr128_f)aesni_ctr32_encrypt_blocks;
317 /* If we have an iv can set it directly, otherwise use
318 * saved IV.
319 */
320 if (iv == NULL && gctx->iv_set)
321 iv = gctx->iv;
322 if (iv)
323 {
324 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
325 gctx->iv_set = 1;
326 }
327 gctx->key_set = 1;
328 }
329 else
330 {
331 /* If key set use IV, otherwise copy */
332 if (gctx->key_set)
333 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
334 else
335 memcpy(gctx->iv, iv, gctx->ivlen);
336 gctx->iv_set = 1;
337 gctx->iv_gen = 0;
338 }
339 return 1;
340 }
341
342#define aesni_gcm_cipher aes_gcm_cipher
343static int aesni_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
344 const unsigned char *in, size_t len);
345
346static int aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
347 const unsigned char *iv, int enc)
348 {
349 EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
350 if (!iv && !key)
351 return 1;
352
353 if (key)
354 {
355 /* key_len is two AES keys */
356 if (enc)
357 {
358 aesni_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1);
359 xctx->xts.block1 = (block128_f)aesni_encrypt;
360 xctx->stream = aesni_xts_encrypt;
361 }
362 else
363 {
364 aesni_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1);
365 xctx->xts.block1 = (block128_f)aesni_decrypt;
366 xctx->stream = aesni_xts_decrypt;
367 }
368
369 aesni_set_encrypt_key(key + ctx->key_len/2,
370 ctx->key_len * 4, &xctx->ks2);
371 xctx->xts.block2 = (block128_f)aesni_encrypt;
372
373 xctx->xts.key1 = &xctx->ks1;
374 }
375
376 if (iv)
377 {
378 xctx->xts.key2 = &xctx->ks2;
379 memcpy(ctx->iv, iv, 16);
380 }
381
382 return 1;
383 }
384
385#define aesni_xts_cipher aes_xts_cipher
386static int aesni_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
387 const unsigned char *in, size_t len);
388
389static int aesni_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
390 const unsigned char *iv, int enc)
391 {
392 EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
393 if (!iv && !key)
394 return 1;
395 if (key)
396 {
397 aesni_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks);
398 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
399 &cctx->ks, (block128_f)aesni_encrypt);
400 cctx->str = enc?(ccm128_f)aesni_ccm64_encrypt_blocks :
401 (ccm128_f)aesni_ccm64_decrypt_blocks;
402 cctx->key_set = 1;
403 }
404 if (iv)
405 {
406 memcpy(ctx->iv, iv, 15 - cctx->L);
407 cctx->iv_set = 1;
408 }
409 return 1;
410 }
411
412#define aesni_ccm_cipher aes_ccm_cipher
413static int aesni_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
414 const unsigned char *in, size_t len);
415
416#define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
417static const EVP_CIPHER aesni_##keylen##_##mode = { \
418 nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
419 flags|EVP_CIPH_##MODE##_MODE, \
420 aesni_init_key, \
421 aesni_##mode##_cipher, \
422 NULL, \
423 sizeof(EVP_AES_KEY), \
424 NULL,NULL,NULL,NULL }; \
425static const EVP_CIPHER aes_##keylen##_##mode = { \
426 nid##_##keylen##_##nmode,blocksize, \
427 keylen/8,ivlen, \
428 flags|EVP_CIPH_##MODE##_MODE, \
429 aes_init_key, \
430 aes_##mode##_cipher, \
431 NULL, \
432 sizeof(EVP_AES_KEY), \
433 NULL,NULL,NULL,NULL }; \
434const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
435{ return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
436
437#define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
438static const EVP_CIPHER aesni_##keylen##_##mode = { \
439 nid##_##keylen##_##mode,blocksize, \
440 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
441 flags|EVP_CIPH_##MODE##_MODE, \
442 aesni_##mode##_init_key, \
443 aesni_##mode##_cipher, \
444 aes_##mode##_cleanup, \
445 sizeof(EVP_AES_##MODE##_CTX), \
446 NULL,NULL,aes_##mode##_ctrl,NULL }; \
447static const EVP_CIPHER aes_##keylen##_##mode = { \
448 nid##_##keylen##_##mode,blocksize, \
449 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
450 flags|EVP_CIPH_##MODE##_MODE, \
451 aes_##mode##_init_key, \
452 aes_##mode##_cipher, \
453 aes_##mode##_cleanup, \
454 sizeof(EVP_AES_##MODE##_CTX), \
455 NULL,NULL,aes_##mode##_ctrl,NULL }; \
456const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
457{ return AESNI_CAPABLE?&aesni_##keylen##_##mode:&aes_##keylen##_##mode; }
458
459#else
460
461#define BLOCK_CIPHER_generic(nid,keylen,blocksize,ivlen,nmode,mode,MODE,flags) \
462static const EVP_CIPHER aes_##keylen##_##mode = { \
463 nid##_##keylen##_##nmode,blocksize,keylen/8,ivlen, \
464 flags|EVP_CIPH_##MODE##_MODE, \
465 aes_init_key, \
466 aes_##mode##_cipher, \
467 NULL, \
468 sizeof(EVP_AES_KEY), \
469 NULL,NULL,NULL,NULL }; \
470const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
471{ return &aes_##keylen##_##mode; }
472
473#define BLOCK_CIPHER_custom(nid,keylen,blocksize,ivlen,mode,MODE,flags) \
474static const EVP_CIPHER aes_##keylen##_##mode = { \
475 nid##_##keylen##_##mode,blocksize, \
476 (EVP_CIPH_##MODE##_MODE==EVP_CIPH_XTS_MODE?2:1)*keylen/8, ivlen, \
477 flags|EVP_CIPH_##MODE##_MODE, \
478 aes_##mode##_init_key, \
479 aes_##mode##_cipher, \
480 aes_##mode##_cleanup, \
481 sizeof(EVP_AES_##MODE##_CTX), \
482 NULL,NULL,aes_##mode##_ctrl,NULL }; \
483const EVP_CIPHER *EVP_aes_##keylen##_##mode(void) \
484{ return &aes_##keylen##_##mode; }
485#endif
486
487#define BLOCK_CIPHER_generic_pack(nid,keylen,flags) \
488 BLOCK_CIPHER_generic(nid,keylen,16,16,cbc,cbc,CBC,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
489 BLOCK_CIPHER_generic(nid,keylen,16,0,ecb,ecb,ECB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
490 BLOCK_CIPHER_generic(nid,keylen,1,16,ofb128,ofb,OFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
491 BLOCK_CIPHER_generic(nid,keylen,1,16,cfb128,cfb,CFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
492 BLOCK_CIPHER_generic(nid,keylen,1,16,cfb1,cfb1,CFB,flags) \
493 BLOCK_CIPHER_generic(nid,keylen,1,16,cfb8,cfb8,CFB,flags) \
494 BLOCK_CIPHER_generic(nid,keylen,1,16,ctr,ctr,CTR,flags)
98 495
99static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 496static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
100 const unsigned char *iv, int enc) 497 const unsigned char *iv, int enc)
101 { 498 {
102 int ret; 499 int ret, mode;
500 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
103 501
104 if ((ctx->cipher->flags & EVP_CIPH_MODE) == EVP_CIPH_CFB_MODE 502 mode = ctx->cipher->flags & EVP_CIPH_MODE;
105 || (ctx->cipher->flags & EVP_CIPH_MODE) == EVP_CIPH_OFB_MODE 503 if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
106 || enc) 504 && !enc)
107 ret=AES_set_encrypt_key(key, ctx->key_len * 8, ctx->cipher_data); 505#ifdef BSAES_CAPABLE
506 if (BSAES_CAPABLE && mode==EVP_CIPH_CBC_MODE)
507 {
508 ret = AES_set_decrypt_key(key,ctx->key_len*8,&dat->ks);
509 dat->block = (block128_f)AES_decrypt;
510 dat->stream.cbc = (cbc128_f)bsaes_cbc_encrypt;
511 }
512 else
513#endif
514#ifdef VPAES_CAPABLE
515 if (VPAES_CAPABLE)
516 {
517 ret = vpaes_set_decrypt_key(key,ctx->key_len*8,&dat->ks);
518 dat->block = (block128_f)vpaes_decrypt;
519 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?
520 (cbc128_f)vpaes_cbc_encrypt :
521 NULL;
522 }
523 else
524#endif
525 {
526 ret = AES_set_decrypt_key(key,ctx->key_len*8,&dat->ks);
527 dat->block = (block128_f)AES_decrypt;
528 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?
529 (cbc128_f)AES_cbc_encrypt :
530 NULL;
531 }
108 else 532 else
109 ret=AES_set_decrypt_key(key, ctx->key_len * 8, ctx->cipher_data); 533#ifdef BSAES_CAPABLE
534 if (BSAES_CAPABLE && mode==EVP_CIPH_CTR_MODE)
535 {
536 ret = AES_set_encrypt_key(key,ctx->key_len*8,&dat->ks);
537 dat->block = (block128_f)AES_encrypt;
538 dat->stream.ctr = (ctr128_f)bsaes_ctr32_encrypt_blocks;
539 }
540 else
541#endif
542#ifdef VPAES_CAPABLE
543 if (VPAES_CAPABLE)
544 {
545 ret = vpaes_set_encrypt_key(key,ctx->key_len*8,&dat->ks);
546 dat->block = (block128_f)vpaes_encrypt;
547 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?
548 (cbc128_f)vpaes_cbc_encrypt :
549 NULL;
550 }
551 else
552#endif
553 {
554 ret = AES_set_encrypt_key(key,ctx->key_len*8,&dat->ks);
555 dat->block = (block128_f)AES_encrypt;
556 dat->stream.cbc = mode==EVP_CIPH_CBC_MODE ?
557 (cbc128_f)AES_cbc_encrypt :
558 NULL;
559#ifdef AES_CTR_ASM
560 if (mode==EVP_CIPH_CTR_MODE)
561 dat->stream.ctr = (ctr128_f)AES_ctr32_encrypt;
562#endif
563 }
110 564
111 if(ret < 0) 565 if(ret < 0)
112 { 566 {
@@ -117,4 +571,743 @@ static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
117 return 1; 571 return 1;
118 } 572 }
119 573
574static int aes_cbc_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
575 const unsigned char *in, size_t len)
576{
577 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
578
579 if (dat->stream.cbc)
580 (*dat->stream.cbc)(in,out,len,&dat->ks,ctx->iv,ctx->encrypt);
581 else if (ctx->encrypt)
582 CRYPTO_cbc128_encrypt(in,out,len,&dat->ks,ctx->iv,dat->block);
583 else
584 CRYPTO_cbc128_encrypt(in,out,len,&dat->ks,ctx->iv,dat->block);
585
586 return 1;
587}
588
589static int aes_ecb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
590 const unsigned char *in, size_t len)
591{
592 size_t bl = ctx->cipher->block_size;
593 size_t i;
594 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
595
596 if (len<bl) return 1;
597
598 for (i=0,len-=bl;i<=len;i+=bl)
599 (*dat->block)(in+i,out+i,&dat->ks);
600
601 return 1;
602}
603
604static int aes_ofb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
605 const unsigned char *in,size_t len)
606{
607 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
608
609 CRYPTO_ofb128_encrypt(in,out,len,&dat->ks,
610 ctx->iv,&ctx->num,dat->block);
611 return 1;
612}
613
614static int aes_cfb_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
615 const unsigned char *in,size_t len)
616{
617 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
618
619 CRYPTO_cfb128_encrypt(in,out,len,&dat->ks,
620 ctx->iv,&ctx->num,ctx->encrypt,dat->block);
621 return 1;
622}
623
624static int aes_cfb8_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
625 const unsigned char *in,size_t len)
626{
627 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
628
629 CRYPTO_cfb128_8_encrypt(in,out,len,&dat->ks,
630 ctx->iv,&ctx->num,ctx->encrypt,dat->block);
631 return 1;
632}
633
634static int aes_cfb1_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
635 const unsigned char *in,size_t len)
636{
637 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
638
639 if (ctx->flags&EVP_CIPH_FLAG_LENGTH_BITS) {
640 CRYPTO_cfb128_1_encrypt(in,out,len,&dat->ks,
641 ctx->iv,&ctx->num,ctx->encrypt,dat->block);
642 return 1;
643 }
644
645 while (len>=MAXBITCHUNK) {
646 CRYPTO_cfb128_1_encrypt(in,out,MAXBITCHUNK*8,&dat->ks,
647 ctx->iv,&ctx->num,ctx->encrypt,dat->block);
648 len-=MAXBITCHUNK;
649 }
650 if (len)
651 CRYPTO_cfb128_1_encrypt(in,out,len*8,&dat->ks,
652 ctx->iv,&ctx->num,ctx->encrypt,dat->block);
653
654 return 1;
655}
656
657static int aes_ctr_cipher (EVP_CIPHER_CTX *ctx, unsigned char *out,
658 const unsigned char *in, size_t len)
659{
660 unsigned int num = ctx->num;
661 EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
662
663 if (dat->stream.ctr)
664 CRYPTO_ctr128_encrypt_ctr32(in,out,len,&dat->ks,
665 ctx->iv,ctx->buf,&num,dat->stream.ctr);
666 else
667 CRYPTO_ctr128_encrypt(in,out,len,&dat->ks,
668 ctx->iv,ctx->buf,&num,dat->block);
669 ctx->num = (size_t)num;
670 return 1;
671}
672
673BLOCK_CIPHER_generic_pack(NID_aes,128,EVP_CIPH_FLAG_FIPS)
674BLOCK_CIPHER_generic_pack(NID_aes,192,EVP_CIPH_FLAG_FIPS)
675BLOCK_CIPHER_generic_pack(NID_aes,256,EVP_CIPH_FLAG_FIPS)
676
677static int aes_gcm_cleanup(EVP_CIPHER_CTX *c)
678 {
679 EVP_AES_GCM_CTX *gctx = c->cipher_data;
680 OPENSSL_cleanse(&gctx->gcm, sizeof(gctx->gcm));
681 if (gctx->iv != c->iv)
682 OPENSSL_free(gctx->iv);
683 return 1;
684 }
685
686/* increment counter (64-bit int) by 1 */
687static void ctr64_inc(unsigned char *counter) {
688 int n=8;
689 unsigned char c;
690
691 do {
692 --n;
693 c = counter[n];
694 ++c;
695 counter[n] = c;
696 if (c) return;
697 } while (n);
698}
699
700static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
701 {
702 EVP_AES_GCM_CTX *gctx = c->cipher_data;
703 switch (type)
704 {
705 case EVP_CTRL_INIT:
706 gctx->key_set = 0;
707 gctx->iv_set = 0;
708 gctx->ivlen = c->cipher->iv_len;
709 gctx->iv = c->iv;
710 gctx->taglen = -1;
711 gctx->iv_gen = 0;
712 gctx->tls_aad_len = -1;
713 return 1;
714
715 case EVP_CTRL_GCM_SET_IVLEN:
716 if (arg <= 0)
717 return 0;
718#ifdef OPENSSL_FIPS
719 if (FIPS_module_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)
720 && arg < 12)
721 return 0;
722#endif
723 /* Allocate memory for IV if needed */
724 if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen))
725 {
726 if (gctx->iv != c->iv)
727 OPENSSL_free(gctx->iv);
728 gctx->iv = OPENSSL_malloc(arg);
729 if (!gctx->iv)
730 return 0;
731 }
732 gctx->ivlen = arg;
733 return 1;
734
735 case EVP_CTRL_GCM_SET_TAG:
736 if (arg <= 0 || arg > 16 || c->encrypt)
737 return 0;
738 memcpy(c->buf, ptr, arg);
739 gctx->taglen = arg;
740 return 1;
741
742 case EVP_CTRL_GCM_GET_TAG:
743 if (arg <= 0 || arg > 16 || !c->encrypt || gctx->taglen < 0)
744 return 0;
745 memcpy(ptr, c->buf, arg);
746 return 1;
747
748 case EVP_CTRL_GCM_SET_IV_FIXED:
749 /* Special case: -1 length restores whole IV */
750 if (arg == -1)
751 {
752 memcpy(gctx->iv, ptr, gctx->ivlen);
753 gctx->iv_gen = 1;
754 return 1;
755 }
756 /* Fixed field must be at least 4 bytes and invocation field
757 * at least 8.
758 */
759 if ((arg < 4) || (gctx->ivlen - arg) < 8)
760 return 0;
761 if (arg)
762 memcpy(gctx->iv, ptr, arg);
763 if (c->encrypt &&
764 RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0)
765 return 0;
766 gctx->iv_gen = 1;
767 return 1;
768
769 case EVP_CTRL_GCM_IV_GEN:
770 if (gctx->iv_gen == 0 || gctx->key_set == 0)
771 return 0;
772 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
773 if (arg <= 0 || arg > gctx->ivlen)
774 arg = gctx->ivlen;
775 memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg);
776 /* Invocation field will be at least 8 bytes in size and
777 * so no need to check wrap around or increment more than
778 * last 8 bytes.
779 */
780 ctr64_inc(gctx->iv + gctx->ivlen - 8);
781 gctx->iv_set = 1;
782 return 1;
783
784 case EVP_CTRL_GCM_SET_IV_INV:
785 if (gctx->iv_gen == 0 || gctx->key_set == 0 || c->encrypt)
786 return 0;
787 memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg);
788 CRYPTO_gcm128_setiv(&gctx->gcm, gctx->iv, gctx->ivlen);
789 gctx->iv_set = 1;
790 return 1;
791
792 case EVP_CTRL_AEAD_TLS1_AAD:
793 /* Save the AAD for later use */
794 if (arg != 13)
795 return 0;
796 memcpy(c->buf, ptr, arg);
797 gctx->tls_aad_len = arg;
798 {
799 unsigned int len=c->buf[arg-2]<<8|c->buf[arg-1];
800 /* Correct length for explicit IV */
801 len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
802 /* If decrypting correct for tag too */
803 if (!c->encrypt)
804 len -= EVP_GCM_TLS_TAG_LEN;
805 c->buf[arg-2] = len>>8;
806 c->buf[arg-1] = len & 0xff;
807 }
808 /* Extra padding: tag appended to record */
809 return EVP_GCM_TLS_TAG_LEN;
810
811 default:
812 return -1;
813
814 }
815 }
816
817static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
818 const unsigned char *iv, int enc)
819 {
820 EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
821 if (!iv && !key)
822 return 1;
823 if (key)
824 { do {
825#ifdef BSAES_CAPABLE
826 if (BSAES_CAPABLE)
827 {
828 AES_set_encrypt_key(key,ctx->key_len*8,&gctx->ks);
829 CRYPTO_gcm128_init(&gctx->gcm,&gctx->ks,
830 (block128_f)AES_encrypt);
831 gctx->ctr = (ctr128_f)bsaes_ctr32_encrypt_blocks;
832 break;
833 }
834 else
835#endif
836#ifdef VPAES_CAPABLE
837 if (VPAES_CAPABLE)
838 {
839 vpaes_set_encrypt_key(key,ctx->key_len*8,&gctx->ks);
840 CRYPTO_gcm128_init(&gctx->gcm,&gctx->ks,
841 (block128_f)vpaes_encrypt);
842 gctx->ctr = NULL;
843 break;
844 }
845#endif
846 AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks);
847 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f)AES_encrypt);
848#ifdef AES_CTR_ASM
849 gctx->ctr = (ctr128_f)AES_ctr32_encrypt;
850#else
851 gctx->ctr = NULL;
852#endif
853 } while (0);
854
855 /* If we have an iv can set it directly, otherwise use
856 * saved IV.
857 */
858 if (iv == NULL && gctx->iv_set)
859 iv = gctx->iv;
860 if (iv)
861 {
862 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
863 gctx->iv_set = 1;
864 }
865 gctx->key_set = 1;
866 }
867 else
868 {
869 /* If key set use IV, otherwise copy */
870 if (gctx->key_set)
871 CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
872 else
873 memcpy(gctx->iv, iv, gctx->ivlen);
874 gctx->iv_set = 1;
875 gctx->iv_gen = 0;
876 }
877 return 1;
878 }
879
880/* Handle TLS GCM packet format. This consists of the last portion of the IV
881 * followed by the payload and finally the tag. On encrypt generate IV,
882 * encrypt payload and write the tag. On verify retrieve IV, decrypt payload
883 * and verify tag.
884 */
885
886static int aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
887 const unsigned char *in, size_t len)
888 {
889 EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
890 int rv = -1;
891 /* Encrypt/decrypt must be performed in place */
892 if (out != in || len < (EVP_GCM_TLS_EXPLICIT_IV_LEN+EVP_GCM_TLS_TAG_LEN))
893 return -1;
894 /* Set IV from start of buffer or generate IV and write to start
895 * of buffer.
896 */
897 if (EVP_CIPHER_CTX_ctrl(ctx, ctx->encrypt ?
898 EVP_CTRL_GCM_IV_GEN : EVP_CTRL_GCM_SET_IV_INV,
899 EVP_GCM_TLS_EXPLICIT_IV_LEN, out) <= 0)
900 goto err;
901 /* Use saved AAD */
902 if (CRYPTO_gcm128_aad(&gctx->gcm, ctx->buf, gctx->tls_aad_len))
903 goto err;
904 /* Fix buffer and length to point to payload */
905 in += EVP_GCM_TLS_EXPLICIT_IV_LEN;
906 out += EVP_GCM_TLS_EXPLICIT_IV_LEN;
907 len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
908 if (ctx->encrypt)
909 {
910 /* Encrypt payload */
911 if (gctx->ctr)
912 {
913 if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
914 in, out, len,
915 gctx->ctr))
916 goto err;
917 }
918 else {
919 if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, len))
920 goto err;
921 }
922 out += len;
923 /* Finally write tag */
924 CRYPTO_gcm128_tag(&gctx->gcm, out, EVP_GCM_TLS_TAG_LEN);
925 rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
926 }
927 else
928 {
929 /* Decrypt */
930 if (gctx->ctr)
931 {
932 if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
933 in, out, len,
934 gctx->ctr))
935 goto err;
936 }
937 else {
938 if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, len))
939 goto err;
940 }
941 /* Retrieve tag */
942 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf,
943 EVP_GCM_TLS_TAG_LEN);
944 /* If tag mismatch wipe buffer */
945 if (memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN))
946 {
947 OPENSSL_cleanse(out, len);
948 goto err;
949 }
950 rv = len;
951 }
952
953 err:
954 gctx->iv_set = 0;
955 gctx->tls_aad_len = -1;
956 return rv;
957 }
958
959static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
960 const unsigned char *in, size_t len)
961 {
962 EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
963 /* If not set up, return error */
964 if (!gctx->key_set)
965 return -1;
966
967 if (gctx->tls_aad_len >= 0)
968 return aes_gcm_tls_cipher(ctx, out, in, len);
969
970 if (!gctx->iv_set)
971 return -1;
972 if (!ctx->encrypt && gctx->taglen < 0)
973 return -1;
974 if (in)
975 {
976 if (out == NULL)
977 {
978 if (CRYPTO_gcm128_aad(&gctx->gcm, in, len))
979 return -1;
980 }
981 else if (ctx->encrypt)
982 {
983 if (gctx->ctr)
984 {
985 if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
986 in, out, len,
987 gctx->ctr))
988 return -1;
989 }
990 else {
991 if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, len))
992 return -1;
993 }
994 }
995 else
996 {
997 if (gctx->ctr)
998 {
999 if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
1000 in, out, len,
1001 gctx->ctr))
1002 return -1;
1003 }
1004 else {
1005 if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, len))
1006 return -1;
1007 }
1008 }
1009 return len;
1010 }
1011 else
1012 {
1013 if (!ctx->encrypt)
1014 {
1015 if (CRYPTO_gcm128_finish(&gctx->gcm,
1016 ctx->buf, gctx->taglen) != 0)
1017 return -1;
1018 gctx->iv_set = 0;
1019 return 0;
1020 }
1021 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, 16);
1022 gctx->taglen = 16;
1023 /* Don't reuse the IV */
1024 gctx->iv_set = 0;
1025 return 0;
1026 }
1027
1028 }
1029
1030#define CUSTOM_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 \
1031 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
1032 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT)
1033
1034BLOCK_CIPHER_custom(NID_aes,128,1,12,gcm,GCM,
1035 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS)
1036BLOCK_CIPHER_custom(NID_aes,192,1,12,gcm,GCM,
1037 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS)
1038BLOCK_CIPHER_custom(NID_aes,256,1,12,gcm,GCM,
1039 EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS)
1040
1041static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
1042 {
1043 EVP_AES_XTS_CTX *xctx = c->cipher_data;
1044 if (type != EVP_CTRL_INIT)
1045 return -1;
1046 /* key1 and key2 are used as an indicator both key and IV are set */
1047 xctx->xts.key1 = NULL;
1048 xctx->xts.key2 = NULL;
1049 return 1;
1050 }
1051
1052static int aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1053 const unsigned char *iv, int enc)
1054 {
1055 EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
1056 if (!iv && !key)
1057 return 1;
1058
1059 if (key) do
1060 {
1061#ifdef AES_XTS_ASM
1062 xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt;
1063#else
1064 xctx->stream = NULL;
1065#endif
1066 /* key_len is two AES keys */
1067#ifdef BSAES_CAPABLE
1068 if (BSAES_CAPABLE)
1069 xctx->stream = enc ? bsaes_xts_encrypt : bsaes_xts_decrypt;
1070 else
1071#endif
1072#ifdef VPAES_CAPABLE
1073 if (VPAES_CAPABLE)
1074 {
1075 if (enc)
1076 {
1077 vpaes_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1);
1078 xctx->xts.block1 = (block128_f)vpaes_encrypt;
1079 }
1080 else
1081 {
1082 vpaes_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1);
1083 xctx->xts.block1 = (block128_f)vpaes_decrypt;
1084 }
1085
1086 vpaes_set_encrypt_key(key + ctx->key_len/2,
1087 ctx->key_len * 4, &xctx->ks2);
1088 xctx->xts.block2 = (block128_f)vpaes_encrypt;
1089
1090 xctx->xts.key1 = &xctx->ks1;
1091 break;
1092 }
1093#endif
1094 if (enc)
1095 {
1096 AES_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1);
1097 xctx->xts.block1 = (block128_f)AES_encrypt;
1098 }
1099 else
1100 {
1101 AES_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1);
1102 xctx->xts.block1 = (block128_f)AES_decrypt;
1103 }
1104
1105 AES_set_encrypt_key(key + ctx->key_len/2,
1106 ctx->key_len * 4, &xctx->ks2);
1107 xctx->xts.block2 = (block128_f)AES_encrypt;
1108
1109 xctx->xts.key1 = &xctx->ks1;
1110 } while (0);
1111
1112 if (iv)
1113 {
1114 xctx->xts.key2 = &xctx->ks2;
1115 memcpy(ctx->iv, iv, 16);
1116 }
1117
1118 return 1;
1119 }
1120
1121static int aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1122 const unsigned char *in, size_t len)
1123 {
1124 EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
1125 if (!xctx->xts.key1 || !xctx->xts.key2)
1126 return 0;
1127 if (!out || !in || len<AES_BLOCK_SIZE)
1128 return 0;
1129#ifdef OPENSSL_FIPS
1130 /* Requirement of SP800-38E */
1131 if (FIPS_module_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) &&
1132 (len > (1UL<<20)*16))
1133 {
1134 EVPerr(EVP_F_AES_XTS_CIPHER, EVP_R_TOO_LARGE);
1135 return 0;
1136 }
1137#endif
1138 if (xctx->stream)
1139 (*xctx->stream)(in, out, len,
1140 xctx->xts.key1, xctx->xts.key2, ctx->iv);
1141 else if (CRYPTO_xts128_encrypt(&xctx->xts, ctx->iv, in, out, len,
1142 ctx->encrypt))
1143 return 0;
1144 return 1;
1145 }
1146
1147#define aes_xts_cleanup NULL
1148
1149#define XTS_FLAGS (EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV \
1150 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT)
1151
1152BLOCK_CIPHER_custom(NID_aes,128,1,16,xts,XTS,EVP_CIPH_FLAG_FIPS|XTS_FLAGS)
1153BLOCK_CIPHER_custom(NID_aes,256,1,16,xts,XTS,EVP_CIPH_FLAG_FIPS|XTS_FLAGS)
1154
1155static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
1156 {
1157 EVP_AES_CCM_CTX *cctx = c->cipher_data;
1158 switch (type)
1159 {
1160 case EVP_CTRL_INIT:
1161 cctx->key_set = 0;
1162 cctx->iv_set = 0;
1163 cctx->L = 8;
1164 cctx->M = 12;
1165 cctx->tag_set = 0;
1166 cctx->len_set = 0;
1167 return 1;
1168
1169 case EVP_CTRL_CCM_SET_IVLEN:
1170 arg = 15 - arg;
1171 case EVP_CTRL_CCM_SET_L:
1172 if (arg < 2 || arg > 8)
1173 return 0;
1174 cctx->L = arg;
1175 return 1;
1176
1177 case EVP_CTRL_CCM_SET_TAG:
1178 if ((arg & 1) || arg < 4 || arg > 16)
1179 return 0;
1180 if ((c->encrypt && ptr) || (!c->encrypt && !ptr))
1181 return 0;
1182 if (ptr)
1183 {
1184 cctx->tag_set = 1;
1185 memcpy(c->buf, ptr, arg);
1186 }
1187 cctx->M = arg;
1188 return 1;
1189
1190 case EVP_CTRL_CCM_GET_TAG:
1191 if (!c->encrypt || !cctx->tag_set)
1192 return 0;
1193 if(!CRYPTO_ccm128_tag(&cctx->ccm, ptr, (size_t)arg))
1194 return 0;
1195 cctx->tag_set = 0;
1196 cctx->iv_set = 0;
1197 cctx->len_set = 0;
1198 return 1;
1199
1200 default:
1201 return -1;
1202
1203 }
1204 }
1205
1206static int aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1207 const unsigned char *iv, int enc)
1208 {
1209 EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
1210 if (!iv && !key)
1211 return 1;
1212 if (key) do
1213 {
1214#ifdef VPAES_CAPABLE
1215 if (VPAES_CAPABLE)
1216 {
1217 vpaes_set_encrypt_key(key, ctx->key_len*8, &cctx->ks);
1218 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
1219 &cctx->ks, (block128_f)vpaes_encrypt);
1220 cctx->key_set = 1;
1221 break;
1222 }
1223#endif
1224 AES_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks);
1225 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
1226 &cctx->ks, (block128_f)AES_encrypt);
1227 cctx->str = NULL;
1228 cctx->key_set = 1;
1229 } while (0);
1230 if (iv)
1231 {
1232 memcpy(ctx->iv, iv, 15 - cctx->L);
1233 cctx->iv_set = 1;
1234 }
1235 return 1;
1236 }
1237
1238static int aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1239 const unsigned char *in, size_t len)
1240 {
1241 EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
1242 CCM128_CONTEXT *ccm = &cctx->ccm;
1243 /* If not set up, return error */
1244 if (!cctx->iv_set && !cctx->key_set)
1245 return -1;
1246 if (!ctx->encrypt && !cctx->tag_set)
1247 return -1;
1248 if (!out)
1249 {
1250 if (!in)
1251 {
1252 if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L,len))
1253 return -1;
1254 cctx->len_set = 1;
1255 return len;
1256 }
1257 /* If have AAD need message length */
1258 if (!cctx->len_set && len)
1259 return -1;
1260 CRYPTO_ccm128_aad(ccm, in, len);
1261 return len;
1262 }
1263 /* EVP_*Final() doesn't return any data */
1264 if (!in)
1265 return 0;
1266 /* If not set length yet do it */
1267 if (!cctx->len_set)
1268 {
1269 if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, len))
1270 return -1;
1271 cctx->len_set = 1;
1272 }
1273 if (ctx->encrypt)
1274 {
1275 if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len,
1276 cctx->str) :
1277 CRYPTO_ccm128_encrypt(ccm, in, out, len))
1278 return -1;
1279 cctx->tag_set = 1;
1280 return len;
1281 }
1282 else
1283 {
1284 int rv = -1;
1285 if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len,
1286 cctx->str) :
1287 !CRYPTO_ccm128_decrypt(ccm, in, out, len))
1288 {
1289 unsigned char tag[16];
1290 if (CRYPTO_ccm128_tag(ccm, tag, cctx->M))
1291 {
1292 if (!memcmp(tag, ctx->buf, cctx->M))
1293 rv = len;
1294 }
1295 }
1296 if (rv == -1)
1297 OPENSSL_cleanse(out, len);
1298 cctx->iv_set = 0;
1299 cctx->tag_set = 0;
1300 cctx->len_set = 0;
1301 return rv;
1302 }
1303
1304 }
1305
1306#define aes_ccm_cleanup NULL
1307
1308BLOCK_CIPHER_custom(NID_aes,128,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
1309BLOCK_CIPHER_custom(NID_aes,192,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
1310BLOCK_CIPHER_custom(NID_aes,256,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
1311
1312#endif
120#endif 1313#endif
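--- a/src/lib/libcrypto/evp/e_des3.c
+++ b/src/lib/libcrypto/evp/e_des3.c
@@ -65,6 +65,8 @@
 #include <openssl/des.h>
 #include <openssl/rand.h>
 
+#ifndef OPENSSL_FIPS
+
 static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  const unsigned char *iv,int enc);
 
@@ -311,3 +313,4 @@ const EVP_CIPHER *EVP_des_ede3(void)
  return &des_ede3_ecb;
  }
 #endif
+#endif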
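--- a/src/lib/libcrypto/evp/e_null.c
+++ b/src/lib/libcrypto/evp/e_null.c
@@ -61,6 +61,8 @@
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 
+#ifndef OPENSSL_FIPS
+
 static int null_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  const unsigned char *iv,int enc);
 static int null_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
@@ -99,4 +101,4 @@ static int null_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  memcpy((char *)out,(const char *)in,inl);
  return 1;
  }
-
+#endif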
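--- a/src/lib/libcrypto/evp/e_rc2.c
+++ b/src/lib/libcrypto/evp/e_rc2.c
@@ -183,7 +183,8 @@ static int rc2_get_asn1_type_and_iv(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
  key_bits =rc2_magic_to_meth((int)num);
  if (!key_bits)
  return(-1);
- if(i > 0) EVP_CipherInit_ex(c, NULL, NULL, NULL, iv, -1);
+ if(i > 0 && !EVP_CipherInit_ex(c, NULL, NULL, NULL, iv, -1))
+ return -1;
  EVP_CIPHER_CTX_ctrl(c, EVP_CTRL_SET_RC2_KEY_BITS, key_bits, NULL);
  EVP_CIPHER_CTX_set_key_length(c, key_bits / 8);
  }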
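Review bot: The two calls that follow the newly checked EVP_CipherInit_ex, EVP_CIPHER_CTX_ctrl(c, EVP_CTRL_SET_RC2_KEY_BITS, ...) and EVP_CIPHER_CTX_set_key_length(c, key_bits / 8) at new lines 188-189, still discard their return values, so a context that refuses the effective key bits or the key length is left half-configured while the function reports success. The same failure-propagation pattern the hunk introduces applies there: `if (EVP_CIPHER_CTX_ctrl(c, EVP_CTRL_SET_RC2_KEY_BITS, key_bits, NULL) <= 0 || !EVP_CIPHER_CTX_set_key_length(c, key_bits / 8)) return -1;`. The enclosing rc2_get_asn1_type_and_iv starts before the hunk, so how its -1 is consumed by the caller is not visible here.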
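--- a/src/lib/libcrypto/evp/e_rc4.c
+++ b/src/lib/libcrypto/evp/e_rc4.c
@@ -62,6 +62,7 @@
 #ifndef OPENSSL_NO_RC4
 
 #include <openssl/evp.h>
+#include "evp_locl.h"
 #include <openssl/objects.h>
 #include <openssl/rc4.h>
 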
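--- a/src/lib/libcrypto/evp/evp.h
+++ b/src/lib/libcrypto/evp/evp.h
@@ -83,7 +83,7 @@
 #define EVP_RC5_32_12_16_KEY_SIZE 16
 */
 #define EVP_MAX_MD_SIZE 64 /* longest known is SHA512 */
-#define EVP_MAX_KEY_LENGTH 32
+#define EVP_MAX_KEY_LENGTH 64
 #define EVP_MAX_IV_LENGTH 16
 #define EVP_MAX_BLOCK_LENGTH 32
 
@@ -116,6 +116,7 @@
 #define EVP_PKEY_DH NID_dhKeyAgreement
 #define EVP_PKEY_EC NID_X9_62_id_ecPublicKey
 #define EVP_PKEY_HMAC NID_hmac
+#define EVP_PKEY_CMAC NID_cmac
 
 #ifdef __cplusplus
 extern "C" {
@@ -216,6 +217,8 @@ typedef int evp_verify_method(int type,const unsigned char *m,
 
 #define EVP_MD_FLAG_DIGALGID_CUSTOM 0x0018
 
+#define EVP_MD_FLAG_FIPS 0x0400 /* Note if suitable for use in FIPS mode */
+
 /* Digest ctrls */
 
 #define EVP_MD_CTRL_DIGALGID 0x1
@@ -325,6 +328,10 @@ struct evp_cipher_st
 #define EVP_CIPH_CBC_MODE 0x2
 #define EVP_CIPH_CFB_MODE 0x3
 #define EVP_CIPH_OFB_MODE 0x4
+#define EVP_CIPH_CTR_MODE 0x5
+#define EVP_CIPH_GCM_MODE 0x6
+#define EVP_CIPH_CCM_MODE 0x7
+#define EVP_CIPH_XTS_MODE 0x10001
 #define EVP_CIPH_MODE 0xF0007
 /* Set if variable length cipher */
 #define EVP_CIPH_VARIABLE_LENGTH 0x8
@@ -346,6 +353,15 @@ struct evp_cipher_st
 #define EVP_CIPH_FLAG_DEFAULT_ASN1 0x1000
 /* Buffer length in bits not bytes: CFB1 mode only */
 #define EVP_CIPH_FLAG_LENGTH_BITS 0x2000
+/* Note if suitable for use in FIPS mode */
+#define EVP_CIPH_FLAG_FIPS 0x4000
+/* Allow non FIPS cipher in FIPS mode */
+#define EVP_CIPH_FLAG_NON_FIPS_ALLOW 0x8000
+/* Cipher handles any and all padding logic as well
+ * as finalisation.
+ */
+#define EVP_CIPH_FLAG_CUSTOM_CIPHER 0x100000
+#define EVP_CIPH_FLAG_AEAD_CIPHER 0x200000
 
 /* ctrl() values */
 
@@ -358,7 +374,36 @@ struct evp_cipher_st
 #define EVP_CTRL_RAND_KEY 0x6
 #define EVP_CTRL_PBE_PRF_NID 0x7
 #define EVP_CTRL_COPY 0x8
-#define EVP_CTRL_SET_ACSS_MODE 0x9
+#define EVP_CTRL_GCM_SET_IVLEN 0x9
+#define EVP_CTRL_GCM_GET_TAG 0x10
+#define EVP_CTRL_GCM_SET_TAG 0x11
+#define EVP_CTRL_GCM_SET_IV_FIXED 0x12
+#define EVP_CTRL_GCM_IV_GEN 0x13
+#define EVP_CTRL_CCM_SET_IVLEN EVP_CTRL_GCM_SET_IVLEN
+#define EVP_CTRL_CCM_GET_TAG EVP_CTRL_GCM_GET_TAG
+#define EVP_CTRL_CCM_SET_TAG EVP_CTRL_GCM_SET_TAG
+#define EVP_CTRL_CCM_SET_L 0x14
+#define EVP_CTRL_CCM_SET_MSGLEN 0x15
+/* AEAD cipher deduces payload length and returns number of bytes
+ * required to store MAC and eventual padding. Subsequent call to
+ * EVP_Cipher even appends/verifies MAC.
+ */
+#define EVP_CTRL_AEAD_TLS1_AAD 0x16
+/* Used by composite AEAD ciphers, no-op in GCM, CCM... */
+#define EVP_CTRL_AEAD_SET_MAC_KEY 0x17
+/* Set the GCM invocation field, decrypt only */
+#define EVP_CTRL_GCM_SET_IV_INV 0x18
+
+/* OpenBSD extension */
+#define EVP_CTRL_SET_ACSS_MODE 0x80
+
+/* GCM TLS constants */
+/* Length of fixed part of IV derived from PRF */
+#define EVP_GCM_TLS_FIXED_IV_LEN 4
+/* Length of explicit part of IV part of TLS records */
+#define EVP_GCM_TLS_EXPLICIT_IV_LEN 8
+/* Length of tag for TLS */
+#define EVP_GCM_TLS_TAG_LEN 16
 
 typedef struct evp_cipher_info_st
  {
@@ -376,7 +421,7 @@ struct evp_cipher_ctx_st
  unsigned char oiv[EVP_MAX_IV_LENGTH]; /* original iv */
  unsigned char iv[EVP_MAX_IV_LENGTH]; /* working iv */
  unsigned char buf[EVP_MAX_BLOCK_LENGTH];/* saved partial block */
- int num; /* used by cfb/ofb mode */
+ int num; /* used by cfb/ofb/ctr mode */
 
  void *app_data; /* application stuff */
  int key_len; /* May change for variable length cipher */
@@ -696,6 +741,9 @@ const EVP_MD *EVP_dev_crypto_md5(void);
 #ifndef OPENSSL_NO_RC4
 const EVP_CIPHER *EVP_rc4(void);
 const EVP_CIPHER *EVP_rc4_40(void);
+#ifndef OPENSSL_NO_MD5
+const EVP_CIPHER *EVP_rc4_hmac_md5(void);
+#endif
 #endif
 #ifndef OPENSSL_NO_IDEA
 const EVP_CIPHER *EVP_idea_ecb(void);
@@ -742,9 +790,10 @@ const EVP_CIPHER *EVP_aes_128_cfb8(void);
 const EVP_CIPHER *EVP_aes_128_cfb128(void);
 # define EVP_aes_128_cfb EVP_aes_128_cfb128
 const EVP_CIPHER *EVP_aes_128_ofb(void);
-#if 0
 const EVP_CIPHER *EVP_aes_128_ctr(void);
-#endif
+const EVP_CIPHER *EVP_aes_128_gcm(void);
+const EVP_CIPHER *EVP_aes_128_ccm(void);
+const EVP_CIPHER *EVP_aes_128_xts(void);
 const EVP_CIPHER *EVP_aes_192_ecb(void);
 const EVP_CIPHER *EVP_aes_192_cbc(void);
 const EVP_CIPHER *EVP_aes_192_cfb1(void);
@@ -752,9 +801,9 @@ const EVP_CIPHER *EVP_aes_192_cfb8(void);
 const EVP_CIPHER *EVP_aes_192_cfb128(void);
 # define EVP_aes_192_cfb EVP_aes_192_cfb128
 const EVP_CIPHER *EVP_aes_192_ofb(void);
-#if 0
 const EVP_CIPHER *EVP_aes_192_ctr(void);
-#endif
+const EVP_CIPHER *EVP_aes_192_gcm(void);
+const EVP_CIPHER *EVP_aes_192_ccm(void);
 const EVP_CIPHER *EVP_aes_256_ecb(void);
 const EVP_CIPHER *EVP_aes_256_cbc(void);
 const EVP_CIPHER *EVP_aes_256_cfb1(void);
@@ -762,8 +811,13 @@ const EVP_CIPHER *EVP_aes_256_cfb8(void);
 const EVP_CIPHER *EVP_aes_256_cfb128(void);
 # define EVP_aes_256_cfb EVP_aes_256_cfb128
 const EVP_CIPHER *EVP_aes_256_ofb(void);
-#if 0
 const EVP_CIPHER *EVP_aes_256_ctr(void);
+const EVP_CIPHER *EVP_aes_256_gcm(void);
+const EVP_CIPHER *EVP_aes_256_ccm(void);
+const EVP_CIPHER *EVP_aes_256_xts(void);
+#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
+const EVP_CIPHER *EVP_aes_128_cbc_hmac_sha1(void);
+const EVP_CIPHER *EVP_aes_256_cbc_hmac_sha1(void);
 #endif
 #endif
 #ifndef OPENSSL_NO_ACSS
@@ -1051,13 +1105,22 @@ void EVP_PKEY_asn1_set_ctrl(EVP_PKEY_ASN1_METHOD *ameth,
 #define EVP_PKEY_CTRL_CMS_DECRYPT 10
 #define EVP_PKEY_CTRL_CMS_SIGN 11
 
+#define EVP_PKEY_CTRL_CIPHER 12
+
 #define EVP_PKEY_ALG_CTRL 0x1000
 
 
 #define EVP_PKEY_FLAG_AUTOARGLEN 2
+/* Method handles all operations: don't assume any digest related
+ * defaults.
+ */
+#define EVP_PKEY_FLAG_SIGCTX_CUSTOM 4
 
 const EVP_PKEY_METHOD *EVP_PKEY_meth_find(int type);
 EVP_PKEY_METHOD* EVP_PKEY_meth_new(int id, int flags);
+void EVP_PKEY_meth_get0_info(int *ppkey_id, int *pflags,
+ const EVP_PKEY_METHOD *meth);
+void EVP_PKEY_meth_copy(EVP_PKEY_METHOD *dst, const EVP_PKEY_METHOD *src);
 void EVP_PKEY_meth_free(EVP_PKEY_METHOD *pmeth);
 int EVP_PKEY_meth_add0(const EVP_PKEY_METHOD *pmeth);
 
@@ -1075,7 +1138,7 @@ int EVP_PKEY_CTX_get_operation(EVP_PKEY_CTX *ctx);
 void EVP_PKEY_CTX_set0_keygen_info(EVP_PKEY_CTX *ctx, int *dat, int datlen);
 
 EVP_PKEY *EVP_PKEY_new_mac_key(int type, ENGINE *e,
- unsigned char *key, int keylen);
+ const unsigned char *key, int keylen);
 
 void EVP_PKEY_CTX_set_data(EVP_PKEY_CTX *ctx, void *data);
 void *EVP_PKEY_CTX_get_data(EVP_PKEY_CTX *ctx);
@@ -1194,9 +1257,13 @@ void ERR_load_EVP_strings(void);
 /* Error codes for the EVP functions. */
 
 /* Function codes. */
 #define EVP_F_AESNI_INIT_KEY 165
+#define EVP_F_AESNI_XTS_CIPHER 176
 #define EVP_F_AES_INIT_KEY 133
+#define EVP_F_AES_XTS 172
+#define EVP_F_AES_XTS_CIPHER 175
 #define EVP_F_CAMELLIA_INIT_KEY 159
+#define EVP_F_CMAC_INIT 173
 #define EVP_F_D2I_PKEY 100
 #define EVP_F_DO_SIGVER_INIT 161
 #define EVP_F_DSAPKEY2PKCS8 134
@@ -1251,15 +1318,24 @@ void ERR_load_EVP_strings(void);
 #define EVP_F_EVP_RIJNDAEL 126
 #define EVP_F_EVP_SIGNFINAL 107
 #define EVP_F_EVP_VERIFYFINAL 108
+#define EVP_F_FIPS_CIPHERINIT 166
+#define EVP_F_FIPS_CIPHER_CTX_COPY 170
+#define EVP_F_FIPS_CIPHER_CTX_CTRL 167
+#define EVP_F_FIPS_CIPHER_CTX_SET_KEY_LENGTH 171
+#define EVP_F_FIPS_DIGESTINIT 168
+#define EVP_F_FIPS_MD_CTX_COPY 169
+#define EVP_F_HMAC_INIT_EX 174
 #define EVP_F_INT_CTX_NEW 157
 #define EVP_F_PKCS5_PBE_KEYIVGEN 117
 #define EVP_F_PKCS5_V2_PBE_KEYIVGEN 118
+#define EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN 164
 #define EVP_F_PKCS8_SET_BROKEN 112
 #define EVP_F_PKEY_SET_TYPE 158
 #define EVP_F_RC2_MAGIC_TO_METH 109
 #define EVP_F_RC5_CTRL 125
 
 /* Reason codes. */
+#define EVP_R_AES_IV_SETUP_FAILED 162
 #define EVP_R_AES_KEY_SETUP_FAILED 143
 #define EVP_R_ASN1_LIB 140
 #define EVP_R_BAD_BLOCK_LENGTH 136
@@ -1277,6 +1353,7 @@ void ERR_load_EVP_strings(void);
 #define EVP_R_DECODE_ERROR 114
 #define EVP_R_DIFFERENT_KEY_TYPES 101
 #define EVP_R_DIFFERENT_PARAMETERS 153
+#define EVP_R_DISABLED_FOR_FIPS 163
 #define EVP_R_ENCODE_ERROR 115
 #define EVP_R_EVP_PBE_CIPHERINIT_ERROR 119
 #define EVP_R_EXPECTING_AN_RSA_KEY 127
@@ -1308,6 +1385,7 @@ void ERR_load_EVP_strings(void);
 #define EVP_R_PRIVATE_KEY_DECODE_ERROR 145
 #define EVP_R_PRIVATE_KEY_ENCODE_ERROR 146
 #define EVP_R_PUBLIC_KEY_NOT_RSA 106
+#define EVP_R_TOO_LARGE 164
 #define EVP_R_UNKNOWN_CIPHER 160
 #define EVP_R_UNKNOWN_DIGEST 161
 #define EVP_R_UNKNOWN_PBE_ALGORITHM 121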
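Review bot: In the `@@ -358,7 +374,36 @@` hunk the public ctrl value EVP_CTRL_SET_ACSS_MODE moves from 0x9 to 0x80 while 0x9 is reassigned to EVP_CTRL_GCM_SET_IVLEN, and nothing on the new side records that this is a binary-incompatible renumbering; code compiled against the old header that issues the ACSS ctrl would presumably now be interpreted as a GCM IV-length request by any cipher that handles 0x9. A one-line comment next to the new definition would make the break visible to maintainers, e.g. `/* OpenBSD extension; renumbered from 0x9, which is now EVP_CTRL_GCM_SET_IVLEN -- rebuild dependents */`. The same header-versus-binary concern applies to the `@@ -83,7 +83,7 @@` hunk, where EVP_MAX_KEY_LENGTH doubles to 64: caller-side buffers declared as `unsigned char key[EVP_MAX_KEY_LENGTH]` under the old value are 32 bytes, so a key-producing call made with one of the XTS ciphers declared in this section (which carry two AES keys, judging by the key_len/2 split in e_aes.c) could write past such a buffer unless the dependent is recompiled. A comment such as `/* 64: AES-256-XTS carries two AES keys; dependents sized to the old 32 must be rebuilt */` on the changed line would capture that.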
diff --git a/src/lib/libcrypto/evp/evp_enc.c b/src/lib/libcrypto/evp/evp_enc.c
index c268d25cb4..0c54f05e6e 100644
--- a/src/lib/libcrypto/evp/evp_enc.c
+++ b/src/lib/libcrypto/evp/evp_enc.c
@@ -64,8 +64,18 @@
64#ifndef OPENSSL_NO_ENGINE 64#ifndef OPENSSL_NO_ENGINE
65#include <openssl/engine.h> 65#include <openssl/engine.h>
66#endif 66#endif
67#ifdef OPENSSL_FIPS
68#include <openssl/fips.h>
69#endif
67#include "evp_locl.h" 70#include "evp_locl.h"
68 71
72#ifdef OPENSSL_FIPS
73#define M_do_cipher(ctx, out, in, inl) FIPS_cipher(ctx, out, in, inl)
74#else
75#define M_do_cipher(ctx, out, in, inl) ctx->cipher->do_cipher(ctx, out, in, inl)
76#endif
77
78
69const char EVP_version[]="EVP" OPENSSL_VERSION_PTEXT; 79const char EVP_version[]="EVP" OPENSSL_VERSION_PTEXT;
70 80
71void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *ctx) 81void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *ctx)
@@ -115,10 +125,14 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp
115 /* Ensure a context left lying around from last time is cleared 125 /* Ensure a context left lying around from last time is cleared
116 * (the previous check attempted to avoid this if the same 126 * (the previous check attempted to avoid this if the same
117 * ENGINE and EVP_CIPHER could be used). */ 127 * ENGINE and EVP_CIPHER could be used). */
118 EVP_CIPHER_CTX_cleanup(ctx); 128 if (ctx->cipher)
119 129 {
120 /* Restore encrypt field: it is zeroed by cleanup */ 130 unsigned long flags = ctx->flags;
121 ctx->encrypt = enc; 131 EVP_CIPHER_CTX_cleanup(ctx);
132 /* Restore encrypt and flags */
133 ctx->encrypt = enc;
134 ctx->flags = flags;
135 }
122#ifndef OPENSSL_NO_ENGINE 136#ifndef OPENSSL_NO_ENGINE
123 if(impl) 137 if(impl)
124 { 138 {
@@ -155,6 +169,10 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp
155 ctx->engine = NULL; 169 ctx->engine = NULL;
156#endif 170#endif
157 171
172#ifdef OPENSSL_FIPS
173 if (FIPS_mode())
174 return FIPS_cipherinit(ctx, cipher, key, iv, enc);
175#endif
158 ctx->cipher=cipher; 176 ctx->cipher=cipher;
159 if (ctx->cipher->ctx_size) 177 if (ctx->cipher->ctx_size)
160 { 178 {
@@ -188,6 +206,10 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp
188#ifndef OPENSSL_NO_ENGINE 206#ifndef OPENSSL_NO_ENGINE
189skip_to_init: 207skip_to_init:
190#endif 208#endif
209#ifdef OPENSSL_FIPS
210 if (FIPS_mode())
211 return FIPS_cipherinit(ctx, cipher, key, iv, enc);
212#endif
191 /* we assume block size is a power of 2 in *cryptUpdate */ 213 /* we assume block size is a power of 2 in *cryptUpdate */
192 OPENSSL_assert(ctx->cipher->block_size == 1 214 OPENSSL_assert(ctx->cipher->block_size == 1
193 || ctx->cipher->block_size == 8 215 || ctx->cipher->block_size == 8
@@ -214,6 +236,13 @@ skip_to_init:
214 memcpy(ctx->iv, ctx->oiv, EVP_CIPHER_CTX_iv_length(ctx)); 236 memcpy(ctx->iv, ctx->oiv, EVP_CIPHER_CTX_iv_length(ctx));
215 break; 237 break;
216 238
239 case EVP_CIPH_CTR_MODE:
240 ctx->num = 0;
241 /* Don't reuse IV for CTR mode */
242 if(iv)
243 memcpy(ctx->iv, iv, EVP_CIPHER_CTX_iv_length(ctx));
244 break;
245
217 default: 246 default:
218 return 0; 247 return 0;
219 break; 248 break;
@@ -280,6 +309,16 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
280 { 309 {
281 int i,j,bl; 310 int i,j,bl;
282 311
312 if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER)
313 {
314 i = M_do_cipher(ctx, out, in, inl);
315 if (i < 0)
316 return 0;
317 else
318 *outl = i;
319 return 1;
320 }
321
283 if (inl <= 0) 322 if (inl <= 0)
284 { 323 {
285 *outl = 0; 324 *outl = 0;
@@ -288,7 +327,7 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
288 327
289 if(ctx->buf_len == 0 && (inl&(ctx->block_mask)) == 0) 328 if(ctx->buf_len == 0 && (inl&(ctx->block_mask)) == 0)
290 { 329 {
291 if(ctx->cipher->do_cipher(ctx,out,in,inl)) 330 if(M_do_cipher(ctx,out,in,inl))
292 { 331 {
293 *outl=inl; 332 *outl=inl;
294 return 1; 333 return 1;
@@ -315,7 +354,7 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
315 { 354 {
316 j=bl-i; 355 j=bl-i;
317 memcpy(&(ctx->buf[i]),in,j); 356 memcpy(&(ctx->buf[i]),in,j);
318 if(!ctx->cipher->do_cipher(ctx,out,ctx->buf,bl)) return 0; 357 if(!M_do_cipher(ctx,out,ctx->buf,bl)) return 0;
319 inl-=j; 358 inl-=j;
320 in+=j; 359 in+=j;
321 out+=bl; 360 out+=bl;
@@ -328,7 +367,7 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
328 inl-=i; 367 inl-=i;
329 if (inl > 0) 368 if (inl > 0)
330 { 369 {
331 if(!ctx->cipher->do_cipher(ctx,out,in,inl)) return 0; 370 if(!M_do_cipher(ctx,out,in,inl)) return 0;
332 *outl+=inl; 371 *outl+=inl;
333 } 372 }
334 373
@@ -350,6 +389,16 @@ int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
350 int n,ret; 389 int n,ret;
351 unsigned int i, b, bl; 390 unsigned int i, b, bl;
352 391
392 if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER)
393 {
394 ret = M_do_cipher(ctx, out, NULL, 0);
395 if (ret < 0)
396 return 0;
397 else
398 *outl = ret;
399 return 1;
400 }
401
353 b=ctx->cipher->block_size; 402 b=ctx->cipher->block_size;
354 OPENSSL_assert(b <= sizeof ctx->buf); 403 OPENSSL_assert(b <= sizeof ctx->buf);
355 if (b == 1) 404 if (b == 1)
@@ -372,7 +421,7 @@ int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
372 n=b-bl; 421 n=b-bl;
373 for (i=bl; i<b; i++) 422 for (i=bl; i<b; i++)
374 ctx->buf[i]=n; 423 ctx->buf[i]=n;
375 ret=ctx->cipher->do_cipher(ctx,out,ctx->buf,b); 424 ret=M_do_cipher(ctx,out,ctx->buf,b);
376 425
377 426
378 if(ret) 427 if(ret)
@@ -387,6 +436,19 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
387 int fix_len; 436 int fix_len;
388 unsigned int b; 437 unsigned int b;
389 438
439 if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER)
440 {
441 fix_len = M_do_cipher(ctx, out, in, inl);
442 if (fix_len < 0)
443 {
444 *outl = 0;
445 return 0;
446 }
447 else
448 *outl = fix_len;
449 return 1;
450 }
451
390 if (inl <= 0) 452 if (inl <= 0)
391 { 453 {
392 *outl = 0; 454 *outl = 0;
@@ -440,8 +502,18 @@ int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
440 { 502 {
441 int i,n; 503 int i,n;
442 unsigned int b; 504 unsigned int b;
443
444 *outl=0; 505 *outl=0;
506
507 if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER)
508 {
509 i = M_do_cipher(ctx, out, NULL, 0);
510 if (i < 0)
511 return 0;
512 else
513 *outl = i;
514 return 1;
515 }
516
445 b=ctx->cipher->block_size; 517 b=ctx->cipher->block_size;
446 if (ctx->flags & EVP_CIPH_NO_PADDING) 518 if (ctx->flags & EVP_CIPH_NO_PADDING)
447 { 519 {
@@ -496,6 +568,7 @@ void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx)
496 568
497int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *c) 569int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *c)
498 { 570 {
571#ifndef OPENSSL_FIPS
499 if (c->cipher != NULL) 572 if (c->cipher != NULL)
500 { 573 {
501 if(c->cipher->cleanup && !c->cipher->cleanup(c)) 574 if(c->cipher->cleanup && !c->cipher->cleanup(c))
@@ -506,12 +579,16 @@ int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *c)
506 } 579 }
507 if (c->cipher_data) 580 if (c->cipher_data)
508 OPENSSL_free(c->cipher_data); 581 OPENSSL_free(c->cipher_data);
582#endif
509#ifndef OPENSSL_NO_ENGINE 583#ifndef OPENSSL_NO_ENGINE
510 if (c->engine) 584 if (c->engine)
511 /* The EVP_CIPHER we used belongs to an ENGINE, release the 585 /* The EVP_CIPHER we used belongs to an ENGINE, release the
512 * functional reference we held for this reason. */ 586 * functional reference we held for this reason. */
513 ENGINE_finish(c->engine); 587 ENGINE_finish(c->engine);
514#endif 588#endif
589#ifdef OPENSSL_FIPS
590 FIPS_cipher_ctx_cleanup(c);
591#endif
515 memset(c,0,sizeof(EVP_CIPHER_CTX)); 592 memset(c,0,sizeof(EVP_CIPHER_CTX));
516 return 1; 593 return 1;
517 } 594 }
diff --git a/src/lib/libcrypto/evp/evp_err.c b/src/lib/libcrypto/evp/evp_err.c
index 6b585c7483..db0f76d59b 100644
--- a/src/lib/libcrypto/evp/evp_err.c
+++ b/src/lib/libcrypto/evp/evp_err.c
@@ -1,6 +1,6 @@
1/* crypto/evp/evp_err.c */ 1/* crypto/evp/evp_err.c */
2/* ==================================================================== 2/* ====================================================================
3 * Copyright (c) 1999-2008 The OpenSSL Project. All rights reserved. 3 * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved.
4 * 4 *
5 * Redistribution and use in source and binary forms, with or without 5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions 6 * modification, are permitted provided that the following conditions
@@ -71,8 +71,12 @@
71static ERR_STRING_DATA EVP_str_functs[]= 71static ERR_STRING_DATA EVP_str_functs[]=
72 { 72 {
73{ERR_FUNC(EVP_F_AESNI_INIT_KEY), "AESNI_INIT_KEY"}, 73{ERR_FUNC(EVP_F_AESNI_INIT_KEY), "AESNI_INIT_KEY"},
74{ERR_FUNC(EVP_F_AESNI_XTS_CIPHER), "AESNI_XTS_CIPHER"},
74{ERR_FUNC(EVP_F_AES_INIT_KEY), "AES_INIT_KEY"}, 75{ERR_FUNC(EVP_F_AES_INIT_KEY), "AES_INIT_KEY"},
76{ERR_FUNC(EVP_F_AES_XTS), "AES_XTS"},
77{ERR_FUNC(EVP_F_AES_XTS_CIPHER), "AES_XTS_CIPHER"},
75{ERR_FUNC(EVP_F_CAMELLIA_INIT_KEY), "CAMELLIA_INIT_KEY"}, 78{ERR_FUNC(EVP_F_CAMELLIA_INIT_KEY), "CAMELLIA_INIT_KEY"},
79{ERR_FUNC(EVP_F_CMAC_INIT), "CMAC_INIT"},
76{ERR_FUNC(EVP_F_D2I_PKEY), "D2I_PKEY"}, 80{ERR_FUNC(EVP_F_D2I_PKEY), "D2I_PKEY"},
77{ERR_FUNC(EVP_F_DO_SIGVER_INIT), "DO_SIGVER_INIT"}, 81{ERR_FUNC(EVP_F_DO_SIGVER_INIT), "DO_SIGVER_INIT"},
78{ERR_FUNC(EVP_F_DSAPKEY2PKCS8), "DSAPKEY2PKCS8"}, 82{ERR_FUNC(EVP_F_DSAPKEY2PKCS8), "DSAPKEY2PKCS8"},
@@ -87,7 +91,7 @@ static ERR_STRING_DATA EVP_str_functs[]=
87{ERR_FUNC(EVP_F_EVP_DIGESTINIT_EX), "EVP_DigestInit_ex"}, 91{ERR_FUNC(EVP_F_EVP_DIGESTINIT_EX), "EVP_DigestInit_ex"},
88{ERR_FUNC(EVP_F_EVP_ENCRYPTFINAL_EX), "EVP_EncryptFinal_ex"}, 92{ERR_FUNC(EVP_F_EVP_ENCRYPTFINAL_EX), "EVP_EncryptFinal_ex"},
89{ERR_FUNC(EVP_F_EVP_MD_CTX_COPY_EX), "EVP_MD_CTX_copy_ex"}, 93{ERR_FUNC(EVP_F_EVP_MD_CTX_COPY_EX), "EVP_MD_CTX_copy_ex"},
90{ERR_FUNC(EVP_F_EVP_MD_SIZE), "EVP_MD_SIZE"}, 94{ERR_FUNC(EVP_F_EVP_MD_SIZE), "EVP_MD_size"},
91{ERR_FUNC(EVP_F_EVP_OPENINIT), "EVP_OpenInit"}, 95{ERR_FUNC(EVP_F_EVP_OPENINIT), "EVP_OpenInit"},
92{ERR_FUNC(EVP_F_EVP_PBE_ALG_ADD), "EVP_PBE_alg_add"}, 96{ERR_FUNC(EVP_F_EVP_PBE_ALG_ADD), "EVP_PBE_alg_add"},
93{ERR_FUNC(EVP_F_EVP_PBE_ALG_ADD_TYPE), "EVP_PBE_alg_add_type"}, 97{ERR_FUNC(EVP_F_EVP_PBE_ALG_ADD_TYPE), "EVP_PBE_alg_add_type"},
@@ -127,9 +131,17 @@ static ERR_STRING_DATA EVP_str_functs[]=
127{ERR_FUNC(EVP_F_EVP_RIJNDAEL), "EVP_RIJNDAEL"}, 131{ERR_FUNC(EVP_F_EVP_RIJNDAEL), "EVP_RIJNDAEL"},
128{ERR_FUNC(EVP_F_EVP_SIGNFINAL), "EVP_SignFinal"}, 132{ERR_FUNC(EVP_F_EVP_SIGNFINAL), "EVP_SignFinal"},
129{ERR_FUNC(EVP_F_EVP_VERIFYFINAL), "EVP_VerifyFinal"}, 133{ERR_FUNC(EVP_F_EVP_VERIFYFINAL), "EVP_VerifyFinal"},
134{ERR_FUNC(EVP_F_FIPS_CIPHERINIT), "FIPS_CIPHERINIT"},
135{ERR_FUNC(EVP_F_FIPS_CIPHER_CTX_COPY), "FIPS_CIPHER_CTX_COPY"},
136{ERR_FUNC(EVP_F_FIPS_CIPHER_CTX_CTRL), "FIPS_CIPHER_CTX_CTRL"},
137{ERR_FUNC(EVP_F_FIPS_CIPHER_CTX_SET_KEY_LENGTH), "FIPS_CIPHER_CTX_SET_KEY_LENGTH"},
138{ERR_FUNC(EVP_F_FIPS_DIGESTINIT), "FIPS_DIGESTINIT"},
139{ERR_FUNC(EVP_F_FIPS_MD_CTX_COPY), "FIPS_MD_CTX_COPY"},
140{ERR_FUNC(EVP_F_HMAC_INIT_EX), "HMAC_Init_ex"},
130{ERR_FUNC(EVP_F_INT_CTX_NEW), "INT_CTX_NEW"}, 141{ERR_FUNC(EVP_F_INT_CTX_NEW), "INT_CTX_NEW"},
131{ERR_FUNC(EVP_F_PKCS5_PBE_KEYIVGEN), "PKCS5_PBE_keyivgen"}, 142{ERR_FUNC(EVP_F_PKCS5_PBE_KEYIVGEN), "PKCS5_PBE_keyivgen"},
132{ERR_FUNC(EVP_F_PKCS5_V2_PBE_KEYIVGEN), "PKCS5_v2_PBE_keyivgen"}, 143{ERR_FUNC(EVP_F_PKCS5_V2_PBE_KEYIVGEN), "PKCS5_v2_PBE_keyivgen"},
144{ERR_FUNC(EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN), "PKCS5_V2_PBKDF2_KEYIVGEN"},
133{ERR_FUNC(EVP_F_PKCS8_SET_BROKEN), "PKCS8_set_broken"}, 145{ERR_FUNC(EVP_F_PKCS8_SET_BROKEN), "PKCS8_set_broken"},
134{ERR_FUNC(EVP_F_PKEY_SET_TYPE), "PKEY_SET_TYPE"}, 146{ERR_FUNC(EVP_F_PKEY_SET_TYPE), "PKEY_SET_TYPE"},
135{ERR_FUNC(EVP_F_RC2_MAGIC_TO_METH), "RC2_MAGIC_TO_METH"}, 147{ERR_FUNC(EVP_F_RC2_MAGIC_TO_METH), "RC2_MAGIC_TO_METH"},
@@ -139,6 +151,7 @@ static ERR_STRING_DATA EVP_str_functs[]=
139 151
140static ERR_STRING_DATA EVP_str_reasons[]= 152static ERR_STRING_DATA EVP_str_reasons[]=
141 { 153 {
154{ERR_REASON(EVP_R_AES_IV_SETUP_FAILED) ,"aes iv setup failed"},
142{ERR_REASON(EVP_R_AES_KEY_SETUP_FAILED) ,"aes key setup failed"}, 155{ERR_REASON(EVP_R_AES_KEY_SETUP_FAILED) ,"aes key setup failed"},
143{ERR_REASON(EVP_R_ASN1_LIB) ,"asn1 lib"}, 156{ERR_REASON(EVP_R_ASN1_LIB) ,"asn1 lib"},
144{ERR_REASON(EVP_R_BAD_BLOCK_LENGTH) ,"bad block length"}, 157{ERR_REASON(EVP_R_BAD_BLOCK_LENGTH) ,"bad block length"},
@@ -156,6 +169,7 @@ static ERR_STRING_DATA EVP_str_reasons[]=
156{ERR_REASON(EVP_R_DECODE_ERROR) ,"decode error"}, 169{ERR_REASON(EVP_R_DECODE_ERROR) ,"decode error"},
157{ERR_REASON(EVP_R_DIFFERENT_KEY_TYPES) ,"different key types"}, 170{ERR_REASON(EVP_R_DIFFERENT_KEY_TYPES) ,"different key types"},
158{ERR_REASON(EVP_R_DIFFERENT_PARAMETERS) ,"different parameters"}, 171{ERR_REASON(EVP_R_DIFFERENT_PARAMETERS) ,"different parameters"},
172{ERR_REASON(EVP_R_DISABLED_FOR_FIPS) ,"disabled for fips"},
159{ERR_REASON(EVP_R_ENCODE_ERROR) ,"encode error"}, 173{ERR_REASON(EVP_R_ENCODE_ERROR) ,"encode error"},
160{ERR_REASON(EVP_R_EVP_PBE_CIPHERINIT_ERROR),"evp pbe cipherinit error"}, 174{ERR_REASON(EVP_R_EVP_PBE_CIPHERINIT_ERROR),"evp pbe cipherinit error"},
161{ERR_REASON(EVP_R_EXPECTING_AN_RSA_KEY) ,"expecting an rsa key"}, 175{ERR_REASON(EVP_R_EXPECTING_AN_RSA_KEY) ,"expecting an rsa key"},
@@ -187,6 +201,7 @@ static ERR_STRING_DATA EVP_str_reasons[]=
187{ERR_REASON(EVP_R_PRIVATE_KEY_DECODE_ERROR),"private key decode error"}, 201{ERR_REASON(EVP_R_PRIVATE_KEY_DECODE_ERROR),"private key decode error"},
188{ERR_REASON(EVP_R_PRIVATE_KEY_ENCODE_ERROR),"private key encode error"}, 202{ERR_REASON(EVP_R_PRIVATE_KEY_ENCODE_ERROR),"private key encode error"},
189{ERR_REASON(EVP_R_PUBLIC_KEY_NOT_RSA) ,"public key not rsa"}, 203{ERR_REASON(EVP_R_PUBLIC_KEY_NOT_RSA) ,"public key not rsa"},
204{ERR_REASON(EVP_R_TOO_LARGE) ,"too large"},
190{ERR_REASON(EVP_R_UNKNOWN_CIPHER) ,"unknown cipher"}, 205{ERR_REASON(EVP_R_UNKNOWN_CIPHER) ,"unknown cipher"},
191{ERR_REASON(EVP_R_UNKNOWN_DIGEST) ,"unknown digest"}, 206{ERR_REASON(EVP_R_UNKNOWN_DIGEST) ,"unknown digest"},
192{ERR_REASON(EVP_R_UNKNOWN_PBE_ALGORITHM) ,"unknown pbe algorithm"}, 207{ERR_REASON(EVP_R_UNKNOWN_PBE_ALGORITHM) ,"unknown pbe algorithm"},
diff --git a/src/lib/libcrypto/evp/evp_key.c b/src/lib/libcrypto/evp/evp_key.c
index 839d6a3a16..7961fbebf2 100644
--- a/src/lib/libcrypto/evp/evp_key.c
+++ b/src/lib/libcrypto/evp/evp_key.c
@@ -120,7 +120,7 @@ int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md,
120 unsigned char md_buf[EVP_MAX_MD_SIZE]; 120 unsigned char md_buf[EVP_MAX_MD_SIZE];
121 int niv,nkey,addmd=0; 121 int niv,nkey,addmd=0;
122 unsigned int mds=0,i; 122 unsigned int mds=0,i;
123 123 int rv = 0;
124 nkey=type->key_len; 124 nkey=type->key_len;
125 niv=type->iv_len; 125 niv=type->iv_len;
126 OPENSSL_assert(nkey <= EVP_MAX_KEY_LENGTH); 126 OPENSSL_assert(nkey <= EVP_MAX_KEY_LENGTH);
@@ -134,17 +134,24 @@ int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md,
134 if (!EVP_DigestInit_ex(&c,md, NULL)) 134 if (!EVP_DigestInit_ex(&c,md, NULL))
135 return 0; 135 return 0;
136 if (addmd++) 136 if (addmd++)
137 EVP_DigestUpdate(&c,&(md_buf[0]),mds); 137 if (!EVP_DigestUpdate(&c,&(md_buf[0]),mds))
138 EVP_DigestUpdate(&c,data,datal); 138 goto err;
139 if (!EVP_DigestUpdate(&c,data,datal))
140 goto err;
139 if (salt != NULL) 141 if (salt != NULL)
140 EVP_DigestUpdate(&c,salt,PKCS5_SALT_LEN); 142 if (!EVP_DigestUpdate(&c,salt,PKCS5_SALT_LEN))
141 EVP_DigestFinal_ex(&c,&(md_buf[0]),&mds); 143 goto err;
144 if (!EVP_DigestFinal_ex(&c,&(md_buf[0]),&mds))
145 goto err;
142 146
143 for (i=1; i<(unsigned int)count; i++) 147 for (i=1; i<(unsigned int)count; i++)
144 { 148 {
145 EVP_DigestInit_ex(&c,md, NULL); 149 if (!EVP_DigestInit_ex(&c,md, NULL))
146 EVP_DigestUpdate(&c,&(md_buf[0]),mds); 150 goto err;
147 EVP_DigestFinal_ex(&c,&(md_buf[0]),&mds); 151 if (!EVP_DigestUpdate(&c,&(md_buf[0]),mds))
152 goto err;
153 if (!EVP_DigestFinal_ex(&c,&(md_buf[0]),&mds))
154 goto err;
148 } 155 }
149 i=0; 156 i=0;
150 if (nkey) 157 if (nkey)
@@ -173,8 +180,10 @@ int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md,
173 } 180 }
174 if ((nkey == 0) && (niv == 0)) break; 181 if ((nkey == 0) && (niv == 0)) break;
175 } 182 }
183 rv = type->key_len;
184 err:
176 EVP_MD_CTX_cleanup(&c); 185 EVP_MD_CTX_cleanup(&c);
177 OPENSSL_cleanse(&(md_buf[0]),EVP_MAX_MD_SIZE); 186 OPENSSL_cleanse(&(md_buf[0]),EVP_MAX_MD_SIZE);
178 return(type->key_len); 187 return rv;
179 } 188 }
180 189
diff --git a/src/lib/libcrypto/evp/evp_lib.c b/src/lib/libcrypto/evp/evp_lib.c
index 40951a04f0..b180e4828a 100644
--- a/src/lib/libcrypto/evp/evp_lib.c
+++ b/src/lib/libcrypto/evp/evp_lib.c
@@ -67,6 +67,8 @@ int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
67 67
68 if (c->cipher->set_asn1_parameters != NULL) 68 if (c->cipher->set_asn1_parameters != NULL)
69 ret=c->cipher->set_asn1_parameters(c,type); 69 ret=c->cipher->set_asn1_parameters(c,type);
70 else if (c->cipher->flags & EVP_CIPH_FLAG_DEFAULT_ASN1)
71 ret=EVP_CIPHER_set_asn1_iv(c, type);
70 else 72 else
71 ret=-1; 73 ret=-1;
72 return(ret); 74 return(ret);
@@ -78,6 +80,8 @@ int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
78 80
79 if (c->cipher->get_asn1_parameters != NULL) 81 if (c->cipher->get_asn1_parameters != NULL)
80 ret=c->cipher->get_asn1_parameters(c,type); 82 ret=c->cipher->get_asn1_parameters(c,type);
83 else if (c->cipher->flags & EVP_CIPH_FLAG_DEFAULT_ASN1)
84 ret=EVP_CIPHER_get_asn1_iv(c, type);
81 else 85 else
82 ret=-1; 86 ret=-1;
83 return(ret); 87 return(ret);
diff --git a/src/lib/libcrypto/evp/evp_locl.h b/src/lib/libcrypto/evp/evp_locl.h
index 292d74c188..08c0a66d39 100644
--- a/src/lib/libcrypto/evp/evp_locl.h
+++ b/src/lib/libcrypto/evp/evp_locl.h
@@ -343,3 +343,43 @@ struct evp_pkey_method_st
343 } /* EVP_PKEY_METHOD */; 343 } /* EVP_PKEY_METHOD */;
344 344
345void evp_pkey_set_cb_translate(BN_GENCB *cb, EVP_PKEY_CTX *ctx); 345void evp_pkey_set_cb_translate(BN_GENCB *cb, EVP_PKEY_CTX *ctx);
346
347int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
348 ASN1_TYPE *param,
349 const EVP_CIPHER *c, const EVP_MD *md, int en_de);
350
351#ifdef OPENSSL_FIPS
352
353#ifdef OPENSSL_DOING_MAKEDEPEND
354#undef SHA1_Init
355#undef SHA1_Update
356#undef SHA224_Init
357#undef SHA256_Init
358#undef SHA384_Init
359#undef SHA512_Init
360#undef DES_set_key_unchecked
361#endif
362
363#define RIPEMD160_Init private_RIPEMD160_Init
364#define WHIRLPOOL_Init private_WHIRLPOOL_Init
365#define MD5_Init private_MD5_Init
366#define MD4_Init private_MD4_Init
367#define MD2_Init private_MD2_Init
368#define MDC2_Init private_MDC2_Init
369#define SHA_Init private_SHA_Init
370#define SHA1_Init private_SHA1_Init
371#define SHA224_Init private_SHA224_Init
372#define SHA256_Init private_SHA256_Init
373#define SHA384_Init private_SHA384_Init
374#define SHA512_Init private_SHA512_Init
375
376#define BF_set_key private_BF_set_key
377#define CAST_set_key private_CAST_set_key
378#define idea_set_encrypt_key private_idea_set_encrypt_key
379#define SEED_set_key private_SEED_set_key
380#define RC2_set_key private_RC2_set_key
381#define RC4_set_key private_RC4_set_key
382#define DES_set_key_unchecked private_DES_set_key_unchecked
383#define Camellia_set_key private_Camellia_set_key
384
385#endif
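Review bot: The `#undef` list under OPENSSL_DOING_MAKEDEPEND (lines 354-360) covers only seven of the names that the block below redefines, and `SHA1_Update` is undefined without being redefined here; if the undefs exist because makedepend's preprocessor sees an earlier definition of these macros in the public headers, the same presumably applies to `MD5_Init`, `RC4_set_key` and the rest, and if not, the reason for singling out these seven is not recoverable from the file. Either make the two lists agree or add a comment on the `#ifdef OPENSSL_DOING_MAKEDEPEND` line explaining the asymmetry. A one-line comment on the `#ifdef OPENSSL_FIPS` block would also help the next reader: `/* FIPS builds route the EVP layer to the private_ (non-validated) implementations; the canonical names belong to the FIPS module */` — wording to be confirmed against the FIPS build, since the redirection target is not visible here.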
diff --git a/src/lib/libcrypto/evp/evp_pbe.c b/src/lib/libcrypto/evp/evp_pbe.c
index c9d932d205..f8c32d825e 100644
--- a/src/lib/libcrypto/evp/evp_pbe.c
+++ b/src/lib/libcrypto/evp/evp_pbe.c
@@ -61,6 +61,7 @@
61#include <openssl/evp.h> 61#include <openssl/evp.h>
62#include <openssl/pkcs12.h> 62#include <openssl/pkcs12.h>
63#include <openssl/x509.h> 63#include <openssl/x509.h>
64#include "evp_locl.h"
64 65
65/* Password based encryption (PBE) functions */ 66/* Password based encryption (PBE) functions */
66 67
@@ -87,6 +88,10 @@ static const EVP_PBE_CTL builtin_pbe[] =
87 {EVP_PBE_TYPE_OUTER, NID_pbeWithSHA1AndRC2_CBC, 88 {EVP_PBE_TYPE_OUTER, NID_pbeWithSHA1AndRC2_CBC,
88 NID_rc2_64_cbc, NID_sha1, PKCS5_PBE_keyivgen}, 89 NID_rc2_64_cbc, NID_sha1, PKCS5_PBE_keyivgen},
89 90
91#ifndef OPENSSL_NO_HMAC
92 {EVP_PBE_TYPE_OUTER, NID_id_pbkdf2, -1, -1, PKCS5_v2_PBKDF2_keyivgen},
93#endif
94
90 {EVP_PBE_TYPE_OUTER, NID_pbe_WithSHA1And128BitRC4, 95 {EVP_PBE_TYPE_OUTER, NID_pbe_WithSHA1And128BitRC4,
91 NID_rc4, NID_sha1, PKCS12_PBE_keyivgen}, 96 NID_rc4, NID_sha1, PKCS12_PBE_keyivgen},
92 {EVP_PBE_TYPE_OUTER, NID_pbe_WithSHA1And40BitRC4, 97 {EVP_PBE_TYPE_OUTER, NID_pbe_WithSHA1And40BitRC4,
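Review bot: The new row registers id-PBKDF2 as an outer PBE with cipher and digest NIDs of -1, which can only work if the dispatcher (outside this diff) leaves the cipher already set on the EVP_CIPHER_CTX untouched and relies on the PBKDF2-params for the PRF; PKCS5_v2_PBKDF2_keyivgen in this same commit fails with EVP_R_NO_CIPHER_SET when the ctx has no cipher, so a caller that reaches this row through a bare AlgorithmIdentifier gets an error rather than a derived key. That contract is not obvious from the table, so a comment on the row would save the lookup: `/* id-PBKDF2 as the outer algorithm: cipher comes from the ctx the caller set up, PRF from the PBKDF2-params; -1 means "not taken from this row" */`.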
diff --git a/src/lib/libcrypto/evp/evptests.txt b/src/lib/libcrypto/evp/evptests.txt
index beb12144b6..c273707c14 100644
--- a/src/lib/libcrypto/evp/evptests.txt
+++ b/src/lib/libcrypto/evp/evptests.txt
@@ -158,6 +158,19 @@ AES-256-OFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:B7B
158AES-256-OFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:E1C656305ED1A7A6563805746FE03EDC:30C81C46A35CE411E5FBC1191A0A52EF:71AB47A086E86EEDF39D1C5BBA97C408:0 158AES-256-OFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:E1C656305ED1A7A6563805746FE03EDC:30C81C46A35CE411E5FBC1191A0A52EF:71AB47A086E86EEDF39D1C5BBA97C408:0
159AES-256-OFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:41635BE625B48AFC1666DD42A09D96E7:F69F2445DF4F9B17AD2B417BE66C3710:0126141D67F37BE8538F5A8BE740E484:0 159AES-256-OFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:41635BE625B48AFC1666DD42A09D96E7:F69F2445DF4F9B17AD2B417BE66C3710:0126141D67F37BE8538F5A8BE740E484:0
160 160
161# AES Counter test vectors from RFC3686
162aes-128-ctr:AE6852F8121067CC4BF7A5765577F39E:00000030000000000000000000000001:53696E676C6520626C6F636B206D7367:E4095D4FB7A7B3792D6175A3261311B8:1
163aes-128-ctr:7E24067817FAE0D743D6CE1F32539163:006CB6DBC0543B59DA48D90B00000001:000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F:5104A106168A72D9790D41EE8EDAD388EB2E1EFC46DA57C8FCE630DF9141BE28:1
164aes-128-ctr:7691BE035E5020A8AC6E618529F9A0DC:00E0017B27777F3F4A1786F000000001:000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F20212223:C1CF48A89F2FFDD9CF4652E9EFDB72D74540A42BDE6D7836D59A5CEAAEF3105325B2072F:1
165
166aes-192-ctr:16AF5B145FC9F579C175F93E3BFB0EED863D06CCFDB78515:0000004836733C147D6D93CB00000001:53696E676C6520626C6F636B206D7367:4B55384FE259C9C84E7935A003CBE928:1
167aes-192-ctr:7C5CB2401B3DC33C19E7340819E0F69C678C3DB8E6F6A91A:0096B03B020C6EADC2CB500D00000001:000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F:453243FC609B23327EDFAAFA7131CD9F8490701C5AD4A79CFC1FE0FF42F4FB00:1
168aes-192-ctr:02BF391EE8ECB159B959617B0965279BF59B60A786D3E0FE:0007BDFD5CBD60278DCC091200000001:000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F20212223:96893FC55E5C722F540B7DD1DDF7E758D288BC95C69165884536C811662F2188ABEE0935:1
169
170aes-256-ctr:776BEFF2851DB06F4C8A0542C8696F6C6A81AF1EEC96B4D37FC1D689E6C1C104:00000060DB5672C97AA8F0B200000001:53696E676C6520626C6F636B206D7367:145AD01DBF824EC7560863DC71E3E0C0:1
171aes-256-ctr:F6D66D6BD52D59BB0796365879EFF886C66DD51A5B6A99744B50590C87A23884:00FAAC24C1585EF15A43D87500000001:000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F:F05E231B3894612C49EE000B804EB2A9B8306B508F839D6A5530831D9344AF1C:1
172aes-256-ctr:FF7A617CE69148E4F1726E2F43581DE2AA62D9F805532EDFF1EED687FB54153D:001CC5B751A51D70A1C1114800000001:000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F20212223:EB6C52821D0BBBF7CE7594462ACA4FAAB407DF866569FD07F48CC0B583D6071F1EC0E6B8:1
173
161# DES ECB tests (from destest) 174# DES ECB tests (from destest)
162 175
163DES-ECB:0000000000000000::0000000000000000:8CA64DE9C1B123A7 176DES-ECB:0000000000000000::0000000000000000:8CA64DE9C1B123A7
diff --git a/src/lib/libcrypto/evp/m_dss.c b/src/lib/libcrypto/evp/m_dss.c
index 48c2689504..4ad63ada6f 100644
--- a/src/lib/libcrypto/evp/m_dss.c
+++ b/src/lib/libcrypto/evp/m_dss.c
@@ -66,6 +66,7 @@
66#endif 66#endif
67 67
68#ifndef OPENSSL_NO_SHA 68#ifndef OPENSSL_NO_SHA
69#ifndef OPENSSL_FIPS
69 70
70static int init(EVP_MD_CTX *ctx) 71static int init(EVP_MD_CTX *ctx)
71 { return SHA1_Init(ctx->md_data); } 72 { return SHA1_Init(ctx->md_data); }
@@ -97,3 +98,4 @@ const EVP_MD *EVP_dss(void)
97 return(&dsa_md); 98 return(&dsa_md);
98 } 99 }
99#endif 100#endif
101#endif
diff --git a/src/lib/libcrypto/evp/m_dss1.c b/src/lib/libcrypto/evp/m_dss1.c
index 4f03fb70e0..f80170efeb 100644
--- a/src/lib/libcrypto/evp/m_dss1.c
+++ b/src/lib/libcrypto/evp/m_dss1.c
@@ -68,6 +68,8 @@
68#include <openssl/dsa.h> 68#include <openssl/dsa.h>
69#endif 69#endif
70 70
71#ifndef OPENSSL_FIPS
72
71static int init(EVP_MD_CTX *ctx) 73static int init(EVP_MD_CTX *ctx)
72 { return SHA1_Init(ctx->md_data); } 74 { return SHA1_Init(ctx->md_data); }
73 75
@@ -98,3 +100,4 @@ const EVP_MD *EVP_dss1(void)
98 return(&dss1_md); 100 return(&dss1_md);
99 } 101 }
100#endif 102#endif
103#endif
diff --git a/src/lib/libcrypto/evp/m_md4.c b/src/lib/libcrypto/evp/m_md4.c
index 1e0b7c5b42..6d47f61b27 100644
--- a/src/lib/libcrypto/evp/m_md4.c
+++ b/src/lib/libcrypto/evp/m_md4.c
@@ -69,6 +69,8 @@
69#include <openssl/rsa.h> 69#include <openssl/rsa.h>
70#endif 70#endif
71 71
72#include "evp_locl.h"
73
72static int init(EVP_MD_CTX *ctx) 74static int init(EVP_MD_CTX *ctx)
73 { return MD4_Init(ctx->md_data); } 75 { return MD4_Init(ctx->md_data); }
74 76
diff --git a/src/lib/libcrypto/evp/m_md5.c b/src/lib/libcrypto/evp/m_md5.c
index 63c142119e..9a8bae0258 100644
--- a/src/lib/libcrypto/evp/m_md5.c
+++ b/src/lib/libcrypto/evp/m_md5.c
@@ -68,6 +68,7 @@
68#ifndef OPENSSL_NO_RSA 68#ifndef OPENSSL_NO_RSA
69#include <openssl/rsa.h> 69#include <openssl/rsa.h>
70#endif 70#endif
71#include "evp_locl.h"
71 72
72static int init(EVP_MD_CTX *ctx) 73static int init(EVP_MD_CTX *ctx)
73 { return MD5_Init(ctx->md_data); } 74 { return MD5_Init(ctx->md_data); }
diff --git a/src/lib/libcrypto/evp/m_mdc2.c b/src/lib/libcrypto/evp/m_mdc2.c
index b08d559803..3602bed316 100644
--- a/src/lib/libcrypto/evp/m_mdc2.c
+++ b/src/lib/libcrypto/evp/m_mdc2.c
@@ -69,6 +69,8 @@
69#include <openssl/rsa.h> 69#include <openssl/rsa.h>
70#endif 70#endif
71 71
72#include "evp_locl.h"
73
72static int init(EVP_MD_CTX *ctx) 74static int init(EVP_MD_CTX *ctx)
73 { return MDC2_Init(ctx->md_data); } 75 { return MDC2_Init(ctx->md_data); }
74 76
diff --git a/src/lib/libcrypto/evp/m_ripemd.c b/src/lib/libcrypto/evp/m_ripemd.c
index a1d60ee78d..7bf4804cf8 100644
--- a/src/lib/libcrypto/evp/m_ripemd.c
+++ b/src/lib/libcrypto/evp/m_ripemd.c
@@ -68,6 +68,7 @@
68#ifndef OPENSSL_NO_RSA 68#ifndef OPENSSL_NO_RSA
69#include <openssl/rsa.h> 69#include <openssl/rsa.h>
70#endif 70#endif
71#include "evp_locl.h"
71 72
72static int init(EVP_MD_CTX *ctx) 73static int init(EVP_MD_CTX *ctx)
73 { return RIPEMD160_Init(ctx->md_data); } 74 { return RIPEMD160_Init(ctx->md_data); }
diff --git a/src/lib/libcrypto/evp/m_sha.c b/src/lib/libcrypto/evp/m_sha.c
index acccc8f92d..8769cdd42f 100644
--- a/src/lib/libcrypto/evp/m_sha.c
+++ b/src/lib/libcrypto/evp/m_sha.c
@@ -67,6 +67,7 @@
67#ifndef OPENSSL_NO_RSA 67#ifndef OPENSSL_NO_RSA
68#include <openssl/rsa.h> 68#include <openssl/rsa.h>
69#endif 69#endif
70#include "evp_locl.h"
70 71
71static int init(EVP_MD_CTX *ctx) 72static int init(EVP_MD_CTX *ctx)
72 { return SHA_Init(ctx->md_data); } 73 { return SHA_Init(ctx->md_data); }
diff --git a/src/lib/libcrypto/evp/m_sha1.c b/src/lib/libcrypto/evp/m_sha1.c
index 9a2790fdea..3cb11f1ebb 100644
--- a/src/lib/libcrypto/evp/m_sha1.c
+++ b/src/lib/libcrypto/evp/m_sha1.c
@@ -59,6 +59,8 @@
59#include <stdio.h> 59#include <stdio.h>
60#include "cryptlib.h" 60#include "cryptlib.h"
61 61
62#ifndef OPENSSL_FIPS
63
62#ifndef OPENSSL_NO_SHA 64#ifndef OPENSSL_NO_SHA
63 65
64#include <openssl/evp.h> 66#include <openssl/evp.h>
@@ -68,6 +70,7 @@
68#include <openssl/rsa.h> 70#include <openssl/rsa.h>
69#endif 71#endif
70 72
73
71static int init(EVP_MD_CTX *ctx) 74static int init(EVP_MD_CTX *ctx)
72 { return SHA1_Init(ctx->md_data); } 75 { return SHA1_Init(ctx->md_data); }
73 76
@@ -202,3 +205,5 @@ static const EVP_MD sha512_md=
202const EVP_MD *EVP_sha512(void) 205const EVP_MD *EVP_sha512(void)
203 { return(&sha512_md); } 206 { return(&sha512_md); }
204#endif /* ifndef OPENSSL_NO_SHA512 */ 207#endif /* ifndef OPENSSL_NO_SHA512 */
208
209#endif
diff --git a/src/lib/libcrypto/evp/names.c b/src/lib/libcrypto/evp/names.c
index f2869f5c78..6311ad7cfb 100644
--- a/src/lib/libcrypto/evp/names.c
+++ b/src/lib/libcrypto/evp/names.c
@@ -66,6 +66,10 @@ int EVP_add_cipher(const EVP_CIPHER *c)
66 { 66 {
67 int r; 67 int r;
68 68
69 if (c == NULL) return 0;
70
71 OPENSSL_init();
72
69 r=OBJ_NAME_add(OBJ_nid2sn(c->nid),OBJ_NAME_TYPE_CIPHER_METH,(const char *)c); 73 r=OBJ_NAME_add(OBJ_nid2sn(c->nid),OBJ_NAME_TYPE_CIPHER_METH,(const char *)c);
70 if (r == 0) return(0); 74 if (r == 0) return(0);
71 check_defer(c->nid); 75 check_defer(c->nid);
@@ -78,6 +82,7 @@ int EVP_add_digest(const EVP_MD *md)
78 { 82 {
79 int r; 83 int r;
80 const char *name; 84 const char *name;
85 OPENSSL_init();
81 86
82 name=OBJ_nid2sn(md->type); 87 name=OBJ_nid2sn(md->type);
83 r=OBJ_NAME_add(name,OBJ_NAME_TYPE_MD_METH,(const char *)md); 88 r=OBJ_NAME_add(name,OBJ_NAME_TYPE_MD_METH,(const char *)md);
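Review bot: EVP_add_digest gains the OPENSSL_init() call at line 85 but not the NULL guard that EVP_add_cipher gets at line 69, and `md->type` at line 87 dereferences the argument unconditionally; for consistency between the two registration functions add `if (md == NULL) return 0;` before `OPENSSL_init();`. Calling OPENSSL_init() before the NULL check in EVP_add_cipher (lines 69-71) is the right order, so the digest side should mirror it exactly.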
diff --git a/src/lib/libcrypto/evp/p5_crpt.c b/src/lib/libcrypto/evp/p5_crpt.c
index 7ecfa8dad9..294cc90d87 100644
--- a/src/lib/libcrypto/evp/p5_crpt.c
+++ b/src/lib/libcrypto/evp/p5_crpt.c
@@ -82,6 +82,8 @@ int PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *cctx, const char *pass, int passlen,
82 unsigned char *salt; 82 unsigned char *salt;
83 const unsigned char *pbuf; 83 const unsigned char *pbuf;
84 int mdsize; 84 int mdsize;
85 int rv = 0;
86 EVP_MD_CTX_init(&ctx);
85 87
86 /* Extract useful info from parameter */ 88 /* Extract useful info from parameter */
87 if (param == NULL || param->type != V_ASN1_SEQUENCE || 89 if (param == NULL || param->type != V_ASN1_SEQUENCE ||
@@ -104,29 +106,38 @@ int PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *cctx, const char *pass, int passlen,
104 if(!pass) passlen = 0; 106 if(!pass) passlen = 0;
105 else if(passlen == -1) passlen = strlen(pass); 107 else if(passlen == -1) passlen = strlen(pass);
106 108
107 EVP_MD_CTX_init(&ctx); 109 if (!EVP_DigestInit_ex(&ctx, md, NULL))
108 EVP_DigestInit_ex(&ctx, md, NULL); 110 goto err;
109 EVP_DigestUpdate(&ctx, pass, passlen); 111 if (!EVP_DigestUpdate(&ctx, pass, passlen))
110 EVP_DigestUpdate(&ctx, salt, saltlen); 112 goto err;
113 if (!EVP_DigestUpdate(&ctx, salt, saltlen))
114 goto err;
111 PBEPARAM_free(pbe); 115 PBEPARAM_free(pbe);
112 EVP_DigestFinal_ex(&ctx, md_tmp, NULL); 116 if (!EVP_DigestFinal_ex(&ctx, md_tmp, NULL))
117 goto err;
113 mdsize = EVP_MD_size(md); 118 mdsize = EVP_MD_size(md);
114 if (mdsize < 0) 119 if (mdsize < 0)
115 return 0; 120 return 0;
116 for (i = 1; i < iter; i++) { 121 for (i = 1; i < iter; i++) {
117 EVP_DigestInit_ex(&ctx, md, NULL); 122 if (!EVP_DigestInit_ex(&ctx, md, NULL))
118 EVP_DigestUpdate(&ctx, md_tmp, mdsize); 123 goto err;
119 EVP_DigestFinal_ex (&ctx, md_tmp, NULL); 124 if (!EVP_DigestUpdate(&ctx, md_tmp, mdsize))
125 goto err;
126 if (!EVP_DigestFinal_ex (&ctx, md_tmp, NULL))
127 goto err;
120 } 128 }
121 EVP_MD_CTX_cleanup(&ctx);
122 OPENSSL_assert(EVP_CIPHER_key_length(cipher) <= (int)sizeof(md_tmp)); 129 OPENSSL_assert(EVP_CIPHER_key_length(cipher) <= (int)sizeof(md_tmp));
123 memcpy(key, md_tmp, EVP_CIPHER_key_length(cipher)); 130 memcpy(key, md_tmp, EVP_CIPHER_key_length(cipher));
124 OPENSSL_assert(EVP_CIPHER_iv_length(cipher) <= 16); 131 OPENSSL_assert(EVP_CIPHER_iv_length(cipher) <= 16);
125 memcpy(iv, md_tmp + (16 - EVP_CIPHER_iv_length(cipher)), 132 memcpy(iv, md_tmp + (16 - EVP_CIPHER_iv_length(cipher)),
126 EVP_CIPHER_iv_length(cipher)); 133 EVP_CIPHER_iv_length(cipher));
127 EVP_CipherInit_ex(cctx, cipher, NULL, key, iv, en_de); 134 if (!EVP_CipherInit_ex(cctx, cipher, NULL, key, iv, en_de))
135 goto err;
128 OPENSSL_cleanse(md_tmp, EVP_MAX_MD_SIZE); 136 OPENSSL_cleanse(md_tmp, EVP_MAX_MD_SIZE);
129 OPENSSL_cleanse(key, EVP_MAX_KEY_LENGTH); 137 OPENSSL_cleanse(key, EVP_MAX_KEY_LENGTH);
130 OPENSSL_cleanse(iv, EVP_MAX_IV_LENGTH); 138 OPENSSL_cleanse(iv, EVP_MAX_IV_LENGTH);
131 return 1; 139 rv = 1;
140 err:
141 EVP_MD_CTX_cleanup(&ctx);
142 return rv;
132} 143}
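Review bot: The error paths added at lines 109-114 leak `pbe`, because PBEPARAM_free(pbe) at line 115 is reached only on the success path, and the `return 0` kept at line 120 still skips the new `err:` label, so the digest context allocated by EVP_DigestInit_ex at line 109 is not cleaned up and md_tmp is not cleansed. The three OPENSSL_cleanse calls at lines 136-138 are likewise skipped when EVP_CipherInit_ex fails at line 134, leaving the derived key and IV on the stack. Moving PBEPARAM_free and the cleanse calls after `err:` and turning line 120 into `goto err` makes every path symmetric; the early checks before d2i_PBEPARAM (at the top of the function, outside this hunk) return directly and never reach `err:`, and PBEPARAM_free tolerates NULL in any case.
```c
	if (!EVP_DigestFinal_ex(&ctx, md_tmp, NULL))
		goto err;
	mdsize = EVP_MD_size(md);
	if (mdsize < 0)
		goto err;
	/* ... unchanged: iteration loop, key/iv extraction, EVP_CipherInit_ex ... */
	rv = 1;
	err:
	EVP_MD_CTX_cleanup(&ctx);
	PBEPARAM_free(pbe);		/* previously freed only on the success path */
	OPENSSL_cleanse(md_tmp, EVP_MAX_MD_SIZE);
	OPENSSL_cleanse(key, EVP_MAX_KEY_LENGTH);
	OPENSSL_cleanse(iv, EVP_MAX_IV_LENGTH);
	return rv;
```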
diff --git a/src/lib/libcrypto/evp/p5_crpt2.c b/src/lib/libcrypto/evp/p5_crpt2.c
index 334379f310..975d004df4 100644
--- a/src/lib/libcrypto/evp/p5_crpt2.c
+++ b/src/lib/libcrypto/evp/p5_crpt2.c
@@ -62,6 +62,7 @@
62#include <openssl/x509.h> 62#include <openssl/x509.h>
63#include <openssl/evp.h> 63#include <openssl/evp.h>
64#include <openssl/hmac.h> 64#include <openssl/hmac.h>
65#include "evp_locl.h"
65 66
66/* set this to print out info about the keygen algorithm */ 67/* set this to print out info about the keygen algorithm */
67/* #define DEBUG_PKCS5V2 */ 68/* #define DEBUG_PKCS5V2 */
@@ -110,10 +111,14 @@ int PKCS5_PBKDF2_HMAC(const char *pass, int passlen,
110 itmp[1] = (unsigned char)((i >> 16) & 0xff); 111 itmp[1] = (unsigned char)((i >> 16) & 0xff);
111 itmp[2] = (unsigned char)((i >> 8) & 0xff); 112 itmp[2] = (unsigned char)((i >> 8) & 0xff);
112 itmp[3] = (unsigned char)(i & 0xff); 113 itmp[3] = (unsigned char)(i & 0xff);
113 HMAC_Init_ex(&hctx, pass, passlen, digest, NULL); 114 if (!HMAC_Init_ex(&hctx, pass, passlen, digest, NULL)
114 HMAC_Update(&hctx, salt, saltlen); 115 || !HMAC_Update(&hctx, salt, saltlen)
115 HMAC_Update(&hctx, itmp, 4); 116 || !HMAC_Update(&hctx, itmp, 4)
116 HMAC_Final(&hctx, digtmp, NULL); 117 || !HMAC_Final(&hctx, digtmp, NULL))
118 {
119 HMAC_CTX_cleanup(&hctx);
120 return 0;
121 }
117 memcpy(p, digtmp, cplen); 122 memcpy(p, digtmp, cplen);
118 for(j = 1; j < iter; j++) 123 for(j = 1; j < iter; j++)
119 { 124 {
@@ -168,27 +173,24 @@ int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
168 ASN1_TYPE *param, const EVP_CIPHER *c, const EVP_MD *md, 173 ASN1_TYPE *param, const EVP_CIPHER *c, const EVP_MD *md,
169 int en_de) 174 int en_de)
170{ 175{
171 unsigned char *salt, key[EVP_MAX_KEY_LENGTH];
172 const unsigned char *pbuf; 176 const unsigned char *pbuf;
173 int saltlen, iter, plen; 177 int plen;
174 unsigned int keylen;
175 PBE2PARAM *pbe2 = NULL; 178 PBE2PARAM *pbe2 = NULL;
176 const EVP_CIPHER *cipher; 179 const EVP_CIPHER *cipher;
177 PBKDF2PARAM *kdf = NULL; 180
178 const EVP_MD *prfmd; 181 int rv = 0;
179 int prf_nid, hmac_md_nid;
180 182
181 if (param == NULL || param->type != V_ASN1_SEQUENCE || 183 if (param == NULL || param->type != V_ASN1_SEQUENCE ||
182 param->value.sequence == NULL) { 184 param->value.sequence == NULL) {
183 EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN,EVP_R_DECODE_ERROR); 185 EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN,EVP_R_DECODE_ERROR);
184 return 0; 186 goto err;
185 } 187 }
186 188
187 pbuf = param->value.sequence->data; 189 pbuf = param->value.sequence->data;
188 plen = param->value.sequence->length; 190 plen = param->value.sequence->length;
189 if(!(pbe2 = d2i_PBE2PARAM(NULL, &pbuf, plen))) { 191 if(!(pbe2 = d2i_PBE2PARAM(NULL, &pbuf, plen))) {
190 EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN,EVP_R_DECODE_ERROR); 192 EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN,EVP_R_DECODE_ERROR);
191 return 0; 193 goto err;
192 } 194 }
193 195
194 /* See if we recognise the key derivation function */ 196 /* See if we recognise the key derivation function */
@@ -211,38 +213,63 @@ int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
211 } 213 }
212 214
213 /* Fixup cipher based on AlgorithmIdentifier */ 215 /* Fixup cipher based on AlgorithmIdentifier */
214 EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, en_de); 216 if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, en_de))
217 goto err;
215 if(EVP_CIPHER_asn1_to_param(ctx, pbe2->encryption->parameter) < 0) { 218 if(EVP_CIPHER_asn1_to_param(ctx, pbe2->encryption->parameter) < 0) {
216 EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN, 219 EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN,
217 EVP_R_CIPHER_PARAMETER_ERROR); 220 EVP_R_CIPHER_PARAMETER_ERROR);
218 goto err; 221 goto err;
219 } 222 }
223 rv = PKCS5_v2_PBKDF2_keyivgen(ctx, pass, passlen,
224 pbe2->keyfunc->parameter, c, md, en_de);
225 err:
226 PBE2PARAM_free(pbe2);
227 return rv;
228}
229
230int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
231 ASN1_TYPE *param,
232 const EVP_CIPHER *c, const EVP_MD *md, int en_de)
233{
234 unsigned char *salt, key[EVP_MAX_KEY_LENGTH];
235 const unsigned char *pbuf;
236 int saltlen, iter, plen;
237 int rv = 0;
238 unsigned int keylen = 0;
239 int prf_nid, hmac_md_nid;
240 PBKDF2PARAM *kdf = NULL;
241 const EVP_MD *prfmd;
242
243 if (EVP_CIPHER_CTX_cipher(ctx) == NULL)
244 {
245 EVPerr(EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN,EVP_R_NO_CIPHER_SET);
246 goto err;
247 }
220 keylen = EVP_CIPHER_CTX_key_length(ctx); 248 keylen = EVP_CIPHER_CTX_key_length(ctx);
221 OPENSSL_assert(keylen <= sizeof key); 249 OPENSSL_assert(keylen <= sizeof key);
222 250
223 /* Now decode key derivation function */ 251 /* Decode parameter */
224 252
225 if(!pbe2->keyfunc->parameter || 253 if(!param || (param->type != V_ASN1_SEQUENCE))
226 (pbe2->keyfunc->parameter->type != V_ASN1_SEQUENCE))
227 { 254 {
228 EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN,EVP_R_DECODE_ERROR); 255 EVPerr(EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN,EVP_R_DECODE_ERROR);
229 goto err; 256 goto err;
230 } 257 }
231 258
232 pbuf = pbe2->keyfunc->parameter->value.sequence->data; 259 pbuf = param->value.sequence->data;
233 plen = pbe2->keyfunc->parameter->value.sequence->length; 260 plen = param->value.sequence->length;
261
234 if(!(kdf = d2i_PBKDF2PARAM(NULL, &pbuf, plen)) ) { 262 if(!(kdf = d2i_PBKDF2PARAM(NULL, &pbuf, plen)) ) {
235 EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN,EVP_R_DECODE_ERROR); 263 EVPerr(EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN,EVP_R_DECODE_ERROR);
236 goto err; 264 goto err;
237 } 265 }
238 266
239 PBE2PARAM_free(pbe2); 267 keylen = EVP_CIPHER_CTX_key_length(ctx);
240 pbe2 = NULL;
241 268
242 /* Now check the parameters of the kdf */ 269 /* Now check the parameters of the kdf */
243 270
244 if(kdf->keylength && (ASN1_INTEGER_get(kdf->keylength) != (int)keylen)){ 271 if(kdf->keylength && (ASN1_INTEGER_get(kdf->keylength) != (int)keylen)){
245 EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN, 272 EVPerr(EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN,
246 EVP_R_UNSUPPORTED_KEYLENGTH); 273 EVP_R_UNSUPPORTED_KEYLENGTH);
247 goto err; 274 goto err;
248 } 275 }
@@ -254,19 +281,19 @@ int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
254 281
255 if (!EVP_PBE_find(EVP_PBE_TYPE_PRF, prf_nid, NULL, &hmac_md_nid, 0)) 282 if (!EVP_PBE_find(EVP_PBE_TYPE_PRF, prf_nid, NULL, &hmac_md_nid, 0))
256 { 283 {
257 EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN, EVP_R_UNSUPPORTED_PRF); 284 EVPerr(EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN, EVP_R_UNSUPPORTED_PRF);
258 goto err; 285 goto err;
259 } 286 }
260 287
261 prfmd = EVP_get_digestbynid(hmac_md_nid); 288 prfmd = EVP_get_digestbynid(hmac_md_nid);
262 if (prfmd == NULL) 289 if (prfmd == NULL)
263 { 290 {
264 EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN, EVP_R_UNSUPPORTED_PRF); 291 EVPerr(EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN, EVP_R_UNSUPPORTED_PRF);
265 goto err; 292 goto err;
266 } 293 }
267 294
268 if(kdf->salt->type != V_ASN1_OCTET_STRING) { 295 if(kdf->salt->type != V_ASN1_OCTET_STRING) {
269 EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN, 296 EVPerr(EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN,
270 EVP_R_UNSUPPORTED_SALT_TYPE); 297 EVP_R_UNSUPPORTED_SALT_TYPE);
271 goto err; 298 goto err;
272 } 299 }
@@ -278,15 +305,11 @@ int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
278 if(!PKCS5_PBKDF2_HMAC(pass, passlen, salt, saltlen, iter, prfmd, 305 if(!PKCS5_PBKDF2_HMAC(pass, passlen, salt, saltlen, iter, prfmd,
279 keylen, key)) 306 keylen, key))
280 goto err; 307 goto err;
281 EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, en_de); 308 rv = EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, en_de);
282 OPENSSL_cleanse(key, keylen);
283 PBKDF2PARAM_free(kdf);
284 return 1;
285
286 err: 309 err:
287 PBE2PARAM_free(pbe2); 310 OPENSSL_cleanse(key, keylen);
288 PBKDF2PARAM_free(kdf); 311 PBKDF2PARAM_free(kdf);
289 return 0; 312 return rv;
290} 313}
291 314
292#ifdef DEBUG_PKCS5V2 315#ifdef DEBUG_PKCS5V2
diff --git a/src/lib/libcrypto/evp/p_open.c b/src/lib/libcrypto/evp/p_open.c
index 53a59a295c..c748fbea87 100644
--- a/src/lib/libcrypto/evp/p_open.c
+++ b/src/lib/libcrypto/evp/p_open.c
@@ -115,7 +115,8 @@ int EVP_OpenFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
115 int i; 115 int i;
116 116
117 i=EVP_DecryptFinal_ex(ctx,out,outl); 117 i=EVP_DecryptFinal_ex(ctx,out,outl);
118 EVP_DecryptInit_ex(ctx,NULL,NULL,NULL,NULL); 118 if (i)
119 i = EVP_DecryptInit_ex(ctx,NULL,NULL,NULL,NULL);
119 return(i); 120 return(i);
120 } 121 }
121#else /* !OPENSSL_NO_RSA */ 122#else /* !OPENSSL_NO_RSA */
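Review bot: Gating the re-init on `i` changes the failure contract of EVP_OpenFinal: when EVP_DecryptFinal_ex fails, ctx is no longer reset before returning, whereas the old code reset it unconditionally, and nothing in the hunk records that the caller now sees the context as DecryptFinal left it. A comment above the new `if (i)` such as `/* reset ctx only after a successful final; on failure ctx is left as EVP_DecryptFinal_ex left it */` would make the new intent explicit for callers that reuse the context. EVP_SealFinal in the p_seal.c section makes the identical change and deserves the same comment.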
diff --git a/src/lib/libcrypto/evp/p_seal.c b/src/lib/libcrypto/evp/p_seal.c
index d8324526e7..e5919b0fbf 100644
--- a/src/lib/libcrypto/evp/p_seal.c
+++ b/src/lib/libcrypto/evp/p_seal.c
@@ -110,6 +110,7 @@ int EVP_SealFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
110 { 110 {
111 int i; 111 int i;
112 i = EVP_EncryptFinal_ex(ctx,out,outl); 112 i = EVP_EncryptFinal_ex(ctx,out,outl);
113 EVP_EncryptInit_ex(ctx,NULL,NULL,NULL,NULL); 113 if (i)
114 i = EVP_EncryptInit_ex(ctx,NULL,NULL,NULL,NULL);
114 return i; 115 return i;
115 } 116 }
diff --git a/src/lib/libcrypto/evp/p_sign.c b/src/lib/libcrypto/evp/p_sign.c
index bb893f5bde..dfa48c157c 100644
--- a/src/lib/libcrypto/evp/p_sign.c
+++ b/src/lib/libcrypto/evp/p_sign.c
@@ -80,18 +80,20 @@ int EVP_SignFinal(EVP_MD_CTX *ctx, unsigned char *sigret, unsigned int *siglen,
80 { 80 {
81 unsigned char m[EVP_MAX_MD_SIZE]; 81 unsigned char m[EVP_MAX_MD_SIZE];
82 unsigned int m_len; 82 unsigned int m_len;
83 int i,ok=0,v; 83 int i=0,ok=0,v;
84 EVP_MD_CTX tmp_ctx; 84 EVP_MD_CTX tmp_ctx;
85 EVP_PKEY_CTX *pkctx = NULL;
85 86
86 *siglen=0; 87 *siglen=0;
87 EVP_MD_CTX_init(&tmp_ctx); 88 EVP_MD_CTX_init(&tmp_ctx);
88 EVP_MD_CTX_copy_ex(&tmp_ctx,ctx); 89 if (!EVP_MD_CTX_copy_ex(&tmp_ctx,ctx))
89 EVP_DigestFinal_ex(&tmp_ctx,&(m[0]),&m_len); 90 goto err;
91 if (!EVP_DigestFinal_ex(&tmp_ctx,&(m[0]),&m_len))
92 goto err;
90 EVP_MD_CTX_cleanup(&tmp_ctx); 93 EVP_MD_CTX_cleanup(&tmp_ctx);
91 94
92 if (ctx->digest->flags & EVP_MD_FLAG_PKEY_METHOD_SIGNATURE) 95 if (ctx->digest->flags & EVP_MD_FLAG_PKEY_METHOD_SIGNATURE)
93 { 96 {
94 EVP_PKEY_CTX *pkctx = NULL;
95 size_t sltmp = (size_t)EVP_PKEY_size(pkey); 97 size_t sltmp = (size_t)EVP_PKEY_size(pkey);
96 i = 0; 98 i = 0;
97 pkctx = EVP_PKEY_CTX_new(pkey, NULL); 99 pkctx = EVP_PKEY_CTX_new(pkey, NULL);
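Review bot: The two new `goto err` statements skip the only EVP_MD_CTX_cleanup(&tmp_ctx) in view: once EVP_MD_CTX_copy_ex has succeeded, tmp_ctx presumably owns copied digest state, and if EVP_DigestFinal_ex then fails that state is never released unless the `err:` label (outside this hunk) cleans tmp_ctx, which the hunk gives no sign of. Change the second check to `if (!EVP_DigestFinal_ex(&tmp_ctx,&(m[0]),&m_len)) { EVP_MD_CTX_cleanup(&tmp_ctx); goto err; }`, and doing the same on the copy-failure path should be harmless on a context that EVP_MD_CTX_init has just zeroed. The p_verify.c section introduces the same pattern in EVP_VerifyFinal and needs the same fix. EVP_SignFinal's body continues past the hunk.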
diff --git a/src/lib/libcrypto/evp/p_verify.c b/src/lib/libcrypto/evp/p_verify.c
index 41d4b67130..5f5c409f45 100644
--- a/src/lib/libcrypto/evp/p_verify.c
+++ b/src/lib/libcrypto/evp/p_verify.c
@@ -67,17 +67,19 @@ int EVP_VerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sigbuf,
67 { 67 {
68 unsigned char m[EVP_MAX_MD_SIZE]; 68 unsigned char m[EVP_MAX_MD_SIZE];
69 unsigned int m_len; 69 unsigned int m_len;
70 int i,ok=0,v; 70 int i=-1,ok=0,v;
71 EVP_MD_CTX tmp_ctx; 71 EVP_MD_CTX tmp_ctx;
72 EVP_PKEY_CTX *pkctx = NULL;
72 73
73 EVP_MD_CTX_init(&tmp_ctx); 74 EVP_MD_CTX_init(&tmp_ctx);
74 EVP_MD_CTX_copy_ex(&tmp_ctx,ctx); 75 if (!EVP_MD_CTX_copy_ex(&tmp_ctx,ctx))
75 EVP_DigestFinal_ex(&tmp_ctx,&(m[0]),&m_len); 76 goto err;
77 if (!EVP_DigestFinal_ex(&tmp_ctx,&(m[0]),&m_len))
78 goto err;
76 EVP_MD_CTX_cleanup(&tmp_ctx); 79 EVP_MD_CTX_cleanup(&tmp_ctx);
77 80
78 if (ctx->digest->flags & EVP_MD_FLAG_PKEY_METHOD_SIGNATURE) 81 if (ctx->digest->flags & EVP_MD_FLAG_PKEY_METHOD_SIGNATURE)
79 { 82 {
80 EVP_PKEY_CTX *pkctx = NULL;
81 i = -1; 83 i = -1;
82 pkctx = EVP_PKEY_CTX_new(pkey, NULL); 84 pkctx = EVP_PKEY_CTX_new(pkey, NULL);
83 if (!pkctx) 85 if (!pkctx)
diff --git a/src/lib/libcrypto/hmac/hmac.c b/src/lib/libcrypto/hmac/hmac.c
index 6c98fc43a3..ba27cbf56f 100644
--- a/src/lib/libcrypto/hmac/hmac.c
+++ b/src/lib/libcrypto/hmac/hmac.c
@@ -61,12 +61,34 @@
61#include "cryptlib.h" 61#include "cryptlib.h"
62#include <openssl/hmac.h> 62#include <openssl/hmac.h>
63 63
64#ifdef OPENSSL_FIPS
65#include <openssl/fips.h>
66#endif
67
64int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len, 68int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
65 const EVP_MD *md, ENGINE *impl) 69 const EVP_MD *md, ENGINE *impl)
66 { 70 {
67 int i,j,reset=0; 71 int i,j,reset=0;
68 unsigned char pad[HMAC_MAX_MD_CBLOCK]; 72 unsigned char pad[HMAC_MAX_MD_CBLOCK];
69 73
74#ifdef OPENSSL_FIPS
75 if (FIPS_mode())
76 {
77 /* If we have an ENGINE need to allow non FIPS */
78 if ((impl || ctx->i_ctx.engine)
79 && !(ctx->i_ctx.flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW))
80 {
81 EVPerr(EVP_F_HMAC_INIT_EX, EVP_R_DISABLED_FOR_FIPS);
82 return 0;
83 }
84 /* Other algorithm blocking will be done in FIPS_cmac_init,
85 * via FIPS_hmac_init_ex().
86 */
87 if (!impl && !ctx->i_ctx.engine)
88 return FIPS_hmac_init_ex(ctx, key, len, md, NULL);
89 }
90#endif
91
70 if (md != NULL) 92 if (md != NULL)
71 { 93 {
72 reset=1; 94 reset=1;
@@ -133,6 +155,10 @@ int HMAC_Init(HMAC_CTX *ctx, const void *key, int len, const EVP_MD *md)
133 155
134int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, size_t len) 156int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, size_t len)
135 { 157 {
158#ifdef OPENSSL_FIPS
159 if (FIPS_mode() && !ctx->i_ctx.engine)
160 return FIPS_hmac_update(ctx, data, len);
161#endif
136 return EVP_DigestUpdate(&ctx->md_ctx,data,len); 162 return EVP_DigestUpdate(&ctx->md_ctx,data,len);
137 } 163 }
138 164
@@ -140,6 +166,10 @@ int HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len)
140 { 166 {
141 unsigned int i; 167 unsigned int i;
142 unsigned char buf[EVP_MAX_MD_SIZE]; 168 unsigned char buf[EVP_MAX_MD_SIZE];
169#ifdef OPENSSL_FIPS
170 if (FIPS_mode() && !ctx->i_ctx.engine)
171 return FIPS_hmac_final(ctx, md, len);
172#endif
143 173
144 if (!EVP_DigestFinal_ex(&ctx->md_ctx,buf,&i)) 174 if (!EVP_DigestFinal_ex(&ctx->md_ctx,buf,&i))
145 goto err; 175 goto err;
@@ -179,6 +209,13 @@ int HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_CTX *sctx)
179 209
180void HMAC_CTX_cleanup(HMAC_CTX *ctx) 210void HMAC_CTX_cleanup(HMAC_CTX *ctx)
181 { 211 {
212#ifdef OPENSSL_FIPS
213 if (FIPS_mode() && !ctx->i_ctx.engine)
214 {
215 FIPS_hmac_ctx_cleanup(ctx);
216 return;
217 }
218#endif
182 EVP_MD_CTX_cleanup(&ctx->i_ctx); 219 EVP_MD_CTX_cleanup(&ctx->i_ctx);
183 EVP_MD_CTX_cleanup(&ctx->o_ctx); 220 EVP_MD_CTX_cleanup(&ctx->o_ctx);
184 EVP_MD_CTX_cleanup(&ctx->md_ctx); 221 EVP_MD_CTX_cleanup(&ctx->md_ctx);
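Review bot: The FIPS guard added at the top of HMAC_Init_ex tests `ctx->i_ctx.flags`, the flags word of an EVP_MD_CTX, against `EVP_CIPH_FLAG_NON_FIPS_ALLOW`, which is a cipher-context flag; unless the two constants are deliberately the same bit, the digest-side `EVP_MD_CTX_FLAG_NON_FIPS_ALLOW` is what a caller can set on this context, and the ENGINE override in this check would never take effect. Suggest `&& !(ctx->i_ctx.flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW))`. The comment in the same block names FIPS_cmac_init inside an HMAC function and reads as pasted from elsewhere; `/* Other algorithm blocking is done in FIPS_hmac_init_ex(). */` states what the code below it does. The HMAC_Update, HMAC_Final and HMAC_CTX_cleanup hunks dispatch on `FIPS_mode() && !ctx->i_ctx.engine` alone, while Init_ex also dispatches on `impl`; an Init_ex call with a non-NULL impl that passes the override takes the non-FIPS path, so it is worth confirming that path (outside the hunk) records impl in i_ctx.engine, or Update/Final will route to FIPS_hmac_* for a context initialised elsewhere.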
diff --git a/src/lib/libcrypto/idea/idea.h b/src/lib/libcrypto/idea/idea.h
index 5782e54b0f..e9a1e7f1a5 100644
--- a/src/lib/libcrypto/idea/idea.h
+++ b/src/lib/libcrypto/idea/idea.h
@@ -83,6 +83,9 @@ typedef struct idea_key_st
83const char *idea_options(void); 83const char *idea_options(void);
84void idea_ecb_encrypt(const unsigned char *in, unsigned char *out, 84void idea_ecb_encrypt(const unsigned char *in, unsigned char *out,
85 IDEA_KEY_SCHEDULE *ks); 85 IDEA_KEY_SCHEDULE *ks);
86#ifdef OPENSSL_FIPS
87void private_idea_set_encrypt_key(const unsigned char *key, IDEA_KEY_SCHEDULE *ks);
88#endif
86void idea_set_encrypt_key(const unsigned char *key, IDEA_KEY_SCHEDULE *ks); 89void idea_set_encrypt_key(const unsigned char *key, IDEA_KEY_SCHEDULE *ks);
87void idea_set_decrypt_key(IDEA_KEY_SCHEDULE *ek, IDEA_KEY_SCHEDULE *dk); 90void idea_set_decrypt_key(IDEA_KEY_SCHEDULE *ek, IDEA_KEY_SCHEDULE *dk);
88void idea_cbc_encrypt(const unsigned char *in, unsigned char *out, 91void idea_cbc_encrypt(const unsigned char *in, unsigned char *out,
diff --git a/src/lib/libcrypto/md2/md2.h b/src/lib/libcrypto/md2/md2.h
index a46120e7d4..d59c9f2593 100644
--- a/src/lib/libcrypto/md2/md2.h
+++ b/src/lib/libcrypto/md2/md2.h
@@ -81,6 +81,9 @@ typedef struct MD2state_st
81 } MD2_CTX; 81 } MD2_CTX;
82 82
83const char *MD2_options(void); 83const char *MD2_options(void);
84#ifdef OPENSSL_FIPS
85int private_MD2_Init(MD2_CTX *c);
86#endif
84int MD2_Init(MD2_CTX *c); 87int MD2_Init(MD2_CTX *c);
85int MD2_Update(MD2_CTX *c, const unsigned char *data, size_t len); 88int MD2_Update(MD2_CTX *c, const unsigned char *data, size_t len);
86int MD2_Final(unsigned char *md, MD2_CTX *c); 89int MD2_Final(unsigned char *md, MD2_CTX *c);
diff --git a/src/lib/libcrypto/md2/md2_dgst.c b/src/lib/libcrypto/md2/md2_dgst.c
index c57b3da288..bf89def73e 100644
--- a/src/lib/libcrypto/md2/md2_dgst.c
+++ b/src/lib/libcrypto/md2/md2_dgst.c
@@ -116,7 +116,7 @@ const char *MD2_options(void)
116 return("md2(int)"); 116 return("md2(int)");
117 } 117 }
118 118
119int MD2_Init(MD2_CTX *c) 119fips_md_init(MD2)
120 { 120 {
121 c->num=0; 121 c->num=0;
122 memset(c->state,0,sizeof c->state); 122 memset(c->state,0,sizeof c->state);
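Review bot: `fips_md_init(MD2)` replaces the readable `int MD2_Init(MD2_CTX *c)` signature with a macro, and unlike the md4_dgst.c and md5_dgst.c sections, which add `#include <openssl/crypto.h>`, this section shows no include being added; if the macro lives in that header, as those two hunks suggest, confirm md2_dgst.c already includes it or the translation unit no longer compiles. A short comment above the macro line would help readers who grep for MD2_Init, e.g. `/* fips_md_init(MD2): defines MD2_Init (private_MD2_Init under OPENSSL_FIPS, see md2.h) */`, with the expansion confirmed against the macro's definition.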
diff --git a/src/lib/libcrypto/md4/md4.h b/src/lib/libcrypto/md4/md4.h
index c3ed9b3f75..a55368a790 100644
--- a/src/lib/libcrypto/md4/md4.h
+++ b/src/lib/libcrypto/md4/md4.h
@@ -105,6 +105,9 @@ typedef struct MD4state_st
105 unsigned int num; 105 unsigned int num;
106 } MD4_CTX; 106 } MD4_CTX;
107 107
108#ifdef OPENSSL_FIPS
109int private_MD4_Init(MD4_CTX *c);
110#endif
108int MD4_Init(MD4_CTX *c); 111int MD4_Init(MD4_CTX *c);
109int MD4_Update(MD4_CTX *c, const void *data, size_t len); 112int MD4_Update(MD4_CTX *c, const void *data, size_t len);
110int MD4_Final(unsigned char *md, MD4_CTX *c); 113int MD4_Final(unsigned char *md, MD4_CTX *c);
diff --git a/src/lib/libcrypto/md4/md4_dgst.c b/src/lib/libcrypto/md4/md4_dgst.c
index e0c42e8596..82c2cb2d98 100644
--- a/src/lib/libcrypto/md4/md4_dgst.c
+++ b/src/lib/libcrypto/md4/md4_dgst.c
@@ -57,8 +57,9 @@
57 */ 57 */
58 58
59#include <stdio.h> 59#include <stdio.h>
60#include "md4_locl.h"
61#include <openssl/opensslv.h> 60#include <openssl/opensslv.h>
61#include <openssl/crypto.h>
62#include "md4_locl.h"
62 63
63const char MD4_version[]="MD4" OPENSSL_VERSION_PTEXT; 64const char MD4_version[]="MD4" OPENSSL_VERSION_PTEXT;
64 65
@@ -70,7 +71,7 @@ const char MD4_version[]="MD4" OPENSSL_VERSION_PTEXT;
70#define INIT_DATA_C (unsigned long)0x98badcfeL 71#define INIT_DATA_C (unsigned long)0x98badcfeL
71#define INIT_DATA_D (unsigned long)0x10325476L 72#define INIT_DATA_D (unsigned long)0x10325476L
72 73
73int MD4_Init(MD4_CTX *c) 74fips_md_init(MD4)
74 { 75 {
75 memset (c,0,sizeof(*c)); 76 memset (c,0,sizeof(*c));
76 c->A=INIT_DATA_A; 77 c->A=INIT_DATA_A;
diff --git a/src/lib/libcrypto/md5/md5.h b/src/lib/libcrypto/md5/md5.h
index 4cbf84386b..541cc925fe 100644
--- a/src/lib/libcrypto/md5/md5.h
+++ b/src/lib/libcrypto/md5/md5.h
@@ -105,6 +105,9 @@ typedef struct MD5state_st
105 unsigned int num; 105 unsigned int num;
106 } MD5_CTX; 106 } MD5_CTX;
107 107
108#ifdef OPENSSL_FIPS
109int private_MD5_Init(MD5_CTX *c);
110#endif
108int MD5_Init(MD5_CTX *c); 111int MD5_Init(MD5_CTX *c);
109int MD5_Update(MD5_CTX *c, const void *data, size_t len); 112int MD5_Update(MD5_CTX *c, const void *data, size_t len);
110int MD5_Final(unsigned char *md, MD5_CTX *c); 113int MD5_Final(unsigned char *md, MD5_CTX *c);
diff --git a/src/lib/libcrypto/md5/md5_dgst.c b/src/lib/libcrypto/md5/md5_dgst.c
index beace632e3..265890de52 100644
--- a/src/lib/libcrypto/md5/md5_dgst.c
+++ b/src/lib/libcrypto/md5/md5_dgst.c
@@ -59,6 +59,7 @@
59#include <stdio.h> 59#include <stdio.h>
60#include "md5_locl.h" 60#include "md5_locl.h"
61#include <openssl/opensslv.h> 61#include <openssl/opensslv.h>
62#include <openssl/crypto.h>
62 63
63const char MD5_version[]="MD5" OPENSSL_VERSION_PTEXT; 64const char MD5_version[]="MD5" OPENSSL_VERSION_PTEXT;
64 65
@@ -70,7 +71,7 @@ const char MD5_version[]="MD5" OPENSSL_VERSION_PTEXT;
70#define INIT_DATA_C (unsigned long)0x98badcfeL 71#define INIT_DATA_C (unsigned long)0x98badcfeL
71#define INIT_DATA_D (unsigned long)0x10325476L 72#define INIT_DATA_D (unsigned long)0x10325476L
72 73
73int MD5_Init(MD5_CTX *c) 74fips_md_init(MD5)
74 { 75 {
75 memset (c,0,sizeof(*c)); 76 memset (c,0,sizeof(*c));
76 c->A=INIT_DATA_A; 77 c->A=INIT_DATA_A;
diff --git a/src/lib/libcrypto/mdc2/Makefile b/src/lib/libcrypto/mdc2/Makefile
index 1d064f17a6..141553149d 100644
--- a/src/lib/libcrypto/mdc2/Makefile
+++ b/src/lib/libcrypto/mdc2/Makefile
@@ -84,10 +84,10 @@ mdc2_one.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
84mdc2_one.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h 84mdc2_one.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
85mdc2_one.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h 85mdc2_one.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
86mdc2_one.o: ../../include/openssl/ui_compat.h ../cryptlib.h mdc2_one.c 86mdc2_one.o: ../../include/openssl/ui_compat.h ../cryptlib.h mdc2_one.c
87mdc2dgst.o: ../../include/openssl/des.h ../../include/openssl/des_old.h 87mdc2dgst.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
88mdc2dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/mdc2.h 88mdc2dgst.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
89mdc2dgst.o: ../../include/openssl/opensslconf.h 89mdc2dgst.o: ../../include/openssl/mdc2.h ../../include/openssl/opensslconf.h
90mdc2dgst.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h 90mdc2dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
91mdc2dgst.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h 91mdc2dgst.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
92mdc2dgst.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h 92mdc2dgst.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
93mdc2dgst.o: mdc2dgst.c 93mdc2dgst.o: ../../include/openssl/ui_compat.h mdc2dgst.c
diff --git a/src/lib/libcrypto/mdc2/mdc2.h b/src/lib/libcrypto/mdc2/mdc2.h
index 72778a5212..f3e8e579d2 100644
--- a/src/lib/libcrypto/mdc2/mdc2.h
+++ b/src/lib/libcrypto/mdc2/mdc2.h
@@ -81,6 +81,9 @@ typedef struct mdc2_ctx_st
81 } MDC2_CTX; 81 } MDC2_CTX;
82 82
83 83
84#ifdef OPENSSL_FIPS
85int private_MDC2_Init(MDC2_CTX *c);
86#endif
84int MDC2_Init(MDC2_CTX *c); 87int MDC2_Init(MDC2_CTX *c);
85int MDC2_Update(MDC2_CTX *c, const unsigned char *data, size_t len); 88int MDC2_Update(MDC2_CTX *c, const unsigned char *data, size_t len);
86int MDC2_Final(unsigned char *md, MDC2_CTX *c); 89int MDC2_Final(unsigned char *md, MDC2_CTX *c);
diff --git a/src/lib/libcrypto/mem.c b/src/lib/libcrypto/mem.c
index 9ecb8d26b1..24ccf729ca 100644
--- a/src/lib/libcrypto/mem.c
+++ b/src/lib/libcrypto/mem.c
@@ -125,6 +125,7 @@ static long (*get_debug_options_func)(void) = NULL;
125int CRYPTO_set_mem_functions(void *(*m)(size_t), void *(*r)(void *, size_t), 125int CRYPTO_set_mem_functions(void *(*m)(size_t), void *(*r)(void *, size_t),
126 void (*f)(void *)) 126 void (*f)(void *))
127 { 127 {
128 OPENSSL_init();
128 if (!allow_customize) 129 if (!allow_customize)
129 return 0; 130 return 0;
130 if ((m == 0) || (r == 0) || (f == 0)) 131 if ((m == 0) || (r == 0) || (f == 0))
@@ -186,6 +187,7 @@ int CRYPTO_set_mem_debug_functions(void (*m)(void *,int,const char *,int,int),
186 { 187 {
187 if (!allow_customize_debug) 188 if (!allow_customize_debug)
188 return 0; 189 return 0;
190 OPENSSL_init();
189 malloc_debug_func=m; 191 malloc_debug_func=m;
190 realloc_debug_func=r; 192 realloc_debug_func=r;
191 free_debug_func=f; 193 free_debug_func=f;
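Review bot: The two hunks put OPENSSL_init() on opposite sides of the customisation guard: CRYPTO_set_mem_functions calls it before `if (!allow_customize)`, CRYPTO_set_mem_debug_functions after `if (!allow_customize_debug)`, and neither call carries a comment saying why it is there. If OPENSSL_init() allocates through CRYPTO_malloc and that clears allow_customize on first use (which is what the guard exists to detect), the first ordering means a replacement allocator can never be installed. Either move the first call below the guard to match the second hunk, or add a comment such as `/* NOTE(review): must precede the guard only if OPENSSL_init() never allocates via CRYPTO_malloc — confirm */` so the ordering is deliberate rather than accidental.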
diff --git a/src/lib/libcrypto/objects/obj_mac.num b/src/lib/libcrypto/objects/obj_mac.num
index 8c50aac27f..1d0a7c802d 100644
--- a/src/lib/libcrypto/objects/obj_mac.num
+++ b/src/lib/libcrypto/objects/obj_mac.num
@@ -890,3 +890,30 @@ houseIdentifier 889
890supportedAlgorithms 890 890supportedAlgorithms 890
891deltaRevocationList 891 891deltaRevocationList 891
892dmdName 892 892dmdName 892
893id_alg_PWRI_KEK 893
894cmac 894
895aes_128_gcm 895
896aes_128_ccm 896
897id_aes128_wrap_pad 897
898aes_192_gcm 898
899aes_192_ccm 899
900id_aes192_wrap_pad 900
901aes_256_gcm 901
902aes_256_ccm 902
903id_aes256_wrap_pad 903
904aes_128_ctr 904
905aes_192_ctr 905
906aes_256_ctr 906
907id_camellia128_wrap 907
908id_camellia192_wrap 908
909id_camellia256_wrap 909
910anyExtendedKeyUsage 910
911mgf1 911
912rsassaPss 912
913aes_128_xts 913
914aes_256_xts 914
915rc4_hmac_md5 915
916aes_128_cbc_hmac_sha1 916
917aes_192_cbc_hmac_sha1 917
918aes_256_cbc_hmac_sha1 918
919rsaesOaep 919
diff --git a/src/lib/libcrypto/objects/objects.txt b/src/lib/libcrypto/objects/objects.txt
index e61fe60cbf..d3bfad72a2 100644
--- a/src/lib/libcrypto/objects/objects.txt
+++ b/src/lib/libcrypto/objects/objects.txt
@@ -166,6 +166,10 @@ pkcs1 3 : RSA-MD4 : md4WithRSAEncryption
166pkcs1 4 : RSA-MD5 : md5WithRSAEncryption 166pkcs1 4 : RSA-MD5 : md5WithRSAEncryption
167pkcs1 5 : RSA-SHA1 : sha1WithRSAEncryption 167pkcs1 5 : RSA-SHA1 : sha1WithRSAEncryption
168# According to PKCS #1 version 2.1 168# According to PKCS #1 version 2.1
169pkcs1 7 : RSAES-OAEP : rsaesOaep
170pkcs1 8 : MGF1 : mgf1
171pkcs1 10 : RSASSA-PSS : rsassaPss
172
169pkcs1 11 : RSA-SHA256 : sha256WithRSAEncryption 173pkcs1 11 : RSA-SHA256 : sha256WithRSAEncryption
170pkcs1 12 : RSA-SHA384 : sha384WithRSAEncryption 174pkcs1 12 : RSA-SHA384 : sha384WithRSAEncryption
171pkcs1 13 : RSA-SHA512 : sha512WithRSAEncryption 175pkcs1 13 : RSA-SHA512 : sha512WithRSAEncryption
@@ -299,6 +303,7 @@ id-smime-alg 4 : id-smime-alg-RC2wrap
299id-smime-alg 5 : id-smime-alg-ESDH 303id-smime-alg 5 : id-smime-alg-ESDH
300id-smime-alg 6 : id-smime-alg-CMS3DESwrap 304id-smime-alg 6 : id-smime-alg-CMS3DESwrap
301id-smime-alg 7 : id-smime-alg-CMSRC2wrap 305id-smime-alg 7 : id-smime-alg-CMSRC2wrap
306id-smime-alg 9 : id-alg-PWRI-KEK
302 307
303# S/MIME Certificate Distribution 308# S/MIME Certificate Distribution
304id-smime-cd 1 : id-smime-cd-ldap 309id-smime-cd 1 : id-smime-cd-ldap
@@ -770,6 +775,10 @@ id-ce 55 : targetInformation : X509v3 AC Targeting
770!Cname no-rev-avail 775!Cname no-rev-avail
771id-ce 56 : noRevAvail : X509v3 No Revocation Available 776id-ce 56 : noRevAvail : X509v3 No Revocation Available
772 777
778# From RFC5280
779ext-key-usage 0 : anyExtendedKeyUsage : Any Extended Key Usage
780
781
773!Cname netscape 782!Cname netscape
7742 16 840 1 113730 : Netscape : Netscape Communications Corp. 7832 16 840 1 113730 : Netscape : Netscape Communications Corp.
775!Cname netscape-cert-extension 784!Cname netscape-cert-extension
@@ -846,6 +855,10 @@ aes 2 : AES-128-CBC : aes-128-cbc
846aes 3 : AES-128-OFB : aes-128-ofb 855aes 3 : AES-128-OFB : aes-128-ofb
847!Cname aes-128-cfb128 856!Cname aes-128-cfb128
848aes 4 : AES-128-CFB : aes-128-cfb 857aes 4 : AES-128-CFB : aes-128-cfb
858aes 5 : id-aes128-wrap
859aes 6 : id-aes128-GCM : aes-128-gcm
860aes 7 : id-aes128-CCM : aes-128-ccm
861aes 8 : id-aes128-wrap-pad
849 862
850aes 21 : AES-192-ECB : aes-192-ecb 863aes 21 : AES-192-ECB : aes-192-ecb
851aes 22 : AES-192-CBC : aes-192-cbc 864aes 22 : AES-192-CBC : aes-192-cbc
@@ -853,6 +866,10 @@ aes 22 : AES-192-CBC : aes-192-cbc
853aes 23 : AES-192-OFB : aes-192-ofb 866aes 23 : AES-192-OFB : aes-192-ofb
854!Cname aes-192-cfb128 867!Cname aes-192-cfb128
855aes 24 : AES-192-CFB : aes-192-cfb 868aes 24 : AES-192-CFB : aes-192-cfb
869aes 25 : id-aes192-wrap
870aes 26 : id-aes192-GCM : aes-192-gcm
871aes 27 : id-aes192-CCM : aes-192-ccm
872aes 28 : id-aes192-wrap-pad
856 873
857aes 41 : AES-256-ECB : aes-256-ecb 874aes 41 : AES-256-ECB : aes-256-ecb
858aes 42 : AES-256-CBC : aes-256-cbc 875aes 42 : AES-256-CBC : aes-256-cbc
@@ -860,6 +877,10 @@ aes 42 : AES-256-CBC : aes-256-cbc
860aes 43 : AES-256-OFB : aes-256-ofb 877aes 43 : AES-256-OFB : aes-256-ofb
861!Cname aes-256-cfb128 878!Cname aes-256-cfb128
862aes 44 : AES-256-CFB : aes-256-cfb 879aes 44 : AES-256-CFB : aes-256-cfb
880aes 45 : id-aes256-wrap
881aes 46 : id-aes256-GCM : aes-256-gcm
882aes 47 : id-aes256-CCM : aes-256-ccm
883aes 48 : id-aes256-wrap-pad
863 884
864# There are no OIDs for these modes... 885# There are no OIDs for these modes...
865 886
@@ -869,15 +890,16 @@ aes 44 : AES-256-CFB : aes-256-cfb
869 : AES-128-CFB8 : aes-128-cfb8 890 : AES-128-CFB8 : aes-128-cfb8
870 : AES-192-CFB8 : aes-192-cfb8 891 : AES-192-CFB8 : aes-192-cfb8
871 : AES-256-CFB8 : aes-256-cfb8 892 : AES-256-CFB8 : aes-256-cfb8
893 : AES-128-CTR : aes-128-ctr
894 : AES-192-CTR : aes-192-ctr
895 : AES-256-CTR : aes-256-ctr
896 : AES-128-XTS : aes-128-xts
897 : AES-256-XTS : aes-256-xts
872 : DES-CFB1 : des-cfb1 898 : DES-CFB1 : des-cfb1
873 : DES-CFB8 : des-cfb8 899 : DES-CFB8 : des-cfb8
874 : DES-EDE3-CFB1 : des-ede3-cfb1 900 : DES-EDE3-CFB1 : des-ede3-cfb1
875 : DES-EDE3-CFB8 : des-ede3-cfb8 901 : DES-EDE3-CFB8 : des-ede3-cfb8
876 902
877aes 5 : id-aes128-wrap
878aes 25 : id-aes192-wrap
879aes 45 : id-aes256-wrap
880
881# OIDs for SHA224, SHA256, SHA385 and SHA512, according to x9.84. 903# OIDs for SHA224, SHA256, SHA385 and SHA512, according to x9.84.
882!Alias nist_hashalgs nistAlgorithms 2 904!Alias nist_hashalgs nistAlgorithms 2
883nist_hashalgs 1 : SHA256 : sha256 905nist_hashalgs 1 : SHA256 : sha256
@@ -1211,6 +1233,9 @@ cryptocom 1 8 1 : id-GostR3410-2001-ParamSet-cc : GOST R 3410-2001 Parameter Se
12111 2 392 200011 61 1 1 1 2 : CAMELLIA-128-CBC : camellia-128-cbc 12331 2 392 200011 61 1 1 1 2 : CAMELLIA-128-CBC : camellia-128-cbc
12121 2 392 200011 61 1 1 1 3 : CAMELLIA-192-CBC : camellia-192-cbc 12341 2 392 200011 61 1 1 1 3 : CAMELLIA-192-CBC : camellia-192-cbc
12131 2 392 200011 61 1 1 1 4 : CAMELLIA-256-CBC : camellia-256-cbc 12351 2 392 200011 61 1 1 1 4 : CAMELLIA-256-CBC : camellia-256-cbc
12361 2 392 200011 61 1 1 3 2 : id-camellia128-wrap
12371 2 392 200011 61 1 1 3 3 : id-camellia192-wrap
12381 2 392 200011 61 1 1 3 4 : id-camellia256-wrap
1214 1239
1215# Definitions for Camellia cipher - ECB, CFB, OFB MODE 1240# Definitions for Camellia cipher - ECB, CFB, OFB MODE
1216 1241
@@ -1257,3 +1282,11 @@ kisa 1 6 : SEED-OFB : seed-ofb
1257# There is no OID that just denotes "HMAC" oddly enough... 1282# There is no OID that just denotes "HMAC" oddly enough...
1258 1283
1259 : HMAC : hmac 1284 : HMAC : hmac
1285# Nor CMAC either
1286 : CMAC : cmac
1287
1288# Synthetic composite ciphersuites
1289 : RC4-HMAC-MD5 : rc4-hmac-md5
1290 : AES-128-CBC-HMAC-SHA1 : aes-128-cbc-hmac-sha1
1291 : AES-192-CBC-HMAC-SHA1 : aes-192-cbc-hmac-sha1
1292 : AES-256-CBC-HMAC-SHA1 : aes-256-cbc-hmac-sha1
diff --git a/src/lib/libcrypto/ocsp/ocsp_lib.c b/src/lib/libcrypto/ocsp/ocsp_lib.c
index e92b86c060..a94dc838ee 100644
--- a/src/lib/libcrypto/ocsp/ocsp_lib.c
+++ b/src/lib/libcrypto/ocsp/ocsp_lib.c
@@ -124,7 +124,8 @@ OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst,
124 if (!(ASN1_OCTET_STRING_set(cid->issuerNameHash, md, i))) goto err; 124 if (!(ASN1_OCTET_STRING_set(cid->issuerNameHash, md, i))) goto err;
125 125
126 /* Calculate the issuerKey hash, excluding tag and length */ 126 /* Calculate the issuerKey hash, excluding tag and length */
127 EVP_Digest(issuerKey->data, issuerKey->length, md, &i, dgst, NULL); 127 if (!EVP_Digest(issuerKey->data, issuerKey->length, md, &i, dgst, NULL))
128 goto err;
128 129
129 if (!(ASN1_OCTET_STRING_set(cid->issuerKeyHash, md, i))) goto err; 130 if (!(ASN1_OCTET_STRING_set(cid->issuerKeyHash, md, i))) goto err;
130 131
diff --git a/src/lib/libcrypto/opensslv.h b/src/lib/libcrypto/opensslv.h
index d6d61a0c7d..71be3590af 100644
--- a/src/lib/libcrypto/opensslv.h
+++ b/src/lib/libcrypto/opensslv.h
@@ -25,11 +25,11 @@
25 * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for 25 * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
26 * major minor fix final patch/beta) 26 * major minor fix final patch/beta)
27 */ 27 */
28#define OPENSSL_VERSION_NUMBER 0x1000006fL 28#define OPENSSL_VERSION_NUMBER 0x1000103fL
29#ifdef OPENSSL_FIPS 29#ifdef OPENSSL_FIPS
30#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0f-fips 4 Jan 2012" 30#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1c-fips 10 May 2012"
31#else 31#else
32#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0f 4 Jan 2012" 32#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1c 10 May 2012"
33#endif 33#endif
34#define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT 34#define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
35 35
diff --git a/src/lib/libcrypto/ossl_typ.h b/src/lib/libcrypto/ossl_typ.h
index 12bd7014de..ea9227f6f9 100644
--- a/src/lib/libcrypto/ossl_typ.h
+++ b/src/lib/libcrypto/ossl_typ.h
@@ -91,10 +91,12 @@ typedef struct asn1_string_st ASN1_TIME;
91typedef struct asn1_string_st ASN1_GENERALIZEDTIME; 91typedef struct asn1_string_st ASN1_GENERALIZEDTIME;
92typedef struct asn1_string_st ASN1_VISIBLESTRING; 92typedef struct asn1_string_st ASN1_VISIBLESTRING;
93typedef struct asn1_string_st ASN1_UTF8STRING; 93typedef struct asn1_string_st ASN1_UTF8STRING;
94typedef struct asn1_string_st ASN1_STRING;
94typedef int ASN1_BOOLEAN; 95typedef int ASN1_BOOLEAN;
95typedef int ASN1_NULL; 96typedef int ASN1_NULL;
96#endif 97#endif
97 98
99typedef struct ASN1_ITEM_st ASN1_ITEM;
98typedef struct asn1_pctx_st ASN1_PCTX; 100typedef struct asn1_pctx_st ASN1_PCTX;
99 101
100#ifdef OPENSSL_SYS_WIN32 102#ifdef OPENSSL_SYS_WIN32
diff --git a/src/lib/libcrypto/perlasm/x86_64-xlate.pl b/src/lib/libcrypto/perlasm/x86_64-xlate.pl
index 68b4c1ca80..50ff91e2f0 100755
--- a/src/lib/libcrypto/perlasm/x86_64-xlate.pl
+++ b/src/lib/libcrypto/perlasm/x86_64-xlate.pl
@@ -62,12 +62,8 @@ my $flavour = shift;
62my $output = shift; 62my $output = shift;
63if ($flavour =~ /\./) { $output = $flavour; undef $flavour; } 63if ($flavour =~ /\./) { $output = $flavour; undef $flavour; }
64 64
65{ my ($stddev,$stdino,@junk)=stat(STDOUT); 65open STDOUT,">$output" || die "can't open $output: $!"
66 my ($outdev,$outino,@junk)=stat($output); 66 if (defined($output));
67
68 open STDOUT,">$output" || die "can't open $output: $!"
69 if (1 || $stddev!=$outdev || $stdino!=$outino);
70}
71 67
72my $gas=1; $gas=0 if ($output =~ /\.asm$/); 68my $gas=1; $gas=0 if ($output =~ /\.asm$/);
73my $elf=1; $elf=0 if (!$gas); 69my $elf=1; $elf=0 if (!$gas);
@@ -116,12 +112,16 @@ my %globals;
116 $line = substr($line,@+[0]); $line =~ s/^\s+//; 112 $line = substr($line,@+[0]); $line =~ s/^\s+//;
117 113
118 undef $self->{sz}; 114 undef $self->{sz};
119 if ($self->{op} =~ /^(movz)b.*/) { # movz is pain... 115 if ($self->{op} =~ /^(movz)x?([bw]).*/) { # movz is pain...
120 $self->{op} = $1; 116 $self->{op} = $1;
121 $self->{sz} = "b"; 117 $self->{sz} = $2;
122 } elsif ($self->{op} =~ /call|jmp/) { 118 } elsif ($self->{op} =~ /call|jmp/) {
123 $self->{sz} = ""; 119 $self->{sz} = "";
124 } elsif ($self->{op} =~ /^p/ && $' !~ /^(ush|op)/) { # SSEn 120 } elsif ($self->{op} =~ /^p/ && $' !~ /^(ush|op|insrw)/) { # SSEn
121 $self->{sz} = "";
122 } elsif ($self->{op} =~ /^v/) { # VEX
123 $self->{sz} = "";
124 } elsif ($self->{op} =~ /movq/ && $line =~ /%xmm/) {
125 $self->{sz} = ""; 125 $self->{sz} = "";
126 } elsif ($self->{op} =~ /([a-z]{3,})([qlwb])$/) { 126 } elsif ($self->{op} =~ /([a-z]{3,})([qlwb])$/) {
127 $self->{op} = $1; 127 $self->{op} = $1;
@@ -247,35 +247,39 @@ my %globals;
247 $self->{index} =~ s/^[er](.?[0-9xpi])[d]?$/r\1/; 247 $self->{index} =~ s/^[er](.?[0-9xpi])[d]?$/r\1/;
248 $self->{base} =~ s/^[er](.?[0-9xpi])[d]?$/r\1/; 248 $self->{base} =~ s/^[er](.?[0-9xpi])[d]?$/r\1/;
249 249
250 # Solaris /usr/ccs/bin/as can't handle multiplications
251 # in $self->{label}, new gas requires sign extension...
252 use integer;
253 $self->{label} =~ s/(?<![\w\$\.])(0x?[0-9a-f]+)/oct($1)/egi;
254 $self->{label} =~ s/([0-9]+\s*[\*\/\%]\s*[0-9]+)/eval($1)/eg;
255 $self->{label} =~ s/([0-9]+)/$1<<32>>32/eg;
256
250 if ($gas) { 257 if ($gas) {
251 # Solaris /usr/ccs/bin/as can't handle multiplications
252 # in $self->{label}, new gas requires sign extension...
253 use integer;
254 $self->{label} =~ s/(?<![\w\$\.])(0x?[0-9a-f]+)/oct($1)/egi;
255 $self->{label} =~ s/([0-9]+\s*[\*\/\%]\s*[0-9]+)/eval($1)/eg;
256 $self->{label} =~ s/([0-9]+)/$1<<32>>32/eg;
257 $self->{label} =~ s/^___imp_/__imp__/ if ($flavour eq "mingw64"); 258 $self->{label} =~ s/^___imp_/__imp__/ if ($flavour eq "mingw64");
258 259
259 if (defined($self->{index})) { 260 if (defined($self->{index})) {
260 sprintf "%s%s(%%%s,%%%s,%d)",$self->{asterisk}, 261 sprintf "%s%s(%s,%%%s,%d)",$self->{asterisk},
261 $self->{label},$self->{base}, 262 $self->{label},
263 $self->{base}?"%$self->{base}":"",
262 $self->{index},$self->{scale}; 264 $self->{index},$self->{scale};
263 } else { 265 } else {
264 sprintf "%s%s(%%%s)", $self->{asterisk},$self->{label},$self->{base}; 266 sprintf "%s%s(%%%s)", $self->{asterisk},$self->{label},$self->{base};
265 } 267 }
266 } else { 268 } else {
267 %szmap = ( b=>"BYTE$PTR", w=>"WORD$PTR", l=>"DWORD$PTR", q=>"QWORD$PTR" ); 269 %szmap = ( b=>"BYTE$PTR", w=>"WORD$PTR", l=>"DWORD$PTR",
270 q=>"QWORD$PTR",o=>"OWORD$PTR",x=>"XMMWORD$PTR" );
268 271
269 $self->{label} =~ s/\./\$/g; 272 $self->{label} =~ s/\./\$/g;
270 $self->{label} =~ s/(?<![\w\$\.])0x([0-9a-f]+)/0$1h/ig; 273 $self->{label} =~ s/(?<![\w\$\.])0x([0-9a-f]+)/0$1h/ig;
271 $self->{label} = "($self->{label})" if ($self->{label} =~ /[\*\+\-\/]/); 274 $self->{label} = "($self->{label})" if ($self->{label} =~ /[\*\+\-\/]/);
272 $sz="q" if ($self->{asterisk}); 275 $sz="q" if ($self->{asterisk} || opcode->mnemonic() eq "movq");
276 $sz="l" if (opcode->mnemonic() eq "movd");
273 277
274 if (defined($self->{index})) { 278 if (defined($self->{index})) {
275 sprintf "%s[%s%s*%d+%s]",$szmap{$sz}, 279 sprintf "%s[%s%s*%d%s]",$szmap{$sz},
276 $self->{label}?"$self->{label}+":"", 280 $self->{label}?"$self->{label}+":"",
277 $self->{index},$self->{scale}, 281 $self->{index},$self->{scale},
278 $self->{base}; 282 $self->{base}?"+$self->{base}":"";
279 } elsif ($self->{base} eq "rip") { 283 } elsif ($self->{base} eq "rip") {
280 sprintf "%s[%s]",$szmap{$sz},$self->{label}; 284 sprintf "%s[%s]",$szmap{$sz},$self->{label};
281 } else { 285 } else {
@@ -507,6 +511,12 @@ my %globals;
507 } 511 }
508 } elsif ($dir =~ /\.(text|data)/) { 512 } elsif ($dir =~ /\.(text|data)/) {
509 $current_segment=".$1"; 513 $current_segment=".$1";
514 } elsif ($dir =~ /\.hidden/) {
515 if ($flavour eq "macosx") { $self->{value} = ".private_extern\t$prefix$line"; }
516 elsif ($flavour eq "mingw64") { $self->{value} = ""; }
517 } elsif ($dir =~ /\.comm/) {
518 $self->{value} = "$dir\t$prefix$line";
519 $self->{value} =~ s|,([0-9]+),([0-9]+)$|",$1,".log($2)/log(2)|e if ($flavour eq "macosx");
510 } 520 }
511 $line = ""; 521 $line = "";
512 return $self; 522 return $self;
@@ -556,7 +566,8 @@ my %globals;
556 $v.=" READONLY"; 566 $v.=" READONLY";
557 $v.=" ALIGN(".($1 eq "p" ? 4 : 8).")" if ($masm>=$masmref); 567 $v.=" ALIGN(".($1 eq "p" ? 4 : 8).")" if ($masm>=$masmref);
558 } elsif ($line=~/\.CRT\$/i) { 568 } elsif ($line=~/\.CRT\$/i) {
559 $v.=" READONLY DWORD"; 569 $v.=" READONLY ";
570 $v.=$masm>=$masmref ? "ALIGN(8)" : "DWORD";
560 } 571 }
561 } 572 }
562 $current_segment = $line; 573 $current_segment = $line;
@@ -578,7 +589,7 @@ my %globals;
578 $self->{value}="${decor}SEH_end_$current_function->{name}:"; 589 $self->{value}="${decor}SEH_end_$current_function->{name}:";
579 $self->{value}.=":\n" if($masm); 590 $self->{value}.=":\n" if($masm);
580 } 591 }
581 $self->{value}.="$current_function->{name}\tENDP" if($masm); 592 $self->{value}.="$current_function->{name}\tENDP" if($masm && $current_function->{name});
582 undef $current_function; 593 undef $current_function;
583 } 594 }
584 last; 595 last;
@@ -614,6 +625,19 @@ my %globals;
614 .join(",",@str) if (@str); 625 .join(",",@str) if (@str);
615 last; 626 last;
616 }; 627 };
628 /\.comm/ && do { my @str=split(/,\s*/,$line);
629 my $v=undef;
630 if ($nasm) {
631 $v.="common $prefix@str[0] @str[1]";
632 } else {
633 $v="$current_segment\tENDS\n" if ($current_segment);
634 $current_segment = "_DATA";
635 $v.="$current_segment\tSEGMENT\n";
636 $v.="COMM @str[0]:DWORD:".@str[1]/4;
637 }
638 $self->{value} = $v;
639 last;
640 };
617 } 641 }
618 $line = ""; 642 $line = "";
619 } 643 }
@@ -626,11 +650,135 @@ my %globals;
626 } 650 }
627} 651}
628 652
653sub rex {
654 local *opcode=shift;
655 my ($dst,$src,$rex)=@_;
656
657 $rex|=0x04 if($dst>=8);
658 $rex|=0x01 if($src>=8);
659 push @opcode,($rex|0x40) if ($rex);
660}
661
662# older gas and ml64 don't handle SSE>2 instructions
663my %regrm = ( "%eax"=>0, "%ecx"=>1, "%edx"=>2, "%ebx"=>3,
664 "%esp"=>4, "%ebp"=>5, "%esi"=>6, "%edi"=>7 );
665
666my $movq = sub { # elderly gas can't handle inter-register movq
667 my $arg = shift;
668 my @opcode=(0x66);
669 if ($arg =~ /%xmm([0-9]+),\s*%r(\w+)/) {
670 my ($src,$dst)=($1,$2);
671 if ($dst !~ /[0-9]+/) { $dst = $regrm{"%e$dst"}; }
672 rex(\@opcode,$src,$dst,0x8);
673 push @opcode,0x0f,0x7e;
674 push @opcode,0xc0|(($src&7)<<3)|($dst&7); # ModR/M
675 @opcode;
676 } elsif ($arg =~ /%r(\w+),\s*%xmm([0-9]+)/) {
677 my ($src,$dst)=($2,$1);
678 if ($dst !~ /[0-9]+/) { $dst = $regrm{"%e$dst"}; }
679 rex(\@opcode,$src,$dst,0x8);
680 push @opcode,0x0f,0x6e;
681 push @opcode,0xc0|(($src&7)<<3)|($dst&7); # ModR/M
682 @opcode;
683 } else {
684 ();
685 }
686};
687
688my $pextrd = sub {
689 if (shift =~ /\$([0-9]+),\s*%xmm([0-9]+),\s*(%\w+)/) {
690 my @opcode=(0x66);
691 $imm=$1;
692 $src=$2;
693 $dst=$3;
694 if ($dst =~ /%r([0-9]+)d/) { $dst = $1; }
695 elsif ($dst =~ /%e/) { $dst = $regrm{$dst}; }
696 rex(\@opcode,$src,$dst);
697 push @opcode,0x0f,0x3a,0x16;
698 push @opcode,0xc0|(($src&7)<<3)|($dst&7); # ModR/M
699 push @opcode,$imm;
700 @opcode;
701 } else {
702 ();
703 }
704};
705
706my $pinsrd = sub {
707 if (shift =~ /\$([0-9]+),\s*(%\w+),\s*%xmm([0-9]+)/) {
708 my @opcode=(0x66);
709 $imm=$1;
710 $src=$2;
711 $dst=$3;
712 if ($src =~ /%r([0-9]+)/) { $src = $1; }
713 elsif ($src =~ /%e/) { $src = $regrm{$src}; }
714 rex(\@opcode,$dst,$src);
715 push @opcode,0x0f,0x3a,0x22;
716 push @opcode,0xc0|(($dst&7)<<3)|($src&7); # ModR/M
717 push @opcode,$imm;
718 @opcode;
719 } else {
720 ();
721 }
722};
723
724my $pshufb = sub {
725 if (shift =~ /%xmm([0-9]+),\s*%xmm([0-9]+)/) {
726 my @opcode=(0x66);
727 rex(\@opcode,$2,$1);
728 push @opcode,0x0f,0x38,0x00;
729 push @opcode,0xc0|($1&7)|(($2&7)<<3); # ModR/M
730 @opcode;
731 } else {
732 ();
733 }
734};
735
736my $palignr = sub {
737 if (shift =~ /\$([0-9]+),\s*%xmm([0-9]+),\s*%xmm([0-9]+)/) {
738 my @opcode=(0x66);
739 rex(\@opcode,$3,$2);
740 push @opcode,0x0f,0x3a,0x0f;
741 push @opcode,0xc0|($2&7)|(($3&7)<<3); # ModR/M
742 push @opcode,$1;
743 @opcode;
744 } else {
745 ();
746 }
747};
748
749my $pclmulqdq = sub {
750 if (shift =~ /\$([x0-9a-f]+),\s*%xmm([0-9]+),\s*%xmm([0-9]+)/) {
751 my @opcode=(0x66);
752 rex(\@opcode,$3,$2);
753 push @opcode,0x0f,0x3a,0x44;
754 push @opcode,0xc0|($2&7)|(($3&7)<<3); # ModR/M
755 my $c=$1;
756 push @opcode,$c=~/^0/?oct($c):$c;
757 @opcode;
758 } else {
759 ();
760 }
761};
762
763my $rdrand = sub {
764 if (shift =~ /%[er](\w+)/) {
765 my @opcode=();
766 my $dst=$1;
767 if ($dst !~ /[0-9]+/) { $dst = $regrm{"%e$dst"}; }
768 rex(\@opcode,0,$1,8);
769 push @opcode,0x0f,0xc7,0xf0|($dst&7);
770 @opcode;
771 } else {
772 ();
773 }
774};
775
629print "#include <machine/asm.h>\n"; 776print "#include <machine/asm.h>\n";
630 777
631if ($nasm) { 778if ($nasm) {
632 print <<___; 779 print <<___;
633default rel 780default rel
781%define XMMWORD
634___ 782___
635} elsif ($masm) { 783} elsif ($masm) {
636 print <<___; 784 print <<___;
@@ -647,14 +795,22 @@ while($line=<>) {
647 795
648 undef $label; 796 undef $label;
649 undef $opcode; 797 undef $opcode;
650 undef $sz;
651 undef @args; 798 undef @args;
652 799
653 if ($label=label->re(\$line)) { print $label->out(); } 800 if ($label=label->re(\$line)) { print $label->out(); }
654 801
655 if (directive->re(\$line)) { 802 if (directive->re(\$line)) {
656 printf "%s",directive->out(); 803 printf "%s",directive->out();
657 } elsif ($opcode=opcode->re(\$line)) { ARGUMENT: while (1) { 804 } elsif ($opcode=opcode->re(\$line)) {
805 my $asm = eval("\$".$opcode->mnemonic());
806 undef @bytes;
807
808 if ((ref($asm) eq 'CODE') && scalar(@bytes=&$asm($line))) {
809 print $gas?".byte\t":"DB\t",join(',',@bytes),"\n";
810 next;
811 }
812
813 ARGUMENT: while (1) {
658 my $arg; 814 my $arg;
659 815
660 if ($arg=register->re(\$line)) { opcode->size($arg->size()); } 816 if ($arg=register->re(\$line)) { opcode->size($arg->size()); }
@@ -670,19 +826,26 @@ while($line=<>) {
670 $line =~ s/^,\s*//; 826 $line =~ s/^,\s*//;
671 } # ARGUMENT: 827 } # ARGUMENT:
672 828
673 $sz=opcode->size();
674
675 if ($#args>=0) { 829 if ($#args>=0) {
676 my $insn; 830 my $insn;
831 my $sz=opcode->size();
832
677 if ($gas) { 833 if ($gas) {
678 $insn = $opcode->out($#args>=1?$args[$#args]->size():$sz); 834 $insn = $opcode->out($#args>=1?$args[$#args]->size():$sz);
835 @args = map($_->out($sz),@args);
836 printf "\t%s\t%s",$insn,join(",",@args);
679 } else { 837 } else {
680 $insn = $opcode->out(); 838 $insn = $opcode->out();
681 $insn .= $sz if (map($_->out() =~ /x?mm/,@args)); 839 foreach (@args) {
840 my $arg = $_->out();
841 # $insn.=$sz compensates for movq, pinsrw, ...
842 if ($arg =~ /^xmm[0-9]+$/) { $insn.=$sz; $sz="x" if(!$sz); last; }
843 if ($arg =~ /^mm[0-9]+$/) { $insn.=$sz; $sz="q" if(!$sz); last; }
844 }
682 @args = reverse(@args); 845 @args = reverse(@args);
683 undef $sz if ($nasm && $opcode->mnemonic() eq "lea"); 846 undef $sz if ($nasm && $opcode->mnemonic() eq "lea");
847 printf "\t%s\t%s",$insn,join(",",map($_->out($sz),@args));
684 } 848 }
685 printf "\t%s\t%s",$insn,join(",",map($_->out($sz),@args));
686 } else { 849 } else {
687 printf "\t%s",$opcode->out(); 850 printf "\t%s",$opcode->out();
688 } 851 }
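--- a/src/lib/libcrypto/perlasm/x86asm.pl
+++ b/src/lib/libcrypto/perlasm/x86asm.pl
@@ -87,6 +87,57 @@ sub ::movq
 { &::generic("movq",@_); }
 }
 
+# SSE>2 instructions
+my %regrm = ( "eax"=>0, "ecx"=>1, "edx"=>2, "ebx"=>3,
+"esp"=>4, "ebp"=>5, "esi"=>6, "edi"=>7 );
+sub ::pextrd
+{ my($dst,$src,$imm)=@_;
+if ("$dst:$src" =~ /(e[a-dsd][ixp]):xmm([0-7])/)
+{ &::data_byte(0x66,0x0f,0x3a,0x16,0xc0|($2<<3)|$regrm{$1},$imm); }
+else
+{ &::generic("pextrd",@_); }
+}
+
+sub ::pinsrd
+{ my($dst,$src,$imm)=@_;
+if ("$dst:$src" =~ /xmm([0-7]):(e[a-dsd][ixp])/)
+{ &::data_byte(0x66,0x0f,0x3a,0x22,0xc0|($1<<3)|$regrm{$2},$imm); }
+else
+{ &::generic("pinsrd",@_); }
+}
+
+sub ::pshufb
+{ my($dst,$src)=@_;
+if ("$dst:$src" =~ /xmm([0-7]):xmm([0-7])/)
+{ &data_byte(0x66,0x0f,0x38,0x00,0xc0|($1<<3)|$2); }
+else
+{ &::generic("pshufb",@_); }
+}
+
+sub ::palignr
+{ my($dst,$src,$imm)=@_;
+if ("$dst:$src" =~ /xmm([0-7]):xmm([0-7])/)
+{ &::data_byte(0x66,0x0f,0x3a,0x0f,0xc0|($1<<3)|$2,$imm); }
+else
+{ &::generic("palignr",@_); }
+}
+
+sub ::pclmulqdq
+{ my($dst,$src,$imm)=@_;
+if ("$dst:$src" =~ /xmm([0-7]):xmm([0-7])/)
+{ &::data_byte(0x66,0x0f,0x3a,0x44,0xc0|($1<<3)|$2,$imm); }
+else
+{ &::generic("pclmulqdq",@_); }
+}
+
+sub ::rdrand
+{ my ($dst)=@_;
+if ($dst =~ /(e[a-dsd][ixp])/)
+{ &::data_byte(0x0f,0xc7,0xf0|$regrm{$dst}); }
+else
+{ &::generic("rdrand",@_); }
+}
+
 # label management
 $lbdecor="L"; # local label decoration, set by package
 $label="000";
@@ -174,7 +225,7 @@ sub ::asm_init
 $filename=$fn;
 $i386=$cpu;
 
-$elf=$cpp=$coff=$aout=$macosx=$win32=$netware=$mwerks=$openbsd=0;
+$elf=$cpp=$coff=$aout=$macosx=$win32=$netware=$mwerks=$openbsd=$android=0;
 if (($type eq "elf"))
 { $elf=1; require "x86gas.pl"; }
 elsif (($type eq "a\.out"))
@@ -195,6 +246,8 @@ sub ::asm_init
 { $openbsd=$elf=1; require "x86gas.pl"; }
 elsif (($type eq "openbsd-a.out"))
 { $openbsd=1; require "x86gas.pl"; }
+elsif (($type eq "android"))
+{ $elf=1; $android=1; require "x86gas.pl"; }
 else
 { print STDERR <<"EOF";
 Pick one target type from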
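Review bot: `::pshufb` calls `&data_byte` without the `::` package qualifier, while `::pextrd`, `::pinsrd`, `::palignr`, `::pclmulqdq` and `::rdrand` in the same hunk all call `&::data_byte`; if this file is ever loaded into a package other than main the unqualified call resolves to an undefined sub, so it should read `{ &::data_byte(0x66,0x0f,0x38,0x00,0xc0|($1<<3)|$2); }`. The hand-encoders also deserve a one-line comment each saying which operand form is hand-assembled (register-register only, everything else falls through to `::generic`), because the bare `# SSE>2 instructions` header does not explain why raw bytes are emitted at all. `::rdrand` indexes `%regrm` with the whole `$dst` string rather than the captured `$1`, unlike the other routines; it works only while `$dst` is exactly the register name, which is worth stating or tightening.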
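--- a/src/lib/libcrypto/perlasm/x86gas.pl
+++ b/src/lib/libcrypto/perlasm/x86gas.pl
@@ -45,9 +45,8 @@ sub ::generic
 undef $suffix if ($dst =~ m/^%[xm]/o || $src =~ m/^%[xm]/o);
 
 if ($#_==0) { &::emit($opcode); }
-elsif ($opcode =~ m/^j/o && $#_==1) { &::emit($opcode,@arg); }
-elsif ($opcode eq "call" && $#_==1) { &::emit($opcode,@arg); }
-elsif ($opcode =~ m/^set/&& $#_==1) { &::emit($opcode,@arg); }
+elsif ($#_==1 && $opcode =~ m/^(call|clflush|j|loop|set)/o)
+{ &::emit($opcode,@arg); }
 else { &::emit($opcode.$suffix,@arg);}
 
 1;
@@ -91,6 +90,7 @@ sub ::DWP
 }
 sub ::QWP { &::DWP(@_); }
 sub ::BP { &::DWP(@_); }
+sub ::WP { &::DWP(@_); }
 sub ::BC { @_; }
 sub ::DWC { @_; }
 
@@ -149,22 +149,24 @@ sub ::public_label
 { push(@out,".globl\t".&::LABEL($_[0],$nmdecor.$_[0])."\n"); }
 
 sub ::file_end
-{ if (grep {/\b${nmdecor}OPENSSL_ia32cap_P\b/i} @out) {
-my $tmp=".comm\t${nmdecor}OPENSSL_ia32cap_P,4";
-if ($::elf) { push (@out,"$tmp,4\n"); }
-else { push (@out,"$tmp\n"); }
-}
-if ($::macosx)
+{ if ($::macosx)
 { if (%non_lazy_ptr)
 { push(@out,".section __IMPORT,__pointers,non_lazy_symbol_pointers\n");
 foreach $i (keys %non_lazy_ptr)
 { push(@out,"$non_lazy_ptr{$i}:\n.indirect_symbol\t$i\n.long\t0\n"); }
 }
 }
+if (grep {/\b${nmdecor}OPENSSL_ia32cap_P\b/i} @out) {
+my $tmp=".comm\t${nmdecor}OPENSSL_ia32cap_P,8";
+if ($::macosx) { push (@out,"$tmp,2\n"); }
+elsif ($::elf) { push (@out,"$tmp,4\n"); }
+else { push (@out,"$tmp\n"); }
+}
 push(@out,$initseg) if ($initseg);
 }
 
 sub ::data_byte { push(@out,".byte\t".join(',',@_)."\n"); }
+sub ::data_short{ push(@out,".value\t".join(',',@_)."\n"); }
 sub ::data_word { push(@out,".long\t".join(',',@_)."\n"); }
 
 sub ::align
@@ -189,7 +191,7 @@ sub ::picmeup
 &::lea($dst,&::DWP($sym));
 &::emitraw("#endif /* PIC */");
 }
-elsif ($::pic && ($::elf || $::aout))
+if (($::pic && ($::elf || $::aout)) || $::macosx)
 { if (!defined($base))
 { &::call(&::label("PIC_me_up"));
 &::set_label("PIC_me_up");
@@ -225,14 +227,17 @@ PIC_EPILOGUE
 .align $align
 .Linitalign:
 ___
+} elsif ($::android)
+{ $initseg.=<<___;
+.section .init_array
+.align 4
+.long $f
+___
 }
 elsif ($::elf)
 { $initseg.=<<___;
 .section .init
 call $f
-jmp .Linitalign
-.align $align
-.Linitalign:
 ___
 }
 elsif ($::coff)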
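Review bot: The android branch of the init-segment hunk emits `.section .init_array` with no flags or type; unless the assembler special-cases that section name, it is created with default attributes rather than the writable init-array the dynamic loader expects, so I would spell it `.section .init_array,"aw"` and confirm the resulting section flags with readelf on the built object. In `::file_end` the `.comm` for OPENSSL_ia32cap_P grows from 4 to 8 bytes; that agrees with the `common ... 8` emitted by x86nasm.pl in this same commit, but a comment such as `# size must match the C definition and x86nasm.pl (8 bytes)` would stop the two from drifting apart silently. The `::generic` change folds five opcode families into one regex; `j` as a bare prefix now matches any mnemonic beginning with j, which is presumably intended (all jumps) but worth a word in a comment.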
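--- a/src/lib/libcrypto/perlasm/x86nasm.pl
+++ b/src/lib/libcrypto/perlasm/x86nasm.pl
@@ -19,6 +19,8 @@ sub ::generic
 { $_[0] = "NEAR $_[0]"; }
 elsif ($opcode eq "lea" && $#_==1) # wipe storage qualifier from lea
 { $_[1] =~ s/^[^\[]*\[/\[/o; }
+elsif ($opcode eq "clflush" && $#_==0)
+{ $_[0] =~ s/^[^\[]*\[/\[/o; }
 }
 &::emit($opcode,@_);
 1;
@@ -67,6 +69,7 @@ sub get_mem
 }
 sub ::BP { &get_mem("BYTE",@_); }
 sub ::DWP { &get_mem("DWORD",@_); }
+sub ::WP { &get_mem("WORD",@_); }
 sub ::QWP { &get_mem("",@_); }
 sub ::BC { (($::mwerks)?"":"BYTE ")."@_"; }
 sub ::DWC { (($::mwerks)?"":"DWORD ")."@_"; }
@@ -114,7 +117,7 @@ sub ::file_end
 { if (grep {/\b${nmdecor}OPENSSL_ia32cap_P\b/i} @out)
 { my $comm=<<___;
 ${drdecor}segment .bss
-${drdecor}common ${nmdecor}OPENSSL_ia32cap_P 4
+${drdecor}common ${nmdecor}OPENSSL_ia32cap_P 8
 ___
 # comment out OPENSSL_ia32cap_P declarations
 grep {s/(^extern\s+${nmdecor}OPENSSL_ia32cap_P)/\;$1/} @out;
@@ -135,7 +138,8 @@ sub ::public_label
 
 sub ::data_byte
 { push(@out,(($::mwerks)?".byte\t":"db\t").join(',',@_)."\n"); }
-
+sub ::data_short
+{ push(@out,(($::mwerks)?".word\t":"dw\t").join(',',@_)."\n"); }
 sub ::data_word
 { push(@out,(($::mwerks)?".long\t":"dd\t").join(',',@_)."\n"); }
 
@@ -163,4 +167,11 @@ sub ::dataseg
 else { push(@out,"section\t.data align=4\n"); }
 }
 
+sub ::safeseh
+{ my $nm=shift;
+push(@out,"%if __NASM_VERSION_ID__ >= 0x02030000\n");
+push(@out,"safeseh ".&::LABEL($nm,$nmdecor.$nm)."\n");
+push(@out,"%endif\n");
+}
+
 1;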
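Review bot: `::safeseh` emits the NASM `%if`/`%endif` preprocessor lines and the `safeseh` directive unconditionally, while every neighbouring emitter in this file (`::data_byte`, `::data_short`, `::data_word`, `::dataseg`) switches on `$::mwerks`; if the mwerks flavour can reach this routine it will produce syntax that assembler does not accept, so either guard it the same way or state in a comment that it is NASM/Win32-only. A one-line comment on the version test, e.g. `# safeseh needs NASM >= 2.03 (version id 0x02030000)`, would explain the magic constant. Registering an SEH handler is security-relevant on Win32 (it is what lets the loader trust the handler under SafeSEH), so the routine's purpose deserves a sentence at its top.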
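--- a/src/lib/libcrypto/pkcs12/p12_decr.c
+++ b/src/lib/libcrypto/pkcs12/p12_decr.c
@@ -89,7 +89,14 @@ unsigned char * PKCS12_pbe_crypt(X509_ALGOR *algor, const char *pass,
 goto err;
 }
 
-EVP_CipherUpdate(&ctx, out, &i, in, inlen);
+if (!EVP_CipherUpdate(&ctx, out, &i, in, inlen))
+{
+OPENSSL_free(out);
+out = NULL;
+PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT,ERR_R_EVP_LIB);
+goto err;
+}
+
 outlen = i;
 if(!EVP_CipherFinal_ex(&ctx, out + i, &i)) {
 OPENSSL_free(out);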
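Review bot: The new EVP_CipherUpdate failure branch repeats the `OPENSSL_free(out); out = NULL; PKCS12err(...); goto err;` sequence that the EVP_CipherFinal_ex branch directly below already performs, so the two cleanups can drift apart; if `out` is NULL-initialised (its declaration and the `err` label are outside this hunk) the usual shape is to free it once at `err`. By the time EVP_CipherUpdate can fail, `out` may already hold partially decrypted PKCS#12 payload (typically private-key material), so whichever path frees it should `OPENSSL_cleanse()` it to its allocated length first. PKCS12_pbe_crypt's body begins and ends outside the hunk.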
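--- a/src/lib/libcrypto/pkcs12/p12_key.c
+++ b/src/lib/libcrypto/pkcs12/p12_key.c
@@ -152,14 +152,16 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt,
 for (i = 0; i < Slen; i++) *p++ = salt[i % saltlen];
 for (i = 0; i < Plen; i++) *p++ = pass[i % passlen];
 for (;;) {
-EVP_DigestInit_ex(&ctx, md_type, NULL);
-EVP_DigestUpdate(&ctx, D, v);
-EVP_DigestUpdate(&ctx, I, Ilen);
-EVP_DigestFinal_ex(&ctx, Ai, NULL);
+if (!EVP_DigestInit_ex(&ctx, md_type, NULL)
+|| !EVP_DigestUpdate(&ctx, D, v)
+|| !EVP_DigestUpdate(&ctx, I, Ilen)
+|| !EVP_DigestFinal_ex(&ctx, Ai, NULL))
+goto err;
 for (j = 1; j < iter; j++) {
-EVP_DigestInit_ex(&ctx, md_type, NULL);
-EVP_DigestUpdate(&ctx, Ai, u);
-EVP_DigestFinal_ex(&ctx, Ai, NULL);
+if (!EVP_DigestInit_ex(&ctx, md_type, NULL)
+|| !EVP_DigestUpdate(&ctx, Ai, u)
+|| !EVP_DigestFinal_ex(&ctx, Ai, NULL))
+goto err;
 }
 memcpy (out, Ai, min (n, u));
 if (u >= n) {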
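Review bot: The two new `goto err` paths jump out while `I` still holds a copy of the password bytes (filled at line 153) and `Ai`/`D` hold intermediate KDF state; the `err` label is outside this hunk, so I cannot see whether it `OPENSSL_cleanse()`s those buffers and calls `EVP_MD_CTX_cleanup(&ctx)` before returning, but it must, because before this change nothing inside the loop could reach it. A comment on the `for (;;)` such as `/* any digest failure goes to err, which must wipe I, Ai and D */` would make that contract visible to the next person touching the error path. PKCS12_key_gen_uni begins and ends outside the hunk.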
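--- a/src/lib/libcrypto/pkcs12/p12_kiss.c
+++ b/src/lib/libcrypto/pkcs12/p12_kiss.c
@@ -167,7 +167,7 @@ int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
 if (cert && *cert)
 X509_free(*cert);
 if (x)
-X509_free(x);
+X509_free(x);
 if (ocerts)
 sk_X509_pop_free(ocerts, X509_free);
 return 0;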
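Review bot: After `X509_free(*cert)` on this error path `*cert` is left pointing at freed memory while the function returns 0, so a caller that frees or inspects the certificate it passed in after a failed PKCS12_parse hits a use-after-free or double free; set it to NULL right after freeing: `X509_free(*cert); *cert = NULL;`. The same applies to `*pkey` if the part of the error block outside this hunk frees it the same way. The fix of `X509_free(*cert)` to `X509_free(x)` is correct as far as it goes; the old line was a double free of the caller's certificate and a leak of `x`.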
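--- a/src/lib/libcrypto/pkcs12/p12_mutl.c
+++ b/src/lib/libcrypto/pkcs12/p12_mutl.c
@@ -97,10 +97,14 @@ int PKCS12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
 return 0;
 }
 HMAC_CTX_init(&hmac);
-HMAC_Init_ex(&hmac, key, md_size, md_type, NULL);
-HMAC_Update(&hmac, p12->authsafes->d.data->data,
-p12->authsafes->d.data->length);
-HMAC_Final(&hmac, mac, maclen);
+if (!HMAC_Init_ex(&hmac, key, md_size, md_type, NULL)
+|| !HMAC_Update(&hmac, p12->authsafes->d.data->data,
+p12->authsafes->d.data->length)
+|| !HMAC_Final(&hmac, mac, maclen))
+{
+HMAC_CTX_cleanup(&hmac);
+return 0;
+}
 HMAC_CTX_cleanup(&hmac);
 return 1;
 }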
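Review bot: Neither the new failure branch nor the success path wipes `key`, the password-derived MAC key handed to HMAC_Init_ex at line 100; its declaration is outside this hunk, but if it is the usual fixed-size stack array it should be cleared with `OPENSSL_cleanse(key, md_size);` before both `HMAC_CTX_cleanup(&hmac)` calls so the derived key does not linger on the stack after return. The two exit paths also duplicate the cleanup; a single `ret` variable with one cleanup at the bottom would keep them from diverging. PKCS12_gen_mac begins outside the hunk.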
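--- a/src/lib/libcrypto/pkcs7/pk7_doit.c
+++ b/src/lib/libcrypto/pkcs7/pk7_doit.c
@@ -204,11 +204,11 @@ static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen,
 unsigned char *ek = NULL;
 size_t eklen;
 
-int ret = 0;
+int ret = -1;
 
 pctx = EVP_PKEY_CTX_new(pkey, NULL);
 if (!pctx)
-return 0;
+return -1;
 
 if (EVP_PKEY_decrypt_init(pctx) <= 0)
 goto err;
@@ -235,12 +235,19 @@ static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen,
 if (EVP_PKEY_decrypt(pctx, ek, &eklen,
 ri->enc_key->data, ri->enc_key->length) <= 0)
 {
+ret = 0;
 PKCS7err(PKCS7_F_PKCS7_DECRYPT_RINFO, ERR_R_EVP_LIB);
 goto err;
 }
 
 ret = 1;
 
+if (*pek)
+{
+OPENSSL_cleanse(*pek, *peklen);
+OPENSSL_free(*pek);
+}
+
 *pek = ek;
 *peklen = eklen;
 
@@ -423,6 +430,8 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
 STACK_OF(X509_ALGOR) *md_sk=NULL;
 STACK_OF(PKCS7_RECIP_INFO) *rsk=NULL;
 PKCS7_RECIP_INFO *ri=NULL;
+unsigned char *ek = NULL, *tkey = NULL;
+int eklen = 0, tkeylen = 0;
 
 i=OBJ_obj2nid(p7->type);
 p7->state=PKCS7_S_HEADER;
@@ -500,8 +509,6 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
 int max;
 X509_OBJECT ret;
 #endif
-unsigned char *ek = NULL;
-int eklen;
 
 if ((etmp=BIO_new(BIO_f_cipher())) == NULL)
 {
@@ -534,29 +541,28 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
 }
 
 /* If we haven't got a certificate try each ri in turn */
-
 if (pcert == NULL)
 {
+/* Always attempt to decrypt all rinfo even
+* after sucess as a defence against MMA timing
+* attacks.
+*/
 for (i=0; i<sk_PKCS7_RECIP_INFO_num(rsk); i++)
 {
 ri=sk_PKCS7_RECIP_INFO_value(rsk,i);
+
 if (pkcs7_decrypt_rinfo(&ek, &eklen,
-ri, pkey) > 0)
-break;
+ri, pkey) < 0)
+goto err;
 ERR_clear_error();
-ri = NULL;
-}
-if (ri == NULL)
-{
-PKCS7err(PKCS7_F_PKCS7_DATADECODE,
-PKCS7_R_NO_RECIPIENT_MATCHES_KEY);
-goto err;
 }
 }
 else
 {
-if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey) <= 0)
+/* Only exit on fatal errors, not decrypt failure */
+if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey) < 0)
 goto err;
+ERR_clear_error();
 }
 
 evp_ctx=NULL;
@@ -565,6 +571,19 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
 goto err;
 if (EVP_CIPHER_asn1_to_param(evp_ctx,enc_alg->parameter) < 0)
 goto err;
+/* Generate random key as MMA defence */
+tkeylen = EVP_CIPHER_CTX_key_length(evp_ctx);
+tkey = OPENSSL_malloc(tkeylen);
+if (!tkey)
+goto err;
+if (EVP_CIPHER_CTX_rand_key(evp_ctx, tkey) <= 0)
+goto err;
+if (ek == NULL)
+{
+ek = tkey;
+eklen = tkeylen;
+tkey = NULL;
+}
 
 if (eklen != EVP_CIPHER_CTX_key_length(evp_ctx)) {
 /* Some S/MIME clients don't use the same key
@@ -573,11 +592,16 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
 */
 if(!EVP_CIPHER_CTX_set_key_length(evp_ctx, eklen))
 {
-PKCS7err(PKCS7_F_PKCS7_DATADECODE,
-PKCS7_R_DECRYPTED_KEY_IS_WRONG_LENGTH);
-goto err;
+/* Use random key as MMA defence */
+OPENSSL_cleanse(ek, eklen);
+OPENSSL_free(ek);
+ek = tkey;
+eklen = tkeylen;
+tkey = NULL;
 }
 }
+/* Clear errors so we don't leak information useful in MMA */
+ERR_clear_error();
 if (EVP_CipherInit_ex(evp_ctx,NULL,NULL,ek,NULL,0) <= 0)
 goto err;
 
@@ -585,6 +609,13 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
 {
 OPENSSL_cleanse(ek,eklen);
 OPENSSL_free(ek);
+ek = NULL;
+}
+if (tkey)
+{
+OPENSSL_cleanse(tkey,tkeylen);
+OPENSSL_free(tkey);
+tkey = NULL;
 }
 
 if (out == NULL)
@@ -627,6 +658,16 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
 if (0)
 {
 err:
+if (ek)
+{
+OPENSSL_cleanse(ek,eklen);
+OPENSSL_free(ek);
+}
+if (tkey)
+{
+OPENSSL_cleanse(tkey,tkeylen);
+OPENSSL_free(tkey);
+}
 if (out != NULL) BIO_free_all(out);
 if (btmp != NULL) BIO_free_all(btmp);
 if (etmp != NULL) BIO_free_all(etmp);
@@ -676,7 +717,11 @@ static int do_pkcs7_signed_attrib(PKCS7_SIGNER_INFO *si, EVP_MD_CTX *mctx)
 }
 
 /* Add digest */
-EVP_DigestFinal_ex(mctx, md_data,&md_len);
+if (!EVP_DigestFinal_ex(mctx, md_data,&md_len))
+{
+PKCS7err(PKCS7_F_DO_PKCS7_SIGNED_ATTRIB, ERR_R_EVP_LIB);
+return 0;
+}
 if (!PKCS7_add1_attrib_digest(si, md_data, md_len))
 {
 PKCS7err(PKCS7_F_DO_PKCS7_SIGNED_ATTRIB, ERR_R_MALLOC_FAILURE);
@@ -784,7 +829,8 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
 
 /* We now have the EVP_MD_CTX, lets do the
 * signing. */
-EVP_MD_CTX_copy_ex(&ctx_tmp,mdc);
+if (!EVP_MD_CTX_copy_ex(&ctx_tmp,mdc))
+goto err;
 
 sk=si->auth_attr;
 
@@ -822,7 +868,8 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
 if (!PKCS7_find_digest(&mdc, bio,
 OBJ_obj2nid(p7->d.digest->md->algorithm)))
 goto err;
-EVP_DigestFinal_ex(mdc,md_data,&md_len);
+if (!EVP_DigestFinal_ex(mdc,md_data,&md_len))
+goto err;
 M_ASN1_OCTET_STRING_set(p7->d.digest->digest, md_data, md_len);
 }
 
@@ -1015,7 +1062,8 @@ int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si,
 
 /* mdc is the digest ctx that we want, unless there are attributes,
 * in which case the digest is the signed attributes */
-EVP_MD_CTX_copy_ex(&mdc_tmp,mdc);
+if (!EVP_MD_CTX_copy_ex(&mdc_tmp,mdc))
+goto err;
 
 sk=si->auth_attr;
 if ((sk != NULL) && (sk_X509_ATTRIBUTE_num(sk) != 0))
@@ -1025,7 +1073,8 @@ int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si,
 int alen;
 ASN1_OCTET_STRING *message_digest;
 
-EVP_DigestFinal_ex(&mdc_tmp,md_dat,&md_len);
+if (!EVP_DigestFinal_ex(&mdc_tmp,md_dat,&md_len))
+goto err;
 message_digest=PKCS7_digest_from_attributes(sk);
 if (!message_digest)
 {
@@ -1050,7 +1099,8 @@ for (ii=0; ii<md_len; ii++) printf("%02X",md_dat[ii]); printf(" calc\n");
 goto err;
 }
 
-EVP_VerifyInit_ex(&mdc_tmp,EVP_get_digestbynid(md_type), NULL);
+if (!EVP_VerifyInit_ex(&mdc_tmp,EVP_get_digestbynid(md_type), NULL))
+goto err;
 
 alen = ASN1_item_i2d((ASN1_VALUE *)sk, &abuf,
 ASN1_ITEM_rptr(PKCS7_ATTR_VERIFY));
@@ -1060,7 +1110,8 @@ for (ii=0; ii<md_len; ii++) printf("%02X",md_dat[ii]); printf(" calc\n");
 ret = -1;
 goto err;
 }
-EVP_VerifyUpdate(&mdc_tmp, abuf, alen);
+if (!EVP_VerifyUpdate(&mdc_tmp, abuf, alen))
+goto err;
 
 OPENSSL_free(abuf);
 }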
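Review bot: In PKCS7_dataDecode the `pcert == NULL` loop no longer raises PKCS7_R_NO_RECIPIENT_MATCHES_KEY and the wrong-key-length branch no longer raises PKCS7_R_DECRYPTED_KEY_IS_WRONG_LENGTH; both now continue with the random `tkey` so the cases are indistinguishable from a bad decrypt, which is the right Bleichenbacher/MMA defence but is also a contract change for any caller that switched on those reason codes. That should be stated in the function's header comment (outside this hunk), e.g. `/* A recipient info that fails to decrypt, or yields a wrong-length key, is deliberately NOT reported: a random key is substituted so the failure only surfaces as a bad decrypt downstream (MMA defence). Callers must check the cipher status of the returned BIO. */`. Two smaller points in the same hunks: the comment at new line 547 misspells "success", and the `ERR_clear_error()` calls at new lines 557, 565 and 604 wipe the whole thread error queue, including anything the caller queued before entering, which the same comment should mention.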
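--- a/src/lib/libcrypto/pkcs7/pk7_smime.c
+++ b/src/lib/libcrypto/pkcs7/pk7_smime.c
@@ -573,15 +573,34 @@ int PKCS7_decrypt(PKCS7 *p7, EVP_PKEY *pkey, X509 *cert, BIO *data, int flags)
 return 0;
 }
 ret = SMIME_text(bread, data);
+if (ret > 0 && BIO_method_type(tmpmem) == BIO_TYPE_CIPHER)
+{
+if (!BIO_get_cipher_status(tmpmem))
+ret = 0;
+}
 BIO_free_all(bread);
 return ret;
 } else {
 for(;;) {
 i = BIO_read(tmpmem, buf, sizeof(buf));
-if(i <= 0) break;
-BIO_write(data, buf, i);
+if(i <= 0)
+{
+ret = 1;
+if (BIO_method_type(tmpmem) == BIO_TYPE_CIPHER)
+{
+if (!BIO_get_cipher_status(tmpmem))
+ret = 0;
+}
+
+break;
+}
+if (BIO_write(data, buf, i) != i)
+{
+ret = 0;
+break;
+}
 }
 BIO_free_all(tmpmem);
-return 1;
+return ret;
 }
 }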
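Review bot: In both branches the decrypted bytes have already been written into the caller's `data` BIO before `BIO_get_cipher_status()` is consulted, so a 0 return now means the caller holds a buffer of garbage (with the MMA defence in pk7_doit.c, output produced under a random key) that it must throw away, not a partial valid result. The header comment or man page for PKCS7_decrypt (outside this hunk) should say so, e.g. `/* On a 0 return whatever was written to 'data' is undefined and must be discarded. */`. The `BIO_method_type(tmpmem) == BIO_TYPE_CIPHER` plus `BIO_get_cipher_status` pair is duplicated verbatim in the two branches; a small static helper would keep the two checks from diverging.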
diff --git a/src/lib/libcrypto/rand/md_rand.c b/src/lib/libcrypto/rand/md_rand.c
index b2f04ff13e..fcdd3f2a84 100644
--- a/src/lib/libcrypto/rand/md_rand.c
+++ b/src/lib/libcrypto/rand/md_rand.c
@@ -109,6 +109,8 @@
109 * 109 *
110 */ 110 */
111 111
112#define OPENSSL_FIPSEVP
113
112#ifdef MD_RAND_DEBUG 114#ifdef MD_RAND_DEBUG
113# ifndef NDEBUG 115# ifndef NDEBUG
114# define NDEBUG 116# define NDEBUG
@@ -157,13 +159,14 @@ const char RAND_version[]="RAND" OPENSSL_VERSION_PTEXT;
157static void ssleay_rand_cleanup(void); 159static void ssleay_rand_cleanup(void);
158static void ssleay_rand_seed(const void *buf, int num); 160static void ssleay_rand_seed(const void *buf, int num);
159static void ssleay_rand_add(const void *buf, int num, double add_entropy); 161static void ssleay_rand_add(const void *buf, int num, double add_entropy);
160static int ssleay_rand_bytes(unsigned char *buf, int num); 162static int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo);
163static int ssleay_rand_nopseudo_bytes(unsigned char *buf, int num);
161static int ssleay_rand_pseudo_bytes(unsigned char *buf, int num); 164static int ssleay_rand_pseudo_bytes(unsigned char *buf, int num);
162static int ssleay_rand_status(void); 165static int ssleay_rand_status(void);
163 166
164RAND_METHOD rand_ssleay_meth={ 167RAND_METHOD rand_ssleay_meth={
165 ssleay_rand_seed, 168 ssleay_rand_seed,
166 ssleay_rand_bytes, 169 ssleay_rand_nopseudo_bytes,
167 ssleay_rand_cleanup, 170 ssleay_rand_cleanup,
168 ssleay_rand_add, 171 ssleay_rand_add,
169 ssleay_rand_pseudo_bytes, 172 ssleay_rand_pseudo_bytes,
@@ -328,7 +331,7 @@ static void ssleay_rand_seed(const void *buf, int num)
328 ssleay_rand_add(buf, num, (double)num); 331 ssleay_rand_add(buf, num, (double)num);
329 } 332 }
330 333
331static int ssleay_rand_bytes(unsigned char *buf, int num) 334static int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo)
332 { 335 {
333 static volatile int stirred_pool = 0; 336 static volatile int stirred_pool = 0;
334 int i,j,k,st_num,st_idx; 337 int i,j,k,st_num,st_idx;
@@ -517,7 +520,9 @@ static int ssleay_rand_bytes(unsigned char *buf, int num)
517 EVP_MD_CTX_cleanup(&m); 520 EVP_MD_CTX_cleanup(&m);
518 if (ok) 521 if (ok)
519 return(1); 522 return(1);
520 else 523 else if (pseudo)
524 return 0;
525 else
521 { 526 {
522 RANDerr(RAND_F_SSLEAY_RAND_BYTES,RAND_R_PRNG_NOT_SEEDED); 527 RANDerr(RAND_F_SSLEAY_RAND_BYTES,RAND_R_PRNG_NOT_SEEDED);
523 ERR_add_error_data(1, "You need to read the OpenSSL FAQ, " 528 ERR_add_error_data(1, "You need to read the OpenSSL FAQ, "
@@ -526,22 +531,16 @@ static int ssleay_rand_bytes(unsigned char *buf, int num)
526 } 531 }
527 } 532 }
528 533
534static int ssleay_rand_nopseudo_bytes(unsigned char *buf, int num)
535 {
536 return ssleay_rand_bytes(buf, num, 0);
537 }
538
529/* pseudo-random bytes that are guaranteed to be unique but not 539/* pseudo-random bytes that are guaranteed to be unique but not
530 unpredictable */ 540 unpredictable */
531static int ssleay_rand_pseudo_bytes(unsigned char *buf, int num) 541static int ssleay_rand_pseudo_bytes(unsigned char *buf, int num)
532 { 542 {
533 int ret; 543 return ssleay_rand_bytes(buf, num, 1);
534 unsigned long err;
535
536 ret = RAND_bytes(buf, num);
537 if (ret == 0)
538 {
539 err = ERR_peek_error();
540 if (ERR_GET_LIB(err) == ERR_LIB_RAND &&
541 ERR_GET_REASON(err) == RAND_R_PRNG_NOT_SEEDED)
542 ERR_clear_error();
543 }
544 return (ret);
545 } 544 }
546 545
547static int ssleay_rand_status(void) 546static int ssleay_rand_status(void)
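Review bot: The new `pseudo` parameter of ssleay_rand_bytes is undocumented, and its only effect, the `else if (pseudo) return 0;` branch, is to report an unseeded PRNG by returning 0 without pushing RAND_R_PRNG_NOT_SEEDED, which is what the removed ERR_peek_error()/ERR_clear_error() sequence in ssleay_rand_pseudo_bytes used to emulate. A comment at the definition would make that contract explicit: `/* pseudo != 0: caller accepts output from an unseeded PRNG; signal it by returning 0 without raising an error (RAND_pseudo_bytes semantics) */`. The old wrapper went through RAND_bytes(), which presumably dispatched to the installed default method, whereas the new wrappers call ssleay_rand_bytes directly; if that change of path is intended it deserves a sentence in the comment above ssleay_rand_pseudo_bytes. The `#define OPENSSL_FIPSEVP` added at the top of the file also arrives without a comment saying what it selects. The body of ssleay_rand_bytes extends beyond the hunks shown.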
diff --git a/src/lib/libcrypto/rand/rand.h b/src/lib/libcrypto/rand/rand.h
index ac6c021763..dc8fcf94c5 100644
--- a/src/lib/libcrypto/rand/rand.h
+++ b/src/lib/libcrypto/rand/rand.h
@@ -119,6 +119,11 @@ int RAND_event(UINT, WPARAM, LPARAM);
119 119
120#endif 120#endif
121 121
122#ifdef OPENSSL_FIPS
123void RAND_set_fips_drbg_type(int type, int flags);
124int RAND_init_fips(void);
125#endif
126
122/* BEGIN ERROR CODES */ 127/* BEGIN ERROR CODES */
123/* The following lines are auto generated by the script mkerr.pl. Any changes 128/* The following lines are auto generated by the script mkerr.pl. Any changes
124 * made after this point may be overwritten when the script is next run. 129 * made after this point may be overwritten when the script is next run.
@@ -129,9 +134,13 @@ void ERR_load_RAND_strings(void);
129 134
130/* Function codes. */ 135/* Function codes. */
131#define RAND_F_RAND_GET_RAND_METHOD 101 136#define RAND_F_RAND_GET_RAND_METHOD 101
137#define RAND_F_RAND_INIT_FIPS 102
132#define RAND_F_SSLEAY_RAND_BYTES 100 138#define RAND_F_SSLEAY_RAND_BYTES 100
133 139
134/* Reason codes. */ 140/* Reason codes. */
141#define RAND_R_ERROR_INITIALISING_DRBG 102
142#define RAND_R_ERROR_INSTANTIATING_DRBG 103
143#define RAND_R_NO_FIPS_RANDOM_METHOD_SET 101
135#define RAND_R_PRNG_NOT_SEEDED 100 144#define RAND_R_PRNG_NOT_SEEDED 100
136 145
137#ifdef __cplusplus 146#ifdef __cplusplus
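Review bot: The new `RAND_set_fips_drbg_type` and `RAND_init_fips` prototypes carry no comment, and the ordering constraint between them is not visible from the header: in rand_lib.c the stored type and flags are read only inside `RAND_init_fips`, so calling `RAND_set_fips_drbg_type` after initialisation does not affect the running DRBG. Suggest annotating the prototypes: `/* Select the DRBG type and flags; takes effect only if called before RAND_init_fips() */` and `/* Instantiate the FIPS DRBG and install it as the FIPS random method; returns 1 on success, 0 with a RAND error pushed */`.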
diff --git a/src/lib/libcrypto/rand/rand_err.c b/src/lib/libcrypto/rand/rand_err.c
index 03cda4dd92..b8586c8f4a 100644
--- a/src/lib/libcrypto/rand/rand_err.c
+++ b/src/lib/libcrypto/rand/rand_err.c
@@ -1,6 +1,6 @@
1/* crypto/rand/rand_err.c */ 1/* crypto/rand/rand_err.c */
2/* ==================================================================== 2/* ====================================================================
3 * Copyright (c) 1999-2006 The OpenSSL Project. All rights reserved. 3 * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved.
4 * 4 *
5 * Redistribution and use in source and binary forms, with or without 5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions 6 * modification, are permitted provided that the following conditions
@@ -71,12 +71,16 @@
71static ERR_STRING_DATA RAND_str_functs[]= 71static ERR_STRING_DATA RAND_str_functs[]=
72 { 72 {
73{ERR_FUNC(RAND_F_RAND_GET_RAND_METHOD), "RAND_get_rand_method"}, 73{ERR_FUNC(RAND_F_RAND_GET_RAND_METHOD), "RAND_get_rand_method"},
74{ERR_FUNC(RAND_F_RAND_INIT_FIPS), "RAND_init_fips"},
74{ERR_FUNC(RAND_F_SSLEAY_RAND_BYTES), "SSLEAY_RAND_BYTES"}, 75{ERR_FUNC(RAND_F_SSLEAY_RAND_BYTES), "SSLEAY_RAND_BYTES"},
75{0,NULL} 76{0,NULL}
76 }; 77 };
77 78
78static ERR_STRING_DATA RAND_str_reasons[]= 79static ERR_STRING_DATA RAND_str_reasons[]=
79 { 80 {
81{ERR_REASON(RAND_R_ERROR_INITIALISING_DRBG),"error initialising drbg"},
82{ERR_REASON(RAND_R_ERROR_INSTANTIATING_DRBG),"error instantiating drbg"},
83{ERR_REASON(RAND_R_NO_FIPS_RANDOM_METHOD_SET),"no fips random method set"},
80{ERR_REASON(RAND_R_PRNG_NOT_SEEDED) ,"PRNG not seeded"}, 84{ERR_REASON(RAND_R_PRNG_NOT_SEEDED) ,"PRNG not seeded"},
81{0,NULL} 85{0,NULL}
82 }; 86 };
diff --git a/src/lib/libcrypto/rand/rand_lib.c b/src/lib/libcrypto/rand/rand_lib.c
index 513e338985..daf1dab973 100644
--- a/src/lib/libcrypto/rand/rand_lib.c
+++ b/src/lib/libcrypto/rand/rand_lib.c
@@ -60,10 +60,16 @@
60#include <time.h> 60#include <time.h>
61#include "cryptlib.h" 61#include "cryptlib.h"
62#include <openssl/rand.h> 62#include <openssl/rand.h>
63
63#ifndef OPENSSL_NO_ENGINE 64#ifndef OPENSSL_NO_ENGINE
64#include <openssl/engine.h> 65#include <openssl/engine.h>
65#endif 66#endif
66 67
68#ifdef OPENSSL_FIPS
69#include <openssl/fips.h>
70#include <openssl/fips_rand.h>
71#endif
72
67#ifndef OPENSSL_NO_ENGINE 73#ifndef OPENSSL_NO_ENGINE
68/* non-NULL if default_RAND_meth is ENGINE-provided */ 74/* non-NULL if default_RAND_meth is ENGINE-provided */
69static ENGINE *funct_ref =NULL; 75static ENGINE *funct_ref =NULL;
@@ -174,3 +180,116 @@ int RAND_status(void)
174 return meth->status(); 180 return meth->status();
175 return 0; 181 return 0;
176 } 182 }
183
184#ifdef OPENSSL_FIPS
185
186/* FIPS DRBG initialisation code. This sets up the DRBG for use by the
187 * rest of OpenSSL.
188 */
189
190/* Entropy gatherer: use standard OpenSSL PRNG to seed (this will gather
191 * entropy internally through RAND_poll().
192 */
193
194static size_t drbg_get_entropy(DRBG_CTX *ctx, unsigned char **pout,
195 int entropy, size_t min_len, size_t max_len)
196 {
197 /* Round up request to multiple of block size */
198 min_len = ((min_len + 19) / 20) * 20;
199 *pout = OPENSSL_malloc(min_len);
200 if (!*pout)
201 return 0;
202 if (RAND_SSLeay()->bytes(*pout, min_len) <= 0)
203 {
204 OPENSSL_free(*pout);
205 *pout = NULL;
206 return 0;
207 }
208 return min_len;
209 }
210
211static void drbg_free_entropy(DRBG_CTX *ctx, unsigned char *out, size_t olen)
212 {
213 OPENSSL_cleanse(out, olen);
214 OPENSSL_free(out);
215 }
216
217/* Set "additional input" when generating random data. This uses the
218 * current PID, a time value and a counter.
219 */
220
221static size_t drbg_get_adin(DRBG_CTX *ctx, unsigned char **pout)
222 {
223 /* Use of static variables is OK as this happens under a lock */
224 static unsigned char buf[16];
225 static unsigned long counter;
226 FIPS_get_timevec(buf, &counter);
227 *pout = buf;
228 return sizeof(buf);
229 }
230
231/* RAND_add() and RAND_seed() pass through to OpenSSL PRNG so it is
232 * correctly seeded by RAND_poll().
233 */
234
235static int drbg_rand_add(DRBG_CTX *ctx, const void *in, int inlen,
236 double entropy)
237 {
238 RAND_SSLeay()->add(in, inlen, entropy);
239 return 1;
240 }
241
242static int drbg_rand_seed(DRBG_CTX *ctx, const void *in, int inlen)
243 {
244 RAND_SSLeay()->seed(in, inlen);
245 return 1;
246 }
247
248#ifndef OPENSSL_DRBG_DEFAULT_TYPE
249#define OPENSSL_DRBG_DEFAULT_TYPE NID_aes_256_ctr
250#endif
251#ifndef OPENSSL_DRBG_DEFAULT_FLAGS
252#define OPENSSL_DRBG_DEFAULT_FLAGS DRBG_FLAG_CTR_USE_DF
253#endif
254
255static int fips_drbg_type = OPENSSL_DRBG_DEFAULT_TYPE;
256static int fips_drbg_flags = OPENSSL_DRBG_DEFAULT_FLAGS;
257
258void RAND_set_fips_drbg_type(int type, int flags)
259 {
260 fips_drbg_type = type;
261 fips_drbg_flags = flags;
262 }
263
264int RAND_init_fips(void)
265 {
266 DRBG_CTX *dctx;
267 size_t plen;
268 unsigned char pers[32], *p;
269 dctx = FIPS_get_default_drbg();
270 if (FIPS_drbg_init(dctx, fips_drbg_type, fips_drbg_flags) <= 0)
271 {
272 RANDerr(RAND_F_RAND_INIT_FIPS, RAND_R_ERROR_INITIALISING_DRBG);
273 return 0;
274 }
275
276 FIPS_drbg_set_callbacks(dctx,
277 drbg_get_entropy, drbg_free_entropy, 20,
278 drbg_get_entropy, drbg_free_entropy);
279 FIPS_drbg_set_rand_callbacks(dctx, drbg_get_adin, 0,
280 drbg_rand_seed, drbg_rand_add);
281 /* Personalisation string: a string followed by date time vector */
282 strcpy((char *)pers, "OpenSSL DRBG2.0");
283 plen = drbg_get_adin(dctx, &p);
284 memcpy(pers + 16, p, plen);
285
286 if (FIPS_drbg_instantiate(dctx, pers, sizeof(pers)) <= 0)
287 {
288 RANDerr(RAND_F_RAND_INIT_FIPS, RAND_R_ERROR_INSTANTIATING_DRBG);
289 return 0;
290 }
291 FIPS_rand_set_method(FIPS_drbg_method());
292 return 1;
293 }
294
295#endif
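Review bot: `drbg_get_entropy` rounds `min_len` up to a multiple of 20 but never compares the result with `max_len`, so a request whose rounded length exceeds the caller's maximum returns more bytes than the DRBG layer asked for; `if (min_len > max_len) return 0;` after the rounding would close that, and the 20 is a magic number that also appears as the block-length argument of `FIPS_drbg_set_callbacks`, so a named constant shared by both would keep them in step. In `RAND_init_fips` the `memcpy(pers + 16, p, plen)` relies on `plen` being exactly 16 and on the 15-character literal plus NUL filling the first 16 bytes of `pers`; a guard such as `if (plen > sizeof(pers) - 16) return 0;` would document and enforce that dependency. The `entropy` argument of `drbg_get_entropy` is unused, which is acceptable for a callback but deserves a one-line comment, and the comment in `drbg_get_adin` that its static buffer is safe "under a lock" cannot be checked for the direct call from `RAND_init_fips`, which is not visibly under any lock here.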
diff --git a/src/lib/libcrypto/rand/randfile.c b/src/lib/libcrypto/rand/randfile.c
index bc7d9c5804..030e07f418 100644
--- a/src/lib/libcrypto/rand/randfile.c
+++ b/src/lib/libcrypto/rand/randfile.c
@@ -137,7 +137,7 @@ int RAND_load_file(const char *file, long bytes)
137 in=fopen(file,"rb"); 137 in=fopen(file,"rb");
138#endif 138#endif
139 if (in == NULL) goto err; 139 if (in == NULL) goto err;
140#if defined(S_IFBLK) && defined(S_IFCHR) && !defined(OPNESSL_NO_POSIX_IO) 140#if defined(S_IFBLK) && defined(S_IFCHR) && !defined(OPENSSL_NO_POSIX_IO)
141 if (sb.st_mode & (S_IFBLK | S_IFCHR)) { 141 if (sb.st_mode & (S_IFBLK | S_IFCHR)) {
142 /* this file is a device. we don't want read an infinite number 142 /* this file is a device. we don't want read an infinite number
143 * of bytes from a random device, nor do we want to use buffered 143 * of bytes from a random device, nor do we want to use buffered
diff --git a/src/lib/libcrypto/rc2/rc2.h b/src/lib/libcrypto/rc2/rc2.h
index 34c8362317..e542ec94ff 100644
--- a/src/lib/libcrypto/rc2/rc2.h
+++ b/src/lib/libcrypto/rc2/rc2.h
@@ -79,7 +79,9 @@ typedef struct rc2_key_st
79 RC2_INT data[64]; 79 RC2_INT data[64];
80 } RC2_KEY; 80 } RC2_KEY;
81 81
82 82#ifdef OPENSSL_FIPS
83void private_RC2_set_key(RC2_KEY *key, int len, const unsigned char *data,int bits);
84#endif
83void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data,int bits); 85void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data,int bits);
84void RC2_ecb_encrypt(const unsigned char *in,unsigned char *out,RC2_KEY *key, 86void RC2_ecb_encrypt(const unsigned char *in,unsigned char *out,RC2_KEY *key,
85 int enc); 87 int enc);
diff --git a/src/lib/libcrypto/rc2/rc2_skey.c b/src/lib/libcrypto/rc2/rc2_skey.c
index 0150b0e035..6668ac011f 100644
--- a/src/lib/libcrypto/rc2/rc2_skey.c
+++ b/src/lib/libcrypto/rc2/rc2_skey.c
@@ -56,6 +56,7 @@
56 * [including the GNU Public Licence.] 56 * [including the GNU Public Licence.]
57 */ 57 */
58 58
59#include <openssl/crypto.h>
59#include <openssl/rc2.h> 60#include <openssl/rc2.h>
60#include "rc2_locl.h" 61#include "rc2_locl.h"
61 62
@@ -95,6 +96,13 @@ static const unsigned char key_table[256]={
95 * the same as specifying 1024 for the 'bits' parameter. Bsafe uses 96 * the same as specifying 1024 for the 'bits' parameter. Bsafe uses
96 * a version where the bits parameter is the same as len*8 */ 97 * a version where the bits parameter is the same as len*8 */
97void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data, int bits) 98void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data, int bits)
99#ifdef OPENSSL_FIPS
100 {
101 fips_cipher_abort(RC2);
102 private_RC2_set_key(key, len, data, bits);
103 }
104void private_RC2_set_key(RC2_KEY *key, int len, const unsigned char *data, int bits)
105#endif
98 { 106 {
99 int i,j; 107 int i,j;
100 unsigned char *k; 108 unsigned char *k;
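Review bot: Under `OPENSSL_FIPS` the inserted `#ifdef` block turns the `RC2_set_key` signature into a forwarding stub and places a second signature, `private_RC2_set_key`, in front of the original body, so a reader of the non-FIPS build never sees that the body below belongs to a different symbol depending on configuration. A comment above the `RC2_set_key` line, e.g. `/* With OPENSSL_FIPS, RC2_set_key becomes a stub that calls fips_cipher_abort(RC2); the body below is then compiled as private_RC2_set_key */`, would make the splice explicit. The added `#include <openssl/crypto.h>` is presumably what brings `fips_cipher_abort` into scope, but that is not visible in this hunk. The function body continues beyond the hunk.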
diff --git a/src/lib/libcrypto/rc4/asm/rc4-586.pl b/src/lib/libcrypto/rc4/asm/rc4-586.pl
index 38a44a70ef..5c9ac6ad28 100644
--- a/src/lib/libcrypto/rc4/asm/rc4-586.pl
+++ b/src/lib/libcrypto/rc4/asm/rc4-586.pl
@@ -28,6 +28,34 @@
28# 28#
29# <appro@fy.chalmers.se> 29# <appro@fy.chalmers.se>
30 30
31# May 2011
32#
33# Optimize for Core2 and Westmere [and incidentally Opteron]. Current
34# performance in cycles per processed byte (less is better) and
35# improvement relative to previous version of this module is:
36#
37# Pentium 10.2 # original numbers
38# Pentium III 7.8(*)
39# Intel P4 7.5
40#
41# Opteron 6.1/+20% # new MMX numbers
42# Core2 5.3/+67%(**)
43# Westmere 5.1/+94%(**)
44# Sandy Bridge 5.0/+8%
45# Atom 12.6/+6%
46#
47# (*) PIII can actually deliver 6.6 cycles per byte with MMX code,
48# but this specific code performs poorly on Core2. And vice
49# versa, below MMX/SSE code delivering 5.8/7.1 on Core2 performs
50# poorly on PIII, at 8.0/14.5:-( As PIII is not a "hot" CPU
51# [anymore], I chose to discard PIII-specific code path and opt
52# for original IALU-only code, which is why MMX/SSE code path
53# is guarded by SSE2 bit (see below), not MMX/SSE.
54# (**) Performance vs. block size on Core2 and Westmere had a maximum
55# at ... 64 bytes block size. And it was quite a maximum, 40-60%
56# in comparison to largest 8KB block size. Above improvement
57# coefficients are for the largest block size.
58
31$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; 59$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
32push(@INC,"${dir}","${dir}../../perlasm"); 60push(@INC,"${dir}","${dir}../../perlasm");
33require "x86asm.pl"; 61require "x86asm.pl";
@@ -62,6 +90,68 @@ sub RC4_loop {
62 &$func ($out,&DWP(0,$dat,$ty,4)); 90 &$func ($out,&DWP(0,$dat,$ty,4));
63} 91}
64 92
93if ($alt=0) {
94 # >20% faster on Atom and Sandy Bridge[!], 8% faster on Opteron,
95 # but ~40% slower on Core2 and Westmere... Attempt to add movz
96 # brings down Opteron by 25%, Atom and Sandy Bridge by 15%, yet
97 # on Core2 with movz it's almost 20% slower than below alternative
98 # code... Yes, it's a total mess...
99 my @XX=($xx,$out);
100 $RC4_loop_mmx = sub { # SSE actually...
101 my $i=shift;
102 my $j=$i<=0?0:$i>>1;
103 my $mm=$i<=0?"mm0":"mm".($i&1);
104
105 &add (&LB($yy),&LB($tx));
106 &lea (@XX[1],&DWP(1,@XX[0]));
107 &pxor ("mm2","mm0") if ($i==0);
108 &psllq ("mm1",8) if ($i==0);
109 &and (@XX[1],0xff);
110 &pxor ("mm0","mm0") if ($i<=0);
111 &mov ($ty,&DWP(0,$dat,$yy,4));
112 &mov (&DWP(0,$dat,$yy,4),$tx);
113 &pxor ("mm1","mm2") if ($i==0);
114 &mov (&DWP(0,$dat,$XX[0],4),$ty);
115 &add (&LB($ty),&LB($tx));
116 &movd (@XX[0],"mm7") if ($i==0);
117 &mov ($tx,&DWP(0,$dat,@XX[1],4));
118 &pxor ("mm1","mm1") if ($i==1);
119 &movq ("mm2",&QWP(0,$inp)) if ($i==1);
120 &movq (&QWP(-8,(@XX[0],$inp)),"mm1") if ($i==0);
121 &pinsrw ($mm,&DWP(0,$dat,$ty,4),$j);
122
123 push (@XX,shift(@XX)) if ($i>=0);
124 }
125} else {
126 # Using pinsrw here improves performane on Intel CPUs by 2-3%, but
127 # brings down AMD by 7%...
128 $RC4_loop_mmx = sub {
129 my $i=shift;
130
131 &add (&LB($yy),&LB($tx));
132 &psllq ("mm1",8*(($i-1)&7)) if (abs($i)!=1);
133 &mov ($ty,&DWP(0,$dat,$yy,4));
134 &mov (&DWP(0,$dat,$yy,4),$tx);
135 &mov (&DWP(0,$dat,$xx,4),$ty);
136 &inc ($xx);
137 &add ($ty,$tx);
138 &movz ($xx,&LB($xx)); # (*)
139 &movz ($ty,&LB($ty)); # (*)
140 &pxor ("mm2",$i==1?"mm0":"mm1") if ($i>=0);
141 &movq ("mm0",&QWP(0,$inp)) if ($i<=0);
142 &movq (&QWP(-8,($out,$inp)),"mm2") if ($i==0);
143 &mov ($tx,&DWP(0,$dat,$xx,4));
144 &movd ($i>0?"mm1":"mm2",&DWP(0,$dat,$ty,4));
145
146 # (*) This is the key to Core2 and Westmere performance.
147 # Whithout movz out-of-order execution logic confuses
148 # itself and fails to reorder loads and stores. Problem
149 # appears to be fixed in Sandy Bridge...
150 }
151}
152
153&external_label("OPENSSL_ia32cap_P");
154
65# void RC4(RC4_KEY *key,size_t len,const unsigned char *inp,unsigned char *out); 155# void RC4(RC4_KEY *key,size_t len,const unsigned char *inp,unsigned char *out);
66&function_begin("RC4"); 156&function_begin("RC4");
67 &mov ($dat,&wparam(0)); # load key schedule pointer 157 &mov ($dat,&wparam(0)); # load key schedule pointer
@@ -94,11 +184,56 @@ sub RC4_loop {
94 &and ($ty,-4); # how many 4-byte chunks? 184 &and ($ty,-4); # how many 4-byte chunks?
95 &jz (&label("loop1")); 185 &jz (&label("loop1"));
96 186
187 &test ($ty,-8);
188 &mov (&wparam(3),$out); # $out as accumulator in these loops
189 &jz (&label("go4loop4"));
190
191 &picmeup($out,"OPENSSL_ia32cap_P");
192 &bt (&DWP(0,$out),26); # check SSE2 bit [could have been MMX]
193 &jnc (&label("go4loop4"));
194
195 &mov ($out,&wparam(3)) if (!$alt);
196 &movd ("mm7",&wparam(3)) if ($alt);
197 &and ($ty,-8);
198 &lea ($ty,&DWP(-8,$inp,$ty));
199 &mov (&DWP(-4,$dat),$ty); # save input+(len/8)*8-8
200
201 &$RC4_loop_mmx(-1);
202 &jmp(&label("loop_mmx_enter"));
203
204 &set_label("loop_mmx",16);
205 &$RC4_loop_mmx(0);
206 &set_label("loop_mmx_enter");
207 for ($i=1;$i<8;$i++) { &$RC4_loop_mmx($i); }
208 &mov ($ty,$yy);
209 &xor ($yy,$yy); # this is second key to Core2
210 &mov (&LB($yy),&LB($ty)); # and Westmere performance...
211 &cmp ($inp,&DWP(-4,$dat));
212 &lea ($inp,&DWP(8,$inp));
213 &jb (&label("loop_mmx"));
214
215 if ($alt) {
216 &movd ($out,"mm7");
217 &pxor ("mm2","mm0");
218 &psllq ("mm1",8);
219 &pxor ("mm1","mm2");
220 &movq (&QWP(-8,$out,$inp),"mm1");
221 } else {
222 &psllq ("mm1",56);
223 &pxor ("mm2","mm1");
224 &movq (&QWP(-8,$out,$inp),"mm2");
225 }
226 &emms ();
227
228 &cmp ($inp,&wparam(1)); # compare to input+len
229 &je (&label("done"));
230 &jmp (&label("loop1"));
231
232&set_label("go4loop4",16);
97 &lea ($ty,&DWP(-4,$inp,$ty)); 233 &lea ($ty,&DWP(-4,$inp,$ty));
98 &mov (&wparam(2),$ty); # save input+(len/4)*4-4 234 &mov (&wparam(2),$ty); # save input+(len/4)*4-4
99 &mov (&wparam(3),$out); # $out as accumulator in this loop
100 235
101 &set_label("loop4",16); 236 &set_label("loop4");
102 for ($i=0;$i<4;$i++) { RC4_loop($i); } 237 for ($i=0;$i<4;$i++) { RC4_loop($i); }
103 &ror ($out,8); 238 &ror ($out,8);
104 &xor ($out,&DWP(0,$inp)); 239 &xor ($out,&DWP(0,$inp));
@@ -151,7 +286,7 @@ sub RC4_loop {
151 286
152&set_label("done"); 287&set_label("done");
153 &dec (&LB($xx)); 288 &dec (&LB($xx));
154 &mov (&BP(-4,$dat),&LB($yy)); # save key->y 289 &mov (&DWP(-4,$dat),$yy); # save key->y
155 &mov (&BP(-8,$dat),&LB($xx)); # save key->x 290 &mov (&BP(-8,$dat),&LB($xx)); # save key->x
156&set_label("abort"); 291&set_label("abort");
157&function_end("RC4"); 292&function_end("RC4");
@@ -164,10 +299,8 @@ $idi="ebp";
164$ido="ecx"; 299$ido="ecx";
165$idx="edx"; 300$idx="edx";
166 301
167&external_label("OPENSSL_ia32cap_P");
168
169# void RC4_set_key(RC4_KEY *key,int len,const unsigned char *data); 302# void RC4_set_key(RC4_KEY *key,int len,const unsigned char *data);
170&function_begin("RC4_set_key"); 303&function_begin("private_RC4_set_key");
171 &mov ($out,&wparam(0)); # load key 304 &mov ($out,&wparam(0)); # load key
172 &mov ($idi,&wparam(1)); # load len 305 &mov ($idi,&wparam(1)); # load len
173 &mov ($inp,&wparam(2)); # load data 306 &mov ($inp,&wparam(2)); # load data
@@ -245,7 +378,7 @@ $idx="edx";
245 &xor ("eax","eax"); 378 &xor ("eax","eax");
246 &mov (&DWP(-8,$out),"eax"); # key->x=0; 379 &mov (&DWP(-8,$out),"eax"); # key->x=0;
247 &mov (&DWP(-4,$out),"eax"); # key->y=0; 380 &mov (&DWP(-4,$out),"eax"); # key->y=0;
248&function_end("RC4_set_key"); 381&function_end("private_RC4_set_key");
249 382
250# const char *RC4_options(void); 383# const char *RC4_options(void);
251&function_begin_B("RC4_options"); 384&function_begin_B("RC4_options");
@@ -254,14 +387,21 @@ $idx="edx";
254 &blindpop("eax"); 387 &blindpop("eax");
255 &lea ("eax",&DWP(&label("opts")."-".&label("pic_point"),"eax")); 388 &lea ("eax",&DWP(&label("opts")."-".&label("pic_point"),"eax"));
256 &picmeup("edx","OPENSSL_ia32cap_P"); 389 &picmeup("edx","OPENSSL_ia32cap_P");
257 &bt (&DWP(0,"edx"),20); 390 &mov ("edx",&DWP(0,"edx"));
258 &jnc (&label("skip")); 391 &bt ("edx",20);
259 &add ("eax",12); 392 &jc (&label("1xchar"));
260 &set_label("skip"); 393 &bt ("edx",26);
394 &jnc (&label("ret"));
395 &add ("eax",25);
396 &ret ();
397&set_label("1xchar");
398 &add ("eax",12);
399&set_label("ret");
261 &ret (); 400 &ret ();
262&set_label("opts",64); 401&set_label("opts",64);
263&asciz ("rc4(4x,int)"); 402&asciz ("rc4(4x,int)");
264&asciz ("rc4(1x,char)"); 403&asciz ("rc4(1x,char)");
404&asciz ("rc4(8x,mmx)");
265&asciz ("RC4 for x86, CRYPTOGAMS by <appro\@openssl.org>"); 405&asciz ("RC4 for x86, CRYPTOGAMS by <appro\@openssl.org>");
266&align (64); 406&align (64);
267&function_end_B("RC4_options"); 407&function_end_B("RC4_options");
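Review bot: `if ($alt=0) {` at the top of the new MMX/SSE block is an assignment, not a comparison; it works because it both sets `$alt` (read later by `&mov ($out,&wparam(3)) if (!$alt);`, `&movd ("mm7",&wparam(3)) if ($alt);` and the `if ($alt)` epilogue) and selects the second branch, but it reads as a typo and invites a well-meaning "fix" that would silently switch code paths. Declaring the switch explicitly, `my $alt=0; # 1: pinsrw-free variant (faster on Atom/Sandy Bridge, slower on Core2/Westmere)` followed by `if ($alt) {`, keeps the behaviour and documents the choice. The comment typos `performane` and `Whithout` in the same block could be corrected in the same pass.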
diff --git a/src/lib/libcrypto/rc4/asm/rc4-x86_64.pl b/src/lib/libcrypto/rc4/asm/rc4-x86_64.pl
index 544386bf53..ac2c05074e 100755
--- a/src/lib/libcrypto/rc4/asm/rc4-x86_64.pl
+++ b/src/lib/libcrypto/rc4/asm/rc4-x86_64.pl
@@ -7,6 +7,8 @@
7# details see http://www.openssl.org/~appro/cryptogams/. 7# details see http://www.openssl.org/~appro/cryptogams/.
8# ==================================================================== 8# ====================================================================
9# 9#
10# July 2004
11#
10# 2.22x RC4 tune-up:-) It should be noted though that my hand [as in 12# 2.22x RC4 tune-up:-) It should be noted though that my hand [as in
11# "hand-coded assembler"] doesn't stand for the whole improvement 13# "hand-coded assembler"] doesn't stand for the whole improvement
12# coefficient. It turned out that eliminating RC4_CHAR from config 14# coefficient. It turned out that eliminating RC4_CHAR from config
@@ -19,6 +21,8 @@
19# to operate on partial registers, it turned out to be the best bet. 21# to operate on partial registers, it turned out to be the best bet.
20# At least for AMD... How IA32E would perform remains to be seen... 22# At least for AMD... How IA32E would perform remains to be seen...
21 23
24# November 2004
25#
22# As was shown by Marc Bevand reordering of couple of load operations 26# As was shown by Marc Bevand reordering of couple of load operations
23# results in even higher performance gain of 3.3x:-) At least on 27# results in even higher performance gain of 3.3x:-) At least on
24# Opteron... For reference, 1x in this case is RC4_CHAR C-code 28# Opteron... For reference, 1x in this case is RC4_CHAR C-code
@@ -26,6 +30,8 @@
26# Latter means that if you want to *estimate* what to expect from 30# Latter means that if you want to *estimate* what to expect from
27# *your* Opteron, then multiply 54 by 3.3 and clock frequency in GHz. 31# *your* Opteron, then multiply 54 by 3.3 and clock frequency in GHz.
28 32
33# November 2004
34#
29# Intel P4 EM64T core was found to run the AMD64 code really slow... 35# Intel P4 EM64T core was found to run the AMD64 code really slow...
30# The only way to achieve comparable performance on P4 was to keep 36# The only way to achieve comparable performance on P4 was to keep
31# RC4_CHAR. Kind of ironic, huh? As it's apparently impossible to 37# RC4_CHAR. Kind of ironic, huh? As it's apparently impossible to
@@ -33,10 +39,14 @@
33# on either AMD and Intel platforms, I implement both cases. See 39# on either AMD and Intel platforms, I implement both cases. See
34# rc4_skey.c for further details... 40# rc4_skey.c for further details...
35 41
42# April 2005
43#
36# P4 EM64T core appears to be "allergic" to 64-bit inc/dec. Replacing 44# P4 EM64T core appears to be "allergic" to 64-bit inc/dec. Replacing
37# those with add/sub results in 50% performance improvement of folded 45# those with add/sub results in 50% performance improvement of folded
38# loop... 46# loop...
39 47
48# May 2005
49#
40# As was shown by Zou Nanhai loop unrolling can improve Intel EM64T 50# As was shown by Zou Nanhai loop unrolling can improve Intel EM64T
41# performance by >30% [unlike P4 32-bit case that is]. But this is 51# performance by >30% [unlike P4 32-bit case that is]. But this is
42# provided that loads are reordered even more aggressively! Both code 52# provided that loads are reordered even more aggressively! Both code
@@ -50,6 +60,8 @@
50# is not implemented, then this final RC4_CHAR code-path should be 60# is not implemented, then this final RC4_CHAR code-path should be
51# preferred, as it provides better *all-round* performance]. 61# preferred, as it provides better *all-round* performance].
52 62
63# March 2007
64#
53# Intel Core2 was observed to perform poorly on both code paths:-( It 65# Intel Core2 was observed to perform poorly on both code paths:-( It
54# apparently suffers from some kind of partial register stall, which 66# apparently suffers from some kind of partial register stall, which
55# occurs in 64-bit mode only [as virtually identical 32-bit loop was 67# occurs in 64-bit mode only [as virtually identical 32-bit loop was
@@ -58,6 +70,37 @@
58# fit for Core2 and therefore the code was modified to skip cloop8 on 70# fit for Core2 and therefore the code was modified to skip cloop8 on
59# this CPU. 71# this CPU.
60 72
73# May 2010
74#
75# Intel Westmere was observed to perform suboptimally. Adding yet
76# another movzb to cloop1 improved performance by almost 50%! Core2
77# performance is improved too, but nominally...
78
79# May 2011
80#
81# The only code path that was not modified is P4-specific one. Non-P4
82# Intel code path optimization is heavily based on submission by Maxim
83# Perminov, Maxim Locktyukhin and Jim Guilford of Intel. I've used
84# some of the ideas even in attempt to optmize the original RC4_INT
85# code path... Current performance in cycles per processed byte (less
86# is better) and improvement coefficients relative to previous
87# version of this module are:
88#
89# Opteron 5.3/+0%(*)
90# P4 6.5
91# Core2 6.2/+15%(**)
92# Westmere 4.2/+60%
93# Sandy Bridge 4.2/+120%
94# Atom 9.3/+80%
95#
96# (*) But corresponding loop has less instructions, which should have
97# positive effect on upcoming Bulldozer, which has one less ALU.
98# For reference, Intel code runs at 6.8 cpb rate on Opteron.
99# (**) Note that Core2 result is ~15% lower than corresponding result
100# for 32-bit code, meaning that it's possible to improve it,
101# but more than likely at the cost of the others (see rc4-586.pl
102# to get the idea)...
103
61$flavour = shift; 104$flavour = shift;
62$output = shift; 105$output = shift;
63if ($flavour =~ /\./) { $output = $flavour; undef $flavour; } 106if ($flavour =~ /\./) { $output = $flavour; undef $flavour; }
@@ -76,13 +119,10 @@ $len="%rsi"; # arg2
76$inp="%rdx"; # arg3 119$inp="%rdx"; # arg3
77$out="%rcx"; # arg4 120$out="%rcx"; # arg4
78 121
79@XX=("%r8","%r10"); 122{
80@TX=("%r9","%r11");
81$YY="%r12";
82$TY="%r13";
83
84$code=<<___; 123$code=<<___;
85.text 124.text
125.extern OPENSSL_ia32cap_P
86 126
87.globl RC4 127.globl RC4
88.type RC4,\@function,4 128.type RC4,\@function,4
@@ -95,48 +135,173 @@ RC4: or $len,$len
95 push %r12 135 push %r12
96 push %r13 136 push %r13
97.Lprologue: 137.Lprologue:
138 mov $len,%r11
139 mov $inp,%r12
140 mov $out,%r13
141___
142my $len="%r11"; # reassign input arguments
143my $inp="%r12";
144my $out="%r13";
98 145
99 add \$8,$dat 146my @XX=("%r10","%rsi");
100 movl -8($dat),$XX[0]#d 147my @TX=("%rax","%rbx");
101 movl -4($dat),$YY#d 148my $YY="%rcx";
149my $TY="%rdx";
150
151$code.=<<___;
152 xor $XX[0],$XX[0]
153 xor $YY,$YY
154
155 lea 8($dat),$dat
156 mov -8($dat),$XX[0]#b
157 mov -4($dat),$YY#b
102 cmpl \$-1,256($dat) 158 cmpl \$-1,256($dat)
103 je .LRC4_CHAR 159 je .LRC4_CHAR
160 mov OPENSSL_ia32cap_P(%rip),%r8d
161 xor $TX[1],$TX[1]
104 inc $XX[0]#b 162 inc $XX[0]#b
163 sub $XX[0],$TX[1]
164 sub $inp,$out
105 movl ($dat,$XX[0],4),$TX[0]#d 165 movl ($dat,$XX[0],4),$TX[0]#d
106 test \$-8,$len 166 test \$-16,$len
107 jz .Lloop1 167 jz .Lloop1
108 jmp .Lloop8 168 bt \$30,%r8d # Intel CPU?
169 jc .Lintel
170 and \$7,$TX[1]
171 lea 1($XX[0]),$XX[1]
172 jz .Loop8
173 sub $TX[1],$len
174.Loop8_warmup:
175 add $TX[0]#b,$YY#b
176 movl ($dat,$YY,4),$TY#d
177 movl $TX[0]#d,($dat,$YY,4)
178 movl $TY#d,($dat,$XX[0],4)
179 add $TY#b,$TX[0]#b
180 inc $XX[0]#b
181 movl ($dat,$TX[0],4),$TY#d
182 movl ($dat,$XX[0],4),$TX[0]#d
183 xorb ($inp),$TY#b
184 movb $TY#b,($out,$inp)
185 lea 1($inp),$inp
186 dec $TX[1]
187 jnz .Loop8_warmup
188
189 lea 1($XX[0]),$XX[1]
190 jmp .Loop8
109.align 16 191.align 16
110.Lloop8: 192.Loop8:
111___ 193___
112for ($i=0;$i<8;$i++) { 194for ($i=0;$i<8;$i++) {
195$code.=<<___ if ($i==7);
196 add \$8,$XX[1]#b
197___
113$code.=<<___; 198$code.=<<___;
114 add $TX[0]#b,$YY#b 199 add $TX[0]#b,$YY#b
115 mov $XX[0],$XX[1]
116 movl ($dat,$YY,4),$TY#d 200 movl ($dat,$YY,4),$TY#d
117 ror \$8,%rax # ror is redundant when $i=0
118 inc $XX[1]#b
119 movl ($dat,$XX[1],4),$TX[1]#d
120 cmp $XX[1],$YY
121 movl $TX[0]#d,($dat,$YY,4) 201 movl $TX[0]#d,($dat,$YY,4)
122 cmove $TX[0],$TX[1] 202 movl `4*($i==7?-1:$i)`($dat,$XX[1],4),$TX[1]#d
123 movl $TY#d,($dat,$XX[0],4) 203 ror \$8,%r8 # ror is redundant when $i=0
204 movl $TY#d,4*$i($dat,$XX[0],4)
124 add $TX[0]#b,$TY#b 205 add $TX[0]#b,$TY#b
125 movb ($dat,$TY,4),%al 206 movb ($dat,$TY,4),%r8b
126___ 207___
127push(@TX,shift(@TX)); push(@XX,shift(@XX)); # "rotate" registers 208push(@TX,shift(@TX)); #push(@XX,shift(@XX)); # "rotate" registers
128} 209}
129$code.=<<___; 210$code.=<<___;
130 ror \$8,%rax 211 add \$8,$XX[0]#b
212 ror \$8,%r8
131 sub \$8,$len 213 sub \$8,$len
132 214
133 xor ($inp),%rax 215 xor ($inp),%r8
134 add \$8,$inp 216 mov %r8,($out,$inp)
135 mov %rax,($out) 217 lea 8($inp),$inp
136 add \$8,$out
137 218
138 test \$-8,$len 219 test \$-8,$len
139 jnz .Lloop8 220 jnz .Loop8
221 cmp \$0,$len
222 jne .Lloop1
223 jmp .Lexit
224
225.align 16
226.Lintel:
227 test \$-32,$len
228 jz .Lloop1
229 and \$15,$TX[1]
230 jz .Loop16_is_hot
231 sub $TX[1],$len
232.Loop16_warmup:
233 add $TX[0]#b,$YY#b
234 movl ($dat,$YY,4),$TY#d
235 movl $TX[0]#d,($dat,$YY,4)
236 movl $TY#d,($dat,$XX[0],4)
237 add $TY#b,$TX[0]#b
238 inc $XX[0]#b
239 movl ($dat,$TX[0],4),$TY#d
240 movl ($dat,$XX[0],4),$TX[0]#d
241 xorb ($inp),$TY#b
242 movb $TY#b,($out,$inp)
243 lea 1($inp),$inp
244 dec $TX[1]
245 jnz .Loop16_warmup
246
247 mov $YY,$TX[1]
248 xor $YY,$YY
249 mov $TX[1]#b,$YY#b
250
251.Loop16_is_hot:
252 lea ($dat,$XX[0],4),$XX[1]
253___
254sub RC4_loop {
255 my $i=shift;
256 my $j=$i<0?0:$i;
257 my $xmm="%xmm".($j&1);
258
259 $code.=" add \$16,$XX[0]#b\n" if ($i==15);
260 $code.=" movdqu ($inp),%xmm2\n" if ($i==15);
261 $code.=" add $TX[0]#b,$YY#b\n" if ($i<=0);
262 $code.=" movl ($dat,$YY,4),$TY#d\n";
263 $code.=" pxor %xmm0,%xmm2\n" if ($i==0);
264 $code.=" psllq \$8,%xmm1\n" if ($i==0);
265 $code.=" pxor $xmm,$xmm\n" if ($i<=1);
266 $code.=" movl $TX[0]#d,($dat,$YY,4)\n";
267 $code.=" add $TY#b,$TX[0]#b\n";
268 $code.=" movl `4*($j+1)`($XX[1]),$TX[1]#d\n" if ($i<15);
269 $code.=" movz $TX[0]#b,$TX[0]#d\n";
270 $code.=" movl $TY#d,4*$j($XX[1])\n";
271 $code.=" pxor %xmm1,%xmm2\n" if ($i==0);
272 $code.=" lea ($dat,$XX[0],4),$XX[1]\n" if ($i==15);
273 $code.=" add $TX[1]#b,$YY#b\n" if ($i<15);
274 $code.=" pinsrw \$`($j>>1)&7`,($dat,$TX[0],4),$xmm\n";
275 $code.=" movdqu %xmm2,($out,$inp)\n" if ($i==0);
276 $code.=" lea 16($inp),$inp\n" if ($i==0);
277 $code.=" movl ($XX[1]),$TX[1]#d\n" if ($i==15);
278}
279 RC4_loop(-1);
280$code.=<<___;
281 jmp .Loop16_enter
282.align 16
283.Loop16:
284___
285
286for ($i=0;$i<16;$i++) {
287 $code.=".Loop16_enter:\n" if ($i==1);
288 RC4_loop($i);
289 push(@TX,shift(@TX)); # "rotate" registers
290}
291$code.=<<___;
292 mov $YY,$TX[1]
293 xor $YY,$YY # keyword to partial register
294 sub \$16,$len
295 mov $TX[1]#b,$YY#b
296 test \$-16,$len
297 jnz .Loop16
298
299 psllq \$8,%xmm1
300 pxor %xmm0,%xmm2
301 pxor %xmm1,%xmm2
302 movdqu %xmm2,($out,$inp)
303 lea 16($inp),$inp
304
140 cmp \$0,$len 305 cmp \$0,$len
141 jne .Lloop1 306 jne .Lloop1
142 jmp .Lexit 307 jmp .Lexit
@@ -152,9 +317,8 @@ $code.=<<___;
152 movl ($dat,$TX[0],4),$TY#d 317 movl ($dat,$TX[0],4),$TY#d
153 movl ($dat,$XX[0],4),$TX[0]#d 318 movl ($dat,$XX[0],4),$TX[0]#d
154 xorb ($inp),$TY#b 319 xorb ($inp),$TY#b
155 inc $inp 320 movb $TY#b,($out,$inp)
156 movb $TY#b,($out) 321 lea 1($inp),$inp
157 inc $out
158 dec $len 322 dec $len
159 jnz .Lloop1 323 jnz .Lloop1
160 jmp .Lexit 324 jmp .Lexit
@@ -165,13 +329,11 @@ $code.=<<___;
165 movzb ($dat,$XX[0]),$TX[0]#d 329 movzb ($dat,$XX[0]),$TX[0]#d
166 test \$-8,$len 330 test \$-8,$len
167 jz .Lcloop1 331 jz .Lcloop1
168 cmpl \$0,260($dat)
169 jnz .Lcloop1
170 jmp .Lcloop8 332 jmp .Lcloop8
171.align 16 333.align 16
172.Lcloop8: 334.Lcloop8:
173 mov ($inp),%eax 335 mov ($inp),%r8d
174 mov 4($inp),%ebx 336 mov 4($inp),%r9d
175___ 337___
176# unroll 2x4-wise, because 64-bit rotates kill Intel P4... 338# unroll 2x4-wise, because 64-bit rotates kill Intel P4...
177for ($i=0;$i<4;$i++) { 339for ($i=0;$i<4;$i++) {
@@ -188,8 +350,8 @@ $code.=<<___;
188 mov $TX[0],$TX[1] 350 mov $TX[0],$TX[1]
189.Lcmov$i: 351.Lcmov$i:
190 add $TX[0]#b,$TY#b 352 add $TX[0]#b,$TY#b
191 xor ($dat,$TY),%al 353 xor ($dat,$TY),%r8b
192 ror \$8,%eax 354 ror \$8,%r8d
193___ 355___
194push(@TX,shift(@TX)); push(@XX,shift(@XX)); # "rotate" registers 356push(@TX,shift(@TX)); push(@XX,shift(@XX)); # "rotate" registers
195} 357}
@@ -207,16 +369,16 @@ $code.=<<___;
207 mov $TX[0],$TX[1] 369 mov $TX[0],$TX[1]
208.Lcmov$i: 370.Lcmov$i:
209 add $TX[0]#b,$TY#b 371 add $TX[0]#b,$TY#b
210 xor ($dat,$TY),%bl 372 xor ($dat,$TY),%r9b
211 ror \$8,%ebx 373 ror \$8,%r9d
212___ 374___
213push(@TX,shift(@TX)); push(@XX,shift(@XX)); # "rotate" registers 375push(@TX,shift(@TX)); push(@XX,shift(@XX)); # "rotate" registers
214} 376}
215$code.=<<___; 377$code.=<<___;
216 lea -8($len),$len 378 lea -8($len),$len
217 mov %eax,($out) 379 mov %r8d,($out)
218 lea 8($inp),$inp 380 lea 8($inp),$inp
219 mov %ebx,4($out) 381 mov %r9d,4($out)
220 lea 8($out),$out 382 lea 8($out),$out
221 383
222 test \$-8,$len 384 test \$-8,$len
@@ -229,6 +391,7 @@ $code.=<<___;
229.align 16 391.align 16
230.Lcloop1: 392.Lcloop1:
231 add $TX[0]#b,$YY#b 393 add $TX[0]#b,$YY#b
394 movzb $YY#b,$YY#d
232 movzb ($dat,$YY),$TY#d 395 movzb ($dat,$YY),$TY#d
233 movb $TX[0]#b,($dat,$YY) 396 movb $TX[0]#b,($dat,$YY)
234 movb $TY#b,($dat,$XX[0]) 397 movb $TY#b,($dat,$XX[0])
@@ -260,16 +423,16 @@ $code.=<<___;
260 ret 423 ret
261.size RC4,.-RC4 424.size RC4,.-RC4
262___ 425___
426}
263 427
264$idx="%r8"; 428$idx="%r8";
265$ido="%r9"; 429$ido="%r9";
266 430
267$code.=<<___; 431$code.=<<___;
268.extern OPENSSL_ia32cap_P 432.globl private_RC4_set_key
269.globl RC4_set_key 433.type private_RC4_set_key,\@function,3
270.type RC4_set_key,\@function,3
271.align 16 434.align 16
272RC4_set_key: 435private_RC4_set_key:
273 lea 8($dat),$dat 436 lea 8($dat),$dat
274 lea ($inp,$len),$inp 437 lea ($inp,$len),$inp
275 neg $len 438 neg $len
@@ -280,12 +443,9 @@ RC4_set_key:
280 xor %r11,%r11 443 xor %r11,%r11
281 444
282 mov PIC_GOT(OPENSSL_ia32cap_P),$idx#d 445 mov PIC_GOT(OPENSSL_ia32cap_P),$idx#d
283 bt \$20,$idx#d 446 bt \$20,$idx#d # RC4_CHAR?
284 jnc .Lw1stloop 447 jc .Lc1stloop
285 bt \$30,$idx#d 448 jmp .Lw1stloop
286 setc $ido#b
287 mov $ido#d,260($dat)
288 jmp .Lc1stloop
289 449
290.align 16 450.align 16
291.Lw1stloop: 451.Lw1stloop:
@@ -339,7 +499,7 @@ RC4_set_key:
339 mov %eax,-8($dat) 499 mov %eax,-8($dat)
340 mov %eax,-4($dat) 500 mov %eax,-4($dat)
341 ret 501 ret
342.size RC4_set_key,.-RC4_set_key 502.size private_RC4_set_key,.-private_RC4_set_key
343 503
344.globl RC4_options 504.globl RC4_options
345.type RC4_options,\@abi-omnipotent 505.type RC4_options,\@abi-omnipotent
@@ -348,18 +508,20 @@ RC4_options:
348 lea .Lopts(%rip),%rax 508 lea .Lopts(%rip),%rax
349 mov PIC_GOT(OPENSSL_ia32cap_P),%edx 509 mov PIC_GOT(OPENSSL_ia32cap_P),%edx
350 bt \$20,%edx 510 bt \$20,%edx
351 jnc .Ldone 511 jc .L8xchar
352 add \$12,%rax
353 bt \$30,%edx 512 bt \$30,%edx
354 jnc .Ldone 513 jnc .Ldone
355 add \$13,%rax 514 add \$25,%rax
515 ret
516.L8xchar:
517 add \$12,%rax
356.Ldone: 518.Ldone:
357 ret 519 ret
358.align 64 520.align 64
359.Lopts: 521.Lopts:
360.asciz "rc4(8x,int)" 522.asciz "rc4(8x,int)"
361.asciz "rc4(8x,char)" 523.asciz "rc4(8x,char)"
362.asciz "rc4(1x,char)" 524.asciz "rc4(16x,int)"
363.asciz "RC4 for x86_64, CRYPTOGAMS by <appro\@openssl.org>" 525.asciz "RC4 for x86_64, CRYPTOGAMS by <appro\@openssl.org>"
364.align 64 526.align 64
365.size RC4_options,.-RC4_options 527.size RC4_options,.-RC4_options
@@ -482,22 +644,32 @@ key_se_handler:
482 .rva .LSEH_end_RC4 644 .rva .LSEH_end_RC4
483 .rva .LSEH_info_RC4 645 .rva .LSEH_info_RC4
484 646
485 .rva .LSEH_begin_RC4_set_key 647 .rva .LSEH_begin_private_RC4_set_key
486 .rva .LSEH_end_RC4_set_key 648 .rva .LSEH_end_private_RC4_set_key
487 .rva .LSEH_info_RC4_set_key 649 .rva .LSEH_info_private_RC4_set_key
488 650
489.section .xdata 651.section .xdata
490.align 8 652.align 8
491.LSEH_info_RC4: 653.LSEH_info_RC4:
492 .byte 9,0,0,0 654 .byte 9,0,0,0
493 .rva stream_se_handler 655 .rva stream_se_handler
494.LSEH_info_RC4_set_key: 656.LSEH_info_private_RC4_set_key:
495 .byte 9,0,0,0 657 .byte 9,0,0,0
496 .rva key_se_handler 658 .rva key_se_handler
497___ 659___
498} 660}
499 661
500$code =~ s/#([bwd])/$1/gm; 662sub reg_part {
663my ($reg,$conv)=@_;
664 if ($reg =~ /%r[0-9]+/) { $reg .= $conv; }
665 elsif ($conv eq "b") { $reg =~ s/%[er]([^x]+)x?/%$1l/; }
666 elsif ($conv eq "w") { $reg =~ s/%[er](.+)/%$1/; }
667 elsif ($conv eq "d") { $reg =~ s/%[er](.+)/%e$1/; }
668 return $reg;
669}
670
671$code =~ s/(%[a-z0-9]+)#([bwd])/reg_part($1,$2)/gem;
672$code =~ s/\`([^\`]*)\`/eval $1/gem;
501 673
502print $code; 674print $code;
503 675
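--- a/src/lib/libcrypto/rc4/rc4.h
+++ b/src/lib/libcrypto/rc4/rc4.h
@@ -79,6 +79,7 @@ typedef struct rc4_key_st
 
 const char *RC4_options(void);
 void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data);
+void private_RC4_set_key(RC4_KEY *key, int len, const unsigned char *data);
 void RC4(RC4_KEY *key, size_t len, const unsigned char *indata,
 	unsigned char *outdata);
 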
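Review bot: The new `private_RC4_set_key` declaration is unconditional, while the `private_RIPEMD160_Init` declaration this same commit adds to ripemd.h is wrapped in `#ifdef OPENSSL_FIPS`; rc4_skey.c now defines `private_RC4_set_key` in every build, so the unconditional form looks right here, but the two headers should follow one rule. Nothing tells a reader which of the two names applications are meant to call; a one-line comment would settle it: `/* raw key-schedule entry point; applications keep calling RC4_set_key() */`, adjusted to match whatever wrapper is defined for `RC4_set_key` outside this chunk.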
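--- a/src/lib/libcrypto/rc4/rc4_skey.c
+++ b/src/lib/libcrypto/rc4/rc4_skey.c
@@ -85,7 +85,7 @@ const char *RC4_options(void)
  * Date: Wed, 14 Sep 1994 06:35:31 GMT
  */
 
-void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data)
+void private_RC4_set_key(RC4_KEY *key, int len, const unsigned char *data)
 	{
 	register RC4_INT tmp;
 	register int id1,id2;
@@ -104,40 +104,6 @@ void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data)
 		d[(n)]=d[id2]; \
 		d[id2]=tmp; }
 
-#if defined(OPENSSL_CPUID_OBJ) && !defined(OPENSSL_NO_ASM)
-# if defined(__i386) || defined(__i386__) || defined(_M_IX86) || \
-	defined(__INTEL__) || \
-	defined(__x86_64) || defined(__x86_64__) || defined(_M_AMD64)
-	if (sizeof(RC4_INT) > 1) {
-		/*
-		 * Unlike all other x86 [and x86_64] implementations,
-		 * Intel P4 core [including EM64T] was found to perform
-		 * poorly with wider RC4_INT. Performance improvement
-		 * for IA-32 hand-coded assembler turned out to be 2.8x
-		 * if re-coded for RC4_CHAR! It's however inappropriate
-		 * to just switch to RC4_CHAR for x86[_64], as non-P4
-		 * implementations suffer from significant performance
-		 * losses then, e.g. PIII exhibits >2x deterioration,
-		 * and so does Opteron. In order to assure optimal
-		 * all-round performance, let us [try to] detect P4 at
-		 * run-time by checking upon HTT bit in CPU capability
-		 * vector and set up compressed key schedule, which is
-		 * recognized by correspondingly updated assembler
-		 * module...
-		 * <appro@fy.chalmers.se>
-		 */
-		if (OPENSSL_ia32cap_P & (1<<28)) {
-			unsigned char *cp=(unsigned char *)d;
-
-			for (i=0;i<256;i++) cp[i]=i;
-			for (i=0;i<256;i++) SK_LOOP(cp,i);
-			/* mark schedule as compressed! */
-			d[256/sizeof(RC4_INT)]=-1;
-			return;
-		}
-	}
-# endif
-#endif
 	for (i=0; i < 256; i++) d[i]=i;
 	for (i=0; i < 256; i+=4)
 		{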
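Review bot: After this change nothing in the chunk defines `RC4_set_key` any more: the C definition at new line 88 becomes `private_RC4_set_key`, the x86_64 assembler in the preceding section renames its entry point the same way, and rc4.h still declares both names. Presumably a wrapper `RC4_set_key()` that forwards to `private_RC4_set_key()` (and gates it in FIPS builds) is added in a file outside this chunk; if it is not, every caller of `RC4_set_key` fails to link. A comment above the renamed function would spare the next reader the hunt and record that the old runtime P4 "compressed schedule" path (the removed `OPENSSL_ia32cap_P & (1<<28)` block and its `d[256/sizeof(RC4_INT)]=-1` marker, which the assembler no longer tests at `260($dat)`) is gone on purpose: `/* Raw key schedule. The public RC4_set_key() wrapper (FIPS gate) is defined elsewhere; key layout is now always the plain RC4_INT table. */`. The function body continues past the end of the second hunk.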
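--- a/src/lib/libcrypto/ripemd/ripemd.h
+++ b/src/lib/libcrypto/ripemd/ripemd.h
@@ -91,6 +91,9 @@ typedef struct RIPEMD160state_st
 	unsigned int num;
 	} RIPEMD160_CTX;
 
+#ifdef OPENSSL_FIPS
+int private_RIPEMD160_Init(RIPEMD160_CTX *c);
+#endif
 int RIPEMD160_Init(RIPEMD160_CTX *c);
 int RIPEMD160_Update(RIPEMD160_CTX *c, const void *data, size_t len);
 int RIPEMD160_Final(unsigned char *md, RIPEMD160_CTX *c);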
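--- a/src/lib/libcrypto/ripemd/rmd_dgst.c
+++ b/src/lib/libcrypto/ripemd/rmd_dgst.c
@@ -59,6 +59,7 @@
 #include <stdio.h>
 #include "rmd_locl.h"
 #include <openssl/opensslv.h>
+#include <openssl/crypto.h>
 
 const char RMD160_version[]="RIPE-MD160" OPENSSL_VERSION_PTEXT;
 
@@ -69,7 +70,7 @@ const char RMD160_version[]="RIPE-MD160" OPENSSL_VERSION_PTEXT;
 	void ripemd160_block(RIPEMD160_CTX *c, unsigned long *p,size_t num);
 # endif
 
-int RIPEMD160_Init(RIPEMD160_CTX *c)
+fips_md_init(RIPEMD160)
 	{
 	memset (c,0,sizeof(*c));
 	c->A=RIPEMD160_A;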
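Review bot: `fips_md_init(RIPEMD160)` at new line 73 replaces the visible signature with a macro, so a reader of this file can no longer see that it defines `RIPEMD160_Init(RIPEMD160_CTX *c)` — nor, presumably, the `private_RIPEMD160_Init` that the matching ripemd.h hunk declares under `OPENSSL_FIPS`; the macro is not in this chunk and is presumably what the new `<openssl/crypto.h>` include supplies. A one-line comment above it would keep the file self-explaining: `/* fips_md_init() (crypto.h) expands to the RIPEMD160_Init() definition; FIPS builds route it through private_RIPEMD160_Init() */`, adjusted to the macro's actual expansion once confirmed. The function body continues past the end of the hunk.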
diff --git a/src/lib/libcrypto/rsa/Makefile b/src/lib/libcrypto/rsa/Makefile
index bb64223e05..f798d2f749 100644
--- a/src/lib/libcrypto/rsa/Makefile
+++ b/src/lib/libcrypto/rsa/Makefile
@@ -20,11 +20,11 @@ LIB=$(TOP)/libcrypto.a
20LIBSRC= rsa_eay.c rsa_gen.c rsa_lib.c rsa_sign.c rsa_saos.c rsa_err.c \ 20LIBSRC= rsa_eay.c rsa_gen.c rsa_lib.c rsa_sign.c rsa_saos.c rsa_err.c \
21 rsa_pk1.c rsa_ssl.c rsa_none.c rsa_oaep.c rsa_chk.c rsa_null.c \ 21 rsa_pk1.c rsa_ssl.c rsa_none.c rsa_oaep.c rsa_chk.c rsa_null.c \
22 rsa_pss.c rsa_x931.c rsa_asn1.c rsa_depr.c rsa_ameth.c rsa_prn.c \ 22 rsa_pss.c rsa_x931.c rsa_asn1.c rsa_depr.c rsa_ameth.c rsa_prn.c \
23 rsa_pmeth.c 23 rsa_pmeth.c rsa_crpt.c
24LIBOBJ= rsa_eay.o rsa_gen.o rsa_lib.o rsa_sign.o rsa_saos.o rsa_err.o \ 24LIBOBJ= rsa_eay.o rsa_gen.o rsa_lib.o rsa_sign.o rsa_saos.o rsa_err.o \
25 rsa_pk1.o rsa_ssl.o rsa_none.o rsa_oaep.o rsa_chk.o rsa_null.o \ 25 rsa_pk1.o rsa_ssl.o rsa_none.o rsa_oaep.o rsa_chk.o rsa_null.o \
26 rsa_pss.o rsa_x931.o rsa_asn1.o rsa_depr.o rsa_ameth.o rsa_prn.o \ 26 rsa_pss.o rsa_x931.o rsa_asn1.o rsa_depr.o rsa_ameth.o rsa_prn.o \
27 rsa_pmeth.o 27 rsa_pmeth.o rsa_crpt.o
28 28
29SRC= $(LIBSRC) 29SRC= $(LIBSRC)
30 30
@@ -100,11 +100,16 @@ rsa_asn1.o: ../../e_os.h ../../include/openssl/asn1.h
100rsa_asn1.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h 100rsa_asn1.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
101rsa_asn1.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h 101rsa_asn1.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
102rsa_asn1.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h 102rsa_asn1.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
103rsa_asn1.o: ../../include/openssl/err.h ../../include/openssl/lhash.h 103rsa_asn1.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
104rsa_asn1.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
105rsa_asn1.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
106rsa_asn1.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
104rsa_asn1.o: ../../include/openssl/opensslconf.h 107rsa_asn1.o: ../../include/openssl/opensslconf.h
105rsa_asn1.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h 108rsa_asn1.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
106rsa_asn1.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h 109rsa_asn1.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
110rsa_asn1.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
107rsa_asn1.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h 111rsa_asn1.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
112rsa_asn1.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
108rsa_asn1.o: ../cryptlib.h rsa_asn1.c 113rsa_asn1.o: ../cryptlib.h rsa_asn1.c
109rsa_chk.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h 114rsa_chk.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
110rsa_chk.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h 115rsa_chk.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
@@ -114,6 +119,21 @@ rsa_chk.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
114rsa_chk.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h 119rsa_chk.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
115rsa_chk.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h 120rsa_chk.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
116rsa_chk.o: rsa_chk.c 121rsa_chk.o: rsa_chk.c
122rsa_crpt.o: ../../e_os.h ../../include/openssl/asn1.h
123rsa_crpt.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
124rsa_crpt.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
125rsa_crpt.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
126rsa_crpt.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
127rsa_crpt.o: ../../include/openssl/engine.h ../../include/openssl/err.h
128rsa_crpt.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
129rsa_crpt.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
130rsa_crpt.o: ../../include/openssl/opensslconf.h
131rsa_crpt.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
132rsa_crpt.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
133rsa_crpt.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
134rsa_crpt.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
135rsa_crpt.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
136rsa_crpt.o: ../../include/openssl/x509_vfy.h ../cryptlib.h rsa_crpt.c
117rsa_depr.o: ../../e_os.h ../../include/openssl/asn1.h 137rsa_depr.o: ../../e_os.h ../../include/openssl/asn1.h
118rsa_depr.o: ../../include/openssl/bio.h ../../include/openssl/bn.h 138rsa_depr.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
119rsa_depr.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h 139rsa_depr.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
@@ -205,11 +225,12 @@ rsa_pk1.o: ../../include/openssl/symhacks.h ../cryptlib.h rsa_pk1.c
205rsa_pmeth.o: ../../e_os.h ../../include/openssl/asn1.h 225rsa_pmeth.o: ../../e_os.h ../../include/openssl/asn1.h
206rsa_pmeth.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h 226rsa_pmeth.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
207rsa_pmeth.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h 227rsa_pmeth.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
208rsa_pmeth.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h 228rsa_pmeth.o: ../../include/openssl/cms.h ../../include/openssl/crypto.h
209rsa_pmeth.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h 229rsa_pmeth.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
210rsa_pmeth.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h 230rsa_pmeth.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
211rsa_pmeth.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h 231rsa_pmeth.o: ../../include/openssl/err.h ../../include/openssl/evp.h
212rsa_pmeth.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h 232rsa_pmeth.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
233rsa_pmeth.o: ../../include/openssl/objects.h
213rsa_pmeth.o: ../../include/openssl/opensslconf.h 234rsa_pmeth.o: ../../include/openssl/opensslconf.h
214rsa_pmeth.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h 235rsa_pmeth.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
215rsa_pmeth.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h 236rsa_pmeth.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
diff --git a/src/lib/libcrypto/rsa/rsa.h b/src/lib/libcrypto/rsa/rsa.h
index cf74343657..4814a2fc15 100644
--- a/src/lib/libcrypto/rsa/rsa.h
+++ b/src/lib/libcrypto/rsa/rsa.h
@@ -222,12 +222,22 @@ struct rsa_st
222 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, -1, EVP_PKEY_CTRL_RSA_PADDING, \ 222 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, -1, EVP_PKEY_CTRL_RSA_PADDING, \
223 pad, NULL) 223 pad, NULL)
224 224
225#define EVP_PKEY_CTX_get_rsa_padding(ctx, ppad) \
226 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, -1, \
227 EVP_PKEY_CTRL_GET_RSA_PADDING, 0, ppad)
228
225#define EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, len) \ 229#define EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, len) \
226 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, \ 230 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, \
227 (EVP_PKEY_OP_SIGN|EVP_PKEY_OP_VERIFY), \ 231 (EVP_PKEY_OP_SIGN|EVP_PKEY_OP_VERIFY), \
228 EVP_PKEY_CTRL_RSA_PSS_SALTLEN, \ 232 EVP_PKEY_CTRL_RSA_PSS_SALTLEN, \
229 len, NULL) 233 len, NULL)
230 234
235#define EVP_PKEY_CTX_get_rsa_pss_saltlen(ctx, plen) \
236 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, \
237 (EVP_PKEY_OP_SIGN|EVP_PKEY_OP_VERIFY), \
238 EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN, \
239 0, plen)
240
231#define EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, bits) \ 241#define EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, bits) \
232 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN, \ 242 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN, \
233 EVP_PKEY_CTRL_RSA_KEYGEN_BITS, bits, NULL) 243 EVP_PKEY_CTRL_RSA_KEYGEN_BITS, bits, NULL)
@@ -236,11 +246,24 @@ struct rsa_st
236 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN, \ 246 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN, \
237 EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP, 0, pubexp) 247 EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP, 0, pubexp)
238 248
249#define EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, md) \
250 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_SIG, \
251 EVP_PKEY_CTRL_RSA_MGF1_MD, 0, (void *)md)
252
253#define EVP_PKEY_CTX_get_rsa_mgf1_md(ctx, pmd) \
254 EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_SIG, \
255 EVP_PKEY_CTRL_GET_RSA_MGF1_MD, 0, (void *)pmd)
256
239#define EVP_PKEY_CTRL_RSA_PADDING (EVP_PKEY_ALG_CTRL + 1) 257#define EVP_PKEY_CTRL_RSA_PADDING (EVP_PKEY_ALG_CTRL + 1)
240#define EVP_PKEY_CTRL_RSA_PSS_SALTLEN (EVP_PKEY_ALG_CTRL + 2) 258#define EVP_PKEY_CTRL_RSA_PSS_SALTLEN (EVP_PKEY_ALG_CTRL + 2)
241 259
242#define EVP_PKEY_CTRL_RSA_KEYGEN_BITS (EVP_PKEY_ALG_CTRL + 3) 260#define EVP_PKEY_CTRL_RSA_KEYGEN_BITS (EVP_PKEY_ALG_CTRL + 3)
243#define EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP (EVP_PKEY_ALG_CTRL + 4) 261#define EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP (EVP_PKEY_ALG_CTRL + 4)
262#define EVP_PKEY_CTRL_RSA_MGF1_MD (EVP_PKEY_ALG_CTRL + 5)
263
264#define EVP_PKEY_CTRL_GET_RSA_PADDING (EVP_PKEY_ALG_CTRL + 6)
265#define EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN (EVP_PKEY_ALG_CTRL + 7)
266#define EVP_PKEY_CTRL_GET_RSA_MGF1_MD (EVP_PKEY_ALG_CTRL + 8)
244 267
245#define RSA_PKCS1_PADDING 1 268#define RSA_PKCS1_PADDING 1
246#define RSA_SSLV23_PADDING 2 269#define RSA_SSLV23_PADDING 2
@@ -300,6 +323,16 @@ const RSA_METHOD *RSA_null_method(void);
300DECLARE_ASN1_ENCODE_FUNCTIONS_const(RSA, RSAPublicKey) 323DECLARE_ASN1_ENCODE_FUNCTIONS_const(RSA, RSAPublicKey)
301DECLARE_ASN1_ENCODE_FUNCTIONS_const(RSA, RSAPrivateKey) 324DECLARE_ASN1_ENCODE_FUNCTIONS_const(RSA, RSAPrivateKey)
302 325
326typedef struct rsa_pss_params_st
327 {
328 X509_ALGOR *hashAlgorithm;
329 X509_ALGOR *maskGenAlgorithm;
330 ASN1_INTEGER *saltLength;
331 ASN1_INTEGER *trailerField;
332 } RSA_PSS_PARAMS;
333
334DECLARE_ASN1_FUNCTIONS(RSA_PSS_PARAMS)
335
303#ifndef OPENSSL_NO_FP_API 336#ifndef OPENSSL_NO_FP_API
304int RSA_print_fp(FILE *fp, const RSA *r,int offset); 337int RSA_print_fp(FILE *fp, const RSA *r,int offset);
305#endif 338#endif
@@ -380,6 +413,14 @@ int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
380 const unsigned char *mHash, 413 const unsigned char *mHash,
381 const EVP_MD *Hash, int sLen); 414 const EVP_MD *Hash, int sLen);
382 415
416int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
417 const EVP_MD *Hash, const EVP_MD *mgf1Hash,
418 const unsigned char *EM, int sLen);
419
420int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
421 const unsigned char *mHash,
422 const EVP_MD *Hash, const EVP_MD *mgf1Hash, int sLen);
423
383int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, 424int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
384 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func); 425 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
385int RSA_set_ex_data(RSA *r,int idx,void *arg); 426int RSA_set_ex_data(RSA *r,int idx,void *arg);
@@ -388,6 +429,25 @@ void *RSA_get_ex_data(const RSA *r, int idx);
388RSA *RSAPublicKey_dup(RSA *rsa); 429RSA *RSAPublicKey_dup(RSA *rsa);
389RSA *RSAPrivateKey_dup(RSA *rsa); 430RSA *RSAPrivateKey_dup(RSA *rsa);
390 431
432/* If this flag is set the RSA method is FIPS compliant and can be used
433 * in FIPS mode. This is set in the validated module method. If an
434 * application sets this flag in its own methods it is its responsibility
435 * to ensure the result is compliant.
436 */
437
438#define RSA_FLAG_FIPS_METHOD 0x0400
439
440/* If this flag is set the operations normally disabled in FIPS mode are
441 * permitted it is then the applications responsibility to ensure that the
442 * usage is compliant.
443 */
444
445#define RSA_FLAG_NON_FIPS_ALLOW 0x0400
446/* Application has decided PRNG is good enough to generate a key: don't
447 * check.
448 */
449#define RSA_FLAG_CHECKED 0x0800
450
391/* BEGIN ERROR CODES */ 451/* BEGIN ERROR CODES */
392/* The following lines are auto generated by the script mkerr.pl. Any changes 452/* The following lines are auto generated by the script mkerr.pl. Any changes
393 * made after this point may be overwritten when the script is next run. 453 * made after this point may be overwritten when the script is next run.
@@ -405,6 +465,7 @@ void ERR_load_RSA_strings(void);
405#define RSA_F_PKEY_RSA_CTRL 143 465#define RSA_F_PKEY_RSA_CTRL 143
406#define RSA_F_PKEY_RSA_CTRL_STR 144 466#define RSA_F_PKEY_RSA_CTRL_STR 144
407#define RSA_F_PKEY_RSA_SIGN 142 467#define RSA_F_PKEY_RSA_SIGN 142
468#define RSA_F_PKEY_RSA_VERIFY 154
408#define RSA_F_PKEY_RSA_VERIFYRECOVER 141 469#define RSA_F_PKEY_RSA_VERIFYRECOVER 141
409#define RSA_F_RSA_BUILTIN_KEYGEN 129 470#define RSA_F_RSA_BUILTIN_KEYGEN 129
410#define RSA_F_RSA_CHECK_KEY 123 471#define RSA_F_RSA_CHECK_KEY 123
@@ -413,6 +474,8 @@ void ERR_load_RSA_strings(void);
413#define RSA_F_RSA_EAY_PUBLIC_DECRYPT 103 474#define RSA_F_RSA_EAY_PUBLIC_DECRYPT 103
414#define RSA_F_RSA_EAY_PUBLIC_ENCRYPT 104 475#define RSA_F_RSA_EAY_PUBLIC_ENCRYPT 104
415#define RSA_F_RSA_GENERATE_KEY 105 476#define RSA_F_RSA_GENERATE_KEY 105
477#define RSA_F_RSA_GENERATE_KEY_EX 155
478#define RSA_F_RSA_ITEM_VERIFY 156
416#define RSA_F_RSA_MEMORY_LOCK 130 479#define RSA_F_RSA_MEMORY_LOCK 130
417#define RSA_F_RSA_NEW_METHOD 106 480#define RSA_F_RSA_NEW_METHOD 106
418#define RSA_F_RSA_NULL 124 481#define RSA_F_RSA_NULL 124
@@ -424,6 +487,7 @@ void ERR_load_RSA_strings(void);
424#define RSA_F_RSA_PADDING_ADD_NONE 107 487#define RSA_F_RSA_PADDING_ADD_NONE 107
425#define RSA_F_RSA_PADDING_ADD_PKCS1_OAEP 121 488#define RSA_F_RSA_PADDING_ADD_PKCS1_OAEP 121
426#define RSA_F_RSA_PADDING_ADD_PKCS1_PSS 125 489#define RSA_F_RSA_PADDING_ADD_PKCS1_PSS 125
490#define RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1 148
427#define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1 108 491#define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1 108
428#define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2 109 492#define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2 109
429#define RSA_F_RSA_PADDING_ADD_SSLV23 110 493#define RSA_F_RSA_PADDING_ADD_SSLV23 110
@@ -436,8 +500,12 @@ void ERR_load_RSA_strings(void);
436#define RSA_F_RSA_PADDING_CHECK_X931 128 500#define RSA_F_RSA_PADDING_CHECK_X931 128
437#define RSA_F_RSA_PRINT 115 501#define RSA_F_RSA_PRINT 115
438#define RSA_F_RSA_PRINT_FP 116 502#define RSA_F_RSA_PRINT_FP 116
503#define RSA_F_RSA_PRIVATE_DECRYPT 150
504#define RSA_F_RSA_PRIVATE_ENCRYPT 151
439#define RSA_F_RSA_PRIV_DECODE 137 505#define RSA_F_RSA_PRIV_DECODE 137
440#define RSA_F_RSA_PRIV_ENCODE 138 506#define RSA_F_RSA_PRIV_ENCODE 138
507#define RSA_F_RSA_PUBLIC_DECRYPT 152
508#define RSA_F_RSA_PUBLIC_ENCRYPT 153
441#define RSA_F_RSA_PUB_DECODE 139 509#define RSA_F_RSA_PUB_DECODE 139
442#define RSA_F_RSA_SETUP_BLINDING 136 510#define RSA_F_RSA_SETUP_BLINDING 136
443#define RSA_F_RSA_SIGN 117 511#define RSA_F_RSA_SIGN 117
@@ -445,6 +513,7 @@ void ERR_load_RSA_strings(void);
445#define RSA_F_RSA_VERIFY 119 513#define RSA_F_RSA_VERIFY 119
446#define RSA_F_RSA_VERIFY_ASN1_OCTET_STRING 120 514#define RSA_F_RSA_VERIFY_ASN1_OCTET_STRING 120
447#define RSA_F_RSA_VERIFY_PKCS1_PSS 126 515#define RSA_F_RSA_VERIFY_PKCS1_PSS 126
516#define RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1 149
448 517
449/* Reason codes. */ 518/* Reason codes. */
450#define RSA_R_ALGORITHM_MISMATCH 100 519#define RSA_R_ALGORITHM_MISMATCH 100
@@ -470,19 +539,24 @@ void ERR_load_RSA_strings(void);
470#define RSA_R_INVALID_HEADER 137 539#define RSA_R_INVALID_HEADER 137
471#define RSA_R_INVALID_KEYBITS 145 540#define RSA_R_INVALID_KEYBITS 145
472#define RSA_R_INVALID_MESSAGE_LENGTH 131 541#define RSA_R_INVALID_MESSAGE_LENGTH 131
542#define RSA_R_INVALID_MGF1_MD 156
473#define RSA_R_INVALID_PADDING 138 543#define RSA_R_INVALID_PADDING 138
474#define RSA_R_INVALID_PADDING_MODE 141 544#define RSA_R_INVALID_PADDING_MODE 141
545#define RSA_R_INVALID_PSS_PARAMETERS 149
475#define RSA_R_INVALID_PSS_SALTLEN 146 546#define RSA_R_INVALID_PSS_SALTLEN 146
547#define RSA_R_INVALID_SALT_LENGTH 150
476#define RSA_R_INVALID_TRAILER 139 548#define RSA_R_INVALID_TRAILER 139
477#define RSA_R_INVALID_X931_DIGEST 142 549#define RSA_R_INVALID_X931_DIGEST 142
478#define RSA_R_IQMP_NOT_INVERSE_OF_Q 126 550#define RSA_R_IQMP_NOT_INVERSE_OF_Q 126
479#define RSA_R_KEY_SIZE_TOO_SMALL 120 551#define RSA_R_KEY_SIZE_TOO_SMALL 120
480#define RSA_R_LAST_OCTET_INVALID 134 552#define RSA_R_LAST_OCTET_INVALID 134
481#define RSA_R_MODULUS_TOO_LARGE 105 553#define RSA_R_MODULUS_TOO_LARGE 105
554#define RSA_R_NON_FIPS_RSA_METHOD 157
482#define RSA_R_NO_PUBLIC_EXPONENT 140 555#define RSA_R_NO_PUBLIC_EXPONENT 140
483#define RSA_R_NULL_BEFORE_BLOCK_MISSING 113 556#define RSA_R_NULL_BEFORE_BLOCK_MISSING 113
484#define RSA_R_N_DOES_NOT_EQUAL_P_Q 127 557#define RSA_R_N_DOES_NOT_EQUAL_P_Q 127
485#define RSA_R_OAEP_DECODING_ERROR 121 558#define RSA_R_OAEP_DECODING_ERROR 121
559#define RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE 158
486#define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 148 560#define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 148
487#define RSA_R_PADDING_CHECK_FAILED 114 561#define RSA_R_PADDING_CHECK_FAILED 114
488#define RSA_R_P_NOT_PRIME 128 562#define RSA_R_P_NOT_PRIME 128
@@ -493,7 +567,12 @@ void ERR_load_RSA_strings(void);
493#define RSA_R_SSLV3_ROLLBACK_ATTACK 115 567#define RSA_R_SSLV3_ROLLBACK_ATTACK 115
494#define RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD 116 568#define RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD 116
495#define RSA_R_UNKNOWN_ALGORITHM_TYPE 117 569#define RSA_R_UNKNOWN_ALGORITHM_TYPE 117
570#define RSA_R_UNKNOWN_MASK_DIGEST 151
496#define RSA_R_UNKNOWN_PADDING_TYPE 118 571#define RSA_R_UNKNOWN_PADDING_TYPE 118
572#define RSA_R_UNKNOWN_PSS_DIGEST 152
573#define RSA_R_UNSUPPORTED_MASK_ALGORITHM 153
574#define RSA_R_UNSUPPORTED_MASK_PARAMETER 154
575#define RSA_R_UNSUPPORTED_SIGNATURE_TYPE 155
497#define RSA_R_VALUE_MISSING 147 576#define RSA_R_VALUE_MISSING 147
498#define RSA_R_WRONG_SIGNATURE_LENGTH 119 577#define RSA_R_WRONG_SIGNATURE_LENGTH 119
499 578
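Review bot: `RSA_FLAG_FIPS_METHOD` and `RSA_FLAG_NON_FIPS_ALLOW` (new lines 438 and 445) are both defined as `0x0400`, so the bit that marks a method as FIPS-validated is the same bit that tells the library to skip FIPS restrictions for a key. The comments place the first in the method's flags and the second in the key's flags, but that only keeps them apart if nothing copies `meth->flags` into `rsa->flags` unmasked — if `RSA_new_method()` does the usual copy (not visible in this chunk), every key created from a FIPS method would silently carry NON_FIPS_ALLOW and bypass the checks the new `RSA_R_NON_FIPS_RSA_METHOD` / `RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE` codes exist for. Either give the two flags distinct values, or, if sharing the bit is deliberate and the copy is masked, say so next to the definitions: `/* deliberately the same bit as RSA_FLAG_FIPS_METHOD: only meaningful in rsa->flags, and RSA_new_method() must clear it when copying meth->flags */`.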
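--- a/src/lib/libcrypto/rsa/rsa_asn1.c
+++ b/src/lib/libcrypto/rsa/rsa_asn1.c
@@ -60,6 +60,7 @@
 #include "cryptlib.h"
 #include <openssl/bn.h>
 #include <openssl/rsa.h>
+#include <openssl/x509.h>
 #include <openssl/asn1t.h>
 
 /* Override the default free and new methods */
@@ -96,6 +97,15 @@ ASN1_SEQUENCE_cb(RSAPublicKey, rsa_cb) = {
 	ASN1_SIMPLE(RSA, e, BIGNUM),
 } ASN1_SEQUENCE_END_cb(RSA, RSAPublicKey)
 
+ASN1_SEQUENCE(RSA_PSS_PARAMS) = {
+	ASN1_EXP_OPT(RSA_PSS_PARAMS, hashAlgorithm, X509_ALGOR,0),
+	ASN1_EXP_OPT(RSA_PSS_PARAMS, maskGenAlgorithm, X509_ALGOR,1),
+	ASN1_EXP_OPT(RSA_PSS_PARAMS, saltLength, ASN1_INTEGER,2),
+	ASN1_EXP_OPT(RSA_PSS_PARAMS, trailerField, ASN1_INTEGER,3)
+} ASN1_SEQUENCE_END(RSA_PSS_PARAMS)
+
+IMPLEMENT_ASN1_FUNCTIONS(RSA_PSS_PARAMS)
+
 IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(RSA, RSAPrivateKey, RSAPrivateKey)
 
 IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(RSA, RSAPublicKey, RSAPublicKey)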
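Review bot: The `RSA_PSS_PARAMS` template marks all four members `ASN1_EXP_OPT`, so after decoding an absent member is a NULL pointer, and nothing here records what NULL means; in RFC 4055's RSASSA-PSS-params every member is DEFAULT (SHA-1, MGF1 with SHA-1, saltLength 20, trailerField 1), which the consumer — outside this chunk — must apply, and `trailerField` must be rejected whenever it is present and not 1. A comment on the template would pin that contract for whoever reads the struct: `/* RFC 4055 RSASSA-PSS-params: all members DEFAULT, so NULL after decode means SHA-1 / MGF1-SHA-1 / 20 / 1; consumers apply the defaults and must reject trailerField != 1 */`. DER also forbids encoding a member at its DEFAULT value, so the code that builds these parameters for signing should leave defaulted members NULL rather than filling them in explicitly.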
diff --git a/src/lib/libcrypto/rsa/rsa_err.c b/src/lib/libcrypto/rsa/rsa_err.c
index cf9f1106b0..46e0bf9980 100644
--- a/src/lib/libcrypto/rsa/rsa_err.c
+++ b/src/lib/libcrypto/rsa/rsa_err.c
@@ -1,6 +1,6 @@
1/* crypto/rsa/rsa_err.c */ 1/* crypto/rsa/rsa_err.c */
2/* ==================================================================== 2/* ====================================================================
3 * Copyright (c) 1999-2008 The OpenSSL Project. All rights reserved. 3 * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved.
4 * 4 *
5 * Redistribution and use in source and binary forms, with or without 5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions 6 * modification, are permitted provided that the following conditions
@@ -78,6 +78,7 @@ static ERR_STRING_DATA RSA_str_functs[]=
78{ERR_FUNC(RSA_F_PKEY_RSA_CTRL), "PKEY_RSA_CTRL"}, 78{ERR_FUNC(RSA_F_PKEY_RSA_CTRL), "PKEY_RSA_CTRL"},
79{ERR_FUNC(RSA_F_PKEY_RSA_CTRL_STR), "PKEY_RSA_CTRL_STR"}, 79{ERR_FUNC(RSA_F_PKEY_RSA_CTRL_STR), "PKEY_RSA_CTRL_STR"},
80{ERR_FUNC(RSA_F_PKEY_RSA_SIGN), "PKEY_RSA_SIGN"}, 80{ERR_FUNC(RSA_F_PKEY_RSA_SIGN), "PKEY_RSA_SIGN"},
81{ERR_FUNC(RSA_F_PKEY_RSA_VERIFY), "PKEY_RSA_VERIFY"},
81{ERR_FUNC(RSA_F_PKEY_RSA_VERIFYRECOVER), "PKEY_RSA_VERIFYRECOVER"}, 82{ERR_FUNC(RSA_F_PKEY_RSA_VERIFYRECOVER), "PKEY_RSA_VERIFYRECOVER"},
82{ERR_FUNC(RSA_F_RSA_BUILTIN_KEYGEN), "RSA_BUILTIN_KEYGEN"}, 83{ERR_FUNC(RSA_F_RSA_BUILTIN_KEYGEN), "RSA_BUILTIN_KEYGEN"},
83{ERR_FUNC(RSA_F_RSA_CHECK_KEY), "RSA_check_key"}, 84{ERR_FUNC(RSA_F_RSA_CHECK_KEY), "RSA_check_key"},
@@ -86,6 +87,8 @@ static ERR_STRING_DATA RSA_str_functs[]=
86{ERR_FUNC(RSA_F_RSA_EAY_PUBLIC_DECRYPT), "RSA_EAY_PUBLIC_DECRYPT"}, 87{ERR_FUNC(RSA_F_RSA_EAY_PUBLIC_DECRYPT), "RSA_EAY_PUBLIC_DECRYPT"},
87{ERR_FUNC(RSA_F_RSA_EAY_PUBLIC_ENCRYPT), "RSA_EAY_PUBLIC_ENCRYPT"}, 88{ERR_FUNC(RSA_F_RSA_EAY_PUBLIC_ENCRYPT), "RSA_EAY_PUBLIC_ENCRYPT"},
88{ERR_FUNC(RSA_F_RSA_GENERATE_KEY), "RSA_generate_key"}, 89{ERR_FUNC(RSA_F_RSA_GENERATE_KEY), "RSA_generate_key"},
90{ERR_FUNC(RSA_F_RSA_GENERATE_KEY_EX), "RSA_generate_key_ex"},
91{ERR_FUNC(RSA_F_RSA_ITEM_VERIFY), "RSA_ITEM_VERIFY"},
89{ERR_FUNC(RSA_F_RSA_MEMORY_LOCK), "RSA_memory_lock"}, 92{ERR_FUNC(RSA_F_RSA_MEMORY_LOCK), "RSA_memory_lock"},
90{ERR_FUNC(RSA_F_RSA_NEW_METHOD), "RSA_new_method"}, 93{ERR_FUNC(RSA_F_RSA_NEW_METHOD), "RSA_new_method"},
91{ERR_FUNC(RSA_F_RSA_NULL), "RSA_NULL"}, 94{ERR_FUNC(RSA_F_RSA_NULL), "RSA_NULL"},
@@ -97,6 +100,7 @@ static ERR_STRING_DATA RSA_str_functs[]=
97{ERR_FUNC(RSA_F_RSA_PADDING_ADD_NONE), "RSA_padding_add_none"}, 100{ERR_FUNC(RSA_F_RSA_PADDING_ADD_NONE), "RSA_padding_add_none"},
98{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP), "RSA_padding_add_PKCS1_OAEP"}, 101{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP), "RSA_padding_add_PKCS1_OAEP"},
99{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_PSS), "RSA_padding_add_PKCS1_PSS"}, 102{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_PSS), "RSA_padding_add_PKCS1_PSS"},
103{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1), "RSA_padding_add_PKCS1_PSS_mgf1"},
100{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1), "RSA_padding_add_PKCS1_type_1"}, 104{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1), "RSA_padding_add_PKCS1_type_1"},
101{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2), "RSA_padding_add_PKCS1_type_2"}, 105{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_2), "RSA_padding_add_PKCS1_type_2"},
102{ERR_FUNC(RSA_F_RSA_PADDING_ADD_SSLV23), "RSA_padding_add_SSLv23"}, 106{ERR_FUNC(RSA_F_RSA_PADDING_ADD_SSLV23), "RSA_padding_add_SSLv23"},
@@ -109,8 +113,12 @@ static ERR_STRING_DATA RSA_str_functs[]=
109{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_X931), "RSA_padding_check_X931"}, 113{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_X931), "RSA_padding_check_X931"},
110{ERR_FUNC(RSA_F_RSA_PRINT), "RSA_print"}, 114{ERR_FUNC(RSA_F_RSA_PRINT), "RSA_print"},
111{ERR_FUNC(RSA_F_RSA_PRINT_FP), "RSA_print_fp"}, 115{ERR_FUNC(RSA_F_RSA_PRINT_FP), "RSA_print_fp"},
116{ERR_FUNC(RSA_F_RSA_PRIVATE_DECRYPT), "RSA_private_decrypt"},
117{ERR_FUNC(RSA_F_RSA_PRIVATE_ENCRYPT), "RSA_private_encrypt"},
112{ERR_FUNC(RSA_F_RSA_PRIV_DECODE), "RSA_PRIV_DECODE"}, 118{ERR_FUNC(RSA_F_RSA_PRIV_DECODE), "RSA_PRIV_DECODE"},
113{ERR_FUNC(RSA_F_RSA_PRIV_ENCODE), "RSA_PRIV_ENCODE"}, 119{ERR_FUNC(RSA_F_RSA_PRIV_ENCODE), "RSA_PRIV_ENCODE"},
120{ERR_FUNC(RSA_F_RSA_PUBLIC_DECRYPT), "RSA_public_decrypt"},
121{ERR_FUNC(RSA_F_RSA_PUBLIC_ENCRYPT), "RSA_public_encrypt"},
114{ERR_FUNC(RSA_F_RSA_PUB_DECODE), "RSA_PUB_DECODE"}, 122{ERR_FUNC(RSA_F_RSA_PUB_DECODE), "RSA_PUB_DECODE"},
115{ERR_FUNC(RSA_F_RSA_SETUP_BLINDING), "RSA_setup_blinding"}, 123{ERR_FUNC(RSA_F_RSA_SETUP_BLINDING), "RSA_setup_blinding"},
116{ERR_FUNC(RSA_F_RSA_SIGN), "RSA_sign"}, 124{ERR_FUNC(RSA_F_RSA_SIGN), "RSA_sign"},
@@ -118,6 +126,7 @@ static ERR_STRING_DATA RSA_str_functs[]=
118{ERR_FUNC(RSA_F_RSA_VERIFY), "RSA_verify"}, 126{ERR_FUNC(RSA_F_RSA_VERIFY), "RSA_verify"},
119{ERR_FUNC(RSA_F_RSA_VERIFY_ASN1_OCTET_STRING), "RSA_verify_ASN1_OCTET_STRING"}, 127{ERR_FUNC(RSA_F_RSA_VERIFY_ASN1_OCTET_STRING), "RSA_verify_ASN1_OCTET_STRING"},
120{ERR_FUNC(RSA_F_RSA_VERIFY_PKCS1_PSS), "RSA_verify_PKCS1_PSS"}, 128{ERR_FUNC(RSA_F_RSA_VERIFY_PKCS1_PSS), "RSA_verify_PKCS1_PSS"},
129{ERR_FUNC(RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1), "RSA_verify_PKCS1_PSS_mgf1"},
121{0,NULL} 130{0,NULL}
122 }; 131 };
123 132
@@ -146,19 +155,24 @@ static ERR_STRING_DATA RSA_str_reasons[]=
146{ERR_REASON(RSA_R_INVALID_HEADER) ,"invalid header"}, 155{ERR_REASON(RSA_R_INVALID_HEADER) ,"invalid header"},
147{ERR_REASON(RSA_R_INVALID_KEYBITS) ,"invalid keybits"}, 156{ERR_REASON(RSA_R_INVALID_KEYBITS) ,"invalid keybits"},
148{ERR_REASON(RSA_R_INVALID_MESSAGE_LENGTH),"invalid message length"}, 157{ERR_REASON(RSA_R_INVALID_MESSAGE_LENGTH),"invalid message length"},
158{ERR_REASON(RSA_R_INVALID_MGF1_MD) ,"invalid mgf1 md"},
149{ERR_REASON(RSA_R_INVALID_PADDING) ,"invalid padding"}, 159{ERR_REASON(RSA_R_INVALID_PADDING) ,"invalid padding"},
150{ERR_REASON(RSA_R_INVALID_PADDING_MODE) ,"invalid padding mode"}, 160{ERR_REASON(RSA_R_INVALID_PADDING_MODE) ,"invalid padding mode"},
161{ERR_REASON(RSA_R_INVALID_PSS_PARAMETERS),"invalid pss parameters"},
151{ERR_REASON(RSA_R_INVALID_PSS_SALTLEN) ,"invalid pss saltlen"}, 162{ERR_REASON(RSA_R_INVALID_PSS_SALTLEN) ,"invalid pss saltlen"},
163{ERR_REASON(RSA_R_INVALID_SALT_LENGTH) ,"invalid salt length"},
152{ERR_REASON(RSA_R_INVALID_TRAILER) ,"invalid trailer"}, 164{ERR_REASON(RSA_R_INVALID_TRAILER) ,"invalid trailer"},
153{ERR_REASON(RSA_R_INVALID_X931_DIGEST) ,"invalid x931 digest"}, 165{ERR_REASON(RSA_R_INVALID_X931_DIGEST) ,"invalid x931 digest"},
154{ERR_REASON(RSA_R_IQMP_NOT_INVERSE_OF_Q) ,"iqmp not inverse of q"}, 166{ERR_REASON(RSA_R_IQMP_NOT_INVERSE_OF_Q) ,"iqmp not inverse of q"},
155{ERR_REASON(RSA_R_KEY_SIZE_TOO_SMALL) ,"key size too small"}, 167{ERR_REASON(RSA_R_KEY_SIZE_TOO_SMALL) ,"key size too small"},
156{ERR_REASON(RSA_R_LAST_OCTET_INVALID) ,"last octet invalid"}, 168{ERR_REASON(RSA_R_LAST_OCTET_INVALID) ,"last octet invalid"},
157{ERR_REASON(RSA_R_MODULUS_TOO_LARGE) ,"modulus too large"}, 169{ERR_REASON(RSA_R_MODULUS_TOO_LARGE) ,"modulus too large"},
170{ERR_REASON(RSA_R_NON_FIPS_RSA_METHOD) ,"non fips rsa method"},
158{ERR_REASON(RSA_R_NO_PUBLIC_EXPONENT) ,"no public exponent"}, 171{ERR_REASON(RSA_R_NO_PUBLIC_EXPONENT) ,"no public exponent"},
159{ERR_REASON(RSA_R_NULL_BEFORE_BLOCK_MISSING),"null before block missing"}, 172{ERR_REASON(RSA_R_NULL_BEFORE_BLOCK_MISSING),"null before block missing"},
160{ERR_REASON(RSA_R_N_DOES_NOT_EQUAL_P_Q) ,"n does not equal p q"}, 173{ERR_REASON(RSA_R_N_DOES_NOT_EQUAL_P_Q) ,"n does not equal p q"},
161{ERR_REASON(RSA_R_OAEP_DECODING_ERROR) ,"oaep decoding error"}, 174{ERR_REASON(RSA_R_OAEP_DECODING_ERROR) ,"oaep decoding error"},
175{ERR_REASON(RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE),"operation not allowed in fips mode"},
162{ERR_REASON(RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE),"operation not supported for this keytype"}, 176{ERR_REASON(RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE),"operation not supported for this keytype"},
163{ERR_REASON(RSA_R_PADDING_CHECK_FAILED) ,"padding check failed"}, 177{ERR_REASON(RSA_R_PADDING_CHECK_FAILED) ,"padding check failed"},
164{ERR_REASON(RSA_R_P_NOT_PRIME) ,"p not prime"}, 178{ERR_REASON(RSA_R_P_NOT_PRIME) ,"p not prime"},
@@ -169,7 +183,12 @@ static ERR_STRING_DATA RSA_str_reasons[]=
169{ERR_REASON(RSA_R_SSLV3_ROLLBACK_ATTACK) ,"sslv3 rollback attack"}, 183{ERR_REASON(RSA_R_SSLV3_ROLLBACK_ATTACK) ,"sslv3 rollback attack"},
170{ERR_REASON(RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD),"the asn1 object identifier is not known for this md"}, 184{ERR_REASON(RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD),"the asn1 object identifier is not known for this md"},
171{ERR_REASON(RSA_R_UNKNOWN_ALGORITHM_TYPE),"unknown algorithm type"}, 185{ERR_REASON(RSA_R_UNKNOWN_ALGORITHM_TYPE),"unknown algorithm type"},
186{ERR_REASON(RSA_R_UNKNOWN_MASK_DIGEST) ,"unknown mask digest"},
172{ERR_REASON(RSA_R_UNKNOWN_PADDING_TYPE) ,"unknown padding type"}, 187{ERR_REASON(RSA_R_UNKNOWN_PADDING_TYPE) ,"unknown padding type"},
188{ERR_REASON(RSA_R_UNKNOWN_PSS_DIGEST) ,"unknown pss digest"},
189{ERR_REASON(RSA_R_UNSUPPORTED_MASK_ALGORITHM),"unsupported mask algorithm"},
190{ERR_REASON(RSA_R_UNSUPPORTED_MASK_PARAMETER),"unsupported mask parameter"},
191{ERR_REASON(RSA_R_UNSUPPORTED_SIGNATURE_TYPE),"unsupported signature type"},
173{ERR_REASON(RSA_R_VALUE_MISSING) ,"value missing"}, 192{ERR_REASON(RSA_R_VALUE_MISSING) ,"value missing"},
174{ERR_REASON(RSA_R_WRONG_SIGNATURE_LENGTH),"wrong signature length"}, 193{ERR_REASON(RSA_R_WRONG_SIGNATURE_LENGTH),"wrong signature length"},
175{0,NULL} 194{0,NULL}
diff --git a/src/lib/libcrypto/rsa/rsa_gen.c b/src/lib/libcrypto/rsa/rsa_gen.c
index 767f7ab682..42290cce66 100644
--- a/src/lib/libcrypto/rsa/rsa_gen.c
+++ b/src/lib/libcrypto/rsa/rsa_gen.c
@@ -67,6 +67,9 @@
67#include "cryptlib.h" 67#include "cryptlib.h"
68#include <openssl/bn.h> 68#include <openssl/bn.h>
69#include <openssl/rsa.h> 69#include <openssl/rsa.h>
70#ifdef OPENSSL_FIPS
71#include <openssl/fips.h>
72#endif
70 73
71static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb); 74static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb);
72 75
@@ -77,8 +80,20 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
77 * now just because key-generation is part of RSA_METHOD. */ 80 * now just because key-generation is part of RSA_METHOD. */
78int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) 81int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
79 { 82 {
83#ifdef OPENSSL_FIPS
84 if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
85 && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
86 {
87 RSAerr(RSA_F_RSA_GENERATE_KEY_EX, RSA_R_NON_FIPS_RSA_METHOD);
88 return 0;
89 }
90#endif
80 if(rsa->meth->rsa_keygen) 91 if(rsa->meth->rsa_keygen)
81 return rsa->meth->rsa_keygen(rsa, bits, e_value, cb); 92 return rsa->meth->rsa_keygen(rsa, bits, e_value, cb);
93#ifdef OPENSSL_FIPS
94 if (FIPS_mode())
95 return FIPS_rsa_generate_key_ex(rsa, bits, e_value, cb);
96#endif
82 return rsa_builtin_keygen(rsa, bits, e_value, cb); 97 return rsa_builtin_keygen(rsa, bits, e_value, cb);
83 } 98 }
84 99
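Review bot: The FIPS gate at new lines 83–90 intentionally runs before the `rsa->meth->rsa_keygen` dispatch at 91–92, so an engine-supplied keygen is refused in FIPS mode unless the method carries RSA_FLAG_FIPS_METHOD or the key was explicitly marked RSA_FLAG_NON_FIPS_ALLOW, while the second `#ifdef OPENSSL_FIPS` block at 93–96 only reaches methods that have no keygen of their own; nothing in the hunk says so. A comment above line 83 would spare the next reader working out the ordering: `/* FIPS mode: refuse non-validated methods before dispatching to rsa_keygen; the builtin path below is replaced by FIPS_rsa_generate_key_ex. */`. Both new checks dereference `rsa->meth` without a NULL test, which matches the pre-existing line 91 and is presumably an established precondition of this API rather than a regression.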
diff --git a/src/lib/libcrypto/rsa/rsa_lib.c b/src/lib/libcrypto/rsa/rsa_lib.c
index de45088d76..c95ceafc82 100644
--- a/src/lib/libcrypto/rsa/rsa_lib.c
+++ b/src/lib/libcrypto/rsa/rsa_lib.c
@@ -67,6 +67,10 @@
67#include <openssl/engine.h> 67#include <openssl/engine.h>
68#endif 68#endif
69 69
70#ifdef OPENSSL_FIPS
71#include <openssl/fips.h>
72#endif
73
70const char RSA_version[]="RSA" OPENSSL_VERSION_PTEXT; 74const char RSA_version[]="RSA" OPENSSL_VERSION_PTEXT;
71 75
72static const RSA_METHOD *default_RSA_meth=NULL; 76static const RSA_METHOD *default_RSA_meth=NULL;
@@ -87,12 +91,15 @@ const RSA_METHOD *RSA_get_default_method(void)
87 { 91 {
88 if (default_RSA_meth == NULL) 92 if (default_RSA_meth == NULL)
89 { 93 {
94#ifdef OPENSSL_FIPS
95 if (FIPS_mode())
96 return FIPS_rsa_pkcs1_ssleay();
97 else
98 return RSA_PKCS1_SSLeay();
99#else
90#ifdef RSA_NULL 100#ifdef RSA_NULL
91 default_RSA_meth=RSA_null_method(); 101 default_RSA_meth=RSA_null_method();
92#else 102#else
93#if 0 /* was: #ifdef RSAref */
94 default_RSA_meth=RSA_PKCS1_RSAref();
95#else
96 default_RSA_meth=RSA_PKCS1_SSLeay(); 103 default_RSA_meth=RSA_PKCS1_SSLeay();
97#endif 104#endif
98#endif 105#endif
@@ -181,7 +188,7 @@ RSA *RSA_new_method(ENGINE *engine)
181 ret->blinding=NULL; 188 ret->blinding=NULL;
182 ret->mt_blinding=NULL; 189 ret->mt_blinding=NULL;
183 ret->bignum_data=NULL; 190 ret->bignum_data=NULL;
184 ret->flags=ret->meth->flags; 191 ret->flags=ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW;
185 if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) 192 if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data))
186 { 193 {
187#ifndef OPENSSL_NO_ENGINE 194#ifndef OPENSSL_NO_ENGINE
@@ -280,163 +287,6 @@ void *RSA_get_ex_data(const RSA *r, int idx)
280 return(CRYPTO_get_ex_data(&r->ex_data,idx)); 287 return(CRYPTO_get_ex_data(&r->ex_data,idx));
281 } 288 }
282 289
283int RSA_size(const RSA *r)
284 {
285 return(BN_num_bytes(r->n));
286 }
287
288int RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to,
289 RSA *rsa, int padding)
290 {
291 return(rsa->meth->rsa_pub_enc(flen, from, to, rsa, padding));
292 }
293
294int RSA_private_encrypt(int flen, const unsigned char *from, unsigned char *to,
295 RSA *rsa, int padding)
296 {
297 return(rsa->meth->rsa_priv_enc(flen, from, to, rsa, padding));
298 }
299
300int RSA_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
301 RSA *rsa, int padding)
302 {
303 return(rsa->meth->rsa_priv_dec(flen, from, to, rsa, padding));
304 }
305
306int RSA_public_decrypt(int flen, const unsigned char *from, unsigned char *to,
307 RSA *rsa, int padding)
308 {
309 return(rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding));
310 }
311
312int RSA_flags(const RSA *r)
313 {
314 return((r == NULL)?0:r->meth->flags);
315 }
316
317void RSA_blinding_off(RSA *rsa)
318 {
319 if (rsa->blinding != NULL)
320 {
321 BN_BLINDING_free(rsa->blinding);
322 rsa->blinding=NULL;
323 }
324 rsa->flags &= ~RSA_FLAG_BLINDING;
325 rsa->flags |= RSA_FLAG_NO_BLINDING;
326 }
327
328int RSA_blinding_on(RSA *rsa, BN_CTX *ctx)
329 {
330 int ret=0;
331
332 if (rsa->blinding != NULL)
333 RSA_blinding_off(rsa);
334
335 rsa->blinding = RSA_setup_blinding(rsa, ctx);
336 if (rsa->blinding == NULL)
337 goto err;
338
339 rsa->flags |= RSA_FLAG_BLINDING;
340 rsa->flags &= ~RSA_FLAG_NO_BLINDING;
341 ret=1;
342err:
343 return(ret);
344 }
345
346static BIGNUM *rsa_get_public_exp(const BIGNUM *d, const BIGNUM *p,
347 const BIGNUM *q, BN_CTX *ctx)
348{
349 BIGNUM *ret = NULL, *r0, *r1, *r2;
350
351 if (d == NULL || p == NULL || q == NULL)
352 return NULL;
353
354 BN_CTX_start(ctx);
355 r0 = BN_CTX_get(ctx);
356 r1 = BN_CTX_get(ctx);
357 r2 = BN_CTX_get(ctx);
358 if (r2 == NULL)
359 goto err;
360
361 if (!BN_sub(r1, p, BN_value_one())) goto err;
362 if (!BN_sub(r2, q, BN_value_one())) goto err;
363 if (!BN_mul(r0, r1, r2, ctx)) goto err;
364
365 ret = BN_mod_inverse(NULL, d, r0, ctx);
366err:
367 BN_CTX_end(ctx);
368 return ret;
369}
370
371BN_BLINDING *RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx)
372{
373 BIGNUM local_n;
374 BIGNUM *e,*n;
375 BN_CTX *ctx;
376 BN_BLINDING *ret = NULL;
377
378 if (in_ctx == NULL)
379 {
380 if ((ctx = BN_CTX_new()) == NULL) return 0;
381 }
382 else
383 ctx = in_ctx;
384
385 BN_CTX_start(ctx);
386 e = BN_CTX_get(ctx);
387 if (e == NULL)
388 {
389 RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_MALLOC_FAILURE);
390 goto err;
391 }
392
393 if (rsa->e == NULL)
394 {
395 e = rsa_get_public_exp(rsa->d, rsa->p, rsa->q, ctx);
396 if (e == NULL)
397 {
398 RSAerr(RSA_F_RSA_SETUP_BLINDING, RSA_R_NO_PUBLIC_EXPONENT);
399 goto err;
400 }
401 }
402 else
403 e = rsa->e;
404
405
406 if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL)
407 {
408 /* if PRNG is not properly seeded, resort to secret
409 * exponent as unpredictable seed */
410 RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0.0);
411 }
412
413 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
414 {
415 /* Set BN_FLG_CONSTTIME flag */
416 n = &local_n;
417 BN_with_flags(n, rsa->n, BN_FLG_CONSTTIME);
418 }
419 else
420 n = rsa->n;
421
422 ret = BN_BLINDING_create_param(NULL, e, n, ctx,
423 rsa->meth->bn_mod_exp, rsa->_method_mod_n);
424 if (ret == NULL)
425 {
426 RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_BN_LIB);
427 goto err;
428 }
429 CRYPTO_THREADID_current(BN_BLINDING_thread_id(ret));
430err:
431 BN_CTX_end(ctx);
432 if (in_ctx == NULL)
433 BN_CTX_free(ctx);
434 if(rsa->e == NULL)
435 BN_free(e);
436
437 return ret;
438}
439
440int RSA_memory_lock(RSA *r) 290int RSA_memory_lock(RSA *r)
441 { 291 {
442 int i,j,k,off; 292 int i,j,k,off;
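Review bot: In the `#ifdef OPENSSL_FIPS` branch of RSA_get_default_method (new lines 94–99) the method is returned directly and `default_RSA_meth` is never assigned, unlike the non-FIPS branch at 100–104 that stores into it, so in FIPS builds the NULL test at line 92 is taken on every call and FIPS_mode() is re-evaluated each time. If this is deliberate because FIPS mode can change after the first lookup, say so with `/* not cached: FIPS mode may be toggled after the first call */` above line 95; if not, assign into `default_RSA_meth` as the other branch does. The function's body continues outside the hunk. Separately, the `& ~RSA_FLAG_NON_FIPS_ALLOW` added at new line 191 in RSA_new_method deserves a one-line comment, e.g. `/* the non-FIPS exemption must be set by the caller, never inherited from the method's flags */`, since the reason the mask is applied is not evident from the line itself.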
diff --git a/src/lib/libcrypto/rsa/rsa_oaep.c b/src/lib/libcrypto/rsa/rsa_oaep.c
index 18d307ea9e..553d212ebe 100644
--- a/src/lib/libcrypto/rsa/rsa_oaep.c
+++ b/src/lib/libcrypto/rsa/rsa_oaep.c
@@ -56,7 +56,8 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
56 seed = to + 1; 56 seed = to + 1;
57 db = to + SHA_DIGEST_LENGTH + 1; 57 db = to + SHA_DIGEST_LENGTH + 1;
58 58
59 EVP_Digest((void *)param, plen, db, NULL, EVP_sha1(), NULL); 59 if (!EVP_Digest((void *)param, plen, db, NULL, EVP_sha1(), NULL))
60 return 0;
60 memset(db + SHA_DIGEST_LENGTH, 0, 61 memset(db + SHA_DIGEST_LENGTH, 0,
61 emlen - flen - 2 * SHA_DIGEST_LENGTH - 1); 62 emlen - flen - 2 * SHA_DIGEST_LENGTH - 1);
62 db[emlen - flen - SHA_DIGEST_LENGTH - 1] = 0x01; 63 db[emlen - flen - SHA_DIGEST_LENGTH - 1] = 0x01;
@@ -145,7 +146,8 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
145 for (i = 0; i < dblen; i++) 146 for (i = 0; i < dblen; i++)
146 db[i] ^= maskeddb[i]; 147 db[i] ^= maskeddb[i];
147 148
148 EVP_Digest((void *)param, plen, phash, NULL, EVP_sha1(), NULL); 149 if (!EVP_Digest((void *)param, plen, phash, NULL, EVP_sha1(), NULL))
150 return -1;
149 151
150 if (memcmp(db, phash, SHA_DIGEST_LENGTH) != 0 || bad) 152 if (memcmp(db, phash, SHA_DIGEST_LENGTH) != 0 || bad)
151 goto decoding_err; 153 goto decoding_err;
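Review bot: The new `return -1` at line 150 in RSA_padding_check_PKCS1_OAEP leaves the function without passing through its `decoding_err`/cleanup path; if `db` is heap-allocated earlier in the function, as the `db`/`maskeddb` unmasking loop at 146–147 suggests, that buffer is leaked on this path, and unlike the `decoding_err` route no RSAerr is recorded for the caller. Free the buffer before returning, or route the failure through the function's existing cleanup label rather than returning inline: `if (!EVP_Digest((void *)param, plen, phash, NULL, EVP_sha1(), NULL)) { OPENSSL_free(db); return -1; }` if `db` is indeed OPENSSL_malloc'd. The matching change in RSA_padding_add_PKCS1_OAEP at new line 60 returns 0 into a caller-supplied `to` buffer and has no such cleanup concern. Both enclosing functions start and end outside the hunks.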
diff --git a/src/lib/libcrypto/rsa/rsa_sign.c b/src/lib/libcrypto/rsa/rsa_sign.c
index 0be4ec7fb0..b6f6037ae0 100644
--- a/src/lib/libcrypto/rsa/rsa_sign.c
+++ b/src/lib/libcrypto/rsa/rsa_sign.c
@@ -77,6 +77,14 @@ int RSA_sign(int type, const unsigned char *m, unsigned int m_len,
77 const unsigned char *s = NULL; 77 const unsigned char *s = NULL;
78 X509_ALGOR algor; 78 X509_ALGOR algor;
79 ASN1_OCTET_STRING digest; 79 ASN1_OCTET_STRING digest;
80#ifdef OPENSSL_FIPS
81 if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
82 && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
83 {
84 RSAerr(RSA_F_RSA_SIGN, RSA_R_NON_FIPS_RSA_METHOD);
85 return 0;
86 }
87#endif
80 if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign) 88 if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign)
81 { 89 {
82 return rsa->meth->rsa_sign(type, m, m_len, 90 return rsa->meth->rsa_sign(type, m, m_len,
@@ -153,6 +161,15 @@ int int_rsa_verify(int dtype, const unsigned char *m,
153 unsigned char *s; 161 unsigned char *s;
154 X509_SIG *sig=NULL; 162 X509_SIG *sig=NULL;
155 163
164#ifdef OPENSSL_FIPS
165 if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
166 && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
167 {
168 RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_NON_FIPS_RSA_METHOD);
169 return 0;
170 }
171#endif
172
156 if (siglen != (unsigned int)RSA_size(rsa)) 173 if (siglen != (unsigned int)RSA_size(rsa))
157 { 174 {
158 RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_WRONG_SIGNATURE_LENGTH); 175 RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_WRONG_SIGNATURE_LENGTH);
@@ -182,6 +199,22 @@ int int_rsa_verify(int dtype, const unsigned char *m,
182 i=RSA_public_decrypt((int)siglen,sigbuf,s,rsa,RSA_PKCS1_PADDING); 199 i=RSA_public_decrypt((int)siglen,sigbuf,s,rsa,RSA_PKCS1_PADDING);
183 200
184 if (i <= 0) goto err; 201 if (i <= 0) goto err;
202 /* Oddball MDC2 case: signature can be OCTET STRING.
203 * check for correct tag and length octets.
204 */
205 if (dtype == NID_mdc2 && i == 18 && s[0] == 0x04 && s[1] == 0x10)
206 {
207 if (rm)
208 {
209 memcpy(rm, s + 2, 16);
210 *prm_len = 16;
211 ret = 1;
212 }
213 else if(memcmp(m, s + 2, 16))
214 RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
215 else
216 ret = 1;
217 }
185 218
186 /* Special case: SSL signature */ 219 /* Special case: SSL signature */
187 if(dtype == NID_md5_sha1) { 220 if(dtype == NID_md5_sha1) {
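Review bot: The MDC2 block at new lines 205–217 sets `ret = 1` (or reports RSA_R_BAD_SIGNATURE) but does not leave the verification path: the `if(dtype == NID_md5_sha1)` at line 220 is a plain `if`, so after a bare OCTET STRING has been accepted the code continues into the generic branch below, which is outside the hunk and presumably parses `s` as a DigestInfo that an OCTET STRING will not satisfy. Depending on how that branch and `err:` treat `ret`, a valid MDC2 signature may then be rejected or may succeed with a stray error left on the queue. Make the following test `else if(dtype == NID_md5_sha1) {` so the three cases are mutually exclusive, or jump to the cleanup once the MDC2 case has been decided. The `i == 18` length check guarding the 16-byte memcpy and memcmp at 209 and 213 is correct as written. int_rsa_verify's body continues outside the hunk.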
diff --git a/src/lib/libcrypto/sha/asm/sha1-586.pl b/src/lib/libcrypto/sha/asm/sha1-586.pl
index a1f876281a..1084d227fe 100644
--- a/src/lib/libcrypto/sha/asm/sha1-586.pl
+++ b/src/lib/libcrypto/sha/asm/sha1-586.pl
@@ -12,6 +12,8 @@
12# commentary below], and in 2006 the rest was rewritten in order to 12# commentary below], and in 2006 the rest was rewritten in order to
13# gain freedom to liberate licensing terms. 13# gain freedom to liberate licensing terms.
14 14
15# January, September 2004.
16#
15# It was noted that Intel IA-32 C compiler generates code which 17# It was noted that Intel IA-32 C compiler generates code which
16# performs ~30% *faster* on P4 CPU than original *hand-coded* 18# performs ~30% *faster* on P4 CPU than original *hand-coded*
17# SHA1 assembler implementation. To address this problem (and 19# SHA1 assembler implementation. To address this problem (and
@@ -31,12 +33,92 @@
31# ---------------------------------------------------------------- 33# ----------------------------------------------------------------
32# <appro@fy.chalmers.se> 34# <appro@fy.chalmers.se>
33 35
36# August 2009.
37#
38# George Spelvin has tipped that F_40_59(b,c,d) can be rewritten as
39# '(c&d) + (b&(c^d))', which allows to accumulate partial results
40# and lighten "pressure" on scratch registers. This resulted in
41# >12% performance improvement on contemporary AMD cores (with no
42# degradation on other CPUs:-). Also, the code was revised to maximize
43# "distance" between instructions producing input to 'lea' instruction
44# and the 'lea' instruction itself, which is essential for Intel Atom
45# core and resulted in ~15% improvement.
46
47# October 2010.
48#
49# Add SSSE3, Supplemental[!] SSE3, implementation. The idea behind it
50# is to offload message schedule denoted by Wt in NIST specification,
51# or Xupdate in OpenSSL source, to SIMD unit. The idea is not novel,
52# and in SSE2 context was first explored by Dean Gaudet in 2004, see
53# http://arctic.org/~dean/crypto/sha1.html. Since then several things
54# have changed that made it interesting again:
55#
56# a) XMM units became faster and wider;
57# b) instruction set became more versatile;
58# c) an important observation was made by Max Locktykhin, which made
59# it possible to reduce amount of instructions required to perform
60# the operation in question, for further details see
61# http://software.intel.com/en-us/articles/improving-the-performance-of-the-secure-hash-algorithm-1/.
62
63# April 2011.
64#
65# Add AVX code path, probably most controversial... The thing is that
66# switch to AVX alone improves performance by as little as 4% in
67# comparison to SSSE3 code path. But below result doesn't look like
68# 4% improvement... Trouble is that Sandy Bridge decodes 'ro[rl]' as
69# pair of µ-ops, and it's the additional µ-ops, two per round, that
70# make it run slower than Core2 and Westmere. But 'sh[rl]d' is decoded
71# as single µ-op by Sandy Bridge and it's replacing 'ro[rl]' with
72# equivalent 'sh[rl]d' that is responsible for the impressive 5.1
73# cycles per processed byte. But 'sh[rl]d' is not something that used
74# to be fast, nor does it appear to be fast in upcoming Bulldozer
75# [according to its optimization manual]. Which is why AVX code path
76# is guarded by *both* AVX and synthetic bit denoting Intel CPUs.
77# One can argue that it's unfair to AMD, but without 'sh[rl]d' it
78# makes no sense to keep the AVX code path. If somebody feels that
79# strongly, it's probably more appropriate to discuss possibility of
80# using vector rotate XOP on AMD...
81
82######################################################################
83# Current performance is summarized in following table. Numbers are
84# CPU clock cycles spent to process single byte (less is better).
85#
86# x86 SSSE3 AVX
87# Pentium 15.7 -
88# PIII 11.5 -
89# P4 10.6 -
90# AMD K8 7.1 -
91# Core2 7.3 6.1/+20% -
92# Atom 12.5 9.5(*)/+32% -
93# Westmere 7.3 5.6/+30% -
94# Sandy Bridge 8.8 6.2/+40% 5.1(**)/+70%
95#
96# (*) Loop is 1056 instructions long and expected result is ~8.25.
97# It remains mystery [to me] why ILP is limited to 1.7.
98#
99# (**) As per above comment, the result is for AVX *plus* sh[rl]d.
100
34$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; 101$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
35push(@INC,"${dir}","${dir}../../perlasm"); 102push(@INC,"${dir}","${dir}../../perlasm");
36require "x86asm.pl"; 103require "x86asm.pl";
37 104
38&asm_init($ARGV[0],"sha1-586.pl",$ARGV[$#ARGV] eq "386"); 105&asm_init($ARGV[0],"sha1-586.pl",$ARGV[$#ARGV] eq "386");
39 106
107$xmm=$ymm=0;
108for (@ARGV) { $xmm=1 if (/-DOPENSSL_IA32_SSE2/); }
109
110$ymm=1 if ($xmm &&
111 `$ENV{CC} -Wa,-v -c -o /dev/null -x assembler /dev/null 2>&1`
112 =~ /GNU assembler version ([2-9]\.[0-9]+)/ &&
113 $1>=2.19); # first version supporting AVX
114
115$ymm=1 if ($xmm && !$ymm && $ARGV[0] eq "win32n" &&
116 `nasm -v 2>&1` =~ /NASM version ([2-9]\.[0-9]+)/ &&
117 $1>=2.03); # first version supporting AVX
118
119&external_label("OPENSSL_ia32cap_P") if ($xmm);
120
121
40$A="eax"; 122$A="eax";
41$B="ebx"; 123$B="ebx";
42$C="ecx"; 124$C="ecx";
@@ -47,6 +129,10 @@ $tmp1="ebp";
47 129
48@V=($A,$B,$C,$D,$E,$T); 130@V=($A,$B,$C,$D,$E,$T);
49 131
132$alt=0; # 1 denotes alternative IALU implementation, which performs
133 # 8% *worse* on P4, same on Westmere and Atom, 2% better on
134 # Sandy Bridge...
135
50sub BODY_00_15 136sub BODY_00_15
51 { 137 {
52 local($n,$a,$b,$c,$d,$e,$f)=@_; 138 local($n,$a,$b,$c,$d,$e,$f)=@_;
@@ -59,16 +145,18 @@ sub BODY_00_15
59 &rotl($tmp1,5); # tmp1=ROTATE(a,5) 145 &rotl($tmp1,5); # tmp1=ROTATE(a,5)
60 &xor($f,$d); 146 &xor($f,$d);
61 &add($tmp1,$e); # tmp1+=e; 147 &add($tmp1,$e); # tmp1+=e;
62 &and($f,$b); 148 &mov($e,&swtmp($n%16)); # e becomes volatile and is loaded
63 &mov($e,&swtmp($n%16)); # e becomes volatile and is loaded
64 # with xi, also note that e becomes 149 # with xi, also note that e becomes
65 # f in next round... 150 # f in next round...
66 &xor($f,$d); # f holds F_00_19(b,c,d) 151 &and($f,$b);
67 &rotr($b,2); # b=ROTATE(b,30) 152 &rotr($b,2); # b=ROTATE(b,30)
68 &lea($tmp1,&DWP(0x5a827999,$tmp1,$e)); # tmp1+=K_00_19+xi 153 &xor($f,$d); # f holds F_00_19(b,c,d)
154 &lea($tmp1,&DWP(0x5a827999,$tmp1,$e)); # tmp1+=K_00_19+xi
69 155
70 if ($n==15) { &add($f,$tmp1); } # f+=tmp1 156 if ($n==15) { &mov($e,&swtmp(($n+1)%16));# pre-fetch f for next round
157 &add($f,$tmp1); } # f+=tmp1
71 else { &add($tmp1,$f); } # f becomes a in next round 158 else { &add($tmp1,$f); } # f becomes a in next round
159 &mov($tmp1,$a) if ($alt && $n==15);
72 } 160 }
73 161
74sub BODY_16_19 162sub BODY_16_19
@@ -77,22 +165,41 @@ sub BODY_16_19
77 165
78 &comment("16_19 $n"); 166 &comment("16_19 $n");
79 167
80 &mov($f,&swtmp($n%16)); # f to hold Xupdate(xi,xa,xb,xc,xd) 168if ($alt) {
81 &mov($tmp1,$c); # tmp1 to hold F_00_19(b,c,d) 169 &xor($c,$d);
82 &xor($f,&swtmp(($n+2)%16)); 170 &xor($f,&swtmp(($n+2)%16)); # f to hold Xupdate(xi,xa,xb,xc,xd)
83 &xor($tmp1,$d); 171 &and($tmp1,$c); # tmp1 to hold F_00_19(b,c,d), b&=c^d
84 &xor($f,&swtmp(($n+8)%16)); 172 &xor($f,&swtmp(($n+8)%16));
85 &and($tmp1,$b); # tmp1 holds F_00_19(b,c,d) 173 &xor($tmp1,$d); # tmp1=F_00_19(b,c,d)
86 &rotr($b,2); # b=ROTATE(b,30) 174 &xor($f,&swtmp(($n+13)%16)); # f holds xa^xb^xc^xd
175 &rotl($f,1); # f=ROTATE(f,1)
176 &add($e,$tmp1); # e+=F_00_19(b,c,d)
177 &xor($c,$d); # restore $c
178 &mov($tmp1,$a); # b in next round
179 &rotr($b,$n==16?2:7); # b=ROTATE(b,30)
180 &mov(&swtmp($n%16),$f); # xi=f
181 &rotl($a,5); # ROTATE(a,5)
182 &lea($f,&DWP(0x5a827999,$f,$e));# f+=F_00_19(b,c,d)+e
183 &mov($e,&swtmp(($n+1)%16)); # pre-fetch f for next round
184 &add($f,$a); # f+=ROTATE(a,5)
185} else {
186 &mov($tmp1,$c); # tmp1 to hold F_00_19(b,c,d)
187 &xor($f,&swtmp(($n+2)%16)); # f to hold Xupdate(xi,xa,xb,xc,xd)
188 &xor($tmp1,$d);
189 &xor($f,&swtmp(($n+8)%16));
190 &and($tmp1,$b);
87 &xor($f,&swtmp(($n+13)%16)); # f holds xa^xb^xc^xd 191 &xor($f,&swtmp(($n+13)%16)); # f holds xa^xb^xc^xd
88 &rotl($f,1); # f=ROTATE(f,1) 192 &rotl($f,1); # f=ROTATE(f,1)
89 &xor($tmp1,$d); # tmp1=F_00_19(b,c,d) 193 &xor($tmp1,$d); # tmp1=F_00_19(b,c,d)
90 &mov(&swtmp($n%16),$f); # xi=f 194 &add($e,$tmp1); # e+=F_00_19(b,c,d)
91 &lea($f,&DWP(0x5a827999,$f,$e));# f+=K_00_19+e 195 &mov($tmp1,$a);
92 &mov($e,$a); # e becomes volatile 196 &rotr($b,2); # b=ROTATE(b,30)
93 &rotl($e,5); # e=ROTATE(a,5) 197 &mov(&swtmp($n%16),$f); # xi=f
94 &add($f,$tmp1); # f+=F_00_19(b,c,d) 198 &rotl($tmp1,5); # ROTATE(a,5)
95 &add($f,$e); # f+=ROTATE(a,5) 199 &lea($f,&DWP(0x5a827999,$f,$e));# f+=F_00_19(b,c,d)+e
200 &mov($e,&swtmp(($n+1)%16)); # pre-fetch f for next round
201 &add($f,$tmp1); # f+=ROTATE(a,5)
202}
96 } 203 }
97 204
98sub BODY_20_39 205sub BODY_20_39
@@ -102,21 +209,41 @@ sub BODY_20_39
102 209
103 &comment("20_39 $n"); 210 &comment("20_39 $n");
104 211
212if ($alt) {
213 &xor($tmp1,$c); # tmp1 to hold F_20_39(b,c,d), b^=c
214 &xor($f,&swtmp(($n+2)%16)); # f to hold Xupdate(xi,xa,xb,xc,xd)
215 &xor($tmp1,$d); # tmp1 holds F_20_39(b,c,d)
216 &xor($f,&swtmp(($n+8)%16));
217 &add($e,$tmp1); # e+=F_20_39(b,c,d)
218 &xor($f,&swtmp(($n+13)%16)); # f holds xa^xb^xc^xd
219 &rotl($f,1); # f=ROTATE(f,1)
220 &mov($tmp1,$a); # b in next round
221 &rotr($b,7); # b=ROTATE(b,30)
222 &mov(&swtmp($n%16),$f) if($n<77);# xi=f
223 &rotl($a,5); # ROTATE(a,5)
224 &xor($b,$c) if($n==39);# warm up for BODY_40_59
225 &and($tmp1,$b) if($n==39);
226 &lea($f,&DWP($K,$f,$e)); # f+=e+K_XX_YY
227 &mov($e,&swtmp(($n+1)%16)) if($n<79);# pre-fetch f for next round
228 &add($f,$a); # f+=ROTATE(a,5)
229 &rotr($a,5) if ($n==79);
230} else {
105 &mov($tmp1,$b); # tmp1 to hold F_20_39(b,c,d) 231 &mov($tmp1,$b); # tmp1 to hold F_20_39(b,c,d)
106 &mov($f,&swtmp($n%16)); # f to hold Xupdate(xi,xa,xb,xc,xd) 232 &xor($f,&swtmp(($n+2)%16)); # f to hold Xupdate(xi,xa,xb,xc,xd)
107 &rotr($b,2); # b=ROTATE(b,30)
108 &xor($f,&swtmp(($n+2)%16));
109 &xor($tmp1,$c); 233 &xor($tmp1,$c);
110 &xor($f,&swtmp(($n+8)%16)); 234 &xor($f,&swtmp(($n+8)%16));
111 &xor($tmp1,$d); # tmp1 holds F_20_39(b,c,d) 235 &xor($tmp1,$d); # tmp1 holds F_20_39(b,c,d)
112 &xor($f,&swtmp(($n+13)%16)); # f holds xa^xb^xc^xd 236 &xor($f,&swtmp(($n+13)%16)); # f holds xa^xb^xc^xd
113 &rotl($f,1); # f=ROTATE(f,1) 237 &rotl($f,1); # f=ROTATE(f,1)
114 &add($tmp1,$e); 238 &add($e,$tmp1); # e+=F_20_39(b,c,d)
115 &mov(&swtmp($n%16),$f); # xi=f 239 &rotr($b,2); # b=ROTATE(b,30)
116 &mov($e,$a); # e becomes volatile 240 &mov($tmp1,$a);
117 &rotl($e,5); # e=ROTATE(a,5) 241 &rotl($tmp1,5); # ROTATE(a,5)
118 &lea($f,&DWP($K,$f,$tmp1)); # f+=K_20_39+e 242 &mov(&swtmp($n%16),$f) if($n<77);# xi=f
119 &add($f,$e); # f+=ROTATE(a,5) 243 &lea($f,&DWP($K,$f,$e)); # f+=e+K_XX_YY
244 &mov($e,&swtmp(($n+1)%16)) if($n<79);# pre-fetch f for next round
245 &add($f,$tmp1); # f+=ROTATE(a,5)
246}
120 } 247 }
121 248
122sub BODY_40_59 249sub BODY_40_59
@@ -125,41 +252,86 @@ sub BODY_40_59
125 252
126 &comment("40_59 $n"); 253 &comment("40_59 $n");
127 254
128 &mov($f,&swtmp($n%16)); # f to hold Xupdate(xi,xa,xb,xc,xd) 255if ($alt) {
129 &mov($tmp1,&swtmp(($n+2)%16)); 256 &add($e,$tmp1); # e+=b&(c^d)
130 &xor($f,$tmp1); 257 &xor($f,&swtmp(($n+2)%16)); # f to hold Xupdate(xi,xa,xb,xc,xd)
131 &mov($tmp1,&swtmp(($n+8)%16)); 258 &mov($tmp1,$d);
132 &xor($f,$tmp1); 259 &xor($f,&swtmp(($n+8)%16));
133 &mov($tmp1,&swtmp(($n+13)%16)); 260 &xor($c,$d); # restore $c
134 &xor($f,$tmp1); # f holds xa^xb^xc^xd 261 &xor($f,&swtmp(($n+13)%16)); # f holds xa^xb^xc^xd
135 &mov($tmp1,$b); # tmp1 to hold F_40_59(b,c,d)
136 &rotl($f,1); # f=ROTATE(f,1) 262 &rotl($f,1); # f=ROTATE(f,1)
137 &or($tmp1,$c); 263 &and($tmp1,$c);
138 &mov(&swtmp($n%16),$f); # xi=f 264 &rotr($b,7); # b=ROTATE(b,30)
139 &and($tmp1,$d); 265 &add($e,$tmp1); # e+=c&d
140 &lea($f,&DWP(0x8f1bbcdc,$f,$e));# f+=K_40_59+e 266 &mov($tmp1,$a); # b in next round
141 &mov($e,$b); # e becomes volatile and is used 267 &mov(&swtmp($n%16),$f); # xi=f
142 # to calculate F_40_59(b,c,d) 268 &rotl($a,5); # ROTATE(a,5)
269 &xor($b,$c) if ($n<59);
270 &and($tmp1,$b) if ($n<59);# tmp1 to hold F_40_59(b,c,d)
271 &lea($f,&DWP(0x8f1bbcdc,$f,$e));# f+=K_40_59+e+(b&(c^d))
272 &mov($e,&swtmp(($n+1)%16)); # pre-fetch f for next round
273 &add($f,$a); # f+=ROTATE(a,5)
274} else {
275 &mov($tmp1,$c); # tmp1 to hold F_40_59(b,c,d)
276 &xor($f,&swtmp(($n+2)%16)); # f to hold Xupdate(xi,xa,xb,xc,xd)
277 &xor($tmp1,$d);
278 &xor($f,&swtmp(($n+8)%16));
279 &and($tmp1,$b);
280 &xor($f,&swtmp(($n+13)%16)); # f holds xa^xb^xc^xd
281 &rotl($f,1); # f=ROTATE(f,1)
282 &add($tmp1,$e); # b&(c^d)+=e
143 &rotr($b,2); # b=ROTATE(b,30) 283 &rotr($b,2); # b=ROTATE(b,30)
144 &and($e,$c); 284 &mov($e,$a); # e becomes volatile
145 &or($tmp1,$e); # tmp1 holds F_40_59(b,c,d) 285 &rotl($e,5); # ROTATE(a,5)
146 &mov($e,$a); 286 &mov(&swtmp($n%16),$f); # xi=f
147 &rotl($e,5); # e=ROTATE(a,5) 287 &lea($f,&DWP(0x8f1bbcdc,$f,$tmp1));# f+=K_40_59+e+(b&(c^d))
148 &add($f,$tmp1); # f+=tmp1; 288 &mov($tmp1,$c);
149 &add($f,$e); # f+=ROTATE(a,5) 289 &add($f,$e); # f+=ROTATE(a,5)
290 &and($tmp1,$d);
291 &mov($e,&swtmp(($n+1)%16)); # pre-fetch f for next round
292 &add($f,$tmp1); # f+=c&d
293}
150 } 294 }
151 295
152&function_begin("sha1_block_data_order"); 296&function_begin("sha1_block_data_order");
297if ($xmm) {
298 &static_label("ssse3_shortcut");
299 &static_label("avx_shortcut") if ($ymm);
300 &static_label("K_XX_XX");
301
302 &call (&label("pic_point")); # make it PIC!
303 &set_label("pic_point");
304 &blindpop($tmp1);
305 &picmeup($T,"OPENSSL_ia32cap_P",$tmp1,&label("pic_point"));
306 &lea ($tmp1,&DWP(&label("K_XX_XX")."-".&label("pic_point"),$tmp1));
307
308 &mov ($A,&DWP(0,$T));
309 &mov ($D,&DWP(4,$T));
310 &test ($D,1<<9); # check SSSE3 bit
311 &jz (&label("x86"));
312 &test ($A,1<<24); # check FXSR bit
313 &jz (&label("x86"));
314 if ($ymm) {
315 &and ($D,1<<28); # mask AVX bit
316 &and ($A,1<<30); # mask "Intel CPU" bit
317 &or ($A,$D);
318 &cmp ($A,1<<28|1<<30);
319 &je (&label("avx_shortcut"));
320 }
321 &jmp (&label("ssse3_shortcut"));
322 &set_label("x86",16);
323}
153 &mov($tmp1,&wparam(0)); # SHA_CTX *c 324 &mov($tmp1,&wparam(0)); # SHA_CTX *c
154 &mov($T,&wparam(1)); # const void *input 325 &mov($T,&wparam(1)); # const void *input
155 &mov($A,&wparam(2)); # size_t num 326 &mov($A,&wparam(2)); # size_t num
156 &stack_push(16); # allocate X[16] 327 &stack_push(16+3); # allocate X[16]
157 &shl($A,6); 328 &shl($A,6);
158 &add($A,$T); 329 &add($A,$T);
159 &mov(&wparam(2),$A); # pointer beyond the end of input 330 &mov(&wparam(2),$A); # pointer beyond the end of input
160 &mov($E,&DWP(16,$tmp1));# pre-load E 331 &mov($E,&DWP(16,$tmp1));# pre-load E
332 &jmp(&label("loop"));
161 333
162 &set_label("loop",16); 334&set_label("loop",16);
163 335
164 # copy input chunk to X, but reversing byte order! 336 # copy input chunk to X, but reversing byte order!
165 for ($i=0; $i<16; $i+=4) 337 for ($i=0; $i<16; $i+=4)
@@ -213,8 +385,845 @@ sub BODY_40_59
213 &mov(&DWP(16,$tmp1),$C); 385 &mov(&DWP(16,$tmp1),$C);
214 &jb(&label("loop")); 386 &jb(&label("loop"));
215 387
216 &stack_pop(16); 388 &stack_pop(16+3);
217&function_end("sha1_block_data_order"); 389&function_end("sha1_block_data_order");
390
391if ($xmm) {
392######################################################################
393# The SSSE3 implementation.
394#
395# %xmm[0-7] are used as ring @X[] buffer containing quadruples of last
396# 32 elements of the message schedule or Xupdate outputs. First 4
397# quadruples are simply byte-swapped input, next 4 are calculated
398# according to method originally suggested by Dean Gaudet (modulo
399# being implemented in SSSE3). Once 8 quadruples or 32 elements are
400# collected, it switches to routine proposed by Max Locktyukhin.
401#
402# Calculations inevitably require temporary reqisters, and there are
403# no %xmm registers left to spare. For this reason part of the ring
404# buffer, X[2..4] to be specific, is offloaded to 3 quadriples ring
405# buffer on the stack. Keep in mind that X[2] is alias X[-6], X[3] -
406# X[-5], and X[4] - X[-4]...
407#
408# Another notable optimization is aggressive stack frame compression
409# aiming to minimize amount of 9-byte instructions...
410#
411# Yet another notable optimization is "jumping" $B variable. It means
412# that there is no register permanently allocated for $B value. This
413# allowed to eliminate one instruction from body_20_39...
414#
415my $Xi=4; # 4xSIMD Xupdate round, start pre-seeded
416my @X=map("xmm$_",(4..7,0..3)); # pre-seeded for $Xi=4
417my @V=($A,$B,$C,$D,$E);
418my $j=0; # hash round
419my @T=($T,$tmp1);
420my $inp;
421
422my $_rol=sub { &rol(@_) };
423my $_ror=sub { &ror(@_) };
424
425&function_begin("_sha1_block_data_order_ssse3");
426 &call (&label("pic_point")); # make it PIC!
427 &set_label("pic_point");
428 &blindpop($tmp1);
429 &lea ($tmp1,&DWP(&label("K_XX_XX")."-".&label("pic_point"),$tmp1));
430&set_label("ssse3_shortcut");
431
432 &movdqa (@X[3],&QWP(0,$tmp1)); # K_00_19
433 &movdqa (@X[4],&QWP(16,$tmp1)); # K_20_39
434 &movdqa (@X[5],&QWP(32,$tmp1)); # K_40_59
435 &movdqa (@X[6],&QWP(48,$tmp1)); # K_60_79
436 &movdqa (@X[2],&QWP(64,$tmp1)); # pbswap mask
437
438 &mov ($E,&wparam(0)); # load argument block
439 &mov ($inp=@T[1],&wparam(1));
440 &mov ($D,&wparam(2));
441 &mov (@T[0],"esp");
442
443 # stack frame layout
444 #
445 # +0 X[0]+K X[1]+K X[2]+K X[3]+K # XMM->IALU xfer area
446 # X[4]+K X[5]+K X[6]+K X[7]+K
447 # X[8]+K X[9]+K X[10]+K X[11]+K
448 # X[12]+K X[13]+K X[14]+K X[15]+K
449 #
450 # +64 X[0] X[1] X[2] X[3] # XMM->XMM backtrace area
451 # X[4] X[5] X[6] X[7]
452 # X[8] X[9] X[10] X[11] # even borrowed for K_00_19
453 #
454 # +112 K_20_39 K_20_39 K_20_39 K_20_39 # constants
455 # K_40_59 K_40_59 K_40_59 K_40_59
456 # K_60_79 K_60_79 K_60_79 K_60_79
457 # K_00_19 K_00_19 K_00_19 K_00_19
458 # pbswap mask
459 #
460 # +192 ctx # argument block
461 # +196 inp
462 # +200 end
463 # +204 esp
464 &sub ("esp",208);
465 &and ("esp",-64);
466
467 &movdqa (&QWP(112+0,"esp"),@X[4]); # copy constants
468 &movdqa (&QWP(112+16,"esp"),@X[5]);
469 &movdqa (&QWP(112+32,"esp"),@X[6]);
470 &shl ($D,6); # len*64
471 &movdqa (&QWP(112+48,"esp"),@X[3]);
472 &add ($D,$inp); # end of input
473 &movdqa (&QWP(112+64,"esp"),@X[2]);
474 &add ($inp,64);
475 &mov (&DWP(192+0,"esp"),$E); # save argument block
476 &mov (&DWP(192+4,"esp"),$inp);
477 &mov (&DWP(192+8,"esp"),$D);
478 &mov (&DWP(192+12,"esp"),@T[0]); # save original %esp
479
480 &mov ($A,&DWP(0,$E)); # load context
481 &mov ($B,&DWP(4,$E));
482 &mov ($C,&DWP(8,$E));
483 &mov ($D,&DWP(12,$E));
484 &mov ($E,&DWP(16,$E));
485 &mov (@T[0],$B); # magic seed
486
487 &movdqu (@X[-4&7],&QWP(-64,$inp)); # load input to %xmm[0-3]
488 &movdqu (@X[-3&7],&QWP(-48,$inp));
489 &movdqu (@X[-2&7],&QWP(-32,$inp));
490 &movdqu (@X[-1&7],&QWP(-16,$inp));
491 &pshufb (@X[-4&7],@X[2]); # byte swap
492 &pshufb (@X[-3&7],@X[2]);
493 &pshufb (@X[-2&7],@X[2]);
494 &movdqa (&QWP(112-16,"esp"),@X[3]); # borrow last backtrace slot
495 &pshufb (@X[-1&7],@X[2]);
496 &paddd (@X[-4&7],@X[3]); # add K_00_19
497 &paddd (@X[-3&7],@X[3]);
498 &paddd (@X[-2&7],@X[3]);
499 &movdqa (&QWP(0,"esp"),@X[-4&7]); # X[]+K xfer to IALU
500 &psubd (@X[-4&7],@X[3]); # restore X[]
501 &movdqa (&QWP(0+16,"esp"),@X[-3&7]);
502 &psubd (@X[-3&7],@X[3]);
503 &movdqa (&QWP(0+32,"esp"),@X[-2&7]);
504 &psubd (@X[-2&7],@X[3]);
505 &movdqa (@X[0],@X[-3&7]);
506 &jmp (&label("loop"));
507
508######################################################################
509# SSE instruction sequence is first broken to groups of indepentent
510# instructions, independent in respect to their inputs and shifter
511# (not all architectures have more than one). Then IALU instructions
512# are "knitted in" between the SSE groups. Distance is maintained for
513# SSE latency of 2 in hope that it fits better upcoming AMD Bulldozer
514# [which allegedly also implements SSSE3]...
515#
516# Temporary registers usage. X[2] is volatile at the entry and at the
517# end is restored from backtrace ring buffer. X[3] is expected to
518# contain current K_XX_XX constant and is used to caclulate X[-1]+K
519# from previous round, it becomes volatile the moment the value is
520# saved to stack for transfer to IALU. X[4] becomes volatile whenever
521# X[-4] is accumulated and offloaded to backtrace ring buffer, at the
522# end it is loaded with next K_XX_XX [which becomes X[3] in next
523# round]...
524#
525sub Xupdate_ssse3_16_31() # recall that $Xi starts wtih 4
526{ use integer;
527 my $body = shift;
528 my @insns = (&$body,&$body,&$body,&$body); # 40 instructions
529 my ($a,$b,$c,$d,$e);
530
531 eval(shift(@insns));
532 eval(shift(@insns));
533 &palignr(@X[0],@X[-4&7],8); # compose "X[-14]" in "X[0]"
534 &movdqa (@X[2],@X[-1&7]);
535 eval(shift(@insns));
536 eval(shift(@insns));
537
538 &paddd (@X[3],@X[-1&7]);
539 &movdqa (&QWP(64+16*(($Xi-4)%3),"esp"),@X[-4&7]);# save X[] to backtrace buffer
540 eval(shift(@insns));
541 eval(shift(@insns));
542 &psrldq (@X[2],4); # "X[-3]", 3 dwords
543 eval(shift(@insns));
544 eval(shift(@insns));
545 &pxor (@X[0],@X[-4&7]); # "X[0]"^="X[-16]"
546 eval(shift(@insns));
547 eval(shift(@insns));
548
549 &pxor (@X[2],@X[-2&7]); # "X[-3]"^"X[-8]"
550 eval(shift(@insns));
551 eval(shift(@insns));
552 eval(shift(@insns));
553 eval(shift(@insns));
554
555 &pxor (@X[0],@X[2]); # "X[0]"^="X[-3]"^"X[-8]"
556 eval(shift(@insns));
557 eval(shift(@insns));
558 &movdqa (&QWP(0+16*(($Xi-1)&3),"esp"),@X[3]); # X[]+K xfer to IALU
559 eval(shift(@insns));
560 eval(shift(@insns));
561
562 &movdqa (@X[4],@X[0]);
563 &movdqa (@X[2],@X[0]);
564 eval(shift(@insns));
565 eval(shift(@insns));
566 eval(shift(@insns));
567 eval(shift(@insns));
568
569 &pslldq (@X[4],12); # "X[0]"<<96, extract one dword
570 &paddd (@X[0],@X[0]);
571 eval(shift(@insns));
572 eval(shift(@insns));
573 eval(shift(@insns));
574 eval(shift(@insns));
575
576 &psrld (@X[2],31);
577 eval(shift(@insns));
578 eval(shift(@insns));
579 &movdqa (@X[3],@X[4]);
580 eval(shift(@insns));
581 eval(shift(@insns));
582
583 &psrld (@X[4],30);
584 &por (@X[0],@X[2]); # "X[0]"<<<=1
585 eval(shift(@insns));
586 eval(shift(@insns));
587 &movdqa (@X[2],&QWP(64+16*(($Xi-6)%3),"esp")) if ($Xi>5); # restore X[] from backtrace buffer
588 eval(shift(@insns));
589 eval(shift(@insns));
590
591 &pslld (@X[3],2);
592 &pxor (@X[0],@X[4]);
593 eval(shift(@insns));
594 eval(shift(@insns));
595 &movdqa (@X[4],&QWP(112-16+16*(($Xi)/5),"esp")); # K_XX_XX
596 eval(shift(@insns));
597 eval(shift(@insns));
598
599 &pxor (@X[0],@X[3]); # "X[0]"^=("X[0]"<<96)<<<2
600 &movdqa (@X[1],@X[-2&7]) if ($Xi<7);
601 eval(shift(@insns));
602 eval(shift(@insns));
603
604 foreach (@insns) { eval; } # remaining instructions [if any]
605
606 $Xi++; push(@X,shift(@X)); # "rotate" X[]
607}
608
609sub Xupdate_ssse3_32_79()
610{ use integer;
611 my $body = shift;
612 my @insns = (&$body,&$body,&$body,&$body); # 32 to 48 instructions
613 my ($a,$b,$c,$d,$e);
614
615 &movdqa (@X[2],@X[-1&7]) if ($Xi==8);
616 eval(shift(@insns)); # body_20_39
617 &pxor (@X[0],@X[-4&7]); # "X[0]"="X[-32]"^"X[-16]"
618 &palignr(@X[2],@X[-2&7],8); # compose "X[-6]"
619 eval(shift(@insns));
620 eval(shift(@insns));
621 eval(shift(@insns)); # rol
622
623 &pxor (@X[0],@X[-7&7]); # "X[0]"^="X[-28]"
624 &movdqa (&QWP(64+16*(($Xi-4)%3),"esp"),@X[-4&7]); # save X[] to backtrace buffer
625 eval(shift(@insns));
626 eval(shift(@insns));
627 if ($Xi%5) {
628 &movdqa (@X[4],@X[3]); # "perpetuate" K_XX_XX...
629 } else { # ... or load next one
630 &movdqa (@X[4],&QWP(112-16+16*($Xi/5),"esp"));
631 }
632 &paddd (@X[3],@X[-1&7]);
633 eval(shift(@insns)); # ror
634 eval(shift(@insns));
635
636 &pxor (@X[0],@X[2]); # "X[0]"^="X[-6]"
637 eval(shift(@insns)); # body_20_39
638 eval(shift(@insns));
639 eval(shift(@insns));
640 eval(shift(@insns)); # rol
641
642 &movdqa (@X[2],@X[0]);
643 &movdqa (&QWP(0+16*(($Xi-1)&3),"esp"),@X[3]); # X[]+K xfer to IALU
644 eval(shift(@insns));
645 eval(shift(@insns));
646 eval(shift(@insns)); # ror
647 eval(shift(@insns));
648
649 &pslld (@X[0],2);
650 eval(shift(@insns)); # body_20_39
651 eval(shift(@insns));
652 &psrld (@X[2],30);
653 eval(shift(@insns));
654 eval(shift(@insns)); # rol
655 eval(shift(@insns));
656 eval(shift(@insns));
657 eval(shift(@insns)); # ror
658 eval(shift(@insns));
659
660 &por (@X[0],@X[2]); # "X[0]"<<<=2
661 eval(shift(@insns)); # body_20_39
662 eval(shift(@insns));
663 &movdqa (@X[2],&QWP(64+16*(($Xi-6)%3),"esp")) if($Xi<19); # restore X[] from backtrace buffer
664 eval(shift(@insns));
665 eval(shift(@insns)); # rol
666 eval(shift(@insns));
667 eval(shift(@insns));
668 eval(shift(@insns)); # ror
669 &movdqa (@X[3],@X[0]) if ($Xi<19);
670 eval(shift(@insns));
671
672 foreach (@insns) { eval; } # remaining instructions
673
674 $Xi++; push(@X,shift(@X)); # "rotate" X[]
675}
676
677sub Xuplast_ssse3_80()
678{ use integer;
679 my $body = shift;
680 my @insns = (&$body,&$body,&$body,&$body); # 32 instructions
681 my ($a,$b,$c,$d,$e);
682
683 eval(shift(@insns));
684 &paddd (@X[3],@X[-1&7]);
685 eval(shift(@insns));
686 eval(shift(@insns));
687 eval(shift(@insns));
688 eval(shift(@insns));
689
690 &movdqa (&QWP(0+16*(($Xi-1)&3),"esp"),@X[3]); # X[]+K xfer IALU
691
692 foreach (@insns) { eval; } # remaining instructions
693
694 &mov ($inp=@T[1],&DWP(192+4,"esp"));
695 &cmp ($inp,&DWP(192+8,"esp"));
696 &je (&label("done"));
697
698 &movdqa (@X[3],&QWP(112+48,"esp")); # K_00_19
699 &movdqa (@X[2],&QWP(112+64,"esp")); # pbswap mask
700 &movdqu (@X[-4&7],&QWP(0,$inp)); # load input
701 &movdqu (@X[-3&7],&QWP(16,$inp));
702 &movdqu (@X[-2&7],&QWP(32,$inp));
703 &movdqu (@X[-1&7],&QWP(48,$inp));
704 &add ($inp,64);
705 &pshufb (@X[-4&7],@X[2]); # byte swap
706 &mov (&DWP(192+4,"esp"),$inp);
707 &movdqa (&QWP(112-16,"esp"),@X[3]); # borrow last backtrace slot
708
709 $Xi=0;
710}
711
712sub Xloop_ssse3()
713{ use integer;
714 my $body = shift;
715 my @insns = (&$body,&$body,&$body,&$body); # 32 instructions
716 my ($a,$b,$c,$d,$e);
717
718 eval(shift(@insns));
719 eval(shift(@insns));
720 &pshufb (@X[($Xi-3)&7],@X[2]);
721 eval(shift(@insns));
722 eval(shift(@insns));
723 &paddd (@X[($Xi-4)&7],@X[3]);
724 eval(shift(@insns));
725 eval(shift(@insns));
726 eval(shift(@insns));
727 eval(shift(@insns));
728 &movdqa (&QWP(0+16*$Xi,"esp"),@X[($Xi-4)&7]); # X[]+K xfer to IALU
729 eval(shift(@insns));
730 eval(shift(@insns));
731 &psubd (@X[($Xi-4)&7],@X[3]);
732
733 foreach (@insns) { eval; }
734 $Xi++;
735}
736
737sub Xtail_ssse3()
738{ use integer;
739 my $body = shift;
740 my @insns = (&$body,&$body,&$body,&$body); # 32 instructions
741 my ($a,$b,$c,$d,$e);
742
743 foreach (@insns) { eval; }
744}
745
746sub body_00_19 () {
747 (
748 '($a,$b,$c,$d,$e)=@V;'.
749 '&add ($e,&DWP(4*($j&15),"esp"));', # X[]+K xfer
750 '&xor ($c,$d);',
751 '&mov (@T[1],$a);', # $b in next round
752 '&$_rol ($a,5);',
753 '&and (@T[0],$c);', # ($b&($c^$d))
754 '&xor ($c,$d);', # restore $c
755 '&xor (@T[0],$d);',
756 '&add ($e,$a);',
757 '&$_ror ($b,$j?7:2);', # $b>>>2
758 '&add ($e,@T[0]);' .'$j++; unshift(@V,pop(@V)); unshift(@T,pop(@T));'
759 );
760}
761
762sub body_20_39 () {
763 (
764 '($a,$b,$c,$d,$e)=@V;'.
765 '&add ($e,&DWP(4*($j++&15),"esp"));', # X[]+K xfer
766 '&xor (@T[0],$d);', # ($b^$d)
767 '&mov (@T[1],$a);', # $b in next round
768 '&$_rol ($a,5);',
769 '&xor (@T[0],$c);', # ($b^$d^$c)
770 '&add ($e,$a);',
771 '&$_ror ($b,7);', # $b>>>2
772 '&add ($e,@T[0]);' .'unshift(@V,pop(@V)); unshift(@T,pop(@T));'
773 );
774}
775
776sub body_40_59 () {
777 (
778 '($a,$b,$c,$d,$e)=@V;'.
779 '&mov (@T[1],$c);',
780 '&xor ($c,$d);',
781 '&add ($e,&DWP(4*($j++&15),"esp"));', # X[]+K xfer
782 '&and (@T[1],$d);',
783 '&and (@T[0],$c);', # ($b&($c^$d))
784 '&$_ror ($b,7);', # $b>>>2
785 '&add ($e,@T[1]);',
786 '&mov (@T[1],$a);', # $b in next round
787 '&$_rol ($a,5);',
788 '&add ($e,@T[0]);',
789 '&xor ($c,$d);', # restore $c
790 '&add ($e,$a);' .'unshift(@V,pop(@V)); unshift(@T,pop(@T));'
791 );
792}
793
794&set_label("loop",16);
795 &Xupdate_ssse3_16_31(\&body_00_19);
796 &Xupdate_ssse3_16_31(\&body_00_19);
797 &Xupdate_ssse3_16_31(\&body_00_19);
798 &Xupdate_ssse3_16_31(\&body_00_19);
799 &Xupdate_ssse3_32_79(\&body_00_19);
800 &Xupdate_ssse3_32_79(\&body_20_39);
801 &Xupdate_ssse3_32_79(\&body_20_39);
802 &Xupdate_ssse3_32_79(\&body_20_39);
803 &Xupdate_ssse3_32_79(\&body_20_39);
804 &Xupdate_ssse3_32_79(\&body_20_39);
805 &Xupdate_ssse3_32_79(\&body_40_59);
806 &Xupdate_ssse3_32_79(\&body_40_59);
807 &Xupdate_ssse3_32_79(\&body_40_59);
808 &Xupdate_ssse3_32_79(\&body_40_59);
809 &Xupdate_ssse3_32_79(\&body_40_59);
810 &Xupdate_ssse3_32_79(\&body_20_39);
811 &Xuplast_ssse3_80(\&body_20_39); # can jump to "done"
812
813 $saved_j=$j; @saved_V=@V;
814
815 &Xloop_ssse3(\&body_20_39);
816 &Xloop_ssse3(\&body_20_39);
817 &Xloop_ssse3(\&body_20_39);
818
819 &mov (@T[1],&DWP(192,"esp")); # update context
820 &add ($A,&DWP(0,@T[1]));
821 &add (@T[0],&DWP(4,@T[1])); # $b
822 &add ($C,&DWP(8,@T[1]));
823 &mov (&DWP(0,@T[1]),$A);
824 &add ($D,&DWP(12,@T[1]));
825 &mov (&DWP(4,@T[1]),@T[0]);
826 &add ($E,&DWP(16,@T[1]));
827 &mov (&DWP(8,@T[1]),$C);
828 &mov ($B,@T[0]);
829 &mov (&DWP(12,@T[1]),$D);
830 &mov (&DWP(16,@T[1]),$E);
831 &movdqa (@X[0],@X[-3&7]);
832
833 &jmp (&label("loop"));
834
835&set_label("done",16); $j=$saved_j; @V=@saved_V;
836
837 &Xtail_ssse3(\&body_20_39);
838 &Xtail_ssse3(\&body_20_39);
839 &Xtail_ssse3(\&body_20_39);
840
841 &mov (@T[1],&DWP(192,"esp")); # update context
842 &add ($A,&DWP(0,@T[1]));
843 &mov ("esp",&DWP(192+12,"esp")); # restore %esp
844 &add (@T[0],&DWP(4,@T[1])); # $b
845 &add ($C,&DWP(8,@T[1]));
846 &mov (&DWP(0,@T[1]),$A);
847 &add ($D,&DWP(12,@T[1]));
848 &mov (&DWP(4,@T[1]),@T[0]);
849 &add ($E,&DWP(16,@T[1]));
850 &mov (&DWP(8,@T[1]),$C);
851 &mov (&DWP(12,@T[1]),$D);
852 &mov (&DWP(16,@T[1]),$E);
853
854&function_end("_sha1_block_data_order_ssse3");
855
856if ($ymm) {
857my $Xi=4; # 4xSIMD Xupdate round, start pre-seeded
858my @X=map("xmm$_",(4..7,0..3)); # pre-seeded for $Xi=4
859my @V=($A,$B,$C,$D,$E);
860my $j=0; # hash round
861my @T=($T,$tmp1);
862my $inp;
863
864my $_rol=sub { &shld(@_[0],@_) };
865my $_ror=sub { &shrd(@_[0],@_) };
866
867&function_begin("_sha1_block_data_order_avx");
868 &call (&label("pic_point")); # make it PIC!
869 &set_label("pic_point");
870 &blindpop($tmp1);
871 &lea ($tmp1,&DWP(&label("K_XX_XX")."-".&label("pic_point"),$tmp1));
872&set_label("avx_shortcut");
873 &vzeroall();
874
875 &vmovdqa(@X[3],&QWP(0,$tmp1)); # K_00_19
876 &vmovdqa(@X[4],&QWP(16,$tmp1)); # K_20_39
877 &vmovdqa(@X[5],&QWP(32,$tmp1)); # K_40_59
878 &vmovdqa(@X[6],&QWP(48,$tmp1)); # K_60_79
879 &vmovdqa(@X[2],&QWP(64,$tmp1)); # pbswap mask
880
881 &mov ($E,&wparam(0)); # load argument block
882 &mov ($inp=@T[1],&wparam(1));
883 &mov ($D,&wparam(2));
884 &mov (@T[0],"esp");
885
886 # stack frame layout
887 #
888 # +0 X[0]+K X[1]+K X[2]+K X[3]+K # XMM->IALU xfer area
889 # X[4]+K X[5]+K X[6]+K X[7]+K
890 # X[8]+K X[9]+K X[10]+K X[11]+K
891 # X[12]+K X[13]+K X[14]+K X[15]+K
892 #
893 # +64 X[0] X[1] X[2] X[3] # XMM->XMM backtrace area
894 # X[4] X[5] X[6] X[7]
895 # X[8] X[9] X[10] X[11] # even borrowed for K_00_19
896 #
897 # +112 K_20_39 K_20_39 K_20_39 K_20_39 # constants
898 # K_40_59 K_40_59 K_40_59 K_40_59
899 # K_60_79 K_60_79 K_60_79 K_60_79
900 # K_00_19 K_00_19 K_00_19 K_00_19
901 # pbswap mask
902 #
903 # +192 ctx # argument block
904 # +196 inp
905 # +200 end
906 # +204 esp
907 &sub ("esp",208);
908 &and ("esp",-64);
909
910 &vmovdqa(&QWP(112+0,"esp"),@X[4]); # copy constants
911 &vmovdqa(&QWP(112+16,"esp"),@X[5]);
912 &vmovdqa(&QWP(112+32,"esp"),@X[6]);
913 &shl ($D,6); # len*64
914 &vmovdqa(&QWP(112+48,"esp"),@X[3]);
915 &add ($D,$inp); # end of input
916 &vmovdqa(&QWP(112+64,"esp"),@X[2]);
917 &add ($inp,64);
918 &mov (&DWP(192+0,"esp"),$E); # save argument block
919 &mov (&DWP(192+4,"esp"),$inp);
920 &mov (&DWP(192+8,"esp"),$D);
921 &mov (&DWP(192+12,"esp"),@T[0]); # save original %esp
922
923 &mov ($A,&DWP(0,$E)); # load context
924 &mov ($B,&DWP(4,$E));
925 &mov ($C,&DWP(8,$E));
926 &mov ($D,&DWP(12,$E));
927 &mov ($E,&DWP(16,$E));
928 &mov (@T[0],$B); # magic seed
929
930 &vmovdqu(@X[-4&7],&QWP(-64,$inp)); # load input to %xmm[0-3]
931 &vmovdqu(@X[-3&7],&QWP(-48,$inp));
932 &vmovdqu(@X[-2&7],&QWP(-32,$inp));
933 &vmovdqu(@X[-1&7],&QWP(-16,$inp));
934 &vpshufb(@X[-4&7],@X[-4&7],@X[2]); # byte swap
935 &vpshufb(@X[-3&7],@X[-3&7],@X[2]);
936 &vpshufb(@X[-2&7],@X[-2&7],@X[2]);
937 &vmovdqa(&QWP(112-16,"esp"),@X[3]); # borrow last backtrace slot
938 &vpshufb(@X[-1&7],@X[-1&7],@X[2]);
939 &vpaddd (@X[0],@X[-4&7],@X[3]); # add K_00_19
940 &vpaddd (@X[1],@X[-3&7],@X[3]);
941 &vpaddd (@X[2],@X[-2&7],@X[3]);
942 &vmovdqa(&QWP(0,"esp"),@X[0]); # X[]+K xfer to IALU
943 &vmovdqa(&QWP(0+16,"esp"),@X[1]);
944 &vmovdqa(&QWP(0+32,"esp"),@X[2]);
945 &jmp (&label("loop"));
946
947sub Xupdate_avx_16_31() # recall that $Xi starts wtih 4
948{ use integer;
949 my $body = shift;
950 my @insns = (&$body,&$body,&$body,&$body); # 40 instructions
951 my ($a,$b,$c,$d,$e);
952
953 eval(shift(@insns));
954 eval(shift(@insns));
955 &vpalignr(@X[0],@X[-3&7],@X[-4&7],8); # compose "X[-14]" in "X[0]"
956 eval(shift(@insns));
957 eval(shift(@insns));
958
959 &vpaddd (@X[3],@X[3],@X[-1&7]);
960 &vmovdqa (&QWP(64+16*(($Xi-4)%3),"esp"),@X[-4&7]);# save X[] to backtrace buffer
961 eval(shift(@insns));
962 eval(shift(@insns));
963 &vpsrldq(@X[2],@X[-1&7],4); # "X[-3]", 3 dwords
964 eval(shift(@insns));
965 eval(shift(@insns));
966 &vpxor (@X[0],@X[0],@X[-4&7]); # "X[0]"^="X[-16]"
967 eval(shift(@insns));
968 eval(shift(@insns));
969
970 &vpxor (@X[2],@X[2],@X[-2&7]); # "X[-3]"^"X[-8]"
971 eval(shift(@insns));
972 eval(shift(@insns));
973 &vmovdqa (&QWP(0+16*(($Xi-1)&3),"esp"),@X[3]); # X[]+K xfer to IALU
974 eval(shift(@insns));
975 eval(shift(@insns));
976
977 &vpxor (@X[0],@X[0],@X[2]); # "X[0]"^="X[-3]"^"X[-8]"
978 eval(shift(@insns));
979 eval(shift(@insns));
980 eval(shift(@insns));
981 eval(shift(@insns));
982
983 &vpsrld (@X[2],@X[0],31);
984 eval(shift(@insns));
985 eval(shift(@insns));
986 eval(shift(@insns));
987 eval(shift(@insns));
988
989 &vpslldq(@X[4],@X[0],12); # "X[0]"<<96, extract one dword
990 &vpaddd (@X[0],@X[0],@X[0]);
991 eval(shift(@insns));
992 eval(shift(@insns));
993 eval(shift(@insns));
994 eval(shift(@insns));
995
996 &vpsrld (@X[3],@X[4],30);
997 &vpor (@X[0],@X[0],@X[2]); # "X[0]"<<<=1
998 eval(shift(@insns));
999 eval(shift(@insns));
1000 eval(shift(@insns));
1001 eval(shift(@insns));
1002
1003 &vpslld (@X[4],@X[4],2);
1004 &vmovdqa (@X[2],&QWP(64+16*(($Xi-6)%3),"esp")) if ($Xi>5); # restore X[] from backtrace buffer
1005 eval(shift(@insns));
1006 eval(shift(@insns));
1007 &vpxor (@X[0],@X[0],@X[3]);
1008 eval(shift(@insns));
1009 eval(shift(@insns));
1010 eval(shift(@insns));
1011 eval(shift(@insns));
1012
1013 &vpxor (@X[0],@X[0],@X[4]); # "X[0]"^=("X[0]"<<96)<<<2
1014 eval(shift(@insns));
1015 eval(shift(@insns));
1016 &vmovdqa (@X[4],&QWP(112-16+16*(($Xi)/5),"esp")); # K_XX_XX
1017 eval(shift(@insns));
1018 eval(shift(@insns));
1019
1020 foreach (@insns) { eval; } # remaining instructions [if any]
1021
1022 $Xi++; push(@X,shift(@X)); # "rotate" X[]
1023}
1024
1025sub Xupdate_avx_32_79()
1026{ use integer;
1027 my $body = shift;
1028 my @insns = (&$body,&$body,&$body,&$body); # 32 to 48 instructions
1029 my ($a,$b,$c,$d,$e);
1030
1031 &vpalignr(@X[2],@X[-1&7],@X[-2&7],8); # compose "X[-6]"
1032 &vpxor (@X[0],@X[0],@X[-4&7]); # "X[0]"="X[-32]"^"X[-16]"
1033 eval(shift(@insns)); # body_20_39
1034 eval(shift(@insns));
1035 eval(shift(@insns));
1036 eval(shift(@insns)); # rol
1037
1038 &vpxor (@X[0],@X[0],@X[-7&7]); # "X[0]"^="X[-28]"
1039 &vmovdqa (&QWP(64+16*(($Xi-4)%3),"esp"),@X[-4&7]); # save X[] to backtrace buffer
1040 eval(shift(@insns));
1041 eval(shift(@insns));
1042 if ($Xi%5) {
1043 &vmovdqa (@X[4],@X[3]); # "perpetuate" K_XX_XX...
1044 } else { # ... or load next one
1045 &vmovdqa (@X[4],&QWP(112-16+16*($Xi/5),"esp"));
1046 }
1047 &vpaddd (@X[3],@X[3],@X[-1&7]);
1048 eval(shift(@insns)); # ror
1049 eval(shift(@insns));
1050
1051 &vpxor (@X[0],@X[0],@X[2]); # "X[0]"^="X[-6]"
1052 eval(shift(@insns)); # body_20_39
1053 eval(shift(@insns));
1054 eval(shift(@insns));
1055 eval(shift(@insns)); # rol
1056
1057 &vpsrld (@X[2],@X[0],30);
1058 &vmovdqa (&QWP(0+16*(($Xi-1)&3),"esp"),@X[3]); # X[]+K xfer to IALU
1059 eval(shift(@insns));
1060 eval(shift(@insns));
1061 eval(shift(@insns)); # ror
1062 eval(shift(@insns));
1063
1064 &vpslld (@X[0],@X[0],2);
1065 eval(shift(@insns)); # body_20_39
1066 eval(shift(@insns));
1067 eval(shift(@insns));
1068 eval(shift(@insns)); # rol
1069 eval(shift(@insns));
1070 eval(shift(@insns));
1071 eval(shift(@insns)); # ror
1072 eval(shift(@insns));
1073
1074 &vpor (@X[0],@X[0],@X[2]); # "X[0]"<<<=2
1075 eval(shift(@insns)); # body_20_39
1076 eval(shift(@insns));
1077 &vmovdqa (@X[2],&QWP(64+16*(($Xi-6)%3),"esp")) if($Xi<19); # restore X[] from backtrace buffer
1078 eval(shift(@insns));
1079 eval(shift(@insns)); # rol
1080 eval(shift(@insns));
1081 eval(shift(@insns));
1082 eval(shift(@insns)); # ror
1083 eval(shift(@insns));
1084
1085 foreach (@insns) { eval; } # remaining instructions
1086
1087 $Xi++; push(@X,shift(@X)); # "rotate" X[]
1088}
1089
1090sub Xuplast_avx_80()
1091{ use integer;
1092 my $body = shift;
1093 my @insns = (&$body,&$body,&$body,&$body); # 32 instructions
1094 my ($a,$b,$c,$d,$e);
1095
1096 eval(shift(@insns));
1097 &vpaddd (@X[3],@X[3],@X[-1&7]);
1098 eval(shift(@insns));
1099 eval(shift(@insns));
1100 eval(shift(@insns));
1101 eval(shift(@insns));
1102
1103 &vmovdqa (&QWP(0+16*(($Xi-1)&3),"esp"),@X[3]); # X[]+K xfer IALU
1104
1105 foreach (@insns) { eval; } # remaining instructions
1106
1107 &mov ($inp=@T[1],&DWP(192+4,"esp"));
1108 &cmp ($inp,&DWP(192+8,"esp"));
1109 &je (&label("done"));
1110
1111 &vmovdqa(@X[3],&QWP(112+48,"esp")); # K_00_19
1112 &vmovdqa(@X[2],&QWP(112+64,"esp")); # pbswap mask
1113 &vmovdqu(@X[-4&7],&QWP(0,$inp)); # load input
1114 &vmovdqu(@X[-3&7],&QWP(16,$inp));
1115 &vmovdqu(@X[-2&7],&QWP(32,$inp));
1116 &vmovdqu(@X[-1&7],&QWP(48,$inp));
1117 &add ($inp,64);
1118 &vpshufb(@X[-4&7],@X[-4&7],@X[2]); # byte swap
1119 &mov (&DWP(192+4,"esp"),$inp);
1120 &vmovdqa(&QWP(112-16,"esp"),@X[3]); # borrow last backtrace slot
1121
1122 $Xi=0;
1123}
1124
1125sub Xloop_avx()
1126{ use integer;
1127 my $body = shift;
1128 my @insns = (&$body,&$body,&$body,&$body); # 32 instructions
1129 my ($a,$b,$c,$d,$e);
1130
1131 eval(shift(@insns));
1132 eval(shift(@insns));
1133 &vpshufb (@X[($Xi-3)&7],@X[($Xi-3)&7],@X[2]);
1134 eval(shift(@insns));
1135 eval(shift(@insns));
1136 &vpaddd (@X[$Xi&7],@X[($Xi-4)&7],@X[3]);
1137 eval(shift(@insns));
1138 eval(shift(@insns));
1139 eval(shift(@insns));
1140 eval(shift(@insns));
1141 &vmovdqa (&QWP(0+16*$Xi,"esp"),@X[$Xi&7]); # X[]+K xfer to IALU
1142 eval(shift(@insns));
1143 eval(shift(@insns));
1144
1145 foreach (@insns) { eval; }
1146 $Xi++;
1147}
1148
1149sub Xtail_avx()
1150{ use integer;
1151 my $body = shift;
1152 my @insns = (&$body,&$body,&$body,&$body); # 32 instructions
1153 my ($a,$b,$c,$d,$e);
1154
1155 foreach (@insns) { eval; }
1156}
1157
1158&set_label("loop",16);
1159 &Xupdate_avx_16_31(\&body_00_19);
1160 &Xupdate_avx_16_31(\&body_00_19);
1161 &Xupdate_avx_16_31(\&body_00_19);
1162 &Xupdate_avx_16_31(\&body_00_19);
1163 &Xupdate_avx_32_79(\&body_00_19);
1164 &Xupdate_avx_32_79(\&body_20_39);
1165 &Xupdate_avx_32_79(\&body_20_39);
1166 &Xupdate_avx_32_79(\&body_20_39);
1167 &Xupdate_avx_32_79(\&body_20_39);
1168 &Xupdate_avx_32_79(\&body_20_39);
1169 &Xupdate_avx_32_79(\&body_40_59);
1170 &Xupdate_avx_32_79(\&body_40_59);
1171 &Xupdate_avx_32_79(\&body_40_59);
1172 &Xupdate_avx_32_79(\&body_40_59);
1173 &Xupdate_avx_32_79(\&body_40_59);
1174 &Xupdate_avx_32_79(\&body_20_39);
1175 &Xuplast_avx_80(\&body_20_39); # can jump to "done"
1176
1177 $saved_j=$j; @saved_V=@V;
1178
1179 &Xloop_avx(\&body_20_39);
1180 &Xloop_avx(\&body_20_39);
1181 &Xloop_avx(\&body_20_39);
1182
1183 &mov (@T[1],&DWP(192,"esp")); # update context
1184 &add ($A,&DWP(0,@T[1]));
1185 &add (@T[0],&DWP(4,@T[1])); # $b
1186 &add ($C,&DWP(8,@T[1]));
1187 &mov (&DWP(0,@T[1]),$A);
1188 &add ($D,&DWP(12,@T[1]));
1189 &mov (&DWP(4,@T[1]),@T[0]);
1190 &add ($E,&DWP(16,@T[1]));
1191 &mov (&DWP(8,@T[1]),$C);
1192 &mov ($B,@T[0]);
1193 &mov (&DWP(12,@T[1]),$D);
1194 &mov (&DWP(16,@T[1]),$E);
1195
1196 &jmp (&label("loop"));
1197
1198&set_label("done",16); $j=$saved_j; @V=@saved_V;
1199
1200 &Xtail_avx(\&body_20_39);
1201 &Xtail_avx(\&body_20_39);
1202 &Xtail_avx(\&body_20_39);
1203
1204 &vzeroall();
1205
1206 &mov (@T[1],&DWP(192,"esp")); # update context
1207 &add ($A,&DWP(0,@T[1]));
1208 &mov ("esp",&DWP(192+12,"esp")); # restore %esp
1209 &add (@T[0],&DWP(4,@T[1])); # $b
1210 &add ($C,&DWP(8,@T[1]));
1211 &mov (&DWP(0,@T[1]),$A);
1212 &add ($D,&DWP(12,@T[1]));
1213 &mov (&DWP(4,@T[1]),@T[0]);
1214 &add ($E,&DWP(16,@T[1]));
1215 &mov (&DWP(8,@T[1]),$C);
1216 &mov (&DWP(12,@T[1]),$D);
1217 &mov (&DWP(16,@T[1]),$E);
1218&function_end("_sha1_block_data_order_avx");
1219}
1220&set_label("K_XX_XX",64);
1221&data_word(0x5a827999,0x5a827999,0x5a827999,0x5a827999); # K_00_19
1222&data_word(0x6ed9eba1,0x6ed9eba1,0x6ed9eba1,0x6ed9eba1); # K_20_39
1223&data_word(0x8f1bbcdc,0x8f1bbcdc,0x8f1bbcdc,0x8f1bbcdc); # K_40_59
1224&data_word(0xca62c1d6,0xca62c1d6,0xca62c1d6,0xca62c1d6); # K_60_79
1225&data_word(0x00010203,0x04050607,0x08090a0b,0x0c0d0e0f); # pbswap mask
1226}
218&asciz("SHA1 block transform for x86, CRYPTOGAMS by <appro\@openssl.org>"); 1227&asciz("SHA1 block transform for x86, CRYPTOGAMS by <appro\@openssl.org>");
219 1228
220&asm_finish(); 1229&asm_finish();
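--- a/src/lib/libcrypto/sha/sha.h
+++ b/src/lib/libcrypto/sha/sha.h
@@ -106,6 +106,9 @@ typedef struct SHAstate_st
 	} SHA_CTX;
 
 #ifndef OPENSSL_NO_SHA0
+#ifdef OPENSSL_FIPS
+int private_SHA_Init(SHA_CTX *c);
+#endif
 int SHA_Init(SHA_CTX *c);
 int SHA_Update(SHA_CTX *c, const void *data, size_t len);
 int SHA_Final(unsigned char *md, SHA_CTX *c);
@@ -113,6 +116,9 @@ unsigned char *SHA(const unsigned char *d, size_t n, unsigned char *md);
 void SHA_Transform(SHA_CTX *c, const unsigned char *data);
 #endif
 #ifndef OPENSSL_NO_SHA1
+#ifdef OPENSSL_FIPS
+int private_SHA1_Init(SHA_CTX *c);
+#endif
 int SHA1_Init(SHA_CTX *c);
 int SHA1_Update(SHA_CTX *c, const void *data, size_t len);
 int SHA1_Final(unsigned char *md, SHA_CTX *c);
@@ -135,6 +141,10 @@ typedef struct SHA256state_st
 	} SHA256_CTX;
 
 #ifndef OPENSSL_NO_SHA256
+#ifdef OPENSSL_FIPS
+int private_SHA224_Init(SHA256_CTX *c);
+int private_SHA256_Init(SHA256_CTX *c);
+#endif
 int SHA224_Init(SHA256_CTX *c);
 int SHA224_Update(SHA256_CTX *c, const void *data, size_t len);
 int SHA224_Final(unsigned char *md, SHA256_CTX *c);
@@ -182,6 +192,10 @@ typedef struct SHA512state_st
 #endif
 
 #ifndef OPENSSL_NO_SHA512
+#ifdef OPENSSL_FIPS
+int private_SHA384_Init(SHA512_CTX *c);
+int private_SHA512_Init(SHA512_CTX *c);
+#endif
 int SHA384_Init(SHA512_CTX *c);
 int SHA384_Update(SHA512_CTX *c, const void *data, size_t len);
 int SHA384_Final(unsigned char *md, SHA512_CTX *c);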
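Review bot: The new `private_*_Init` prototypes are declared without any comment on how they differ from the public `*_Init` entry points, and a reader of this header cannot tell that from the declarations alone. They appear to be the second entry point produced by the `fips_md_init`/`fips_md_init_ctx` macros this commit introduces in sha_locl.h — presumably the initialiser that skips the FIPS-mode check — but confirm that against crypto.h before documenting it. A one-line comment above each guarded group, e.g. `/* private_*_Init: initialiser without the FIPS-mode check; generated by fips_md_init_ctx (openssl/crypto.h) */`, would make the split clear. Since these prototypes exist only under `OPENSSL_FIPS`, the comment should also say that non-FIPS callers must not reference them.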
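--- a/src/lib/libcrypto/sha/sha1dgst.c
+++ b/src/lib/libcrypto/sha/sha1dgst.c
@@ -57,6 +57,7 @@
  */
 
 #include <openssl/opensslconf.h>
+#include <openssl/crypto.h>
 #if !defined(OPENSSL_NO_SHA1) && !defined(OPENSSL_NO_SHA)
 
 #undef SHA_0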
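--- a/src/lib/libcrypto/sha/sha_dgst.c
+++ b/src/lib/libcrypto/sha/sha_dgst.c
@@ -57,6 +57,7 @@
  */
 
 #include <openssl/opensslconf.h>
+#include <openssl/crypto.h>
 #if !defined(OPENSSL_NO_SHA0) && !defined(OPENSSL_NO_SHA)
 
 #undef SHA_1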
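--- a/src/lib/libcrypto/sha/sha_locl.h
+++ b/src/lib/libcrypto/sha/sha_locl.h
@@ -122,7 +122,11 @@ void sha1_block_data_order (SHA_CTX *c, const void *p,size_t num);
 #define INIT_DATA_h3 0x10325476UL
 #define INIT_DATA_h4 0xc3d2e1f0UL
 
-int HASH_INIT (SHA_CTX *c)
+#ifdef SHA_0
+fips_md_init(SHA)
+#else
+fips_md_init_ctx(SHA1, SHA)
+#endif
 	{
 	memset (c,0,sizeof(*c));
 	c->h0=INIT_DATA_h0;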
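Review bot: The initialiser's signature is now produced by `fips_md_init(SHA)` / `fips_md_init_ctx(SHA1, SHA)`, yet sha_locl.h neither includes the header that defines those macros nor says what they expand to, so the function body that follows (`{ memset(c,0,sizeof(*c)); c->h0=...` — it continues outside the hunk) is left without a visible signature or name. The macros presumably live in <openssl/crypto.h>, which this same commit adds to sha1dgst.c and sha_dgst.c ahead of this header; either include it here or state the dependency, e.g. `/* fips_md_init{,_ctx} (openssl/crypto.h, included by sha_dgst.c/sha1dgst.c) expand to the SHA_Init/SHA1_Init definition and, under OPENSSL_FIPS, to a FIPS-mode guard plus private_*_Init -- confirm against crypto.h */`. The `SHA_0` selector is controlled by the including .c file (sha_dgst.c `#undef`s SHA_1 and sha1dgst.c `#undef`s SHA_0), which is worth noting beside the `#ifdef` so the two-file arrangement is not a surprise.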
diff --git a/src/lib/libcrypto/stack/safestack.h b/src/lib/libcrypto/stack/safestack.h
index 3e76aa58f5..ea3aa0d800 100644
--- a/src/lib/libcrypto/stack/safestack.h
+++ b/src/lib/libcrypto/stack/safestack.h
@@ -1459,6 +1459,94 @@ DECLARE_SPECIAL_STACK_OF(OPENSSL_BLOCK, void)
1459#define sk_POLICY_MAPPING_sort(st) SKM_sk_sort(POLICY_MAPPING, (st)) 1459#define sk_POLICY_MAPPING_sort(st) SKM_sk_sort(POLICY_MAPPING, (st))
1460#define sk_POLICY_MAPPING_is_sorted(st) SKM_sk_is_sorted(POLICY_MAPPING, (st)) 1460#define sk_POLICY_MAPPING_is_sorted(st) SKM_sk_is_sorted(POLICY_MAPPING, (st))
1461 1461
1462#define sk_SRP_gN_new(cmp) SKM_sk_new(SRP_gN, (cmp))
1463#define sk_SRP_gN_new_null() SKM_sk_new_null(SRP_gN)
1464#define sk_SRP_gN_free(st) SKM_sk_free(SRP_gN, (st))
1465#define sk_SRP_gN_num(st) SKM_sk_num(SRP_gN, (st))
1466#define sk_SRP_gN_value(st, i) SKM_sk_value(SRP_gN, (st), (i))
1467#define sk_SRP_gN_set(st, i, val) SKM_sk_set(SRP_gN, (st), (i), (val))
1468#define sk_SRP_gN_zero(st) SKM_sk_zero(SRP_gN, (st))
1469#define sk_SRP_gN_push(st, val) SKM_sk_push(SRP_gN, (st), (val))
1470#define sk_SRP_gN_unshift(st, val) SKM_sk_unshift(SRP_gN, (st), (val))
1471#define sk_SRP_gN_find(st, val) SKM_sk_find(SRP_gN, (st), (val))
1472#define sk_SRP_gN_find_ex(st, val) SKM_sk_find_ex(SRP_gN, (st), (val))
1473#define sk_SRP_gN_delete(st, i) SKM_sk_delete(SRP_gN, (st), (i))
1474#define sk_SRP_gN_delete_ptr(st, ptr) SKM_sk_delete_ptr(SRP_gN, (st), (ptr))
1475#define sk_SRP_gN_insert(st, val, i) SKM_sk_insert(SRP_gN, (st), (val), (i))
1476#define sk_SRP_gN_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(SRP_gN, (st), (cmp))
1477#define sk_SRP_gN_dup(st) SKM_sk_dup(SRP_gN, st)
1478#define sk_SRP_gN_pop_free(st, free_func) SKM_sk_pop_free(SRP_gN, (st), (free_func))
1479#define sk_SRP_gN_shift(st) SKM_sk_shift(SRP_gN, (st))
1480#define sk_SRP_gN_pop(st) SKM_sk_pop(SRP_gN, (st))
1481#define sk_SRP_gN_sort(st) SKM_sk_sort(SRP_gN, (st))
1482#define sk_SRP_gN_is_sorted(st) SKM_sk_is_sorted(SRP_gN, (st))
1483
1484#define sk_SRP_gN_cache_new(cmp) SKM_sk_new(SRP_gN_cache, (cmp))
1485#define sk_SRP_gN_cache_new_null() SKM_sk_new_null(SRP_gN_cache)
1486#define sk_SRP_gN_cache_free(st) SKM_sk_free(SRP_gN_cache, (st))
1487#define sk_SRP_gN_cache_num(st) SKM_sk_num(SRP_gN_cache, (st))
1488#define sk_SRP_gN_cache_value(st, i) SKM_sk_value(SRP_gN_cache, (st), (i))
1489#define sk_SRP_gN_cache_set(st, i, val) SKM_sk_set(SRP_gN_cache, (st), (i), (val))
1490#define sk_SRP_gN_cache_zero(st) SKM_sk_zero(SRP_gN_cache, (st))
1491#define sk_SRP_gN_cache_push(st, val) SKM_sk_push(SRP_gN_cache, (st), (val))
1492#define sk_SRP_gN_cache_unshift(st, val) SKM_sk_unshift(SRP_gN_cache, (st), (val))
1493#define sk_SRP_gN_cache_find(st, val) SKM_sk_find(SRP_gN_cache, (st), (val))
1494#define sk_SRP_gN_cache_find_ex(st, val) SKM_sk_find_ex(SRP_gN_cache, (st), (val))
1495#define sk_SRP_gN_cache_delete(st, i) SKM_sk_delete(SRP_gN_cache, (st), (i))
1496#define sk_SRP_gN_cache_delete_ptr(st, ptr) SKM_sk_delete_ptr(SRP_gN_cache, (st), (ptr))
1497#define sk_SRP_gN_cache_insert(st, val, i) SKM_sk_insert(SRP_gN_cache, (st), (val), (i))
1498#define sk_SRP_gN_cache_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(SRP_gN_cache, (st), (cmp))
1499#define sk_SRP_gN_cache_dup(st) SKM_sk_dup(SRP_gN_cache, st)
1500#define sk_SRP_gN_cache_pop_free(st, free_func) SKM_sk_pop_free(SRP_gN_cache, (st), (free_func))
1501#define sk_SRP_gN_cache_shift(st) SKM_sk_shift(SRP_gN_cache, (st))
1502#define sk_SRP_gN_cache_pop(st) SKM_sk_pop(SRP_gN_cache, (st))
1503#define sk_SRP_gN_cache_sort(st) SKM_sk_sort(SRP_gN_cache, (st))
1504#define sk_SRP_gN_cache_is_sorted(st) SKM_sk_is_sorted(SRP_gN_cache, (st))
1505
1506#define sk_SRP_user_pwd_new(cmp) SKM_sk_new(SRP_user_pwd, (cmp))
1507#define sk_SRP_user_pwd_new_null() SKM_sk_new_null(SRP_user_pwd)
1508#define sk_SRP_user_pwd_free(st) SKM_sk_free(SRP_user_pwd, (st))
1509#define sk_SRP_user_pwd_num(st) SKM_sk_num(SRP_user_pwd, (st))
1510#define sk_SRP_user_pwd_value(st, i) SKM_sk_value(SRP_user_pwd, (st), (i))
1511#define sk_SRP_user_pwd_set(st, i, val) SKM_sk_set(SRP_user_pwd, (st), (i), (val))
1512#define sk_SRP_user_pwd_zero(st) SKM_sk_zero(SRP_user_pwd, (st))
1513#define sk_SRP_user_pwd_push(st, val) SKM_sk_push(SRP_user_pwd, (st), (val))
1514#define sk_SRP_user_pwd_unshift(st, val) SKM_sk_unshift(SRP_user_pwd, (st), (val))
1515#define sk_SRP_user_pwd_find(st, val) SKM_sk_find(SRP_user_pwd, (st), (val))
1516#define sk_SRP_user_pwd_find_ex(st, val) SKM_sk_find_ex(SRP_user_pwd, (st), (val))
1517#define sk_SRP_user_pwd_delete(st, i) SKM_sk_delete(SRP_user_pwd, (st), (i))
1518#define sk_SRP_user_pwd_delete_ptr(st, ptr) SKM_sk_delete_ptr(SRP_user_pwd, (st), (ptr))
1519#define sk_SRP_user_pwd_insert(st, val, i) SKM_sk_insert(SRP_user_pwd, (st), (val), (i))
1520#define sk_SRP_user_pwd_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(SRP_user_pwd, (st), (cmp))
1521#define sk_SRP_user_pwd_dup(st) SKM_sk_dup(SRP_user_pwd, st)
1522#define sk_SRP_user_pwd_pop_free(st, free_func) SKM_sk_pop_free(SRP_user_pwd, (st), (free_func))
1523#define sk_SRP_user_pwd_shift(st) SKM_sk_shift(SRP_user_pwd, (st))
1524#define sk_SRP_user_pwd_pop(st) SKM_sk_pop(SRP_user_pwd, (st))
1525#define sk_SRP_user_pwd_sort(st) SKM_sk_sort(SRP_user_pwd, (st))
1526#define sk_SRP_user_pwd_is_sorted(st) SKM_sk_is_sorted(SRP_user_pwd, (st))
1527
1528#define sk_SRTP_PROTECTION_PROFILE_new(cmp) SKM_sk_new(SRTP_PROTECTION_PROFILE, (cmp))
1529#define sk_SRTP_PROTECTION_PROFILE_new_null() SKM_sk_new_null(SRTP_PROTECTION_PROFILE)
1530#define sk_SRTP_PROTECTION_PROFILE_free(st) SKM_sk_free(SRTP_PROTECTION_PROFILE, (st))
1531#define sk_SRTP_PROTECTION_PROFILE_num(st) SKM_sk_num(SRTP_PROTECTION_PROFILE, (st))
1532#define sk_SRTP_PROTECTION_PROFILE_value(st, i) SKM_sk_value(SRTP_PROTECTION_PROFILE, (st), (i))
1533#define sk_SRTP_PROTECTION_PROFILE_set(st, i, val) SKM_sk_set(SRTP_PROTECTION_PROFILE, (st), (i), (val))
1534#define sk_SRTP_PROTECTION_PROFILE_zero(st) SKM_sk_zero(SRTP_PROTECTION_PROFILE, (st))
1535#define sk_SRTP_PROTECTION_PROFILE_push(st, val) SKM_sk_push(SRTP_PROTECTION_PROFILE, (st), (val))
1536#define sk_SRTP_PROTECTION_PROFILE_unshift(st, val) SKM_sk_unshift(SRTP_PROTECTION_PROFILE, (st), (val))
1537#define sk_SRTP_PROTECTION_PROFILE_find(st, val) SKM_sk_find(SRTP_PROTECTION_PROFILE, (st), (val))
1538#define sk_SRTP_PROTECTION_PROFILE_find_ex(st, val) SKM_sk_find_ex(SRTP_PROTECTION_PROFILE, (st), (val))
1539#define sk_SRTP_PROTECTION_PROFILE_delete(st, i) SKM_sk_delete(SRTP_PROTECTION_PROFILE, (st), (i))
1540#define sk_SRTP_PROTECTION_PROFILE_delete_ptr(st, ptr) SKM_sk_delete_ptr(SRTP_PROTECTION_PROFILE, (st), (ptr))
1541#define sk_SRTP_PROTECTION_PROFILE_insert(st, val, i) SKM_sk_insert(SRTP_PROTECTION_PROFILE, (st), (val), (i))
1542#define sk_SRTP_PROTECTION_PROFILE_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(SRTP_PROTECTION_PROFILE, (st), (cmp))
1543#define sk_SRTP_PROTECTION_PROFILE_dup(st) SKM_sk_dup(SRTP_PROTECTION_PROFILE, st)
1544#define sk_SRTP_PROTECTION_PROFILE_pop_free(st, free_func) SKM_sk_pop_free(SRTP_PROTECTION_PROFILE, (st), (free_func))
1545#define sk_SRTP_PROTECTION_PROFILE_shift(st) SKM_sk_shift(SRTP_PROTECTION_PROFILE, (st))
1546#define sk_SRTP_PROTECTION_PROFILE_pop(st) SKM_sk_pop(SRTP_PROTECTION_PROFILE, (st))
1547#define sk_SRTP_PROTECTION_PROFILE_sort(st) SKM_sk_sort(SRTP_PROTECTION_PROFILE, (st))
1548#define sk_SRTP_PROTECTION_PROFILE_is_sorted(st) SKM_sk_is_sorted(SRTP_PROTECTION_PROFILE, (st))
1549
1462#define sk_SSL_CIPHER_new(cmp) SKM_sk_new(SSL_CIPHER, (cmp)) 1550#define sk_SSL_CIPHER_new(cmp) SKM_sk_new(SSL_CIPHER, (cmp))
1463#define sk_SSL_CIPHER_new_null() SKM_sk_new_null(SSL_CIPHER) 1551#define sk_SSL_CIPHER_new_null() SKM_sk_new_null(SSL_CIPHER)
1464#define sk_SSL_CIPHER_free(st) SKM_sk_free(SSL_CIPHER, (st)) 1552#define sk_SSL_CIPHER_free(st) SKM_sk_free(SSL_CIPHER, (st))
@@ -2056,31 +2144,6 @@ DECLARE_SPECIAL_STACK_OF(OPENSSL_BLOCK, void)
2056#define sk_OPENSSL_STRING_is_sorted(st) SKM_sk_is_sorted(OPENSSL_STRING, (st)) 2144#define sk_OPENSSL_STRING_is_sorted(st) SKM_sk_is_sorted(OPENSSL_STRING, (st))
2057 2145
2058 2146
2059#define sk_OPENSSL_PSTRING_new(cmp) ((STACK_OF(OPENSSL_PSTRING) *)sk_new(CHECKED_SK_CMP_FUNC(OPENSSL_STRING, cmp)))
2060#define sk_OPENSSL_PSTRING_new_null() ((STACK_OF(OPENSSL_PSTRING) *)sk_new_null())
2061#define sk_OPENSSL_PSTRING_push(st, val) sk_push(CHECKED_STACK_OF(OPENSSL_PSTRING, st), CHECKED_PTR_OF(OPENSSL_STRING, val))
2062#define sk_OPENSSL_PSTRING_find(st, val) sk_find(CHECKED_STACK_OF(OPENSSL_PSTRING, st), CHECKED_PTR_OF(OPENSSL_STRING, val))
2063#define sk_OPENSSL_PSTRING_value(st, i) ((OPENSSL_PSTRING)sk_value(CHECKED_STACK_OF(OPENSSL_PSTRING, st), i))
2064#define sk_OPENSSL_PSTRING_num(st) SKM_sk_num(OPENSSL_PSTRING, st)
2065#define sk_OPENSSL_PSTRING_pop_free(st, free_func) sk_pop_free(CHECKED_STACK_OF(OPENSSL_PSTRING, st), CHECKED_SK_FREE_FUNC2(OPENSSL_PSTRING, free_func))
2066#define sk_OPENSSL_PSTRING_insert(st, val, i) sk_insert(CHECKED_STACK_OF(OPENSSL_PSTRING, st), CHECKED_PTR_OF(OPENSSL_STRING, val), i)
2067#define sk_OPENSSL_PSTRING_free(st) SKM_sk_free(OPENSSL_PSTRING, st)
2068#define sk_OPENSSL_PSTRING_set(st, i, val) sk_set(CHECKED_STACK_OF(OPENSSL_PSTRING, st), i, CHECKED_PTR_OF(OPENSSL_STRING, val))
2069#define sk_OPENSSL_PSTRING_zero(st) SKM_sk_zero(OPENSSL_PSTRING, (st))
2070#define sk_OPENSSL_PSTRING_unshift(st, val) sk_unshift(CHECKED_STACK_OF(OPENSSL_PSTRING, st), CHECKED_PTR_OF(OPENSSL_STRING, val))
2071#define sk_OPENSSL_PSTRING_find_ex(st, val) sk_find_ex((_STACK *)CHECKED_CONST_PTR_OF(STACK_OF(OPENSSL_PSTRING), st), CHECKED_CONST_PTR_OF(OPENSSL_STRING, val))
2072#define sk_OPENSSL_PSTRING_delete(st, i) SKM_sk_delete(OPENSSL_PSTRING, (st), (i))
2073#define sk_OPENSSL_PSTRING_delete_ptr(st, ptr) (OPENSSL_PSTRING *)sk_delete_ptr(CHECKED_STACK_OF(OPENSSL_PSTRING, st), CHECKED_PTR_OF(OPENSSL_STRING, ptr))
2074#define sk_OPENSSL_PSTRING_set_cmp_func(st, cmp) \
2075 ((int (*)(const OPENSSL_STRING * const *,const OPENSSL_STRING * const *)) \
2076 sk_set_cmp_func(CHECKED_STACK_OF(OPENSSL_PSTRING, st), CHECKED_SK_CMP_FUNC(OPENSSL_STRING, cmp)))
2077#define sk_OPENSSL_PSTRING_dup(st) SKM_sk_dup(OPENSSL_PSTRING, st)
2078#define sk_OPENSSL_PSTRING_shift(st) SKM_sk_shift(OPENSSL_PSTRING, (st))
2079#define sk_OPENSSL_PSTRING_pop(st) (OPENSSL_STRING *)sk_pop(CHECKED_STACK_OF(OPENSSL_PSTRING, st))
2080#define sk_OPENSSL_PSTRING_sort(st) SKM_sk_sort(OPENSSL_PSTRING, (st))
2081#define sk_OPENSSL_PSTRING_is_sorted(st) SKM_sk_is_sorted(OPENSSL_PSTRING, (st))
2082
2083
2084#define sk_OPENSSL_BLOCK_new(cmp) ((STACK_OF(OPENSSL_BLOCK) *)sk_new(CHECKED_SK_CMP_FUNC(void, cmp))) 2147#define sk_OPENSSL_BLOCK_new(cmp) ((STACK_OF(OPENSSL_BLOCK) *)sk_new(CHECKED_SK_CMP_FUNC(void, cmp)))
2085#define sk_OPENSSL_BLOCK_new_null() ((STACK_OF(OPENSSL_BLOCK) *)sk_new_null()) 2148#define sk_OPENSSL_BLOCK_new_null() ((STACK_OF(OPENSSL_BLOCK) *)sk_new_null())
2086#define sk_OPENSSL_BLOCK_push(st, val) sk_push(CHECKED_STACK_OF(OPENSSL_BLOCK, st), CHECKED_PTR_OF(void, val)) 2149#define sk_OPENSSL_BLOCK_push(st, val) sk_push(CHECKED_STACK_OF(OPENSSL_BLOCK, st), CHECKED_PTR_OF(void, val))
@@ -2106,6 +2169,31 @@ DECLARE_SPECIAL_STACK_OF(OPENSSL_BLOCK, void)
2106#define sk_OPENSSL_BLOCK_is_sorted(st) SKM_sk_is_sorted(OPENSSL_BLOCK, (st)) 2169#define sk_OPENSSL_BLOCK_is_sorted(st) SKM_sk_is_sorted(OPENSSL_BLOCK, (st))
2107 2170
2108 2171
2172#define sk_OPENSSL_PSTRING_new(cmp) ((STACK_OF(OPENSSL_PSTRING) *)sk_new(CHECKED_SK_CMP_FUNC(OPENSSL_STRING, cmp)))
2173#define sk_OPENSSL_PSTRING_new_null() ((STACK_OF(OPENSSL_PSTRING) *)sk_new_null())
2174#define sk_OPENSSL_PSTRING_push(st, val) sk_push(CHECKED_STACK_OF(OPENSSL_PSTRING, st), CHECKED_PTR_OF(OPENSSL_STRING, val))
2175#define sk_OPENSSL_PSTRING_find(st, val) sk_find(CHECKED_STACK_OF(OPENSSL_PSTRING, st), CHECKED_PTR_OF(OPENSSL_STRING, val))
2176#define sk_OPENSSL_PSTRING_value(st, i) ((OPENSSL_PSTRING)sk_value(CHECKED_STACK_OF(OPENSSL_PSTRING, st), i))
2177#define sk_OPENSSL_PSTRING_num(st) SKM_sk_num(OPENSSL_PSTRING, st)
2178#define sk_OPENSSL_PSTRING_pop_free(st, free_func) sk_pop_free(CHECKED_STACK_OF(OPENSSL_PSTRING, st), CHECKED_SK_FREE_FUNC2(OPENSSL_PSTRING, free_func))
2179#define sk_OPENSSL_PSTRING_insert(st, val, i) sk_insert(CHECKED_STACK_OF(OPENSSL_PSTRING, st), CHECKED_PTR_OF(OPENSSL_STRING, val), i)
2180#define sk_OPENSSL_PSTRING_free(st) SKM_sk_free(OPENSSL_PSTRING, st)
2181#define sk_OPENSSL_PSTRING_set(st, i, val) sk_set(CHECKED_STACK_OF(OPENSSL_PSTRING, st), i, CHECKED_PTR_OF(OPENSSL_STRING, val))
2182#define sk_OPENSSL_PSTRING_zero(st) SKM_sk_zero(OPENSSL_PSTRING, (st))
2183#define sk_OPENSSL_PSTRING_unshift(st, val) sk_unshift(CHECKED_STACK_OF(OPENSSL_PSTRING, st), CHECKED_PTR_OF(OPENSSL_STRING, val))
2184#define sk_OPENSSL_PSTRING_find_ex(st, val) sk_find_ex((_STACK *)CHECKED_CONST_PTR_OF(STACK_OF(OPENSSL_PSTRING), st), CHECKED_CONST_PTR_OF(OPENSSL_STRING, val))
2185#define sk_OPENSSL_PSTRING_delete(st, i) SKM_sk_delete(OPENSSL_PSTRING, (st), (i))
2186#define sk_OPENSSL_PSTRING_delete_ptr(st, ptr) (OPENSSL_PSTRING *)sk_delete_ptr(CHECKED_STACK_OF(OPENSSL_PSTRING, st), CHECKED_PTR_OF(OPENSSL_STRING, ptr))
2187#define sk_OPENSSL_PSTRING_set_cmp_func(st, cmp) \
2188 ((int (*)(const OPENSSL_STRING * const *,const OPENSSL_STRING * const *)) \
2189 sk_set_cmp_func(CHECKED_STACK_OF(OPENSSL_PSTRING, st), CHECKED_SK_CMP_FUNC(OPENSSL_STRING, cmp)))
2190#define sk_OPENSSL_PSTRING_dup(st) SKM_sk_dup(OPENSSL_PSTRING, st)
2191#define sk_OPENSSL_PSTRING_shift(st) SKM_sk_shift(OPENSSL_PSTRING, (st))
2192#define sk_OPENSSL_PSTRING_pop(st) (OPENSSL_STRING *)sk_pop(CHECKED_STACK_OF(OPENSSL_PSTRING, st))
2193#define sk_OPENSSL_PSTRING_sort(st) SKM_sk_sort(OPENSSL_PSTRING, (st))
2194#define sk_OPENSSL_PSTRING_is_sorted(st) SKM_sk_is_sorted(OPENSSL_PSTRING, (st))
2195
2196
2109#define d2i_ASN1_SET_OF_ACCESS_DESCRIPTION(st, pp, length, d2i_func, free_func, ex_tag, ex_class) \ 2197#define d2i_ASN1_SET_OF_ACCESS_DESCRIPTION(st, pp, length, d2i_func, free_func, ex_tag, ex_class) \
2110 SKM_ASN1_SET_OF_d2i(ACCESS_DESCRIPTION, (st), (pp), (length), (d2i_func), (free_func), (ex_tag), (ex_class)) 2198 SKM_ASN1_SET_OF_d2i(ACCESS_DESCRIPTION, (st), (pp), (length), (d2i_func), (free_func), (ex_tag), (ex_class))
2111#define i2d_ASN1_SET_OF_ACCESS_DESCRIPTION(st, pp, i2d_func, ex_tag, ex_class, is_set) \ 2199#define i2d_ASN1_SET_OF_ACCESS_DESCRIPTION(st, pp, i2d_func, ex_tag, ex_class, is_set) \
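--- a/src/lib/libcrypto/symhacks.h
+++ b/src/lib/libcrypto/symhacks.h
@@ -176,7 +176,6 @@
 #define SSL_CTX_set_default_passwd_cb_userdata SSL_CTX_set_def_passwd_cb_ud
 #undef SSL_COMP_get_compression_methods
 #define SSL_COMP_get_compression_methods SSL_COMP_get_compress_methods
-
 #undef ssl_add_clienthello_renegotiate_ext
 #define ssl_add_clienthello_renegotiate_ext ssl_add_clienthello_reneg_ext
 #undef ssl_add_serverhello_renegotiate_ext
@@ -185,6 +184,26 @@
 #define ssl_parse_clienthello_renegotiate_ext ssl_parse_clienthello_reneg_ext
 #undef ssl_parse_serverhello_renegotiate_ext
 #define ssl_parse_serverhello_renegotiate_ext ssl_parse_serverhello_reneg_ext
+#undef SSL_srp_server_param_with_username
+#define SSL_srp_server_param_with_username SSL_srp_server_param_with_un
+#undef SSL_CTX_set_srp_client_pwd_callback
+#define SSL_CTX_set_srp_client_pwd_callback SSL_CTX_set_srp_client_pwd_cb
+#undef SSL_CTX_set_srp_verify_param_callback
+#define SSL_CTX_set_srp_verify_param_callback SSL_CTX_set_srp_vfy_param_cb
+#undef SSL_CTX_set_srp_username_callback
+#define SSL_CTX_set_srp_username_callback SSL_CTX_set_srp_un_cb
+#undef ssl_add_clienthello_use_srtp_ext
+#define ssl_add_clienthello_use_srtp_ext ssl_add_clihello_use_srtp_ext
+#undef ssl_add_serverhello_use_srtp_ext
+#define ssl_add_serverhello_use_srtp_ext ssl_add_serhello_use_srtp_ext
+#undef ssl_parse_clienthello_use_srtp_ext
+#define ssl_parse_clienthello_use_srtp_ext ssl_parse_clihello_use_srtp_ext
+#undef ssl_parse_serverhello_use_srtp_ext
+#define ssl_parse_serverhello_use_srtp_ext ssl_parse_serhello_use_srtp_ext
+#undef SSL_CTX_set_next_protos_advertised_cb
+#define SSL_CTX_set_next_protos_advertised_cb SSL_CTX_set_next_protos_adv_cb
+#undef SSL_CTX_set_next_proto_select_cb
+#define SSL_CTX_set_next_proto_select_cb SSL_CTX_set_next_proto_sel_cb
 
 /* Hack some long ENGINE names */
 #undef ENGINE_get_default_BN_mod_exp_crt
@@ -238,6 +257,9 @@
 #define EC_GROUP_get_point_conversion_form EC_GROUP_get_point_conv_form
 #undef EC_GROUP_clear_free_all_extra_data
 #define EC_GROUP_clear_free_all_extra_data EC_GROUP_clr_free_all_xtra_data
+#undef EC_KEY_set_public_key_affine_coordinates
+#define EC_KEY_set_public_key_affine_coordinates \
+				EC_KEY_set_pub_key_aff_coords
 #undef EC_POINT_set_Jprojective_coordinates_GFp
 #define EC_POINT_set_Jprojective_coordinates_GFp \
 				EC_POINT_set_Jproj_coords_GFp
@@ -399,6 +421,12 @@
 #undef dtls1_retransmit_buffered_messages
 #define dtls1_retransmit_buffered_messages dtls1_retransmit_buffered_msgs
 
+/* Hack some long SRP names */
+#undef SRP_generate_server_master_secret
+#define SRP_generate_server_master_secret SRP_gen_server_master_secret
+#undef SRP_generate_client_master_secret
+#define SRP_generate_client_master_secret SRP_gen_client_master_secret
+
 /* Hack some long UI names */
 #undef UI_method_get_prompt_constructor
 #define UI_method_get_prompt_constructor UI_method_get_prompt_constructr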
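--- a/src/lib/libcrypto/ts/ts_rsp_verify.c
+++ b/src/lib/libcrypto/ts/ts_rsp_verify.c
@@ -616,12 +616,15 @@ static int TS_compute_imprint(BIO *data, TS_TST_INFO *tst_info,
 		goto err;
 		}
 
-	EVP_DigestInit(&md_ctx, md);
+	if (!EVP_DigestInit(&md_ctx, md))
+		goto err;
 	while ((length = BIO_read(data, buffer, sizeof(buffer))) > 0)
 		{
-		EVP_DigestUpdate(&md_ctx, buffer, length);
+		if (!EVP_DigestUpdate(&md_ctx, buffer, length))
+			goto err;
 		}
-	EVP_DigestFinal(&md_ctx, *imprint, NULL);
+	if (!EVP_DigestFinal(&md_ctx, *imprint, NULL))
+		goto err;
 
 	return 1;
  err: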
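Review bot: The new `goto err` after a failed EVP_DigestUpdate leaves `md_ctx` initialised but never cleaned up: EVP_DigestInit allocates the digest's per-context state, and in this EVP generation only EVP_DigestFinal releases it on the success path, so the error path now leaks that allocation unless the `err:` block (which continues outside the hunk) calls EVP_MD_CTX_cleanup — it cannot do so unconditionally, because the earlier `goto err` sites reach it before the context is initialised. Cleaning up before jumping is the smallest fix: `if (!EVP_DigestUpdate(&md_ctx, buffer, length)) { EVP_MD_CTX_cleanup(&md_ctx); goto err; }`, and a failed EVP_DigestInit may need the same treatment depending on how far it got before failing — confirm. Separately, a negative BIO_read return (error or retry) still ends the loop silently and the imprint of the truncated data is finalised and returned as success; the new checks do not cover that, and an `if (length < 0) goto err;` after the loop would close it. TS_compute_imprint's body starts and ends outside the hunk.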
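--- a/src/lib/libcrypto/ui/ui.h
+++ b/src/lib/libcrypto/ui/ui.h
@@ -316,7 +316,7 @@ int (*UI_method_get_writer(UI_METHOD *method))(UI*,UI_STRING*);
 int (*UI_method_get_flusher(UI_METHOD *method))(UI*);
 int (*UI_method_get_reader(UI_METHOD *method))(UI*,UI_STRING*);
 int (*UI_method_get_closer(UI_METHOD *method))(UI*);
-char* (*UI_method_get_prompt_constructor(UI_METHOD *method))(UI*, const char*, const char*);
+char * (*UI_method_get_prompt_constructor(UI_METHOD *method))(UI*, const char*, const char*);
 
 /* The following functions are helpers for method writers to access relevant
    data from a UI_STRING. */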
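--- a/src/lib/libcrypto/ui/ui_openssl.c
+++ b/src/lib/libcrypto/ui/ui_openssl.c
@@ -122,7 +122,7 @@
  * sigaction and fileno included. -pedantic would be more appropriate for
  * the intended purposes, but we can't prevent users from adding -ansi.
  */
-#ifndef _POSIX_C_SOURCE
+#if !defined(_POSIX_C_SOURCE) && defined(OPENSSL_SYS_VMS)
 #define _POSIX_C_SOURCE 2
 #endif
 #include <signal.h>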
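Review bot: The comment block immediately above the changed `#if` (its opening lines precede the hunk) still explains why `_POSIX_C_SOURCE` is defined unconditionally — to get `sigaction` and `fileno` declared even under `-ansi` — but the condition now restricts the define to `OPENSSL_SYS_VMS`, so the comment no longer matches the code. Add a closing sentence to that comment such as ` * Only VMS still needs this here; on other platforms the feature macros are expected to be set by the build, and defining _POSIX_C_SOURCE 2 ourselves would hide declarations we rely on.` — the reason non-VMS builds drop the define is not visible in this hunk, so confirm the wording against the commit that motivated it. Without such a note the next reader will see a comment arguing for a define that the code below then refuses to make.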
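--- a/src/lib/libcrypto/util/cygwin.sh
+++ b/src/lib/libcrypto/util/cygwin.sh
@@ -11,6 +11,7 @@ CONFIG_OPTIONS="--prefix=/usr shared zlib no-idea no-rc5"
 INSTALL_PREFIX=/tmp/install/INSTALL
 
 VERSION=
+SHLIB_VERSION_NUMBER=
 SUBVERSION=$1
 
 function cleanup()
@@ -28,6 +29,13 @@ function get_openssl_version()
     echo " Check value of variable VERSION in Makefile."
     exit 1
   fi
+  eval `grep '^SHLIB_VERSION_NUMBER=' Makefile`
+  if [ -z "${SHLIB_VERSION_NUMBER}" ]
+  then
+    echo "Error: Couldn't retrieve OpenSSL shared lib version from Makefile."
+    echo " Check value of variable SHLIB_VERSION_NUMBER in Makefile."
+    exit 1
+  fi
 }
 
 function base_install()
@@ -124,7 +132,7 @@ strip usr/bin/*.exe usr/bin/*.dll usr/lib/engines/*.so
 chmod u-w usr/lib/engines/*.so
 
 # Runtime package
-tar cjf libopenssl${VERSION//[!0-9]/}-${VERSION}-${SUBVERSION}.tar.bz2 \
+tar cjf libopenssl${SHLIB_VERSION_NUMBER//[!0-9]/}-${VERSION}-${SUBVERSION}.tar.bz2 \
 	usr/bin/cyg*dll
 # Base package
 find etc usr/bin/openssl.exe usr/bin/c_rehash usr/lib/engines usr/share/doc \
@@ -139,7 +147,7 @@ tar cjfT openssl-devel-${VERSION}-${SUBVERSION}.tar.bz2 -
 
 ls -l openssl-${VERSION}-${SUBVERSION}.tar.bz2
 ls -l openssl-devel-${VERSION}-${SUBVERSION}.tar.bz2
-ls -l libopenssl${VERSION//[!0-9]/}-${VERSION}-${SUBVERSION}.tar.bz2
+ls -l libopenssl${SHLIB_VERSION_NUMBER//[!0-9]/}-${VERSION}-${SUBVERSION}.tar.bz2
 
 cleanup
 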
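Review bot: In get_openssl_version, `eval \`grep '^SHLIB_VERSION_NUMBER=' Makefile\`` hands whatever follows the `=` in the Makefile to the shell for execution, so any make syntax, trailing comment or stray whitespace on that line (`$(...)`, `#`, a second word) becomes a shell command or parse error instead of a version string, and if several lines match they are all evaluated. Extracting the value without `eval`, e.g. `SHLIB_VERSION_NUMBER=$(sed -n 's/^SHLIB_VERSION_NUMBER=//p' Makefile | head -n 1)`, keeps the new empty-value check intact and stops the script from executing build-file content. The earlier `VERSION` lookup in the same function is outside the hunk; if it uses the same `eval` pattern, both should be changed together so the function stays consistent. The `${SHLIB_VERSION_NUMBER//[!0-9]/}` substitutions in the later hunks are bash-only, which is acceptable here since the script already relies on bash's `function` keyword.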
diff --git a/src/lib/libcrypto/util/libeay.num b/src/lib/libcrypto/util/libeay.num
index 1467ab6243..93f80ba0c6 100644
--- a/src/lib/libcrypto/util/libeay.num
+++ b/src/lib/libcrypto/util/libeay.num
@@ -1050,7 +1050,7 @@ ASN1_TYPE_get_octetstring 1077 EXIST::FUNCTION:
1050ASN1_TYPE_set_int_octetstring 1078 EXIST::FUNCTION: 1050ASN1_TYPE_set_int_octetstring 1078 EXIST::FUNCTION:
1051ASN1_TYPE_set_octetstring 1079 EXIST::FUNCTION: 1051ASN1_TYPE_set_octetstring 1079 EXIST::FUNCTION:
1052ASN1_UTCTIME_set_string 1080 EXIST::FUNCTION: 1052ASN1_UTCTIME_set_string 1080 EXIST::FUNCTION:
1053ERR_add_error_data 1081 EXIST::FUNCTION:BIO 1053ERR_add_error_data 1081 EXIST::FUNCTION:
1054ERR_set_error_data 1082 EXIST::FUNCTION: 1054ERR_set_error_data 1082 EXIST::FUNCTION:
1055EVP_CIPHER_asn1_to_param 1083 EXIST::FUNCTION: 1055EVP_CIPHER_asn1_to_param 1083 EXIST::FUNCTION:
1056EVP_CIPHER_param_to_asn1 1084 EXIST::FUNCTION: 1056EVP_CIPHER_param_to_asn1 1084 EXIST::FUNCTION:
@@ -2808,7 +2808,7 @@ FIPS_corrupt_rsa 3249 NOEXIST::FUNCTION:
2808FIPS_selftest_des 3250 NOEXIST::FUNCTION: 2808FIPS_selftest_des 3250 NOEXIST::FUNCTION:
2809EVP_aes_128_cfb1 3251 EXIST::FUNCTION:AES 2809EVP_aes_128_cfb1 3251 EXIST::FUNCTION:AES
2810EVP_aes_192_cfb8 3252 EXIST::FUNCTION:AES 2810EVP_aes_192_cfb8 3252 EXIST::FUNCTION:AES
2811FIPS_mode_set 3253 NOEXIST::FUNCTION: 2811FIPS_mode_set 3253 EXIST::FUNCTION:
2812FIPS_selftest_dsa 3254 NOEXIST::FUNCTION: 2812FIPS_selftest_dsa 3254 NOEXIST::FUNCTION:
2813EVP_aes_256_cfb8 3255 EXIST::FUNCTION:AES 2813EVP_aes_256_cfb8 3255 EXIST::FUNCTION:AES
2814FIPS_allow_md5 3256 NOEXIST::FUNCTION: 2814FIPS_allow_md5 3256 NOEXIST::FUNCTION:
@@ -2838,23 +2838,23 @@ AES_cfb1_encrypt 3279 EXIST::FUNCTION:AES
2838EVP_des_ede3_cfb1 3280 EXIST::FUNCTION:DES 2838EVP_des_ede3_cfb1 3280 EXIST::FUNCTION:DES
2839FIPS_rand_check 3281 NOEXIST::FUNCTION: 2839FIPS_rand_check 3281 NOEXIST::FUNCTION:
2840FIPS_md5_allowed 3282 NOEXIST::FUNCTION: 2840FIPS_md5_allowed 3282 NOEXIST::FUNCTION:
2841FIPS_mode 3283 NOEXIST::FUNCTION: 2841FIPS_mode 3283 EXIST::FUNCTION:
2842FIPS_selftest_failed 3284 NOEXIST::FUNCTION: 2842FIPS_selftest_failed 3284 NOEXIST::FUNCTION:
2843sk_is_sorted 3285 EXIST::FUNCTION: 2843sk_is_sorted 3285 EXIST::FUNCTION:
2844X509_check_ca 3286 EXIST::FUNCTION: 2844X509_check_ca 3286 EXIST::FUNCTION:
2845private_idea_set_encrypt_key 3287 NOEXIST::FUNCTION: 2845private_idea_set_encrypt_key 3287 EXIST:OPENSSL_FIPS:FUNCTION:IDEA
2846HMAC_CTX_set_flags 3288 EXIST::FUNCTION:HMAC 2846HMAC_CTX_set_flags 3288 EXIST::FUNCTION:HMAC
2847private_SHA_Init 3289 NOEXIST::FUNCTION: 2847private_SHA_Init 3289 EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA0
2848private_CAST_set_key 3290 NOEXIST::FUNCTION: 2848private_CAST_set_key 3290 EXIST:OPENSSL_FIPS:FUNCTION:CAST
2849private_RIPEMD160_Init 3291 NOEXIST::FUNCTION: 2849private_RIPEMD160_Init 3291 EXIST:OPENSSL_FIPS:FUNCTION:RIPEMD
2850private_RC5_32_set_key 3292 NOEXIST::FUNCTION: 2850private_RC5_32_set_key 3292 NOEXIST::FUNCTION:
2851private_MD5_Init 3293 NOEXIST::FUNCTION: 2851private_MD5_Init 3293 EXIST:OPENSSL_FIPS:FUNCTION:MD5
2852private_RC4_set_key 3294 NOEXIST::FUNCTION: 2852private_RC4_set_key 3294 EXIST::FUNCTION:RC4
2853private_MDC2_Init 3295 NOEXIST::FUNCTION: 2853private_MDC2_Init 3295 EXIST:OPENSSL_FIPS:FUNCTION:MDC2
2854private_RC2_set_key 3296 NOEXIST::FUNCTION: 2854private_RC2_set_key 3296 EXIST:OPENSSL_FIPS:FUNCTION:RC2
2855private_MD4_Init 3297 NOEXIST::FUNCTION: 2855private_MD4_Init 3297 EXIST:OPENSSL_FIPS:FUNCTION:MD4
2856private_BF_set_key 3298 NOEXIST::FUNCTION: 2856private_BF_set_key 3298 EXIST:OPENSSL_FIPS:FUNCTION:BF
2857private_MD2_Init 3299 NOEXIST::FUNCTION: 2857private_MD2_Init 3299 EXIST:OPENSSL_FIPS:FUNCTION:MD2
2858d2i_PROXY_CERT_INFO_EXTENSION 3300 EXIST::FUNCTION: 2858d2i_PROXY_CERT_INFO_EXTENSION 3300 EXIST::FUNCTION:
2859PROXY_POLICY_it 3301 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: 2859PROXY_POLICY_it 3301 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
2860PROXY_POLICY_it 3301 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: 2860PROXY_POLICY_it 3301 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
@@ -2882,7 +2882,7 @@ RSA_verify_PKCS1_PSS 3321 EXIST::FUNCTION:RSA
2882RSA_padding_add_X931 3322 EXIST::FUNCTION:RSA 2882RSA_padding_add_X931 3322 EXIST::FUNCTION:RSA
2883RSA_padding_add_PKCS1_PSS 3323 EXIST::FUNCTION:RSA 2883RSA_padding_add_PKCS1_PSS 3323 EXIST::FUNCTION:RSA
2884PKCS1_MGF1 3324 EXIST::FUNCTION:RSA 2884PKCS1_MGF1 3324 EXIST::FUNCTION:RSA
2885BN_X931_generate_Xpq 3325 NOEXIST::FUNCTION: 2885BN_X931_generate_Xpq 3325 EXIST::FUNCTION:
2886RSA_X931_generate_key 3326 NOEXIST::FUNCTION: 2886RSA_X931_generate_key 3326 NOEXIST::FUNCTION:
2887BN_X931_derive_prime 3327 NOEXIST::FUNCTION: 2887BN_X931_derive_prime 3327 NOEXIST::FUNCTION:
2888BN_X931_generate_prime 3328 NOEXIST::FUNCTION: 2888BN_X931_generate_prime 3328 NOEXIST::FUNCTION:
@@ -2906,7 +2906,7 @@ STORE_parse_attrs_start 3343 NOEXIST::FUNCTION:
2906POLICY_CONSTRAINTS_free 3344 EXIST::FUNCTION: 2906POLICY_CONSTRAINTS_free 3344 EXIST::FUNCTION:
2907EVP_PKEY_add1_attr_by_NID 3345 EXIST::FUNCTION: 2907EVP_PKEY_add1_attr_by_NID 3345 EXIST::FUNCTION:
2908BN_nist_mod_192 3346 EXIST::FUNCTION: 2908BN_nist_mod_192 3346 EXIST::FUNCTION:
2909EC_GROUP_get_trinomial_basis 3347 EXIST::FUNCTION:EC 2909EC_GROUP_get_trinomial_basis 3347 EXIST::FUNCTION:EC,EC2M
2910STORE_set_method 3348 NOEXIST::FUNCTION: 2910STORE_set_method 3348 NOEXIST::FUNCTION:
2911GENERAL_SUBTREE_free 3349 EXIST::FUNCTION: 2911GENERAL_SUBTREE_free 3349 EXIST::FUNCTION:
2912NAME_CONSTRAINTS_it 3350 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: 2912NAME_CONSTRAINTS_it 3350 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
@@ -2921,14 +2921,14 @@ SHA512_Update 3356 EXIST:!VMSVAX:FUNCTION:SHA,SHA512
2921i2d_ECPrivateKey 3357 EXIST::FUNCTION:EC 2921i2d_ECPrivateKey 3357 EXIST::FUNCTION:EC
2922BN_get0_nist_prime_192 3358 EXIST::FUNCTION: 2922BN_get0_nist_prime_192 3358 EXIST::FUNCTION:
2923STORE_modify_certificate 3359 NOEXIST::FUNCTION: 2923STORE_modify_certificate 3359 NOEXIST::FUNCTION:
2924EC_POINT_set_affine_coordinates_GF2m 3360 EXIST:!VMS:FUNCTION:EC 2924EC_POINT_set_affine_coordinates_GF2m 3360 EXIST:!VMS:FUNCTION:EC,EC2M
2925EC_POINT_set_affine_coords_GF2m 3360 EXIST:VMS:FUNCTION:EC 2925EC_POINT_set_affine_coords_GF2m 3360 EXIST:VMS:FUNCTION:EC,EC2M
2926BN_GF2m_mod_exp_arr 3361 EXIST::FUNCTION: 2926BN_GF2m_mod_exp_arr 3361 EXIST::FUNCTION:EC2M
2927STORE_ATTR_INFO_modify_number 3362 NOEXIST::FUNCTION: 2927STORE_ATTR_INFO_modify_number 3362 NOEXIST::FUNCTION:
2928X509_keyid_get0 3363 EXIST::FUNCTION: 2928X509_keyid_get0 3363 EXIST::FUNCTION:
2929ENGINE_load_gmp 3364 EXIST::FUNCTION:ENGINE,GMP,STATIC_ENGINE 2929ENGINE_load_gmp 3364 EXIST::FUNCTION:ENGINE,GMP,STATIC_ENGINE
2930pitem_new 3365 EXIST::FUNCTION: 2930pitem_new 3365 EXIST::FUNCTION:
2931BN_GF2m_mod_mul_arr 3366 EXIST::FUNCTION: 2931BN_GF2m_mod_mul_arr 3366 EXIST::FUNCTION:EC2M
2932STORE_list_public_key_endp 3367 NOEXIST::FUNCTION: 2932STORE_list_public_key_endp 3367 NOEXIST::FUNCTION:
2933o2i_ECPublicKey 3368 EXIST::FUNCTION:EC 2933o2i_ECPublicKey 3368 EXIST::FUNCTION:EC
2934EC_KEY_copy 3369 EXIST::FUNCTION:EC 2934EC_KEY_copy 3369 EXIST::FUNCTION:EC
@@ -2945,7 +2945,7 @@ X509_VERIFY_PARAM_inherit 3378 EXIST::FUNCTION:
2945EC_POINT_point2bn 3379 EXIST::FUNCTION:EC 2945EC_POINT_point2bn 3379 EXIST::FUNCTION:EC
2946STORE_ATTR_INFO_set_dn 3380 NOEXIST::FUNCTION: 2946STORE_ATTR_INFO_set_dn 3380 NOEXIST::FUNCTION:
2947X509_policy_tree_get0_policies 3381 EXIST::FUNCTION: 2947X509_policy_tree_get0_policies 3381 EXIST::FUNCTION:
2948EC_GROUP_new_curve_GF2m 3382 EXIST::FUNCTION:EC 2948EC_GROUP_new_curve_GF2m 3382 EXIST::FUNCTION:EC,EC2M
2949STORE_destroy_method 3383 NOEXIST::FUNCTION: 2949STORE_destroy_method 3383 NOEXIST::FUNCTION:
2950ENGINE_unregister_STORE 3384 EXIST::FUNCTION:ENGINE 2950ENGINE_unregister_STORE 3384 EXIST::FUNCTION:ENGINE
2951EVP_PKEY_get1_EC_KEY 3385 EXIST::FUNCTION:EC 2951EVP_PKEY_get1_EC_KEY 3385 EXIST::FUNCTION:EC
@@ -2961,7 +2961,7 @@ ENGINE_get_static_state 3393 EXIST::FUNCTION:ENGINE
2961pqueue_iterator 3394 EXIST::FUNCTION: 2961pqueue_iterator 3394 EXIST::FUNCTION:
2962ECDSA_SIG_new 3395 EXIST::FUNCTION:ECDSA 2962ECDSA_SIG_new 3395 EXIST::FUNCTION:ECDSA
2963OPENSSL_DIR_end 3396 EXIST::FUNCTION: 2963OPENSSL_DIR_end 3396 EXIST::FUNCTION:
2964BN_GF2m_mod_sqr 3397 EXIST::FUNCTION: 2964BN_GF2m_mod_sqr 3397 EXIST::FUNCTION:EC2M
2965EC_POINT_bn2point 3398 EXIST::FUNCTION:EC 2965EC_POINT_bn2point 3398 EXIST::FUNCTION:EC
2966X509_VERIFY_PARAM_set_depth 3399 EXIST::FUNCTION: 2966X509_VERIFY_PARAM_set_depth 3399 EXIST::FUNCTION:
2967EC_KEY_set_asn1_flag 3400 EXIST::FUNCTION:EC 2967EC_KEY_set_asn1_flag 3400 EXIST::FUNCTION:EC
@@ -2974,7 +2974,7 @@ EC_GROUP_get_point_conv_form 3405 EXIST:VMS:FUNCTION:EC
2974STORE_method_set_store_function 3406 NOEXIST::FUNCTION: 2974STORE_method_set_store_function 3406 NOEXIST::FUNCTION:
2975STORE_ATTR_INFO_in 3407 NOEXIST::FUNCTION: 2975STORE_ATTR_INFO_in 3407 NOEXIST::FUNCTION:
2976PEM_read_bio_ECPKParameters 3408 EXIST::FUNCTION:EC 2976PEM_read_bio_ECPKParameters 3408 EXIST::FUNCTION:EC
2977EC_GROUP_get_pentanomial_basis 3409 EXIST::FUNCTION:EC 2977EC_GROUP_get_pentanomial_basis 3409 EXIST::FUNCTION:EC,EC2M
2978EVP_PKEY_add1_attr_by_txt 3410 EXIST::FUNCTION: 2978EVP_PKEY_add1_attr_by_txt 3410 EXIST::FUNCTION:
2979BN_BLINDING_set_flags 3411 EXIST::FUNCTION: 2979BN_BLINDING_set_flags 3411 EXIST::FUNCTION:
2980X509_VERIFY_PARAM_set1_policies 3412 EXIST::FUNCTION: 2980X509_VERIFY_PARAM_set1_policies 3412 EXIST::FUNCTION:
@@ -2982,10 +2982,10 @@ X509_VERIFY_PARAM_set1_name 3413 EXIST::FUNCTION:
2982X509_VERIFY_PARAM_set_purpose 3414 EXIST::FUNCTION: 2982X509_VERIFY_PARAM_set_purpose 3414 EXIST::FUNCTION:
2983STORE_get_number 3415 NOEXIST::FUNCTION: 2983STORE_get_number 3415 NOEXIST::FUNCTION:
2984ECDSA_sign_setup 3416 EXIST::FUNCTION:ECDSA 2984ECDSA_sign_setup 3416 EXIST::FUNCTION:ECDSA
2985BN_GF2m_mod_solve_quad_arr 3417 EXIST::FUNCTION: 2985BN_GF2m_mod_solve_quad_arr 3417 EXIST::FUNCTION:EC2M
2986EC_KEY_up_ref 3418 EXIST::FUNCTION:EC 2986EC_KEY_up_ref 3418 EXIST::FUNCTION:EC
2987POLICY_MAPPING_free 3419 EXIST::FUNCTION: 2987POLICY_MAPPING_free 3419 EXIST::FUNCTION:
2988BN_GF2m_mod_div 3420 EXIST::FUNCTION: 2988BN_GF2m_mod_div 3420 EXIST::FUNCTION:EC2M
2989X509_VERIFY_PARAM_set_flags 3421 EXIST::FUNCTION: 2989X509_VERIFY_PARAM_set_flags 3421 EXIST::FUNCTION:
2990EC_KEY_free 3422 EXIST::FUNCTION:EC 2990EC_KEY_free 3422 EXIST::FUNCTION:EC
2991STORE_meth_set_list_next_fn 3423 NOEXIST::FUNCTION: 2991STORE_meth_set_list_next_fn 3423 NOEXIST::FUNCTION:
@@ -2999,7 +2999,7 @@ STORE_method_set_list_end_function 3427 NOEXIST::FUNCTION:
2999pqueue_print 3428 EXIST::FUNCTION: 2999pqueue_print 3428 EXIST::FUNCTION:
3000EC_GROUP_have_precompute_mult 3429 EXIST::FUNCTION:EC 3000EC_GROUP_have_precompute_mult 3429 EXIST::FUNCTION:EC
3001EC_KEY_print_fp 3430 EXIST::FUNCTION:EC,FP_API 3001EC_KEY_print_fp 3430 EXIST::FUNCTION:EC,FP_API
3002BN_GF2m_mod_arr 3431 EXIST::FUNCTION: 3002BN_GF2m_mod_arr 3431 EXIST::FUNCTION:EC2M
3003PEM_write_bio_X509_CERT_PAIR 3432 EXIST::FUNCTION: 3003PEM_write_bio_X509_CERT_PAIR 3432 EXIST::FUNCTION:
3004EVP_PKEY_cmp 3433 EXIST::FUNCTION: 3004EVP_PKEY_cmp 3433 EXIST::FUNCTION:
3005X509_policy_level_node_count 3434 EXIST::FUNCTION: 3005X509_policy_level_node_count 3434 EXIST::FUNCTION:
@@ -3020,7 +3020,7 @@ X509_policy_node_get0_qualifiers 3448 EXIST:!VMS:FUNCTION:
3020X509_pcy_node_get0_qualifiers 3448 EXIST:VMS:FUNCTION: 3020X509_pcy_node_get0_qualifiers 3448 EXIST:VMS:FUNCTION:
3021STORE_list_crl_end 3449 NOEXIST::FUNCTION: 3021STORE_list_crl_end 3449 NOEXIST::FUNCTION:
3022EVP_PKEY_set1_EC_KEY 3450 EXIST::FUNCTION:EC 3022EVP_PKEY_set1_EC_KEY 3450 EXIST::FUNCTION:EC
3023BN_GF2m_mod_sqrt_arr 3451 EXIST::FUNCTION: 3023BN_GF2m_mod_sqrt_arr 3451 EXIST::FUNCTION:EC2M
3024i2d_ECPrivateKey_bio 3452 EXIST::FUNCTION:BIO,EC 3024i2d_ECPrivateKey_bio 3452 EXIST::FUNCTION:BIO,EC
3025ECPKParameters_print_fp 3453 EXIST::FUNCTION:EC,FP_API 3025ECPKParameters_print_fp 3453 EXIST::FUNCTION:EC,FP_API
3026pqueue_find 3454 EXIST::FUNCTION: 3026pqueue_find 3454 EXIST::FUNCTION:
@@ -3037,7 +3037,7 @@ PKCS12_add_safes 3464 EXIST::FUNCTION:
3037BN_BLINDING_convert_ex 3465 EXIST::FUNCTION: 3037BN_BLINDING_convert_ex 3465 EXIST::FUNCTION:
3038X509_policy_tree_free 3466 EXIST::FUNCTION: 3038X509_policy_tree_free 3466 EXIST::FUNCTION:
3039OPENSSL_ia32cap_loc 3467 EXIST::FUNCTION: 3039OPENSSL_ia32cap_loc 3467 EXIST::FUNCTION:
3040BN_GF2m_poly2arr 3468 EXIST::FUNCTION: 3040BN_GF2m_poly2arr 3468 EXIST::FUNCTION:EC2M
3041STORE_ctrl 3469 NOEXIST::FUNCTION: 3041STORE_ctrl 3469 NOEXIST::FUNCTION:
3042STORE_ATTR_INFO_compare 3470 NOEXIST::FUNCTION: 3042STORE_ATTR_INFO_compare 3470 NOEXIST::FUNCTION:
3043BN_get0_nist_prime_224 3471 EXIST::FUNCTION: 3043BN_get0_nist_prime_224 3471 EXIST::FUNCTION:
@@ -3061,7 +3061,7 @@ STORE_method_set_delete_function 3486 NOEXIST::FUNCTION:
3061STORE_list_certificate_next 3487 NOEXIST::FUNCTION: 3061STORE_list_certificate_next 3487 NOEXIST::FUNCTION:
3062ASN1_generate_nconf 3488 EXIST::FUNCTION: 3062ASN1_generate_nconf 3488 EXIST::FUNCTION:
3063BUF_memdup 3489 EXIST::FUNCTION: 3063BUF_memdup 3489 EXIST::FUNCTION:
3064BN_GF2m_mod_mul 3490 EXIST::FUNCTION: 3064BN_GF2m_mod_mul 3490 EXIST::FUNCTION:EC2M
3065STORE_meth_get_list_next_fn 3491 NOEXIST::FUNCTION: 3065STORE_meth_get_list_next_fn 3491 NOEXIST::FUNCTION:
3066STORE_method_get_list_next_function 3491 NOEXIST::FUNCTION: 3066STORE_method_get_list_next_function 3491 NOEXIST::FUNCTION:
3067STORE_ATTR_INFO_get0_dn 3492 NOEXIST::FUNCTION: 3067STORE_ATTR_INFO_get0_dn 3492 NOEXIST::FUNCTION:
@@ -3072,7 +3072,7 @@ STORE_ATTR_INFO_free 3496 NOEXIST::FUNCTION:
3072STORE_get_private_key 3497 NOEXIST::FUNCTION: 3072STORE_get_private_key 3497 NOEXIST::FUNCTION:
3073EVP_PKEY_get_attr_count 3498 EXIST::FUNCTION: 3073EVP_PKEY_get_attr_count 3498 EXIST::FUNCTION:
3074STORE_ATTR_INFO_new 3499 NOEXIST::FUNCTION: 3074STORE_ATTR_INFO_new 3499 NOEXIST::FUNCTION:
3075EC_GROUP_get_curve_GF2m 3500 EXIST::FUNCTION:EC 3075EC_GROUP_get_curve_GF2m 3500 EXIST::FUNCTION:EC,EC2M
3076STORE_meth_set_revoke_fn 3501 NOEXIST::FUNCTION: 3076STORE_meth_set_revoke_fn 3501 NOEXIST::FUNCTION:
3077STORE_method_set_revoke_function 3501 NOEXIST::FUNCTION: 3077STORE_method_set_revoke_function 3501 NOEXIST::FUNCTION:
3078STORE_store_number 3502 NOEXIST::FUNCTION: 3078STORE_store_number 3502 NOEXIST::FUNCTION:
@@ -3088,7 +3088,7 @@ BIO_dump_indent_fp 3511 EXIST::FUNCTION:FP_API
3088EC_KEY_set_group 3512 EXIST::FUNCTION:EC 3088EC_KEY_set_group 3512 EXIST::FUNCTION:EC
3089BUF_strndup 3513 EXIST::FUNCTION: 3089BUF_strndup 3513 EXIST::FUNCTION:
3090STORE_list_certificate_start 3514 NOEXIST::FUNCTION: 3090STORE_list_certificate_start 3514 NOEXIST::FUNCTION:
3091BN_GF2m_mod 3515 EXIST::FUNCTION: 3091BN_GF2m_mod 3515 EXIST::FUNCTION:EC2M
3092X509_REQ_check_private_key 3516 EXIST::FUNCTION: 3092X509_REQ_check_private_key 3516 EXIST::FUNCTION:
3093EC_GROUP_get_seed_len 3517 EXIST::FUNCTION:EC 3093EC_GROUP_get_seed_len 3517 EXIST::FUNCTION:EC
3094ERR_load_STORE_strings 3518 NOEXIST::FUNCTION: 3094ERR_load_STORE_strings 3518 NOEXIST::FUNCTION:
@@ -3117,19 +3117,19 @@ STORE_method_set_get_function 3536 NOEXIST::FUNCTION:
3117STORE_modify_number 3537 NOEXIST::FUNCTION: 3117STORE_modify_number 3537 NOEXIST::FUNCTION:
3118STORE_method_get_store_function 3538 NOEXIST::FUNCTION: 3118STORE_method_get_store_function 3538 NOEXIST::FUNCTION:
3119STORE_store_private_key 3539 NOEXIST::FUNCTION: 3119STORE_store_private_key 3539 NOEXIST::FUNCTION:
3120BN_GF2m_mod_sqr_arr 3540 EXIST::FUNCTION: 3120BN_GF2m_mod_sqr_arr 3540 EXIST::FUNCTION:EC2M
3121RSA_setup_blinding 3541 EXIST::FUNCTION:RSA 3121RSA_setup_blinding 3541 EXIST::FUNCTION:RSA
3122BIO_s_datagram 3542 EXIST::FUNCTION:DGRAM 3122BIO_s_datagram 3542 EXIST::FUNCTION:DGRAM
3123STORE_Memory 3543 NOEXIST::FUNCTION: 3123STORE_Memory 3543 NOEXIST::FUNCTION:
3124sk_find_ex 3544 EXIST::FUNCTION: 3124sk_find_ex 3544 EXIST::FUNCTION:
3125EC_GROUP_set_curve_GF2m 3545 EXIST::FUNCTION:EC 3125EC_GROUP_set_curve_GF2m 3545 EXIST::FUNCTION:EC,EC2M
3126ENGINE_set_default_ECDSA 3546 EXIST::FUNCTION:ENGINE 3126ENGINE_set_default_ECDSA 3546 EXIST::FUNCTION:ENGINE
3127POLICY_CONSTRAINTS_new 3547 EXIST::FUNCTION: 3127POLICY_CONSTRAINTS_new 3547 EXIST::FUNCTION:
3128BN_GF2m_mod_sqrt 3548 EXIST::FUNCTION: 3128BN_GF2m_mod_sqrt 3548 EXIST::FUNCTION:EC2M
3129ECDH_set_default_method 3549 EXIST::FUNCTION:ECDH 3129ECDH_set_default_method 3549 EXIST::FUNCTION:ECDH
3130EC_KEY_generate_key 3550 EXIST::FUNCTION:EC 3130EC_KEY_generate_key 3550 EXIST::FUNCTION:EC
3131SHA384_Update 3551 EXIST:!VMSVAX:FUNCTION:SHA,SHA512 3131SHA384_Update 3551 EXIST:!VMSVAX:FUNCTION:SHA,SHA512
3132BN_GF2m_arr2poly 3552 EXIST::FUNCTION: 3132BN_GF2m_arr2poly 3552 EXIST::FUNCTION:EC2M
3133STORE_method_get_get_function 3553 NOEXIST::FUNCTION: 3133STORE_method_get_get_function 3553 NOEXIST::FUNCTION:
3134STORE_meth_set_cleanup_fn 3554 NOEXIST::FUNCTION: 3134STORE_meth_set_cleanup_fn 3554 NOEXIST::FUNCTION:
3135STORE_method_set_cleanup_function 3554 NOEXIST::FUNCTION: 3135STORE_method_set_cleanup_function 3554 NOEXIST::FUNCTION:
@@ -3154,7 +3154,7 @@ EC_GROUP_get_degree 3570 EXIST::FUNCTION:EC
3154ASN1_generate_v3 3571 EXIST::FUNCTION: 3154ASN1_generate_v3 3571 EXIST::FUNCTION:
3155STORE_ATTR_INFO_modify_cstr 3572 NOEXIST::FUNCTION: 3155STORE_ATTR_INFO_modify_cstr 3572 NOEXIST::FUNCTION:
3156X509_policy_tree_level_count 3573 EXIST::FUNCTION: 3156X509_policy_tree_level_count 3573 EXIST::FUNCTION:
3157BN_GF2m_add 3574 EXIST::FUNCTION: 3157BN_GF2m_add 3574 EXIST::FUNCTION:EC2M
3158EC_KEY_get0_group 3575 EXIST::FUNCTION:EC 3158EC_KEY_get0_group 3575 EXIST::FUNCTION:EC
3159STORE_generate_crl 3576 NOEXIST::FUNCTION: 3159STORE_generate_crl 3576 NOEXIST::FUNCTION:
3160STORE_store_public_key 3577 NOEXIST::FUNCTION: 3160STORE_store_public_key 3577 NOEXIST::FUNCTION:
@@ -3179,8 +3179,8 @@ STORE_store_certificate 3593 NOEXIST::FUNCTION:
3179OBJ_bsearch_ex 3594 NOEXIST::FUNCTION: 3179OBJ_bsearch_ex 3594 NOEXIST::FUNCTION:
3180X509_STORE_CTX_set_default 3595 EXIST::FUNCTION: 3180X509_STORE_CTX_set_default 3595 EXIST::FUNCTION:
3181STORE_ATTR_INFO_set_sha1str 3596 NOEXIST::FUNCTION: 3181STORE_ATTR_INFO_set_sha1str 3596 NOEXIST::FUNCTION:
3182BN_GF2m_mod_inv 3597 EXIST::FUNCTION: 3182BN_GF2m_mod_inv 3597 EXIST::FUNCTION:EC2M
3183BN_GF2m_mod_exp 3598 EXIST::FUNCTION: 3183BN_GF2m_mod_exp 3598 EXIST::FUNCTION:EC2M
3184STORE_modify_public_key 3599 NOEXIST::FUNCTION: 3184STORE_modify_public_key 3599 NOEXIST::FUNCTION:
3185STORE_meth_get_list_start_fn 3600 NOEXIST::FUNCTION: 3185STORE_meth_get_list_start_fn 3600 NOEXIST::FUNCTION:
3186STORE_method_get_list_start_function 3600 NOEXIST::FUNCTION: 3186STORE_method_get_list_start_function 3600 NOEXIST::FUNCTION:
@@ -3188,7 +3188,7 @@ EC_GROUP_get0_seed 3601 EXIST::FUNCTION:EC
3188STORE_store_arbitrary 3602 NOEXIST::FUNCTION: 3188STORE_store_arbitrary 3602 NOEXIST::FUNCTION:
3189STORE_meth_set_unlock_store_fn 3603 NOEXIST::FUNCTION: 3189STORE_meth_set_unlock_store_fn 3603 NOEXIST::FUNCTION:
3190STORE_method_set_unlock_store_function 3603 NOEXIST::FUNCTION: 3190STORE_method_set_unlock_store_function 3603 NOEXIST::FUNCTION:
3191BN_GF2m_mod_div_arr 3604 EXIST::FUNCTION: 3191BN_GF2m_mod_div_arr 3604 EXIST::FUNCTION:EC2M
3192ENGINE_set_ECDSA 3605 EXIST::FUNCTION:ENGINE 3192ENGINE_set_ECDSA 3605 EXIST::FUNCTION:ENGINE
3193STORE_create_method 3606 NOEXIST::FUNCTION: 3193STORE_create_method 3606 NOEXIST::FUNCTION:
3194ECPKParameters_print 3607 EXIST::FUNCTION:BIO,EC 3194ECPKParameters_print 3607 EXIST::FUNCTION:BIO,EC
@@ -3211,8 +3211,8 @@ EC_KEY_get_enc_flags 3622 EXIST::FUNCTION:EC
3211ASN1_const_check_infinite_end 3623 EXIST::FUNCTION: 3211ASN1_const_check_infinite_end 3623 EXIST::FUNCTION:
3212EVP_PKEY_delete_attr 3624 EXIST::FUNCTION: 3212EVP_PKEY_delete_attr 3624 EXIST::FUNCTION:
3213ECDSA_set_default_method 3625 EXIST::FUNCTION:ECDSA 3213ECDSA_set_default_method 3625 EXIST::FUNCTION:ECDSA
3214EC_POINT_set_compressed_coordinates_GF2m 3626 EXIST:!VMS:FUNCTION:EC 3214EC_POINT_set_compressed_coordinates_GF2m 3626 EXIST:!VMS:FUNCTION:EC,EC2M
3215EC_POINT_set_compr_coords_GF2m 3626 EXIST:VMS:FUNCTION:EC 3215EC_POINT_set_compr_coords_GF2m 3626 EXIST:VMS:FUNCTION:EC,EC2M
3216EC_GROUP_cmp 3627 EXIST::FUNCTION:EC 3216EC_GROUP_cmp 3627 EXIST::FUNCTION:EC
3217STORE_revoke_certificate 3628 NOEXIST::FUNCTION: 3217STORE_revoke_certificate 3628 NOEXIST::FUNCTION:
3218BN_get0_nist_prime_256 3629 EXIST::FUNCTION: 3218BN_get0_nist_prime_256 3629 EXIST::FUNCTION:
@@ -3241,7 +3241,7 @@ POLICY_CONSTRAINTS_it 3649 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTI
3241STORE_get_ex_new_index 3650 NOEXIST::FUNCTION: 3241STORE_get_ex_new_index 3650 NOEXIST::FUNCTION:
3242EVP_PKEY_get_attr_by_OBJ 3651 EXIST::FUNCTION: 3242EVP_PKEY_get_attr_by_OBJ 3651 EXIST::FUNCTION:
3243X509_VERIFY_PARAM_add0_policy 3652 EXIST::FUNCTION: 3243X509_VERIFY_PARAM_add0_policy 3652 EXIST::FUNCTION:
3244BN_GF2m_mod_solve_quad 3653 EXIST::FUNCTION: 3244BN_GF2m_mod_solve_quad 3653 EXIST::FUNCTION:EC2M
3245SHA256 3654 EXIST::FUNCTION:SHA,SHA256 3245SHA256 3654 EXIST::FUNCTION:SHA,SHA256
3246i2d_ECPrivateKey_fp 3655 EXIST::FUNCTION:EC,FP_API 3246i2d_ECPrivateKey_fp 3655 EXIST::FUNCTION:EC,FP_API
3247X509_policy_tree_get0_user_policies 3656 EXIST:!VMS:FUNCTION: 3247X509_policy_tree_get0_user_policies 3656 EXIST:!VMS:FUNCTION:
@@ -3249,8 +3249,8 @@ X509_pcy_tree_get0_usr_policies 3656 EXIST:VMS:FUNCTION:
3249OPENSSL_DIR_read 3657 EXIST::FUNCTION: 3249OPENSSL_DIR_read 3657 EXIST::FUNCTION:
3250ENGINE_register_all_ECDSA 3658 EXIST::FUNCTION:ENGINE 3250ENGINE_register_all_ECDSA 3658 EXIST::FUNCTION:ENGINE
3251X509_VERIFY_PARAM_lookup 3659 EXIST::FUNCTION: 3251X509_VERIFY_PARAM_lookup 3659 EXIST::FUNCTION:
3252EC_POINT_get_affine_coordinates_GF2m 3660 EXIST:!VMS:FUNCTION:EC 3252EC_POINT_get_affine_coordinates_GF2m 3660 EXIST:!VMS:FUNCTION:EC,EC2M
3253EC_POINT_get_affine_coords_GF2m 3660 EXIST:VMS:FUNCTION:EC 3253EC_POINT_get_affine_coords_GF2m 3660 EXIST:VMS:FUNCTION:EC,EC2M
3254EC_GROUP_dup 3661 EXIST::FUNCTION:EC 3254EC_GROUP_dup 3661 EXIST::FUNCTION:EC
3255ENGINE_get_default_ECDSA 3662 EXIST::FUNCTION:ENGINE 3255ENGINE_get_default_ECDSA 3662 EXIST::FUNCTION:ENGINE
3256EC_KEY_new 3663 EXIST::FUNCTION:EC 3256EC_KEY_new 3663 EXIST::FUNCTION:EC
@@ -3332,7 +3332,7 @@ STORE_list_certificate_end 3734 NOEXIST::FUNCTION:
3332STORE_get_crl 3735 NOEXIST::FUNCTION: 3332STORE_get_crl 3735 NOEXIST::FUNCTION:
3333X509_POLICY_NODE_print 3736 EXIST::FUNCTION: 3333X509_POLICY_NODE_print 3736 EXIST::FUNCTION:
3334SHA384_Init 3737 EXIST:!VMSVAX:FUNCTION:SHA,SHA512 3334SHA384_Init 3737 EXIST:!VMSVAX:FUNCTION:SHA,SHA512
3335EC_GF2m_simple_method 3738 EXIST::FUNCTION:EC 3335EC_GF2m_simple_method 3738 EXIST::FUNCTION:EC,EC2M
3336ECDSA_set_ex_data 3739 EXIST::FUNCTION:ECDSA 3336ECDSA_set_ex_data 3739 EXIST::FUNCTION:ECDSA
3337SHA384_Final 3740 EXIST:!VMSVAX:FUNCTION:SHA,SHA512 3337SHA384_Final 3740 EXIST:!VMSVAX:FUNCTION:SHA,SHA512
3338PKCS7_set_digest 3741 EXIST::FUNCTION: 3338PKCS7_set_digest 3741 EXIST::FUNCTION:
@@ -3364,7 +3364,7 @@ BIO_dump_cb 3764 EXIST::FUNCTION:
3364SHA256_Update 3765 EXIST::FUNCTION:SHA,SHA256 3364SHA256_Update 3765 EXIST::FUNCTION:SHA,SHA256
3365pqueue_insert 3766 EXIST::FUNCTION: 3365pqueue_insert 3766 EXIST::FUNCTION:
3366pitem_free 3767 EXIST::FUNCTION: 3366pitem_free 3767 EXIST::FUNCTION:
3367BN_GF2m_mod_inv_arr 3768 EXIST::FUNCTION: 3367BN_GF2m_mod_inv_arr 3768 EXIST::FUNCTION:EC2M
3368ENGINE_unregister_ECDSA 3769 EXIST::FUNCTION:ENGINE 3368ENGINE_unregister_ECDSA 3769 EXIST::FUNCTION:ENGINE
3369BN_BLINDING_set_thread_id 3770 EXIST::FUNCTION:DEPRECATED 3369BN_BLINDING_set_thread_id 3770 EXIST::FUNCTION:DEPRECATED
3370get_rfc3526_prime_8192 3771 EXIST::FUNCTION: 3370get_rfc3526_prime_8192 3771 EXIST::FUNCTION:
@@ -3670,7 +3670,7 @@ int_EVP_MD_set_engine_callbacks 4056 NOEXIST::FUNCTION:
3670int_CRYPTO_set_do_dynlock_callback 4057 NOEXIST::FUNCTION: 3670int_CRYPTO_set_do_dynlock_callback 4057 NOEXIST::FUNCTION:
3671FIPS_rng_stick 4058 NOEXIST::FUNCTION: 3671FIPS_rng_stick 4058 NOEXIST::FUNCTION:
3672EVP_CIPHER_CTX_set_flags 4059 EXIST::FUNCTION: 3672EVP_CIPHER_CTX_set_flags 4059 EXIST::FUNCTION:
3673BN_X931_generate_prime_ex 4060 NOEXIST::FUNCTION: 3673BN_X931_generate_prime_ex 4060 EXIST::FUNCTION:
3674FIPS_selftest_check 4061 NOEXIST::FUNCTION: 3674FIPS_selftest_check 4061 NOEXIST::FUNCTION:
3675FIPS_rand_set_dt 4062 NOEXIST::FUNCTION: 3675FIPS_rand_set_dt 4062 NOEXIST::FUNCTION:
3676CRYPTO_dbg_pop_info 4063 NOEXIST::FUNCTION: 3676CRYPTO_dbg_pop_info 4063 NOEXIST::FUNCTION:
@@ -3695,14 +3695,14 @@ FIPS_rand_test_mode 4081 NOEXIST::FUNCTION:
3695FIPS_rand_reset 4082 NOEXIST::FUNCTION: 3695FIPS_rand_reset 4082 NOEXIST::FUNCTION:
3696FIPS_dsa_new 4083 NOEXIST::FUNCTION: 3696FIPS_dsa_new 4083 NOEXIST::FUNCTION:
3697int_RAND_set_callbacks 4084 NOEXIST::FUNCTION: 3697int_RAND_set_callbacks 4084 NOEXIST::FUNCTION:
3698BN_X931_derive_prime_ex 4085 NOEXIST::FUNCTION: 3698BN_X931_derive_prime_ex 4085 EXIST::FUNCTION:
3699int_ERR_lib_init 4086 NOEXIST::FUNCTION: 3699int_ERR_lib_init 4086 NOEXIST::FUNCTION:
3700int_EVP_CIPHER_init_engine_callbacks 4087 NOEXIST::FUNCTION: 3700int_EVP_CIPHER_init_engine_callbacks 4087 NOEXIST::FUNCTION:
3701FIPS_rsa_free 4088 NOEXIST::FUNCTION: 3701FIPS_rsa_free 4088 NOEXIST::FUNCTION:
3702FIPS_dsa_sig_encode 4089 NOEXIST::FUNCTION: 3702FIPS_dsa_sig_encode 4089 NOEXIST::FUNCTION:
3703CRYPTO_dbg_remove_all_info 4090 NOEXIST::FUNCTION: 3703CRYPTO_dbg_remove_all_info 4090 NOEXIST::FUNCTION:
3704OPENSSL_init 4091 NOEXIST::FUNCTION: 3704OPENSSL_init 4091 EXIST::FUNCTION:
3705private_Camellia_set_key 4092 NOEXIST::FUNCTION: 3705private_Camellia_set_key 4092 EXIST:OPENSSL_FIPS:FUNCTION:CAMELLIA
3706CRYPTO_strdup 4093 EXIST::FUNCTION: 3706CRYPTO_strdup 4093 EXIST::FUNCTION:
3707JPAKE_STEP3A_process 4094 EXIST::FUNCTION:JPAKE 3707JPAKE_STEP3A_process 4094 EXIST::FUNCTION:JPAKE
3708JPAKE_STEP1_release 4095 EXIST::FUNCTION:JPAKE 3708JPAKE_STEP1_release 4095 EXIST::FUNCTION:JPAKE
@@ -4194,4 +4194,119 @@ OPENSSL_memcmp 4565 EXIST::FUNCTION:
4194OPENSSL_strncasecmp 4566 EXIST::FUNCTION: 4194OPENSSL_strncasecmp 4566 EXIST::FUNCTION:
4195OPENSSL_gmtime 4567 EXIST::FUNCTION: 4195OPENSSL_gmtime 4567 EXIST::FUNCTION:
4196OPENSSL_gmtime_adj 4568 EXIST::FUNCTION: 4196OPENSSL_gmtime_adj 4568 EXIST::FUNCTION:
4197ENGINE_load_aesni 4569 EXIST::FUNCTION:ENGINE 4197SRP_VBASE_get_by_user 4569 EXIST::FUNCTION:SRP
4198SRP_Calc_server_key 4570 EXIST::FUNCTION:SRP
4199SRP_create_verifier 4571 EXIST::FUNCTION:SRP
4200SRP_create_verifier_BN 4572 EXIST::FUNCTION:SRP
4201SRP_Calc_u 4573 EXIST::FUNCTION:SRP
4202SRP_VBASE_free 4574 EXIST::FUNCTION:SRP
4203SRP_Calc_client_key 4575 EXIST::FUNCTION:SRP
4204SRP_get_default_gN 4576 EXIST::FUNCTION:SRP
4205SRP_Calc_x 4577 EXIST::FUNCTION:SRP
4206SRP_Calc_B 4578 EXIST::FUNCTION:SRP
4207SRP_VBASE_new 4579 EXIST::FUNCTION:SRP
4208SRP_check_known_gN_param 4580 EXIST::FUNCTION:SRP
4209SRP_Calc_A 4581 EXIST::FUNCTION:SRP
4210SRP_Verify_A_mod_N 4582 EXIST::FUNCTION:SRP
4211SRP_VBASE_init 4583 EXIST::FUNCTION:SRP
4212SRP_Verify_B_mod_N 4584 EXIST::FUNCTION:SRP
4213EC_KEY_set_public_key_affine_coordinates 4585 EXIST:!VMS:FUNCTION:EC
4214EC_KEY_set_pub_key_aff_coords 4585 EXIST:VMS:FUNCTION:EC
4215EVP_aes_192_ctr 4586 EXIST::FUNCTION:AES
4216EVP_PKEY_meth_get0_info 4587 EXIST::FUNCTION:
4217EVP_PKEY_meth_copy 4588 EXIST::FUNCTION:
4218ERR_add_error_vdata 4589 EXIST::FUNCTION:
4219EVP_aes_128_ctr 4590 EXIST::FUNCTION:AES
4220EVP_aes_256_ctr 4591 EXIST::FUNCTION:AES
4221EC_GFp_nistp224_method 4592 EXIST::FUNCTION:EC,EC_NISTP_64_GCC_128
4222EC_KEY_get_flags 4593 EXIST::FUNCTION:EC
4223RSA_padding_add_PKCS1_PSS_mgf1 4594 EXIST::FUNCTION:RSA
4224EVP_aes_128_xts 4595 EXIST::FUNCTION:AES
4225private_SHA224_Init 4596 EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA256
4226private_AES_set_decrypt_key 4597 EXIST::FUNCTION:AES
4227private_WHIRLPOOL_Init 4598 EXIST:OPENSSL_FIPS:FUNCTION:WHIRLPOOL
4228EVP_aes_256_xts 4599 EXIST::FUNCTION:AES
4229private_SHA512_Init 4600 EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA512
4230EVP_aes_128_gcm 4601 EXIST::FUNCTION:AES
4231EC_KEY_clear_flags 4602 EXIST::FUNCTION:EC
4232EC_KEY_set_flags 4603 EXIST::FUNCTION:EC
4233private_DES_set_key_unchecked 4604 EXIST:OPENSSL_FIPS:FUNCTION:DES
4234EVP_aes_256_ccm 4605 EXIST::FUNCTION:AES
4235private_AES_set_encrypt_key 4606 EXIST::FUNCTION:AES
4236RSA_verify_PKCS1_PSS_mgf1 4607 EXIST::FUNCTION:RSA
4237private_SHA1_Init 4608 EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA1
4238EVP_aes_128_ccm 4609 EXIST::FUNCTION:AES
4239private_SEED_set_key 4610 EXIST:OPENSSL_FIPS:FUNCTION:SEED
4240EVP_aes_192_gcm 4611 EXIST::FUNCTION:AES
4241X509_ALGOR_set_md 4612 EXIST::FUNCTION:
4242private_SHA256_Init 4613 EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA256
4243RAND_init_fips 4614 EXIST:OPENSSL_FIPS:FUNCTION:
4244EVP_aes_256_gcm 4615 EXIST::FUNCTION:AES
4245private_SHA384_Init 4616 EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA512
4246EVP_aes_192_ccm 4617 EXIST::FUNCTION:AES
4247CMAC_CTX_copy 4618 EXIST::FUNCTION:
4248CMAC_CTX_free 4619 EXIST::FUNCTION:
4249CMAC_CTX_get0_cipher_ctx 4620 EXIST::FUNCTION:
4250CMAC_CTX_cleanup 4621 EXIST::FUNCTION:
4251CMAC_Init 4622 EXIST::FUNCTION:
4252CMAC_Update 4623 EXIST::FUNCTION:
4253CMAC_resume 4624 EXIST::FUNCTION:
4254CMAC_CTX_new 4625 EXIST::FUNCTION:
4255CMAC_Final 4626 EXIST::FUNCTION:
4256CRYPTO_ctr128_encrypt_ctr32 4627 EXIST::FUNCTION:
4257CRYPTO_gcm128_release 4628 EXIST::FUNCTION:
4258CRYPTO_ccm128_decrypt_ccm64 4629 EXIST::FUNCTION:
4259CRYPTO_ccm128_encrypt 4630 EXIST::FUNCTION:
4260CRYPTO_gcm128_encrypt 4631 EXIST::FUNCTION:
4261CRYPTO_xts128_encrypt 4632 EXIST::FUNCTION:
4262EVP_rc4_hmac_md5 4633 EXIST::FUNCTION:MD5,RC4
4263CRYPTO_nistcts128_decrypt_block 4634 EXIST::FUNCTION:
4264CRYPTO_gcm128_setiv 4635 EXIST::FUNCTION:
4265CRYPTO_nistcts128_encrypt 4636 EXIST::FUNCTION:
4266EVP_aes_128_cbc_hmac_sha1 4637 EXIST::FUNCTION:AES,SHA,SHA1
4267CRYPTO_gcm128_tag 4638 EXIST::FUNCTION:
4268CRYPTO_ccm128_encrypt_ccm64 4639 EXIST::FUNCTION:
4269ENGINE_load_rdrand 4640 EXIST::FUNCTION:ENGINE
4270CRYPTO_ccm128_setiv 4641 EXIST::FUNCTION:
4271CRYPTO_nistcts128_encrypt_block 4642 EXIST::FUNCTION:
4272CRYPTO_gcm128_aad 4643 EXIST::FUNCTION:
4273CRYPTO_ccm128_init 4644 EXIST::FUNCTION:
4274CRYPTO_nistcts128_decrypt 4645 EXIST::FUNCTION:
4275CRYPTO_gcm128_new 4646 EXIST::FUNCTION:
4276CRYPTO_ccm128_tag 4647 EXIST::FUNCTION:
4277CRYPTO_ccm128_decrypt 4648 EXIST::FUNCTION:
4278CRYPTO_ccm128_aad 4649 EXIST::FUNCTION:
4279CRYPTO_gcm128_init 4650 EXIST::FUNCTION:
4280CRYPTO_gcm128_decrypt 4651 EXIST::FUNCTION:
4281ENGINE_load_rsax 4652 EXIST::FUNCTION:ENGINE
4282CRYPTO_gcm128_decrypt_ctr32 4653 EXIST::FUNCTION:
4283CRYPTO_gcm128_encrypt_ctr32 4654 EXIST::FUNCTION:
4284CRYPTO_gcm128_finish 4655 EXIST::FUNCTION:
4285EVP_aes_256_cbc_hmac_sha1 4656 EXIST::FUNCTION:AES,SHA,SHA1
4286PKCS5_pbkdf2_set 4657 EXIST::FUNCTION:
4287CMS_add0_recipient_password 4658 EXIST::FUNCTION:CMS
4288CMS_decrypt_set1_password 4659 EXIST::FUNCTION:CMS
4289CMS_RecipientInfo_set0_password 4660 EXIST::FUNCTION:CMS
4290RAND_set_fips_drbg_type 4661 EXIST:OPENSSL_FIPS:FUNCTION:
4291X509_REQ_sign_ctx 4662 EXIST::FUNCTION:EVP
4292RSA_PSS_PARAMS_new 4663 EXIST::FUNCTION:RSA
4293X509_CRL_sign_ctx 4664 EXIST::FUNCTION:EVP
4294X509_signature_dump 4665 EXIST::FUNCTION:EVP
4295d2i_RSA_PSS_PARAMS 4666 EXIST::FUNCTION:RSA
4296RSA_PSS_PARAMS_it 4667 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:RSA
4297RSA_PSS_PARAMS_it 4667 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:RSA
4298RSA_PSS_PARAMS_free 4668 EXIST::FUNCTION:RSA
4299X509_sign_ctx 4669 EXIST::FUNCTION:EVP
4300i2d_RSA_PSS_PARAMS 4670 EXIST::FUNCTION:RSA
4301ASN1_item_sign_ctx 4671 EXIST::FUNCTION:EVP
4302EC_GFp_nistp521_method 4672 EXIST::FUNCTION:EC,EC_NISTP_64_GCC_128
4303EC_GFp_nistp256_method 4673 EXIST::FUNCTION:EC,EC_NISTP_64_GCC_128
4304OPENSSL_stderr 4674 EXIST::FUNCTION:
4305OPENSSL_cpuid_setup 4675 EXIST::FUNCTION:
4306OPENSSL_showfatal 4676 EXIST::FUNCTION:
4307BIO_new_dgram_sctp 4677 EXIST::FUNCTION:SCTP
4308BIO_dgram_sctp_msg_waiting 4678 EXIST::FUNCTION:SCTP
4309BIO_dgram_sctp_wait_for_dry 4679 EXIST::FUNCTION:SCTP
4310BIO_s_datagram_sctp 4680 EXIST::FUNCTION:DGRAM,SCTP
4311BIO_dgram_is_sctp 4681 EXIST::FUNCTION:SCTP
4312BIO_dgram_sctp_notification_cb 4682 EXIST::FUNCTION:SCTP
diff --git a/src/lib/libcrypto/util/mk1mf.pl b/src/lib/libcrypto/util/mk1mf.pl
index 1dcef2b8a2..458f830401 100644
--- a/src/lib/libcrypto/util/mk1mf.pl
+++ b/src/lib/libcrypto/util/mk1mf.pl
@@ -18,6 +18,8 @@ local $zlib_opt = 0; # 0 = no zlib, 1 = static, 2 = dynamic
18local $zlib_lib = ""; 18local $zlib_lib = "";
19local $perl_asm = 0; # 1 to autobuild asm files from perl scripts 19local $perl_asm = 0; # 1 to autobuild asm files from perl scripts
20 20
21my $ex_l_libs = "";
22
21# Options to import from top level Makefile 23# Options to import from top level Makefile
22 24
23my %mf_import = ( 25my %mf_import = (
@@ -40,7 +42,9 @@ my %mf_import = (
40 SHA1_ASM_OBJ => \$mf_sha_asm, 42 SHA1_ASM_OBJ => \$mf_sha_asm,
41 RMD160_ASM_OBJ => \$mf_rmd_asm, 43 RMD160_ASM_OBJ => \$mf_rmd_asm,
42 WP_ASM_OBJ => \$mf_wp_asm, 44 WP_ASM_OBJ => \$mf_wp_asm,
43 CMLL_ENC => \$mf_cm_asm 45 CMLL_ENC => \$mf_cm_asm,
46 BASEADDR => \$baseaddr,
47 FIPSDIR => \$fipsdir,
44); 48);
45 49
46 50
@@ -104,6 +108,7 @@ and [options] can be one of
104 just-ssl - remove all non-ssl keys/digest 108 just-ssl - remove all non-ssl keys/digest
105 no-asm - No x86 asm 109 no-asm - No x86 asm
106 no-krb5 - No KRB5 110 no-krb5 - No KRB5
111 no-srp - No SRP
107 no-ec - No EC 112 no-ec - No EC
108 no-ecdsa - No ECDSA 113 no-ecdsa - No ECDSA
109 no-ecdh - No ECDH 114 no-ecdh - No ECDH
@@ -228,6 +233,8 @@ else
228 $cflags.=' -DTERMIO'; 233 $cflags.=' -DTERMIO';
229 } 234 }
230 235
236$fipsdir =~ s/\//${o}/g;
237
231$out_dir=(defined($VARS{'OUT'}))?$VARS{'OUT'}:$out_def.($debug?".dbg":""); 238$out_dir=(defined($VARS{'OUT'}))?$VARS{'OUT'}:$out_def.($debug?".dbg":"");
232$tmp_dir=(defined($VARS{'TMP'}))?$VARS{'TMP'}:$tmp_def.($debug?".dbg":""); 239$tmp_dir=(defined($VARS{'TMP'}))?$VARS{'TMP'}:$tmp_def.($debug?".dbg":"");
233$inc_dir=(defined($VARS{'INC'}))?$VARS{'INC'}:$inc_def; 240$inc_dir=(defined($VARS{'INC'}))?$VARS{'INC'}:$inc_def;
@@ -261,6 +268,7 @@ $cflags.=" -DOPENSSL_NO_SOCK" if $no_sock;
261$cflags.=" -DOPENSSL_NO_SSL2" if $no_ssl2; 268$cflags.=" -DOPENSSL_NO_SSL2" if $no_ssl2;
262$cflags.=" -DOPENSSL_NO_SSL3" if $no_ssl3; 269$cflags.=" -DOPENSSL_NO_SSL3" if $no_ssl3;
263$cflags.=" -DOPENSSL_NO_TLSEXT" if $no_tlsext; 270$cflags.=" -DOPENSSL_NO_TLSEXT" if $no_tlsext;
271$cflags.=" -DOPENSSL_NO_SRP" if $no_srp;
264$cflags.=" -DOPENSSL_NO_CMS" if $no_cms; 272$cflags.=" -DOPENSSL_NO_CMS" if $no_cms;
265$cflags.=" -DOPENSSL_NO_ERR" if $no_err; 273$cflags.=" -DOPENSSL_NO_ERR" if $no_err;
266$cflags.=" -DOPENSSL_NO_KRB5" if $no_krb5; 274$cflags.=" -DOPENSSL_NO_KRB5" if $no_krb5;
@@ -270,7 +278,9 @@ $cflags.=" -DOPENSSL_NO_ECDH" if $no_ecdh;
270$cflags.=" -DOPENSSL_NO_GOST" if $no_gost; 278$cflags.=" -DOPENSSL_NO_GOST" if $no_gost;
271$cflags.=" -DOPENSSL_NO_ENGINE" if $no_engine; 279$cflags.=" -DOPENSSL_NO_ENGINE" if $no_engine;
272$cflags.=" -DOPENSSL_NO_HW" if $no_hw; 280$cflags.=" -DOPENSSL_NO_HW" if $no_hw;
281$cflags.=" -DOPENSSL_FIPS" if $fips;
273$cflags.=" -DOPENSSL_NO_JPAKE" if $no_jpake; 282$cflags.=" -DOPENSSL_NO_JPAKE" if $no_jpake;
283$cflags.=" -DOPENSSL_NO_EC2M" if $no_ec2m;
274$cflags.= " -DZLIB" if $zlib_opt; 284$cflags.= " -DZLIB" if $zlib_opt;
275$cflags.= " -DZLIB_SHARED" if $zlib_opt == 2; 285$cflags.= " -DZLIB_SHARED" if $zlib_opt == 2;
276 286
@@ -404,6 +414,11 @@ else
404 \$(CP) \"\$(O_CRYPTO)\" \"\$(INSTALLTOP)${o}lib\" 414 \$(CP) \"\$(O_CRYPTO)\" \"\$(INSTALLTOP)${o}lib\"
405EOF 415EOF
406 $ex_libs .= " $zlib_lib" if $zlib_opt == 1; 416 $ex_libs .= " $zlib_lib" if $zlib_opt == 1;
417 if ($fips)
418 {
419 $build_targets .= " \$(LIB_D)$o$crypto_compat \$(PREMAIN_DSO_EXE)";
420 $ex_l_libs .= " \$(O_FIPSCANISTER)";
421 }
407 } 422 }
408 423
409$defs= <<"EOF"; 424$defs= <<"EOF";
@@ -465,6 +480,18 @@ MKLIB=$bin_dir$mklib
465MLFLAGS=$mlflags 480MLFLAGS=$mlflags
466ASM=$bin_dir$asm 481ASM=$bin_dir$asm
467 482
483# FIPS validated module and support file locations
484
485FIPSDIR=$fipsdir
486BASEADDR=$baseaddr
487FIPSLIB_D=\$(FIPSDIR)${o}lib
488FIPS_PREMAIN_SRC=\$(FIPSLIB_D)${o}fips_premain.c
489O_FIPSCANISTER=\$(FIPSLIB_D)${o}fipscanister.lib
490FIPS_SHA1_EXE=\$(FIPSDIR)${o}bin${o}fips_standalone_sha1${exep}
491E_PREMAIN_DSO=fips_premain_dso
492PREMAIN_DSO_EXE=\$(BIN_D)${o}fips_premain_dso$exep
493FIPSLINK=\$(PERL) \$(FIPSDIR)${o}bin${o}fipslink.pl
494
468###################################################### 495######################################################
469# You should not need to touch anything below this point 496# You should not need to touch anything below this point
470###################################################### 497######################################################
@@ -497,7 +524,7 @@ SO_CRYPTO= $plib\$(CRYPTO)$so_shlibp
497L_SSL= \$(LIB_D)$o$plib\$(SSL)$libp 524L_SSL= \$(LIB_D)$o$plib\$(SSL)$libp
498L_CRYPTO= \$(LIB_D)$o$plib\$(CRYPTO)$libp 525L_CRYPTO= \$(LIB_D)$o$plib\$(CRYPTO)$libp
499 526
500L_LIBS= \$(L_SSL) \$(L_CRYPTO) 527L_LIBS= \$(L_SSL) \$(L_CRYPTO) $ex_l_libs
501 528
502###################################################### 529######################################################
503# Don't touch anything below this point 530# Don't touch anything below this point
@@ -513,7 +540,7 @@ LIBS_DEP=\$(O_CRYPTO) \$(O_SSL)
513EOF 540EOF
514 541
515$rules=<<"EOF"; 542$rules=<<"EOF";
516all: banner \$(TMP_D) \$(BIN_D) \$(TEST_D) \$(LIB_D) \$(INCO_D) headers lib exe 543all: banner \$(TMP_D) \$(BIN_D) \$(TEST_D) \$(LIB_D) \$(INCO_D) headers lib exe $build_targets
517 544
518banner: 545banner:
519$banner 546$banner
@@ -629,6 +656,16 @@ $rules.=&do_compile_rule("\$(OBJ_D)",$test,"\$(APP_CFLAGS)");
629$defs.=&do_defs("E_OBJ",$e_exe,"\$(OBJ_D)",$obj); 656$defs.=&do_defs("E_OBJ",$e_exe,"\$(OBJ_D)",$obj);
630$rules.=&do_compile_rule("\$(OBJ_D)",$e_exe,'-DMONOLITH $(APP_CFLAGS)'); 657$rules.=&do_compile_rule("\$(OBJ_D)",$e_exe,'-DMONOLITH $(APP_CFLAGS)');
631 658
659# Special case rule for fips_premain_dso
660
661if ($fips)
662 {
663 $rules.=&cc_compile_target("\$(OBJ_D)${o}\$(E_PREMAIN_DSO)$obj",
664 "\$(FIPS_PREMAIN_SRC)",
665 "-DFINGERPRINT_PREMAIN_DSO_LOAD \$(SHLIB_CFLAGS)", "");
666 $rules.=&do_link_rule("\$(PREMAIN_DSO_EXE)","\$(OBJ_D)${o}\$(E_PREMAIN_DSO)$obj \$(CRYPTOOBJ) \$(O_FIPSCANISTER)","","\$(EX_LIBS)", 1);
667 }
668
632foreach (values %lib_nam) 669foreach (values %lib_nam)
633 { 670 {
634 $lib_obj=$lib_obj{$_}; 671 $lib_obj=$lib_obj{$_};
@@ -677,7 +714,28 @@ foreach (split(/\s+/,$engines))
677 714
678 715
679$rules.= &do_lib_rule("\$(SSLOBJ)","\$(O_SSL)",$ssl,$shlib,"\$(SO_SSL)"); 716$rules.= &do_lib_rule("\$(SSLOBJ)","\$(O_SSL)",$ssl,$shlib,"\$(SO_SSL)");
680$rules.= &do_lib_rule("\$(CRYPTOOBJ)","\$(O_CRYPTO)",$crypto,$shlib,"\$(SO_CRYPTO)"); 717
718if ($fips)
719 {
720 if ($shlib)
721 {
722 $rules.= &do_lib_rule("\$(CRYPTOOBJ) \$(O_FIPSCANISTER)",
723 "\$(O_CRYPTO)", "$crypto",
724 $shlib, "\$(SO_CRYPTO)", "\$(BASEADDR)");
725 }
726 else
727 {
728 $rules.= &do_lib_rule("\$(CRYPTOOBJ)",
729 "\$(O_CRYPTO)",$crypto,$shlib,"\$(SO_CRYPTO)", "");
730 $rules.= &do_lib_rule("\$(CRYPTOOBJ) \$(O_FIPSCANISTER)",
731 "\$(LIB_D)$o$crypto_compat",$crypto,$shlib,"\$(SO_CRYPTO)", "");
732 }
733 }
734 else
735 {
736 $rules.= &do_lib_rule("\$(CRYPTOOBJ)","\$(O_CRYPTO)",$crypto,$shlib,
737 "\$(SO_CRYPTO)");
738 }
681 739
682foreach (split(" ",$otherlibs)) 740foreach (split(" ",$otherlibs))
683 { 741 {
@@ -687,7 +745,7 @@ foreach (split(" ",$otherlibs))
687 745
688 } 746 }
689 747
690$rules.=&do_link_rule("\$(BIN_D)$o\$(E_EXE)$exep","\$(E_OBJ)","\$(LIBS_DEP)","\$(L_LIBS) \$(EX_LIBS)"); 748$rules.=&do_link_rule("\$(BIN_D)$o\$(E_EXE)$exep","\$(E_OBJ)","\$(LIBS_DEP)","\$(L_LIBS) \$(EX_LIBS)", ($fips && !$shlib) ? 2 : 0);
691 749
692print $defs; 750print $defs;
693 751
@@ -781,6 +839,8 @@ sub var_add
781 @a=grep(!/(^sha1)|(_sha1$)|(m_dss1$)/,@a) if $no_sha1; 839 @a=grep(!/(^sha1)|(_sha1$)|(m_dss1$)/,@a) if $no_sha1;
782 @a=grep(!/_mdc2$/,@a) if $no_mdc2; 840 @a=grep(!/_mdc2$/,@a) if $no_mdc2;
783 841
842 @a=grep(!/(srp)/,@a) if $no_srp;
843
784 @a=grep(!/^engine$/,@a) if $no_engine; 844 @a=grep(!/^engine$/,@a) if $no_engine;
785 @a=grep(!/^hw$/,@a) if $no_hw; 845 @a=grep(!/^hw$/,@a) if $no_hw;
786 @a=grep(!/(^rsa$)|(^genrsa$)/,@a) if $no_rsa; 846 @a=grep(!/(^rsa$)|(^genrsa$)/,@a) if $no_rsa;
@@ -939,14 +999,15 @@ sub Sasm_compile_target
939 999
940sub cc_compile_target 1000sub cc_compile_target
941 { 1001 {
942 local($target,$source,$ex_flags)=@_; 1002 local($target,$source,$ex_flags, $srcd)=@_;
943 local($ret); 1003 local($ret);
944 1004
945 $ex_flags.=" -DMK1MF_BUILD -D$platform_cpp_symbol" if ($source =~ /cversion/); 1005 $ex_flags.=" -DMK1MF_BUILD -D$platform_cpp_symbol" if ($source =~ /cversion/);
946 $target =~ s/\//$o/g if $o ne "/"; 1006 $target =~ s/\//$o/g if $o ne "/";
947 $source =~ s/\//$o/g if $o ne "/"; 1007 $source =~ s/\//$o/g if $o ne "/";
948 $ret ="$target: \$(SRC_D)$o$source\n\t"; 1008 $srcd = "\$(SRC_D)$o" unless defined $srcd;
949 $ret.="\$(CC) ${ofile}$target $ex_flags -c \$(SRC_D)$o$source\n\n"; 1009 $ret ="$target: $srcd$source\n\t";
1010 $ret.="\$(CC) ${ofile}$target $ex_flags -c $srcd$source\n\n";
950 return($ret); 1011 return($ret);
951 } 1012 }
952 1013
@@ -1056,8 +1117,11 @@ sub read_options
1056 "no-ssl2" => \$no_ssl2, 1117 "no-ssl2" => \$no_ssl2,
1057 "no-ssl3" => \$no_ssl3, 1118 "no-ssl3" => \$no_ssl3,
1058 "no-tlsext" => \$no_tlsext, 1119 "no-tlsext" => \$no_tlsext,
1120 "no-srp" => \$no_srp,
1059 "no-cms" => \$no_cms, 1121 "no-cms" => \$no_cms,
1122 "no-ec2m" => \$no_ec2m,
1060 "no-jpake" => \$no_jpake, 1123 "no-jpake" => \$no_jpake,
1124 "no-ec_nistp_64_gcc_128" => 0,
1061 "no-err" => \$no_err, 1125 "no-err" => \$no_err,
1062 "no-sock" => \$no_sock, 1126 "no-sock" => \$no_sock,
1063 "no-krb5" => \$no_krb5, 1127 "no-krb5" => \$no_krb5,
@@ -1067,11 +1131,12 @@ sub read_options
1067 "no-gost" => \$no_gost, 1131 "no-gost" => \$no_gost,
1068 "no-engine" => \$no_engine, 1132 "no-engine" => \$no_engine,
1069 "no-hw" => \$no_hw, 1133 "no-hw" => \$no_hw,
1134 "no-rsax" => 0,
1070 "just-ssl" => 1135 "just-ssl" =>
1071 [\$no_rc2, \$no_idea, \$no_des, \$no_bf, \$no_cast, 1136 [\$no_rc2, \$no_idea, \$no_des, \$no_bf, \$no_cast,
1072 \$no_md2, \$no_sha, \$no_mdc2, \$no_dsa, \$no_dh, 1137 \$no_md2, \$no_sha, \$no_mdc2, \$no_dsa, \$no_dh,
1073 \$no_ssl2, \$no_err, \$no_ripemd, \$no_rc5, 1138 \$no_ssl2, \$no_err, \$no_ripemd, \$no_rc5,
1074 \$no_aes, \$no_camellia, \$no_seed], 1139 \$no_aes, \$no_camellia, \$no_seed, \$no_srp],
1075 "rsaref" => 0, 1140 "rsaref" => 0,
1076 "gcc" => \$gcc, 1141 "gcc" => \$gcc,
1077 "debug" => \$debug, 1142 "debug" => \$debug,
@@ -1079,6 +1144,7 @@ sub read_options
1079 "shlib" => \$shlib, 1144 "shlib" => \$shlib,
1080 "dll" => \$shlib, 1145 "dll" => \$shlib,
1081 "shared" => 0, 1146 "shared" => 0,
1147 "no-sctp" => 0,
1082 "no-gmp" => 0, 1148 "no-gmp" => 0,
1083 "no-rfc3779" => 0, 1149 "no-rfc3779" => 0,
1084 "no-montasm" => 0, 1150 "no-montasm" => 0,
@@ -1086,6 +1152,7 @@ sub read_options
1086 "no-store" => 0, 1152 "no-store" => 0,
1087 "no-zlib" => 0, 1153 "no-zlib" => 0,
1088 "no-zlib-dynamic" => 0, 1154 "no-zlib-dynamic" => 0,
1155 "fips" => \$fips
1089 ); 1156 );
1090 1157
1091 if (exists $valid_options{$_}) 1158 if (exists $valid_options{$_})
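--- a/src/lib/libcrypto/util/mkdef.pl
+++ b/src/lib/libcrypto/util/mkdef.pl
@@ -79,13 +79,15 @@ my $OS2=0;
 my $safe_stack_def = 0;
 
 my @known_platforms = ( "__FreeBSD__", "PERL5", "NeXT",
-			"EXPORT_VAR_AS_FUNCTION", "ZLIB" );
+			"EXPORT_VAR_AS_FUNCTION", "ZLIB", "OPENSSL_FIPS" );
 my @known_ossl_platforms = ( "VMS", "WIN16", "WIN32", "WINNT", "OS2" );
 my @known_algorithms = ( "RC2", "RC4", "RC5", "IDEA", "DES", "BF",
 			 "CAST", "MD2", "MD4", "MD5", "SHA", "SHA0", "SHA1",
 			 "SHA256", "SHA512", "RIPEMD",
-			 "MDC2", "WHIRLPOOL", "RSA", "DSA", "DH", "EC", "ECDH", "ECDSA",
+			 "MDC2", "WHIRLPOOL", "RSA", "DSA", "DH", "EC", "ECDH", "ECDSA", "EC2M",
 			 "HMAC", "AES", "CAMELLIA", "SEED", "GOST",
+			 # EC_NISTP_64_GCC_128
+			 "EC_NISTP_64_GCC_128",
 			 # Envelope "algorithms"
 			 "EVP", "X509", "ASN1_TYPEDEFS",
 			 # Helper "algorithms"
@@ -98,7 +100,7 @@ my @known_algorithms = ( "RC2", "RC4", "RC5", "IDEA", "DES", "BF",
 			 # RFC3779
 			 "RFC3779",
 			 # TLS
-			 "TLSEXT", "PSK",
+			 "TLSEXT", "PSK", "SRP", "HEARTBEATS",
 			 # CMS
 			 "CMS",
 			 # CryptoAPI Engine
@@ -107,8 +109,14 @@ my @known_algorithms = ( "RC2", "RC4", "RC5", "IDEA", "DES", "BF",
 			 "SSL2",
 			 # JPAKE
 			 "JPAKE",
+			 # NEXTPROTONEG
+			 "NEXTPROTONEG",
 			 # Deprecated functions
-			 "DEPRECATED" );
+			 "DEPRECATED",
+			 # Hide SSL internals
+			 "SSL_INTERN",
+			 # SCTP
+			 "SCTP");
 
 my $options="";
 open(IN,"<Makefile") || die "unable to open Makefile!\n";
@@ -127,7 +135,10 @@ my $no_rsa; my $no_dsa; my $no_dh; my $no_hmac=0; my $no_aes; my $no_krb5;
 my $no_ec; my $no_ecdsa; my $no_ecdh; my $no_engine; my $no_hw;
 my $no_fp_api; my $no_static_engine=1; my $no_gmp; my $no_deprecated;
 my $no_rfc3779; my $no_psk; my $no_tlsext; my $no_cms; my $no_capieng;
-my $no_jpake; my $no_ssl2;
+my $no_jpake; my $no_srp; my $no_ssl2; my $no_ec2m; my $no_nistp_gcc;
+my $no_nextprotoneg; my $no_sctp;
+
+my $fips;
 
 my $zlib;
 
@@ -151,6 +162,7 @@ foreach (@ARGV, split(/ /, $options))
 		}
 	$VMS=1 if $_ eq "VMS";
 	$OS2=1 if $_ eq "OS2";
+	$fips=1 if /^fips/;
 	if ($_ eq "zlib" || $_ eq "enable-zlib" || $_ eq "zlib-dynamic"
 		|| $_ eq "enable-zlib-dynamic") {
 		$zlib = 1;
@@ -215,9 +227,14 @@ foreach (@ARGV, split(/ /, $options))
 	elsif (/^no-rfc3779$/) { $no_rfc3779=1; }
 	elsif (/^no-tlsext$/) { $no_tlsext=1; }
 	elsif (/^no-cms$/) { $no_cms=1; }
+	elsif (/^no-ec2m$/) { $no_ec2m=1; }
+	elsif (/^no-ec_nistp_64_gcc_128$/) { $no_nistp_gcc=1; }
+	elsif (/^no-nextprotoneg$/) { $no_nextprotoneg=1; }
 	elsif (/^no-ssl2$/) { $no_ssl2=1; }
 	elsif (/^no-capieng$/) { $no_capieng=1; }
 	elsif (/^no-jpake$/) { $no_jpake=1; }
+	elsif (/^no-srp$/) { $no_srp=1; }
+	elsif (/^no-sctp$/) { $no_sctp=1; }
 	}
 
 
@@ -254,8 +271,10 @@ $max_crypto = $max_num;
 my $ssl="ssl/ssl.h";
 $ssl.=" ssl/kssl.h";
 $ssl.=" ssl/tls1.h";
+$ssl.=" ssl/srtp.h";
 
 my $crypto ="crypto/crypto.h";
+$crypto.=" crypto/cryptlib.h";
 $crypto.=" crypto/o_dir.h";
 $crypto.=" crypto/o_str.h";
 $crypto.=" crypto/o_time.h";
@@ -285,6 +304,7 @@ $crypto.=" crypto/ec/ec.h" ; # unless $no_ec;
 $crypto.=" crypto/ecdsa/ecdsa.h" ; # unless $no_ecdsa;
 $crypto.=" crypto/ecdh/ecdh.h" ; # unless $no_ecdh;
 $crypto.=" crypto/hmac/hmac.h" ; # unless $no_hmac;
+$crypto.=" crypto/cmac/cmac.h" ; # unless $no_hmac;
 
 $crypto.=" crypto/engine/engine.h"; # unless $no_engine;
 $crypto.=" crypto/stack/stack.h" ; # unless $no_stack;
@@ -319,6 +339,7 @@ $crypto.=" crypto/pqueue/pqueue.h";
 $crypto.=" crypto/cms/cms.h";
 $crypto.=" crypto/jpake/jpake.h";
 $crypto.=" crypto/modes/modes.h";
+$crypto.=" crypto/srp/srp.h";
 
 my $symhacks="crypto/symhacks.h";
 
@@ -1126,6 +1147,9 @@ sub is_valid
 		if ($keyword eq "EXPORT_VAR_AS_FUNCTION" && ($VMSVAX || $W32 || $W16)) {
 			return 1;
 		}
+		if ($keyword eq "OPENSSL_FIPS" && $fips) {
+			return 1;
+		}
 		if ($keyword eq "ZLIB" && $zlib) { return 1; }
 		return 0;
 	} else {
@@ -1172,9 +1196,15 @@ sub is_valid
 		if ($keyword eq "TLSEXT" && $no_tlsext) { return 0; }
 		if ($keyword eq "PSK" && $no_psk) { return 0; }
 		if ($keyword eq "CMS" && $no_cms) { return 0; }
+		if ($keyword eq "EC2M" && $no_ec2m) { return 0; }
+		if ($keyword eq "NEXTPROTONEG" && $no_nextprotoneg) { return 0; }
+		if ($keyword eq "EC_NISTP_64_GCC_128" && $no_nistp_gcc)
+			{ return 0; }
 		if ($keyword eq "SSL2" && $no_ssl2) { return 0; }
 		if ($keyword eq "CAPIENG" && $no_capieng) { return 0; }
 		if ($keyword eq "JPAKE" && $no_jpake) { return 0; }
+		if ($keyword eq "SRP" && $no_srp) { return 0; }
+		if ($keyword eq "SCTP" && $no_sctp) { return 0; }
 		if ($keyword eq "DEPRECATED" && $no_deprecated) { return 0; }
 
 		# Nothing recognise as true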
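Review bot: `$fips=1 if /^fips/;` in the option loop is a prefix match, so any option that merely starts with "fips" (a "fipscanisterbuild"-style option, for instance) switches on the OPENSSL_FIPS platform for symbol export, while every neighbouring option in the same loop is matched exactly (`$_ eq "VMS"`, `/^no-cms$/`). If only the bare option is meant, `$fips=1 if $_ eq "fips";` keeps the file consistent; if the prefix match is deliberate, a comment such as `# any fips* option selects the FIPS export set` would stop the next reader from tightening it. Separately, the new `crypto/cmac/cmac.h` line carries a copied `# unless $no_hmac;` comment; there is no `$no_cmac` in this diff, so either the comment should say CMAC follows the HMAC switch or it should be dropped.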
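--- a/src/lib/libcrypto/util/mkfiles.pl
+++ b/src/lib/libcrypto/util/mkfiles.pl
@@ -15,6 +15,7 @@ my @dirs = (
 "crypto/sha",
 "crypto/mdc2",
 "crypto/hmac",
+"crypto/cmac",
 "crypto/ripemd",
 "crypto/des",
 "crypto/rc2",
@@ -62,6 +63,7 @@ my @dirs = (
 "crypto/pqueue",
 "crypto/whrlpool",
 "crypto/ts",
+"crypto/srp",
 "ssl",
 "apps",
 "engines",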
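--- a/src/lib/libcrypto/util/pl/VC-32.pl
+++ b/src/lib/libcrypto/util/pl/VC-32.pl
@@ -6,6 +6,16 @@
 $ssl= "ssleay32";
 $crypto="libeay32";
 
+if ($fips && !$shlib)
+	{
+	$crypto="libeayfips32";
+	$crypto_compat = "libeaycompat32.lib";
+	}
+else
+	{
+	$crypto="libeay32";
+	}
+
 $o='\\';
 $cp='$(PERL) util/copy.pl';
 $mkdir='$(PERL) util/mkdir-p.pl';
@@ -33,7 +43,7 @@ if ($FLAVOR =~ /WIN64/)
 	# considered safe to ignore.
 	#
 	$base_cflags= " $mf_cflag";
-	my $f = $shlib?' /MD':' /MT';
+	my $f = $shlib || $fips ?' /MD':' /MT';
 	$lib_cflag='/Zl' if (!$shlib); # remove /DEFAULTLIBs from static lib
 	$opt_cflags=$f.' /Ox';
 	$dbg_cflags=$f.'d /Od -DDEBUG -D_DEBUG';
@@ -114,7 +124,7 @@ elsif ($FLAVOR =~ /CE/)
 else # Win32
 	{
 	$base_cflags= " $mf_cflag";
-	my $f = $shlib?' /MD':' /MT';
+	my $f = $shlib || $fips ?' /MD':' /MT';
 	$lib_cflag='/Zl' if (!$shlib); # remove /DEFAULTLIBs from static lib
 	$opt_cflags=$f.' /Ox /O2 /Ob2';
 	$dbg_cflags=$f.'d /Od -DDEBUG -D_DEBUG';
@@ -266,10 +276,19 @@ elsif ($shlib && $FLAVOR =~ /CE/)
 
 sub do_lib_rule
 	{
-	local($objs,$target,$name,$shlib)=@_;
+	my($objs,$target,$name,$shlib,$ign,$base_addr) = @_;
 	local($ret);
 
 	$taget =~ s/\//$o/g if $o ne '/';
+	my $base_arg;
+	if ($base_addr ne "")
+		{
+		$base_arg= " /base:$base_addr";
+		}
+	else
+		{
+		$base_arg = "";
+		}
 	if ($name ne "")
 		{
 		$name =~ tr/a-z/A-Z/;
@@ -277,17 +296,37 @@ sub do_lib_rule
 		}
 
 # $target="\$(LIB_D)$o$target";
-	$ret.="$target: $objs\n";
+# $ret.="$target: $objs\n";
 	if (!$shlib)
 		{
 # $ret.="\t\$(RM) \$(O_$Name)\n";
+		$ret.="$target: $objs\n";
 		$ret.="\t\$(MKLIB) $lfile$target @<<\n $objs\n<<\n";
 		}
 	else
 		{
 		local($ex)=($target =~ /O_CRYPTO/)?'':' $(L_CRYPTO)';
 		$ex.=" $zlib_lib" if $zlib_opt == 1 && $target =~ /O_CRYPTO/;
-		$ret.="\t\$(LINK) \$(MLFLAGS) $efile$target $name @<<\n \$(SHLIB_EX_OBJ) $objs $ex \$(EX_LIBS)\n<<\n";
+
+		if ($fips && $target =~ /O_CRYPTO/)
+			{
+			$ret.="$target: $objs \$(PREMAIN_DSO_EXE)";
+			$ret.="\n\tSET FIPS_LINK=\$(LINK)\n";
+			$ret.="\tSET FIPS_CC=\$(CC)\n";
+			$ret.="\tSET FIPS_CC_ARGS=/Fo\$(OBJ_D)${o}fips_premain.obj \$(SHLIB_CFLAGS) -c\n";
+			$ret.="\tSET PREMAIN_DSO_EXE=\$(PREMAIN_DSO_EXE)\n";
+			$ret.="\tSET FIPS_SHA1_EXE=\$(FIPS_SHA1_EXE)\n";
+			$ret.="\tSET FIPS_TARGET=$target\n";
+			$ret.="\tSET FIPSLIB_D=\$(FIPSLIB_D)\n";
+			$ret.="\t\$(FIPSLINK) \$(MLFLAGS) /map $base_arg $efile$target ";
+			$ret.="$name @<<\n \$(SHLIB_EX_OBJ) $objs \$(EX_LIBS) ";
+			$ret.="\$(OBJ_D)${o}fips_premain.obj $ex\n<<\n";
+			}
+		else
+			{
+			$ret.="$target: $objs";
+			$ret.="\n\t\$(LINK) \$(MLFLAGS) $efile$target $name @<<\n \$(SHLIB_EX_OBJ) $objs $ex \$(EX_LIBS)\n<<\n";
+			}
 		$ret.="\tIF EXIST \$@.manifest mt -nologo -manifest \$@.manifest -outputresource:\$@;2\n\n";
 		}
 	$ret.="\n";
@@ -296,15 +335,35 @@ sub do_lib_rule
 
 sub do_link_rule
 	{
-	local($target,$files,$dep_libs,$libs)=@_;
+	my($target,$files,$dep_libs,$libs,$standalone)=@_;
 	local($ret,$_);
-
 	$file =~ s/\//$o/g if $o ne '/';
 	$n=&bname($targer);
 	$ret.="$target: $files $dep_libs\n";
-	$ret.="\t\$(LINK) \$(LFLAGS) $efile$target @<<\n";
-	$ret.=" \$(APP_EX_OBJ) $files $libs\n<<\n";
-	$ret.="\tIF EXIST \$@.manifest mt -nologo -manifest \$@.manifest -outputresource:\$@;1\n\n";
+	if ($standalone == 1)
+		{
+		$ret.=" \$(LINK) \$(LFLAGS) $efile$target @<<\n\t";
+		$ret.= "\$(EX_LIBS) " if ($files =~ /O_FIPSCANISTER/ && !$fipscanisterbuild);
+		$ret.="$files $libs\n<<\n";
+		}
+	elsif ($standalone == 2)
+		{
+		$ret.="\tSET FIPS_LINK=\$(LINK)\n";
+		$ret.="\tSET FIPS_CC=\$(CC)\n";
+		$ret.="\tSET FIPS_CC_ARGS=/Fo\$(OBJ_D)${o}fips_premain.obj \$(SHLIB_CFLAGS) -c\n";
+		$ret.="\tSET PREMAIN_DSO_EXE=\n";
+		$ret.="\tSET FIPS_TARGET=$target\n";
+		$ret.="\tSET FIPS_SHA1_EXE=\$(FIPS_SHA1_EXE)\n";
+		$ret.="\tSET FIPSLIB_D=\$(FIPSLIB_D)\n";
+		$ret.="\t\$(FIPSLINK) \$(LFLAGS) /map $efile$target @<<\n";
+		$ret.="\t\$(APP_EX_OBJ) $files \$(OBJ_D)${o}fips_premain.obj $libs\n<<\n";
+		}
+	else
+		{
+		$ret.="\t\$(LINK) \$(LFLAGS) $efile$target @<<\n";
+		$ret.="\t\$(APP_EX_OBJ) $files $libs\n<<\n";
+		}
+	$ret.="\tIF EXIST \$@.manifest mt -nologo -manifest \$@.manifest -outputresource:\$@;1\n\n";
 	return($ret);
 	}
 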
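Review bot: In `do_lib_rule` the new `if ($base_addr ne "")` runs on an undefined sixth argument for every caller that still passes five (the non-FIPS `do_lib_rule` calls in mk1mf.pl pass no base address), which is harmless in effect but emits an uninitialized-value warning under `-w`; `if (defined $base_addr && $base_addr ne "")` says what is meant. The same applies to `$standalone == 1` in `do_link_rule` for the existing four-argument callers, and `$fipscanisterbuild` in that branch is not declared anywhere in this diff, so it is presumably expected to come from mk1mf.pl — worth a comment, since an undefined name there silently makes the `\$(EX_LIBS)` prefix unconditional. As a point of style, the `$standalone == 1` branch starts its link command with a space (`" \$(LINK) ..."`) while both other branches use `"\t\$(LINK) ..."`; one form throughout would make the generated makefile easier to read.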
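--- a/src/lib/libcrypto/util/ssleay.num
+++ b/src/lib/libcrypto/util/ssleay.num
@@ -259,3 +259,64 @@ SSL_set_session_secret_cb 307 EXIST::FUNCTION:
 SSL_set_session_ticket_ext_cb 308 EXIST::FUNCTION:
 SSL_set1_param 309 EXIST::FUNCTION:
 SSL_CTX_set1_param 310 EXIST::FUNCTION:
+SSL_tls1_key_exporter 311 NOEXIST::FUNCTION:
+SSL_renegotiate_abbreviated 312 EXIST::FUNCTION:
+TLSv1_1_method 313 EXIST::FUNCTION:
+TLSv1_1_client_method 314 EXIST::FUNCTION:
+TLSv1_1_server_method 315 EXIST::FUNCTION:
+SSL_CTX_set_srp_client_pwd_callback 316 EXIST:!VMS:FUNCTION:SRP
+SSL_CTX_set_srp_client_pwd_cb 316 EXIST:VMS:FUNCTION:SRP
+SSL_get_srp_g 317 EXIST::FUNCTION:SRP
+SSL_CTX_set_srp_username_callback 318 EXIST:!VMS:FUNCTION:SRP
+SSL_CTX_set_srp_un_cb 318 EXIST:VMS:FUNCTION:SRP
+SSL_get_srp_userinfo 319 EXIST::FUNCTION:SRP
+SSL_set_srp_server_param 320 EXIST::FUNCTION:SRP
+SSL_set_srp_server_param_pw 321 EXIST::FUNCTION:SRP
+SSL_get_srp_N 322 EXIST::FUNCTION:SRP
+SSL_get_srp_username 323 EXIST::FUNCTION:SRP
+SSL_CTX_set_srp_password 324 EXIST::FUNCTION:SRP
+SSL_CTX_set_srp_strength 325 EXIST::FUNCTION:SRP
+SSL_CTX_set_srp_verify_param_callback 326 EXIST:!VMS:FUNCTION:SRP
+SSL_CTX_set_srp_vfy_param_cb 326 EXIST:VMS:FUNCTION:SRP
+SSL_CTX_set_srp_miss_srp_un_cb 327 NOEXIST::FUNCTION:
+SSL_CTX_set_srp_missing_srp_username_callback 327 NOEXIST::FUNCTION:
+SSL_CTX_set_srp_cb_arg 328 EXIST::FUNCTION:SRP
+SSL_CTX_set_srp_username 329 EXIST::FUNCTION:SRP
+SSL_CTX_SRP_CTX_init 330 EXIST::FUNCTION:SRP
+SSL_SRP_CTX_init 331 EXIST::FUNCTION:SRP
+SRP_Calc_A_param 332 EXIST::FUNCTION:SRP
+SRP_generate_server_master_secret 333 EXIST:!VMS:FUNCTION:SRP
+SRP_gen_server_master_secret 333 EXIST:VMS:FUNCTION:SRP
+SSL_CTX_SRP_CTX_free 334 EXIST::FUNCTION:SRP
+SRP_generate_client_master_secret 335 EXIST:!VMS:FUNCTION:SRP
+SRP_gen_client_master_secret 335 EXIST:VMS:FUNCTION:SRP
+SSL_srp_server_param_with_username 336 EXIST:!VMS:FUNCTION:SRP
+SSL_srp_server_param_with_un 336 EXIST:VMS:FUNCTION:SRP
+SRP_have_to_put_srp_username 337 NOEXIST::FUNCTION:
+SSL_SRP_CTX_free 338 EXIST::FUNCTION:SRP
+SSL_set_debug 339 EXIST::FUNCTION:
+SSL_SESSION_get0_peer 340 EXIST::FUNCTION:
+TLSv1_2_client_method 341 EXIST::FUNCTION:
+SSL_SESSION_set1_id_context 342 EXIST::FUNCTION:
+TLSv1_2_server_method 343 EXIST::FUNCTION:
+SSL_cache_hit 344 EXIST::FUNCTION:
+SSL_get0_kssl_ctx 345 EXIST::FUNCTION:KRB5
+SSL_set0_kssl_ctx 346 EXIST::FUNCTION:KRB5
+SSL_SESSION_get0_id 347 NOEXIST::FUNCTION:
+SSL_set_state 348 EXIST::FUNCTION:
+SSL_CIPHER_get_id 349 EXIST::FUNCTION:
+TLSv1_2_method 350 EXIST::FUNCTION:
+SSL_SESSION_get_id_len 351 NOEXIST::FUNCTION:
+kssl_ctx_get0_client_princ 352 EXIST::FUNCTION:KRB5
+SSL_export_keying_material 353 EXIST::FUNCTION:TLSEXT
+SSL_set_tlsext_use_srtp 354 EXIST::FUNCTION:
+SSL_CTX_set_next_protos_advertised_cb 355 EXIST:!VMS:FUNCTION:NEXTPROTONEG
+SSL_CTX_set_next_protos_adv_cb 355 EXIST:VMS:FUNCTION:NEXTPROTONEG
+SSL_get0_next_proto_negotiated 356 EXIST::FUNCTION:NEXTPROTONEG
+SSL_get_selected_srtp_profile 357 EXIST::FUNCTION:
+SSL_CTX_set_tlsext_use_srtp 358 EXIST::FUNCTION:
+SSL_select_next_proto 359 EXIST::FUNCTION:NEXTPROTONEG
+SSL_get_srtp_profiles 360 EXIST::FUNCTION:
+SSL_CTX_set_next_proto_select_cb 361 EXIST:!VMS:FUNCTION:NEXTPROTONEG
+SSL_CTX_set_next_proto_sel_cb 361 EXIST:VMS:FUNCTION:NEXTPROTONEG
+SSL_SESSION_get_compress_id 362 EXIST::FUNCTION: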
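--- a/src/lib/libcrypto/x509/x509.h
+++ b/src/lib/libcrypto/x509/x509.h
@@ -657,11 +657,15 @@ int NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *x, EVP_PKEY *pkey);
 
 int NETSCAPE_SPKI_print(BIO *out, NETSCAPE_SPKI *spki);
 
+int X509_signature_dump(BIO *bp,const ASN1_STRING *sig, int indent);
 int X509_signature_print(BIO *bp,X509_ALGOR *alg, ASN1_STRING *sig);
 
 int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md);
+int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx);
 int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md);
+int X509_REQ_sign_ctx(X509_REQ *x, EVP_MD_CTX *ctx);
 int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md);
+int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx);
 int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md);
 
 int X509_pubkey_digest(const X509 *data,const EVP_MD *type,
@@ -763,6 +767,7 @@ X509_ALGOR *X509_ALGOR_dup(X509_ALGOR *xn);
 int X509_ALGOR_set0(X509_ALGOR *alg, ASN1_OBJECT *aobj, int ptype, void *pval);
 void X509_ALGOR_get0(ASN1_OBJECT **paobj, int *pptype, void **ppval,
 						X509_ALGOR *algor);
+void X509_ALGOR_set_md(X509_ALGOR *alg, const EVP_MD *md);
 
 X509_NAME *X509_NAME_dup(X509_NAME *xn);
 X509_NAME_ENTRY *X509_NAME_ENTRY_dup(X509_NAME_ENTRY *ne);
@@ -896,6 +901,9 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *algor1,
 int ASN1_item_sign(const ASN1_ITEM *it, X509_ALGOR *algor1, X509_ALGOR *algor2,
 	ASN1_BIT_STRING *signature,
 	void *data, EVP_PKEY *pkey, const EVP_MD *type);
+int ASN1_item_sign_ctx(const ASN1_ITEM *it,
+		X509_ALGOR *algor1, X509_ALGOR *algor2,
+		ASN1_BIT_STRING *signature, void *asn, EVP_MD_CTX *ctx);
 #endif
 
 int X509_set_version(X509 *x,long version);
@@ -1161,6 +1169,9 @@ X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter,
 				 unsigned char *salt, int saltlen,
 				 unsigned char *aiv, int prf_nid);
 
+X509_ALGOR *PKCS5_pbkdf2_set(int iter, unsigned char *salt, int saltlen,
+				int prf_nid, int keylen);
+
 /* PKCS#8 utilities */
 
 DECLARE_ASN1_FUNCTIONS(PKCS8_PRIV_KEY_INFO)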
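Review bot: The new `X509_sign_ctx`, `X509_REQ_sign_ctx`, `X509_CRL_sign_ctx` and `ASN1_item_sign_ctx` prototypes in the first and third hunks say nothing about the contract for `ctx`: whether the caller must already have initialised it for signing, and whether the callee consumes it or leaves it for the caller to clean up. Unlike the `EVP_PKEY`/`EVP_MD` variants beside them, a caller cannot infer the ownership rule from the signature, so a one-line comment above the group would help, e.g. `/* ctx variants: the caller initialises ctx for signing beforehand and remains responsible for cleaning it up */`. The exact semantics have to be confirmed against the implementation in asn1/a_sign.c, which this section does not show.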
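--- a/src/lib/libcrypto/x509/x509_cmp.c
+++ b/src/lib/libcrypto/x509/x509_cmp.c
@@ -87,15 +87,20 @@ unsigned long X509_issuer_and_serial_hash(X509 *a)
 	EVP_MD_CTX_init(&ctx);
 	f=X509_NAME_oneline(a->cert_info->issuer,NULL,0);
 	ret=strlen(f);
-	EVP_DigestInit_ex(&ctx, EVP_md5(), NULL);
-	EVP_DigestUpdate(&ctx,(unsigned char *)f,ret);
+	if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL))
+		goto err;
+	if (!EVP_DigestUpdate(&ctx,(unsigned char *)f,ret))
+		goto err;
 	OPENSSL_free(f);
-	EVP_DigestUpdate(&ctx,(unsigned char *)a->cert_info->serialNumber->data,
-		(unsigned long)a->cert_info->serialNumber->length);
-	EVP_DigestFinal_ex(&ctx,&(md[0]),NULL);
+	if(!EVP_DigestUpdate(&ctx,(unsigned char *)a->cert_info->serialNumber->data,
+		(unsigned long)a->cert_info->serialNumber->length))
+		goto err;
+	if (!EVP_DigestFinal_ex(&ctx,&(md[0]),NULL))
+		goto err;
 	ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)|
 		((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
 		)&0xffffffffL;
+	err:
 	EVP_MD_CTX_cleanup(&ctx);
 	return(ret);
 	}
@@ -219,7 +224,9 @@ unsigned long X509_NAME_hash(X509_NAME *x)
 
 	/* Make sure X509_NAME structure contains valid cached encoding */
 	i2d_X509_NAME(x,NULL);
-	EVP_Digest(x->canon_enc, x->canon_enclen, md, NULL, EVP_sha1(), NULL);
+	if (!EVP_Digest(x->canon_enc, x->canon_enclen, md, NULL, EVP_sha1(),
+		NULL))
+		return 0;
 
 	ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)|
 		((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
@@ -234,12 +241,18 @@ unsigned long X509_NAME_hash(X509_NAME *x)
 
 unsigned long X509_NAME_hash_old(X509_NAME *x)
 	{
+	EVP_MD_CTX md_ctx;
 	unsigned long ret=0;
 	unsigned char md[16];
 
 	/* Make sure X509_NAME structure contains valid cached encoding */
 	i2d_X509_NAME(x,NULL);
-	EVP_Digest(x->bytes->data, x->bytes->length, md, NULL, EVP_md5(), NULL);
+	EVP_MD_CTX_init(&md_ctx);
+	EVP_MD_CTX_set_flags(&md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+	EVP_DigestInit_ex(&md_ctx, EVP_md5(), NULL);
+	EVP_DigestUpdate(&md_ctx, x->bytes->data, x->bytes->length);
+	EVP_DigestFinal_ex(&md_ctx,md,NULL);
+	EVP_MD_CTX_cleanup(&md_ctx);
 
 	ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)|
 		((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)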
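Review bot: In `X509_issuer_and_serial_hash` the two new `goto err` paths that precede `OPENSSL_free(f)` leak the string returned by `X509_NAME_oneline`, and because `ret` still holds `strlen(f)` at that point a failed `EVP_DigestInit_ex` (which is exactly what a FIPS-mode MD5 refusal produces) returns the issuer-name length as though it were the hash, so callers cannot tell the two apart. Clearing `f` after the existing free, releasing it at `err:` when still set, and returning 0 on failure fixes both; the function's opening, with the declarations of `ret` and `f`, is above the hunk, so I set `ret` explicitly rather than rely on its initialiser. `X509_NAME_hash_old` in the third hunk still ignores the return values of `EVP_DigestInit_ex`, `EVP_DigestUpdate` and `EVP_DigestFinal_ex`, so on failure `md` is read uninitialised; the same check-and-`goto` shape as the first hunk, returning 0 like `X509_NAME_hash`, would make the three functions consistent.
```c
	f=X509_NAME_oneline(a->cert_info->issuer,NULL,0);
	ret=0;				/* the value returned on any digest failure */
	if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL))
		goto err;
	if (!EVP_DigestUpdate(&ctx,(unsigned char *)f,strlen(f)))
		goto err;
	OPENSSL_free(f);
	f=NULL;				/* released; err: must not free it again */
	/* … unchanged: serialNumber update, EVP_DigestFinal_ex, ret computation … */
	err:
	if (f != NULL)
		OPENSSL_free(f);	/* only reached with f live from an early goto */
	EVP_MD_CTX_cleanup(&ctx);
	return(ret);
```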
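--- a/src/lib/libcrypto/x509/x509_lu.c
+++ b/src/lib/libcrypto/x509/x509_lu.c
@@ -87,7 +87,7 @@ void X509_LOOKUP_free(X509_LOOKUP *ctx)
 	if (ctx == NULL) return;
 	if ( (ctx->method != NULL) &&
 		(ctx->method->free != NULL))
-		ctx->method->free(ctx);
+		(*ctx->method->free)(ctx);
 	OPENSSL_free(ctx);
 	}
 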
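--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -153,7 +153,6 @@ static int x509_subject_cmp(X509 **a, X509 **b)
 int X509_verify_cert(X509_STORE_CTX *ctx)
 	{
 	X509 *x,*xtmp,*chain_ss=NULL;
-	X509_NAME *xn;
 	int bad_chain = 0;
 	X509_VERIFY_PARAM *param = ctx->param;
 	int depth,i,ok=0;
@@ -205,7 +204,6 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
 		 */
 
 		/* If we are self signed, we break */
-		xn=X509_get_issuer_name(x);
 		if (ctx->check_issued(ctx, x,x)) break;
 
 		/* If we were passed a cert chain, use it first */
@@ -242,7 +240,6 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
 
 	i=sk_X509_num(ctx->chain);
 	x=sk_X509_value(ctx->chain,i-1);
-	xn = X509_get_subject_name(x);
 	if (ctx->check_issued(ctx, x, x))
 		{
 		/* we have a self signed certificate */
@@ -291,7 +288,6 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
 		if (depth < num) break;
 
 		/* If we are self signed, we break */
-		xn=X509_get_issuer_name(x);
 		if (ctx->check_issued(ctx,x,x)) break;
 
 		ok = ctx->get_issuer(&xtmp, ctx, x);
@@ -310,7 +306,6 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
 		}
 
 	/* we now have our chain, lets check it... */
-	xn=X509_get_issuer_name(x);
 
 	/* Is last certificate looked up self signed? */
 	if (!ctx->check_issued(ctx,x,x))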
diff --git a/src/lib/libcrypto/x509/x509type.c b/src/lib/libcrypto/x509/x509type.c
index 3385ad3f67..9702ec5310 100644
--- a/src/lib/libcrypto/x509/x509type.c
+++ b/src/lib/libcrypto/x509/x509type.c
@@ -100,20 +100,26 @@ int X509_certificate_type(X509 *x, EVP_PKEY *pkey)
100 break; 100 break;
101 } 101 }
102 102
103 i=X509_get_signature_type(x); 103 i=OBJ_obj2nid(x->sig_alg->algorithm);
104 switch (i) 104 if (i && OBJ_find_sigid_algs(i, NULL, &i))
105 { 105 {
106 case EVP_PKEY_RSA: 106
107 ret|=EVP_PKS_RSA; 107 switch (i)
108 break; 108 {
109 case EVP_PKEY_DSA: 109 case NID_rsaEncryption:
110 ret|=EVP_PKS_DSA; 110 case NID_rsa:
111 break; 111 ret|=EVP_PKS_RSA;
112 case EVP_PKEY_EC: 112 break;
113 ret|=EVP_PKS_EC; 113 case NID_dsa:
114 break; 114 case NID_dsa_2:
115 default: 115 ret|=EVP_PKS_DSA;
116 break; 116 break;
117 case NID_X9_62_id_ecPublicKey:
118 ret|=EVP_PKS_EC;
119 break;
120 default:
121 break;
122 }
117 } 123 }
118 124
119 if (EVP_PKEY_size(pk) <= 1024/8)/* /8 because it's 1024 bits we look 125 if (EVP_PKEY_size(pk) <= 1024/8)/* /8 because it's 1024 bits we look
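Review bot: The reuse of `i` as both input and output in `OBJ_find_sigid_algs(i, NULL, &i)` (new line 104) is easy to misread: `i` enters as the signature-algorithm NID taken from `x->sig_alg->algorithm` and, on success, leaves as the public-key algorithm NID that the switch cases compare against. A comment such as `/* i: signature NID on entry, public-key algorithm NID after the lookup */` would let a reader follow the switch without looking up OBJ_find_sigid_algs. It is also worth stating that a failed lookup sets no EVP_PKS_* bit and reports nothing, which matches the old default case but is now the path for any unknown signature OID. X509_certificate_type begins and ends outside this hunk.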
diff --git a/src/lib/libcrypto/x509/x_all.c b/src/lib/libcrypto/x509/x_all.c
index 8ec88c215a..b94aeeb873 100644
--- a/src/lib/libcrypto/x509/x_all.c
+++ b/src/lib/libcrypto/x509/x_all.c
@@ -95,12 +95,25 @@ int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
95 x->sig_alg, x->signature, x->cert_info,pkey,md)); 95 x->sig_alg, x->signature, x->cert_info,pkey,md));
96 } 96 }
97 97
98int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx)
99 {
100 return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CINF),
101 x->cert_info->signature,
102 x->sig_alg, x->signature, x->cert_info, ctx);
103 }
104
98int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md) 105int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md)
99 { 106 {
100 return(ASN1_item_sign(ASN1_ITEM_rptr(X509_REQ_INFO),x->sig_alg, NULL, 107 return(ASN1_item_sign(ASN1_ITEM_rptr(X509_REQ_INFO),x->sig_alg, NULL,
101 x->signature, x->req_info,pkey,md)); 108 x->signature, x->req_info,pkey,md));
102 } 109 }
103 110
111int X509_REQ_sign_ctx(X509_REQ *x, EVP_MD_CTX *ctx)
112 {
113 return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_REQ_INFO),
114 x->sig_alg, NULL, x->signature, x->req_info, ctx);
115 }
116
104int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md) 117int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md)
105 { 118 {
106 x->crl->enc.modified = 1; 119 x->crl->enc.modified = 1;
@@ -108,6 +121,12 @@ int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md)
108 x->sig_alg, x->signature, x->crl,pkey,md)); 121 x->sig_alg, x->signature, x->crl,pkey,md));
109 } 122 }
110 123
124int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx)
125 {
126 return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CRL_INFO),
127 x->crl->sig_alg, x->sig_alg, x->signature, x->crl, ctx);
128 }
129
111int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md) 130int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md)
112 { 131 {
113 return(ASN1_item_sign(ASN1_ITEM_rptr(NETSCAPE_SPKAC), x->sig_algor,NULL, 132 return(ASN1_item_sign(ASN1_ITEM_rptr(NETSCAPE_SPKAC), x->sig_algor,NULL,
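Review bot: X509_CRL_sign_ctx (new lines 124-128) omits the `x->crl->enc.modified = 1;` that X509_CRL_sign sets on line 119 before signing, so the two entry points are inconsistent; if the cached DER encoding of the CRL info were reused when ASN1_item_sign_ctx re-encodes the item, the signature could cover stale bytes rather than the CRL's current fields. Adding `x->crl->enc.modified = 1;` as the first statement of X509_CRL_sign_ctx keeps it in step with X509_CRL_sign. The new X509_sign_ctx and X509_REQ_sign_ctx mirror their plain counterparts, which set no such flag, so no change is needed there.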
diff --git a/src/lib/libcrypto/x509v3/v3_asid.c b/src/lib/libcrypto/x509v3/v3_asid.c
index 3f434c0603..1587e8ed72 100644
--- a/src/lib/libcrypto/x509v3/v3_asid.c
+++ b/src/lib/libcrypto/x509v3/v3_asid.c
@@ -358,6 +358,20 @@ static int ASIdentifierChoice_is_canonical(ASIdentifierChoice *choice)
358 goto done; 358 goto done;
359 } 359 }
360 360
361 /*
362 * Check for inverted range.
363 */
364 i = sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1;
365 {
366 ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i);
367 ASN1_INTEGER *a_min, *a_max;
368 if (a != NULL && a->type == ASIdOrRange_range) {
369 extract_min_max(a, &a_min, &a_max);
370 if (ASN1_INTEGER_cmp(a_min, a_max) > 0)
371 goto done;
372 }
373 }
374
361 ret = 1; 375 ret = 1;
362 376
363 done: 377 done:
@@ -392,9 +406,18 @@ static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
392 return 1; 406 return 1;
393 407
394 /* 408 /*
395 * We have a list. Sort it. 409 * If not a list, or if empty list, it's broken.
410 */
411 if (choice->type != ASIdentifierChoice_asIdsOrRanges ||
412 sk_ASIdOrRange_num(choice->u.asIdsOrRanges) == 0) {
413 X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE,
414 X509V3_R_EXTENSION_VALUE_ERROR);
415 return 0;
416 }
417
418 /*
419 * We have a non-empty list. Sort it.
396 */ 420 */
397 OPENSSL_assert(choice->type == ASIdentifierChoice_asIdsOrRanges);
398 sk_ASIdOrRange_sort(choice->u.asIdsOrRanges); 421 sk_ASIdOrRange_sort(choice->u.asIdsOrRanges);
399 422
400 /* 423 /*
@@ -415,6 +438,13 @@ static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
415 OPENSSL_assert(ASN1_INTEGER_cmp(a_min, b_min) <= 0); 438 OPENSSL_assert(ASN1_INTEGER_cmp(a_min, b_min) <= 0);
416 439
417 /* 440 /*
441 * Punt inverted ranges.
442 */
443 if (ASN1_INTEGER_cmp(a_min, a_max) > 0 ||
444 ASN1_INTEGER_cmp(b_min, b_max) > 0)
445 goto done;
446
447 /*
418 * Check for overlaps. 448 * Check for overlaps.
419 */ 449 */
420 if (ASN1_INTEGER_cmp(a_max, b_min) >= 0) { 450 if (ASN1_INTEGER_cmp(a_max, b_min) >= 0) {
@@ -465,12 +495,26 @@ static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
465 break; 495 break;
466 } 496 }
467 ASIdOrRange_free(b); 497 ASIdOrRange_free(b);
468 sk_ASIdOrRange_delete(choice->u.asIdsOrRanges, i + 1); 498 (void) sk_ASIdOrRange_delete(choice->u.asIdsOrRanges, i + 1);
469 i--; 499 i--;
470 continue; 500 continue;
471 } 501 }
472 } 502 }
473 503
504 /*
505 * Check for final inverted range.
506 */
507 i = sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1;
508 {
509 ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i);
510 ASN1_INTEGER *a_min, *a_max;
511 if (a != NULL && a->type == ASIdOrRange_range) {
512 extract_min_max(a, &a_min, &a_max);
513 if (ASN1_INTEGER_cmp(a_min, a_max) > 0)
514 goto done;
515 }
516 }
517
474 OPENSSL_assert(ASIdentifierChoice_is_canonical(choice)); /* Paranoia */ 518 OPENSSL_assert(ASIdentifierChoice_is_canonical(choice)); /* Paranoia */
475 519
476 ret = 1; 520 ret = 1;
@@ -498,6 +542,7 @@ static void *v2i_ASIdentifiers(const struct v3_ext_method *method,
498 struct v3_ext_ctx *ctx, 542 struct v3_ext_ctx *ctx,
499 STACK_OF(CONF_VALUE) *values) 543 STACK_OF(CONF_VALUE) *values)
500{ 544{
545 ASN1_INTEGER *min = NULL, *max = NULL;
501 ASIdentifiers *asid = NULL; 546 ASIdentifiers *asid = NULL;
502 int i; 547 int i;
503 548
@@ -508,7 +553,6 @@ static void *v2i_ASIdentifiers(const struct v3_ext_method *method,
508 553
509 for (i = 0; i < sk_CONF_VALUE_num(values); i++) { 554 for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
510 CONF_VALUE *val = sk_CONF_VALUE_value(values, i); 555 CONF_VALUE *val = sk_CONF_VALUE_value(values, i);
511 ASN1_INTEGER *min = NULL, *max = NULL;
512 int i1, i2, i3, is_range, which; 556 int i1, i2, i3, is_range, which;
513 557
514 /* 558 /*
@@ -578,18 +622,19 @@ static void *v2i_ASIdentifiers(const struct v3_ext_method *method,
578 max = s2i_ASN1_INTEGER(NULL, s + i2); 622 max = s2i_ASN1_INTEGER(NULL, s + i2);
579 OPENSSL_free(s); 623 OPENSSL_free(s);
580 if (min == NULL || max == NULL) { 624 if (min == NULL || max == NULL) {
581 ASN1_INTEGER_free(min);
582 ASN1_INTEGER_free(max);
583 X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE); 625 X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE);
584 goto err; 626 goto err;
585 } 627 }
628 if (ASN1_INTEGER_cmp(min, max) > 0) {
629 X509V3err(X509V3_F_V2I_ASIDENTIFIERS, X509V3_R_EXTENSION_VALUE_ERROR);
630 goto err;
631 }
586 } 632 }
587 if (!v3_asid_add_id_or_range(asid, which, min, max)) { 633 if (!v3_asid_add_id_or_range(asid, which, min, max)) {
588 ASN1_INTEGER_free(min);
589 ASN1_INTEGER_free(max);
590 X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE); 634 X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE);
591 goto err; 635 goto err;
592 } 636 }
637 min = max = NULL;
593 } 638 }
594 639
595 /* 640 /*
@@ -601,6 +646,8 @@ static void *v2i_ASIdentifiers(const struct v3_ext_method *method,
601 646
602 err: 647 err:
603 ASIdentifiers_free(asid); 648 ASIdentifiers_free(asid);
649 ASN1_INTEGER_free(min);
650 ASN1_INTEGER_free(max);
604 return NULL; 651 return NULL;
605} 652}
606 653
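Review bot: The inverted-range rejections added to ASIdentifierChoice_canonize (new lines 443-445 and 507-515) jump to `done` without recording a reason, whereas the empty-list rejection a few lines earlier (new lines 411-416) reports X509V3_R_EXTENSION_VALUE_ERROR; a caller that gets the failure return from the new paths therefore finds nothing on the error queue to explain it. Pushing the same reason before each of those jumps, `X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE, X509V3_R_EXTENSION_VALUE_ERROR);`, makes the two failure modes consistent and diagnosable. The matching check in ASIdentifierChoice_is_canonical is fine as written, since returning 0 there is the normal "not canonical" answer rather than an error. Both functions begin outside the hunks shown.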
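--- a/src/lib/libcrypto/x509v3/v3_skey.c
+++ b/src/lib/libcrypto/x509v3/v3_skey.c
@@ -129,7 +129,8 @@ static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method,
 goto err;
 }
 
-EVP_Digest(pk->data, pk->length, pkey_dig, &diglen, EVP_sha1(), NULL);
+if (!EVP_Digest(pk->data, pk->length, pkey_dig, &diglen, EVP_sha1(), NULL))
+goto err;
 
 if(!M_ASN1_OCTET_STRING_set(oct, pkey_dig, diglen)) {
 X509V3err(X509V3_F_S2I_SKEY_ID,ERR_R_MALLOC_FAILURE);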
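Review bot: The new `goto err` after the EVP_Digest check (new lines 132-133) records no reason, whereas the neighbouring M_ASN1_OCTET_STRING_set failure on line 136 pushes ERR_R_MALLOC_FAILURE; a caller receiving the error return from s2i_skey_id after a digest failure is left with an empty error queue. Adding `X509V3err(X509V3_F_S2I_SKEY_ID, ERR_R_EVP_LIB);` before that `goto err` keeps the two failure paths consistent. s2i_skey_id begins and ends outside this hunk.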
diff --git a/src/lib/libcrypto/x86_64cpuid.pl b/src/lib/libcrypto/x86_64cpuid.pl
index b771a8539d..58e9bedcf0 100644
--- a/src/lib/libcrypto/x86_64cpuid.pl
+++ b/src/lib/libcrypto/x86_64cpuid.pl
@@ -7,16 +7,25 @@ if ($flavour =~ /\./) { $output = $flavour; undef $flavour; }
7$win64=0; $win64=1 if ($flavour =~ /[nm]asm|mingw64/ || $output =~ /\.asm$/); 7$win64=0; $win64=1 if ($flavour =~ /[nm]asm|mingw64/ || $output =~ /\.asm$/);
8 8
9$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; 9$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
10open STDOUT,"| $^X ${dir}perlasm/x86_64-xlate.pl $flavour $output"; 10( $xlate="${dir}x86_64-xlate.pl" and -f $xlate ) or
11( $xlate="${dir}perlasm/x86_64-xlate.pl" and -f $xlate) or
12die "can't locate x86_64-xlate.pl";
13
14open STDOUT,"| $^X $xlate $flavour $output";
15
16($arg1,$arg2,$arg3,$arg4)=$win64?("%rcx","%rdx","%r8", "%r9") : # Win64 order
17 ("%rdi","%rsi","%rdx","%rcx"); # Unix order
11 18
12if ($win64) { $arg1="%rcx"; $arg2="%rdx"; }
13else { $arg1="%rdi"; $arg2="%rsi"; }
14print<<___; 19print<<___;
15#include <machine/asm.h> 20#include <machine/asm.h>
16.extern OPENSSL_cpuid_setup 21.extern OPENSSL_cpuid_setup
22.hidden OPENSSL_cpuid_setup
17.section .init 23.section .init
18 call PIC_PLT(OPENSSL_cpuid_setup) 24 call PIC_PLT(OPENSSL_cpuid_setup)
19 25
26.hidden OPENSSL_ia32cap_P
27.comm OPENSSL_ia32cap_P,8,4
28
20.text 29.text
21 30
22.globl OPENSSL_atomic_add 31.globl OPENSSL_atomic_add
@@ -47,7 +56,7 @@ OPENSSL_rdtsc:
47.type OPENSSL_ia32_cpuid,\@abi-omnipotent 56.type OPENSSL_ia32_cpuid,\@abi-omnipotent
48.align 16 57.align 16
49OPENSSL_ia32_cpuid: 58OPENSSL_ia32_cpuid:
50 mov %rbx,%r8 59 mov %rbx,%r8 # save %rbx
51 60
52 xor %eax,%eax 61 xor %eax,%eax
53 cpuid 62 cpuid
@@ -79,7 +88,15 @@ OPENSSL_ia32_cpuid:
79 # AMD specific 88 # AMD specific
80 mov \$0x80000000,%eax 89 mov \$0x80000000,%eax
81 cpuid 90 cpuid
82 cmp \$0x80000008,%eax 91 cmp \$0x80000001,%eax
92 jb .Lintel
93 mov %eax,%r10d
94 mov \$0x80000001,%eax
95 cpuid
96 or %ecx,%r9d
97 and \$0x00000801,%r9d # isolate AMD XOP bit, 1<<11
98
99 cmp \$0x80000008,%r10d
83 jb .Lintel 100 jb .Lintel
84 101
85 mov \$0x80000008,%eax 102 mov \$0x80000008,%eax
@@ -90,12 +107,12 @@ OPENSSL_ia32_cpuid:
90 mov \$1,%eax 107 mov \$1,%eax
91 cpuid 108 cpuid
92 bt \$28,%edx # test hyper-threading bit 109 bt \$28,%edx # test hyper-threading bit
93 jnc .Ldone 110 jnc .Lgeneric
94 shr \$16,%ebx # number of logical processors 111 shr \$16,%ebx # number of logical processors
95 cmp %r10b,%bl 112 cmp %r10b,%bl
96 ja .Ldone 113 ja .Lgeneric
97 and \$0xefffffff,%edx # ~(1<<28) 114 and \$0xefffffff,%edx # ~(1<<28)
98 jmp .Ldone 115 jmp .Lgeneric
99 116
100.Lintel: 117.Lintel:
101 cmp \$4,%r11d 118 cmp \$4,%r11d
@@ -112,30 +129,47 @@ OPENSSL_ia32_cpuid:
112.Lnocacheinfo: 129.Lnocacheinfo:
113 mov \$1,%eax 130 mov \$1,%eax
114 cpuid 131 cpuid
132 and \$0xbfefffff,%edx # force reserved bits to 0
115 cmp \$0,%r9d 133 cmp \$0,%r9d
116 jne .Lnotintel 134 jne .Lnotintel
117 or \$0x00100000,%edx # use reserved 20th bit to engage RC4_CHAR 135 or \$0x40000000,%edx # set reserved bit#30 on Intel CPUs
118 and \$15,%ah 136 and \$15,%ah
119 cmp \$15,%ah # examine Family ID 137 cmp \$15,%ah # examine Family ID
120 je .Lnotintel 138 jne .Lnotintel
121 or \$0x40000000,%edx # use reserved bit to skip unrolled loop 139 or \$0x00100000,%edx # set reserved bit#20 to engage RC4_CHAR
122.Lnotintel: 140.Lnotintel:
123 bt \$28,%edx # test hyper-threading bit 141 bt \$28,%edx # test hyper-threading bit
124 jnc .Ldone 142 jnc .Lgeneric
125 and \$0xefffffff,%edx # ~(1<<28) 143 and \$0xefffffff,%edx # ~(1<<28)
126 cmp \$0,%r10d 144 cmp \$0,%r10d
127 je .Ldone 145 je .Lgeneric
128 146
129 or \$0x10000000,%edx # 1<<28 147 or \$0x10000000,%edx # 1<<28
130 shr \$16,%ebx 148 shr \$16,%ebx
131 cmp \$1,%bl # see if cache is shared 149 cmp \$1,%bl # see if cache is shared
132 ja .Ldone 150 ja .Lgeneric
133 and \$0xefffffff,%edx # ~(1<<28) 151 and \$0xefffffff,%edx # ~(1<<28)
152.Lgeneric:
153 and \$0x00000800,%r9d # isolate AMD XOP flag
154 and \$0xfffff7ff,%ecx
155 or %ecx,%r9d # merge AMD XOP flag
156
157 mov %edx,%r10d # %r9d:%r10d is copy of %ecx:%edx
158 bt \$27,%r9d # check OSXSAVE bit
159 jnc .Lclear_avx
160 xor %ecx,%ecx # XCR0
161 .byte 0x0f,0x01,0xd0 # xgetbv
162 and \$6,%eax # isolate XMM and YMM state support
163 cmp \$6,%eax
164 je .Ldone
165.Lclear_avx:
166 mov \$0xefffe7ff,%eax # ~(1<<28|1<<12|1<<11)
167 and %eax,%r9d # clear AVX, FMA and AMD XOP bits
134.Ldone: 168.Ldone:
135 shl \$32,%rcx 169 shl \$32,%r9
136 mov %edx,%eax 170 mov %r10d,%eax
137 mov %r8,%rbx 171 mov %r8,%rbx # restore %rbx
138 or %rcx,%rax 172 or %r9,%rax
139 ret 173 ret
140.size OPENSSL_ia32_cpuid,.-OPENSSL_ia32_cpuid 174.size OPENSSL_ia32_cpuid,.-OPENSSL_ia32_cpuid
141 175
@@ -230,4 +264,21 @@ OPENSSL_wipe_cpu:
230.size OPENSSL_wipe_cpu,.-OPENSSL_wipe_cpu 264.size OPENSSL_wipe_cpu,.-OPENSSL_wipe_cpu
231___ 265___
232 266
267print<<___;
268.globl OPENSSL_ia32_rdrand
269.type OPENSSL_ia32_rdrand,\@abi-omnipotent
270.align 16
271OPENSSL_ia32_rdrand:
272 mov \$8,%ecx
273.Loop_rdrand:
274 rdrand %rax
275 jc .Lbreak_rdrand
276 loop .Loop_rdrand
277.Lbreak_rdrand:
278 cmp \$0,%rax
279 cmove %rcx,%rax
280 ret
281.size OPENSSL_ia32_rdrand,.-OPENSSL_ia32_rdrand
282___
283
233close STDOUT; # flush 284close STDOUT; # flush
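Review bot: OPENSSL_ia32_rdrand (new lines 268-281) leaves its contract undocumented: it retries up to eight times, after eight CF=0 results `%rcx` has counted down to 0 so the `cmove` leaves 0 in `%rax`, and a genuinely generated zero is replaced by the remaining loop count, so 0 always means "no random value available" and callers must check for it, at the cost of a small bias from mapping a real 0 to a counter value. A header comment along the lines of `# returns a 64-bit random value, or 0 if rdrand failed 8 times in a row; a genuine 0 is replaced by the loop counter so that 0 always means failure` should accompany the routine. Separately, the comment at new line 97, `isolate AMD XOP bit, 1<<11`, describes mask 0x801, which also keeps bit 0; either say so or narrow the mask (the later `and \$0x00000800,%r9d` at new line 153 discards bit 0 anyway).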